From 345bdbd26477f976b2f1807112d43dfe1e666b6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Thu, 2 Mar 2023 09:32:25 +0100 Subject: [PATCH] build: sign modules and set trust anchor/lockdown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit this is required for secure boot support. at build time, an ephemeral key pair will be generated and all built modules will be signed with it. the private key is discarded, and the public key embedded in the kernel image for signature validation at module load time. this change means that every kernel release must be considered an ABI change from now on, else the signatures of on-disk modules and the signing key embedded in the running kernel image might not match. Signed-off-by: Fabian Grünbichler --- debian/rules | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/debian/rules b/debian/rules index 32c9e9b..b4bfb5c 100755 --- a/debian/rules +++ b/debian/rules @@ -54,7 +54,13 @@ PMX_CONFIG_OPTS= \ -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \ -e CONFIG_SYSFB_SIMPLEFB \ -e CONFIG_DRM_SIMPLEDRM \ --d CONFIG_MODULE_SIG \ +-e CONFIG_MODULE_SIG \ +-e CONFIG_MODULE_SIG_ALL \ +-e CONFIG_MODULE_SIG_FORMAT \ +--set-str CONFIG_MODULE_SIG_HASH sha512 \ +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \ +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \ +-e CONFIG_MODULE_SIG_SHA512 \ -d CONFIG_MEMCG_DISABLED \ -e CONFIG_MEMCG_SWAP_ENABLED \ -e CONFIG_HYPERV \ @@ -87,9 +93,9 @@ PMX_CONFIG_OPTS= \ -e CONFIG_UNWINDER_FRAME_POINTER \ --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\ --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\ --d CONFIG_SECURITY_LOCKDOWN_LSM \ --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \ ---set-str CONFIG_LSM yama,integrity,apparmor \ +-e CONFIG_SECURITY_LOCKDOWN_LSM \ +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \ +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \ -e CONFIG_PAGE_TABLE_ISOLATION debian/control: $(wildcard debian/*.in) @@ -168,6 +174,14 @@ endif # strip debug info find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done + + # sign modules using ephemeral, embedded key + if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \ + find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \ + ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \ + done; \ + rm ./ubuntu-kernel/certs/signing_key.pem ; \ + fi # finalize /sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME) # Autogenerate blacklist for watchdog devices (see README)