Skip to content

Commit

Permalink
[secure boot]Add Linux Kernel configuration to support Secure Boot fe…
Browse files Browse the repository at this point in the history
…ature & Secure warmboot
  • Loading branch information
davidpil2002 committed Nov 13, 2022
1 parent 34f26b3 commit 1781f60
Show file tree
Hide file tree
Showing 2 changed files with 67 additions and 0 deletions.
13 changes: 13 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,19 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
fi

ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))
if [ -f $(SECURE_UPGRADE_DEV_SIGNING_CERT) ]; then
echo "Add secure boot support in kernel config file"
cp ../patch/secure_boot_kernel_config.sh .
cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT)
else
echo "no certificate file exist, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
exit 1
fi

endif # ifeq ($(SECURE_UPGRADE_MOD),$(filter $(SECURE_UPGRADE_MOD),dev prod))

# Building a custom kernel from Debian kernel source
ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep
ifeq ($(CONFIGURED_ARCH), armhf)
Expand Down
54 changes: 54 additions & 0 deletions patch/secure_boot_kernel_config.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
#!/bin/bash

# Note: this script was created because there is a problem when changing the kernel config
# values that requires in the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags).
# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions.

usage() {
cat <<EOF
$0: # Display Help
$0 <PEM_CERT>
Script is modifying kernel config file to support system trusted key with custom certificate.
Note: The signature algorithem used will be SHA512.
Parameters description:
PEM_CERT public key (pem format). Key to be store in kernel.
Run example:
bash secure_boot_kernel_config.sh cert.pem
EOF
}

if [ "$1" = "-h" -o "$1" = "--help" ]; then
usage
fi

echo "$0: Adding Secure Boot support in Kernel config file."

CERT_PEM=$1

[ -f "$CERT_PEM" ] || {
echo "Error: CERT_PEM file does not exist: $CERT_PEM"
usage
exit 1
}

local_cert_pem="debian/certs/$(basename $CERT_PEM)"
linux_cfg_file="debian/build/build_amd64_none_amd64/.config"
sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file
sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file
sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file
sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file

#lockdown feature disable
sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file
sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file
sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file
sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file

# warm boot secure
sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file

echo "$0: Secure Boot support in Kernel config file DONE."


0 comments on commit 1781f60

Please sign in to comment.