|
1 | 1 | #!/bin/bash
|
2 | 2 |
|
3 |
| -# Note: this script was created because there is a problem when changing the kernel config |
4 |
| -# values that are required by the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags). |
5 |
| -# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions. |
| 3 | +# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature. |
6 | 4 |
|
7 | 5 | usage() {
|
8 | 6 | cat <<EOF
|
9 | 7 | $0: # Display Help
|
10 |
| -$0 <PEM_CERT> |
| 8 | +$0 -c <PEM_CERT> -a <CONF_ARCH> |
11 | 9 | Script is modifying kernel config file to support system trusted key with custom certificate.
|
12 | 10 | Note: The signature algorithm used will be RSA over SHA512 x509 format.
|
13 | 11 |
|
14 | 12 | Parameters description:
|
15 | 13 | PEM_CERT public key (pem format). Key to be store in kernel.
|
16 |
| -
|
| 14 | +CONF_ARCH is the kernel arch amd/arm/etc |
17 | 15 | Usage example: bash secure_boot_kernel_config.sh cert.pem
|
18 | 16 | EOF
|
19 | 17 | }
|
20 | 18 |
|
| 19 | +# the function is appending a line after the string from variable $1 |
| 20 | +# var pos $2: new config to be set |
| 21 | +# var pos $3: filename to be modify |
| 22 | +append_line_after_str() { |
| 23 | +sed -i "/$1/a $2" $3 |
| 24 | +} |
| 25 | + |
| 26 | +while getopts 'c:a:hv' flag; do |
| 27 | + case "${flag}" in |
| 28 | + c) CERT_PEM="${OPTARG}" ;; |
| 29 | + a) CONF_ARCH="${OPTARG}" ;; |
| 30 | + v) VERBOSE='true' ;; |
| 31 | + h) print_usage |
| 32 | + exit 1 ;; |
| 33 | + esac |
| 34 | +done |
| 35 | + |
21 | 36 | if [ "$1" = "-h" -o "$1" = "--help" ]; then
|
22 | 37 | usage
|
23 | 38 | fi
|
24 | 39 |
|
25 |
| -echo "$0: Adding Secure Boot support in Kernel config file." |
26 |
| - |
27 |
| -CERT_PEM=$1 |
28 |
| - |
29 | 40 | [ -f "$CERT_PEM" ] || {
|
30 | 41 | echo "Error: CERT_PEM file does not exist: $CERT_PEM"
|
31 | 42 | usage
|
32 | 43 | exit 1
|
33 | 44 | }
|
34 | 45 |
|
35 |
| -local_cert_pem="debian/certs/$(basename $CERT_PEM)" |
36 |
| -linux_cfg_file="debian/build/build_amd64_none_amd64/.config" |
37 |
| -sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file |
38 |
| -sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file |
39 |
| -sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file |
40 |
| -sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file |
| 46 | +[ ! -z "$CONF_ARCH" ] || { |
| 47 | + echo "Error: CONF_ARCH file does not exist: $CONF_ARCH" |
| 48 | + usage |
| 49 | + exit 1 |
| 50 | +} |
41 | 51 |
|
42 |
| -#lockdown feature disable |
43 |
| -sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file |
44 |
| -sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file |
45 |
| -sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file |
46 |
| -sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file |
| 52 | +LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)" |
| 53 | +KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions" |
| 54 | +KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions" |
| 55 | +CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]" |
47 | 56 |
|
48 |
| -# warm boot secure |
49 |
| -sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file |
| 57 | +echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE" |
50 | 58 |
|
51 |
| -echo "$0: Secure Boot support in Kernel config file DONE." |
| 59 | +# add support to secure boot and secure warm boot |
| 60 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE |
| 61 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE |
| 62 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE |
| 63 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE |
| 64 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE |
| 65 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE |
| 66 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE |
| 67 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE |
| 68 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE |
| 69 | +append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE |
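Review bot: `h) print_usage` at new line 31 calls a function that does not exist in this file — the helper defined at new line 5 is `usage` — so `-h` produces a "command not found" error and then `exit 1` instead of printing the help; change it to `h) usage`. Separately, `append_line_after_str` at new lines 22–24 interpolates `$1` and `$2` into the sed program and passes `$3` unquoted, and nothing verifies that the `[$CONF_ARCH]` header is present in either kconfig file, so a mistyped `-a` value turns every `sed /re/a` into a silent no-op while the script still reports success; a guard after new line 55 such as `grep -q -- "$CONF_ARCH_BLOCK_REGEX" "$KCONFIG_INCLUSIONS_FILE" || { echo "Error: no [$CONF_ARCH] block in $KCONFIG_INCLUSIONS_FILE" >&2; exit 1; }` (and the same for the exclusions file) would catch that before any edit is made. The message at new line 47, `Error: CONF_ARCH file does not exist`, is misleading because the test on line 46 only checks for an empty value; `Error: CONF_ARCH is not set` matches what is checked. The retained `-h`/`--help` test at new line 36 is now unreachable for `-h` since the getopts branch exits first, and the usage example at new line 15 still shows the old positional `cert.pem` form rather than `-c <PEM_CERT> -a <CONF_ARCH>`.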