From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Subject: [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown
Date: Tue, 18 Jul 2023 11:11:00 +0200 [thread overview]
Message-ID: <20230718091102.6631-8-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20230718091102.6631-1-f.gruenbichler@proxmox.com>
this is required for secure boot support.
at build time, an ephemeral key pair will be generated and all built modules
will be signed with it. the private key is discarded, and the public key
embedded in the kernel image for signature validation at module load time.
these changes allow booting the built kernel in secure boot mode after manually
signing the kernel image with a trusted key (either MOK, or by enrolling custom
PK/KEK/db keys and signing the whole bootchain using them).
Tested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
debian/rules | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/debian/rules b/debian/rules
index 744e5cb..123c870 100755
--- a/debian/rules
+++ b/debian/rules
@@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
-e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-e CONFIG_SYSFB_SIMPLEFB \
-e CONFIG_DRM_SIMPLEDRM \
--d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
-d CONFIG_MEMCG_DISABLED \
-e CONFIG_MEMCG_SWAP_ENABLED \
-e CONFIG_HYPERV \
@@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
-e CONFIG_UNWINDER_FRAME_POINTER \
--set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
--set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--d CONFIG_SECURITY_LOCKDOWN_LSM \
--d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM yama,integrity,apparmor \
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
-e CONFIG_PAGE_TABLE_ISOLATION
debian/control: $(wildcard debian/*.in)
@@ -163,6 +169,14 @@ endif
# strip debug info
find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+ # sign modules using ephemeral, embedded key
+ if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+ find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+ ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+ done; \
+ rm ./ubuntu-kernel/certs/signing_key.pem ; \
+ fi
# finalize
/sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
# Autogenerate blacklist for watchdog devices (see README)
--
2.39.2
next prev parent reply other threads:[~2023-07-18 9:12 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-18 9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
2023-07-25 15:06 ` Thomas Lamprecht
2023-07-26 7:34 ` Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH proxmox-backup] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2 Fabian Grünbichler
2023-07-18 13:00 ` [pve-devel] [PATCH proxmox-backup-meta] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename Fabian Grünbichler
2023-07-18 13:00 ` [pve-devel] [PATCH proxmox-kernel-helper] " Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
2023-07-18 13:01 ` [pve-devel] [PATCH proxmox-mailgateway] " Fabian Grünbichler
2023-07-25 15:12 ` [pve-devel] [PATCH] " Thomas Lamprecht
2023-07-26 7:25 ` Fabian Grünbichler
2023-07-18 9:10 ` [pve-devel] [PATCH proxmox-ve] " Fabian Grünbichler
2023-07-18 9:11 ` Fabian Grünbichler [this message]
2023-07-18 13:02 ` [pve-devel] [PATCH pve-kernel 1/2] fix #4831: build: sign modules and enable lockdown Fabian Grünbichler
2023-07-18 9:11 ` [pve-devel] [PATCH 2/2] integrate meta packages and change prefix Fabian Grünbichler
2023-07-18 9:11 ` [pve-devel] [PATCH manager] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230718091102.6631-8-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=w.bumiller@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox