[pve-devel] [PATCH pve-kernel 1/2] fix #4831: build: sign modules and enable lockdown

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jul 18 15:02:04 CEST 2023 

and this one and 2/2 are obviously for pve-kernel :-/ fixed up the git
settings so that it doesn't happen again..

On July 18, 2023 11:11 am, Fabian Grünbichler wrote:
> this is required for secure boot support.
> 
> at build time, an ephemeral key pair will be generated and all built modules
> will be signed with it. the private key is discarded, and the public key
> embedded in the kernel image for signature validation at module load time.
> 
> these changes allow booting the built kernel in secure boot mode after manually
> signing the kernel image with a trusted key (either MOK, or by enrolling custom
> PK/KEK/db keys and signing the whole bootchain using them).
> 
> Tested-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
> ---
>  debian/rules | 22 ++++++++++++++++++----
>  1 file changed, 18 insertions(+), 4 deletions(-)
> 
> diff --git a/debian/rules b/debian/rules
> index 744e5cb..123c870 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
>  -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
>  -e CONFIG_SYSFB_SIMPLEFB \
>  -e CONFIG_DRM_SIMPLEDRM \
> --d CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG_ALL \
> +-e CONFIG_MODULE_SIG_FORMAT \
> +--set-str CONFIG_MODULE_SIG_HASH sha512 \
> +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
> +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
> +-e CONFIG_MODULE_SIG_SHA512 \
>  -d CONFIG_MEMCG_DISABLED \
>  -e CONFIG_MEMCG_SWAP_ENABLED \
>  -e CONFIG_HYPERV \
> @@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
>  -e CONFIG_UNWINDER_FRAME_POINTER \
>  --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
>  --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
> --d CONFIG_SECURITY_LOCKDOWN_LSM \
> --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> ---set-str CONFIG_LSM yama,integrity,apparmor \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
>  -e CONFIG_PAGE_TABLE_ISOLATION
>  
>  debian/control: $(wildcard debian/*.in)
> @@ -163,6 +169,14 @@ endif
>  
>  	# strip debug info
>  	find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
> +
> +	# sign modules using ephemeral, embedded key
> +	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
> +		find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
> +			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
> +		done; \
> +		rm ./ubuntu-kernel/certs/signing_key.pem ; \
> +	fi
>  	# finalize
>  	/sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
>  	# Autogenerate blacklist for watchdog devices (see README)
> -- 
> 2.39.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel at lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>

More information about the pve-devel mailing list