[secure boot]Remove WA after the fix in commit 5717c5d. The flow now …
…will modify the kconfig-inclusions/exclusions file only if Secure Boot is enabled.
1 parent
10322c3
commit 77e1842
Showing
2 changed files
with
49 additions
and
30 deletions.
@@ -1,51 +1,69 @@ | ||
#!/bin/bash | ||
|
||
# Note: this script was created because there is a problem when changing the kernel config | ||
# values that are required by the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags). | ||
# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions. | ||
# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature. | ||
|
||
usage() { | ||
cat <<EOF | ||
$0: # Display Help | ||
$0 <PEM_CERT> | ||
$0 -c <PEM_CERT> -a <CONF_ARCH> | ||
Script is modifying kernel config file to support system trusted key with custom certificate. | ||
Note: The signature algorithm used will be RSA over SHA512 x509 format. | ||
Parameters description: | ||
PEM_CERT public key (pem format). Key to be store in kernel. | ||
CONF_ARCH is the kernel arch amd/arm/etc | ||
Usage example: bash secure_boot_kernel_config.sh cert.pem | ||
EOF | ||
} | ||
|
||
# the function is appending a line after the string from variable $1 | ||
# var pos $2: new config to be set | ||
# var pos $3: filename to be modify | ||
append_line_after_str() { | ||
sed -i "/$1/a $2" $3 | ||
} | ||
|
||
while getopts 'c:a:hv' flag; do | ||
case "${flag}" in | ||
c) CERT_PEM="${OPTARG}" ;; | ||
a) CONF_ARCH="${OPTARG}" ;; | ||
v) VERBOSE='true' ;; | ||
h) print_usage | ||
exit 1 ;; | ||
esac | ||
done | ||
|
||
if [ "$1" = "-h" -o "$1" = "--help" ]; then | ||
usage | ||
fi | ||
|
||
echo "$0: Adding Secure Boot support in Kernel config file." | ||
|
||
CERT_PEM=$1 | ||
|
||
[ -f "$CERT_PEM" ] || { | ||
echo "Error: CERT_PEM file does not exist: $CERT_PEM" | ||
usage | ||
exit 1 | ||
} | ||
|
||
local_cert_pem="debian/certs/$(basename $CERT_PEM)" | ||
linux_cfg_file="debian/build/build_amd64_none_amd64/.config" | ||
sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file | ||
sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file | ||
sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file | ||
sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file | ||
[ ! -z "$CONF_ARCH" ] || { | ||
echo "Error: CONF_ARCH file does not exist: $CONF_ARCH" | ||
usage | ||
exit 1 | ||
} | ||
|
||
#lockdown feature disable | ||
sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file | ||
sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file | ||
sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file | ||
sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file | ||
LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)" | ||
KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions" | ||
KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions" | ||
CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]" | ||
|
||
# warm boot secure | ||
sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file | ||
echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE" | ||
|
||
echo "$0: Secure Boot support in Kernel config file DONE." | ||
# add support to secure boot and secure warm boot | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE | ||
append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE |
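Review bot: Nothing checks that a `[$CONF_ARCH]` header actually exists in the inclusions/exclusions files before the `append_line_after_str` calls at the end of the hunk: the `[ ! -z "$CONF_ARCH" ]` guard only rejects an empty string (and its message "CONF_ARCH file does not exist" does not describe that check), so a mistyped `-a` value makes every `sed -i '/regex/a …'` a silent no-op, the script still exits 0, and the build continues without CONFIG_MODULE_SIG_SHA512 / CONFIG_KEXEC_SIG_FORCE and with lockdown still enabled. Add a guard before the appends such as `grep -q -- "$CONF_ARCH_BLOCK_REGEX" "$KCONFIG_INCLUSIONS_FILE" || { echo "Error: no [$CONF_ARCH] section in $KCONFIG_INCLUSIONS_FILE" >&2; exit 1; }` (and the same for the exclusions file), and since `$CONF_ARCH` is interpolated into a sed regex, reject values outside `[[ "$CONF_ARCH" =~ ^[A-Za-z0-9_-]+$ ]]`. Separately, `h) print_usage` in the getopts case names a function that does not exist in this file (the helper is `usage`), so `-h` produces a command-not-found error before the `exit 1`. The regex and file arguments should be passed quoted (`"$CONF_ARCH_BLOCK_REGEX"`, `"$KCONFIG_INCLUSIONS_FILE"`, and `"$3"` inside the helper); whether `CERT_PEM=$1` still follows the getopts loop on the new side cannot be told from this rendering, but if it does it overwrites the value given with `-c`.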