c/pve-kernel-lowlatency-qoup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

build: sign modules and set trust anchor/lockdown

Browse Source 
this is required for secure boot support.

at build time, an ephemeral key pair will be generated and all built modules
will be signed with it. the private key is discarded, and the public key
embedded in the kernel image for signature validation at module load time.

this change means that every kernel release must be considered an ABI change
from now on, else the signatures of on-disk modules and the signing key
embedded in the running kernel image might not match.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2023-03-02 09:32:25 +01:00
parent 25b7be41bf
commit 345bdbd264
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
debian/rules vendored
View File

@ -54,7 +54,13 @@ PMX_CONFIG_OPTS= \
-e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-e CONFIG_SYSFB_SIMPLEFB \
-e CONFIG_DRM_SIMPLEDRM \
-d CONFIG_MODULE_SIG \
-e CONFIG_MODULE_SIG \
-e CONFIG_MODULE_SIG_ALL \
-e CONFIG_MODULE_SIG_FORMAT \
--set-str CONFIG_MODULE_SIG_HASH sha512 \
--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
-e CONFIG_MODULE_SIG_SHA512 \
-d CONFIG_MEMCG_DISABLED \
-e CONFIG_MEMCG_SWAP_ENABLED \
-e CONFIG_HYPERV \
@ -87,9 +93,9 @@ PMX_CONFIG_OPTS= \
-e CONFIG_UNWINDER_FRAME_POINTER \
--set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
--set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
-d CONFIG_SECURITY_LOCKDOWN_LSM \
-d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
--set-str CONFIG_LSM yama,integrity,apparmor \
-e CONFIG_SECURITY_LOCKDOWN_LSM \
-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
-e CONFIG_PAGE_TABLE_ISOLATION
debian/control: $(wildcard debian/*.in)
@ -168,6 +174,14 @@ endif
# strip debug info
find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
# sign modules using ephemeral, embedded key
if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
done; \
rm ./ubuntu-kernel/certs/signing_key.pem ; \
fi
# finalize
/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
# Autogenerate blacklist for watchdog devices (see README)