
Commit 77e1842

committed
[secure boot]Remove WA after the fix in commit 5717c5d. The flow will now modify the kconfig-inclusions/exclusions files only if Secure Boot is enabled.
1 parent 10322c3 commit 77e1842


2 files changed

+49
-30
lines changed

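--- a/Makefile
+++ b/Makefile
@@ -121,11 +121,6 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 stg import -s $(NON_UP_DIR)/series
 fi
 
-# Optionally add/remove kernel options
-if [ -f ../manage-config ]; then
-../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
-fi
-
 # Secure Boot Configuration
 ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
 ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
@@ -134,17 +129,23 @@ ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
 echo "Add secure boot support in kernel config file"
 cp ../patch/secure_boot_kernel_config.sh .
 cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
-bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT)
+echo "secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)"
+./secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)
 else
 echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
 exit 1
 fi
 else
-echo "SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
+echo "SECURE_UPGRADE_MODE is defined, but SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
 endif # ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
 endif # ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
 endif # ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
 
+# Optionally add/remove kernel options
+if [ -f ../manage-config ]; then
+../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
+fi
+
 # Building a custom kernel from Debian kernel source
 ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep
 ifeq ($(CONFIGURED_ARCH), armhf)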
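Review bot: The `else` branch at new line 139 only echoes when SECURE_UPGRADE_MODE is dev/prod but SECURE_UPGRADE_DEV_SIGNING_CERT is undefined, so the kernel is still built without any of the secure-boot kconfig changes, while the missing-certificate-file branch just above it does `exit 1`; unless a build without a signing certificate is intended in that mode, the two cases should fail the same way, `echo "SECURE_UPGRADE_MODE is defined, but SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"; exit 1`. The switch from `bash secure_boot_kernel_config.sh` to `./secure_boot_kernel_config.sh` at new line 133 now relies on the executable bit this commit sets on patch/secure_boot_kernel_config.sh surviving the `cp` into the build directory, which holds for a normal umask but is worth a comment next to the `cp`. The recipe these hunks belong to starts before the first hunk.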

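old mode 100644
new mode 100755
--- a/patch/secure_boot_kernel_config.sh
+++ b/patch/secure_boot_kernel_config.sh
@@ -1,51 +1,69 @@
 #!/bin/bash
 
-# Note: this script was created because there is a problem when changing the kernel config
-# values that are required by the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags).
-# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions.
+# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature.
 
 usage() {
 cat <<EOF
 $0: # Display Help
-$0 <PEM_CERT>
+$0 -c <PEM_CERT> -a <CONF_ARCH>
 Script is modifying kernel config file to support system trusted key with custom certificate.
 Note: The signature algorithm used will be RSA over SHA512 x509 format.
 
 Parameters description:
 PEM_CERT public key (pem format). Key to be store in kernel.
-
+CONF_ARCH is the kernel arch amd/arm/etc
 Usage example: bash secure_boot_kernel_config.sh cert.pem
 EOF
 }
 
+# the function is appending a line after the string from variable $1
+# var pos $2: new config to be set
+# var pos $3: filename to be modify
+append_line_after_str() {
+sed -i "/$1/a $2" $3
+}
+
+while getopts 'c:a:hv' flag; do
+case "${flag}" in
+c) CERT_PEM="${OPTARG}" ;;
+a) CONF_ARCH="${OPTARG}" ;;
+v) VERBOSE='true' ;;
+h) print_usage
+exit 1 ;;
+esac
+done
+
 if [ "$1" = "-h" -o "$1" = "--help" ]; then
 usage
 fi
 
-echo "$0: Adding Secure Boot support in Kernel config file."
-
-CERT_PEM=$1
-
 [ -f "$CERT_PEM" ] || {
 echo "Error: CERT_PEM file does not exist: $CERT_PEM"
 usage
 exit 1
 }
 
-local_cert_pem="debian/certs/$(basename $CERT_PEM)"
-linux_cfg_file="debian/build/build_amd64_none_amd64/.config"
-sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file
-sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file
-sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file
-sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file
+[ ! -z "$CONF_ARCH" ] || {
+echo "Error: CONF_ARCH file does not exist: $CONF_ARCH"
+usage
+exit 1
+}
 
-#lockdown feature disable
-sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file
-sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file
-sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file
-sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file
+LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)"
+KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions"
+KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions"
+CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]"
 
-# warm boot secure
-sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file
+echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE"
 
-echo "$0: Secure Boot support in Kernel config file DONE."
+# add support to secure boot and secure warm boot
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE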
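Review bot: The `h)` arm of the new getopts loop at new line 31 calls `print_usage`, which this script never defines (the help function is `usage`, defined at line 5), so `-h` prints a command-not-found error before `exit 1`; it should read `h) usage`, and the positional `-h`/`--help` check that follows the loop is then redundant. The CONF_ARCH guard at new lines 46-50 tests for an empty string but its message says `CONF_ARCH file does not exist`; `echo "Error: CONF_ARCH is not set"` describes what was actually checked. `append_line_after_str` uses `sed -i "/$1/a $2"`, which inserts after every line matching the pattern and succeeds even when nothing matches, so a CONF_ARCH with no `[arch]` block in kconfig-inclusions silently changes nothing and a second run of the Makefile recipe appends every CONFIG_ line again; checking the header with `grep -q` before the appends, and skipping lines already present, would make the step idempotent. The pattern and filename arguments (`$CONF_ARCH_BLOCK_REGEX`, `$3`, `$KCONFIG_INCLUSIONS_FILE`) are expanded unquoted at the call sites and inside the helper (ShellCheck SC2086), and the usage text still shows the old positional form `bash secure_boot_kernel_config.sh cert.pem` although the script now requires `-c`/`-a`.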
