[secure boot]Remove WA after the fix in commit 5717c5d. The flow now will modify the kconfig-inclusions/exclusions file if the Secure Boot is enabled only.

davidpil2002 · davidpil2002 · commit 77e18425b9a1 · 2022-12-15T11:29:05.000+02:00
diff --git a/Makefile b/Makefile
@@ -121,11 +121,6 @@ $(addprefix $(DEST)/, $(MAIN_TARGET)): $(DEST)/% :
 		stg import -s $(NON_UP_DIR)/series
 	fi
 
-	# Optionally add/remove kernel options
-	if [ -f ../manage-config ]; then
-		../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
-	fi
-
 # Secure Boot Configuration
 ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
 ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
@@ -134,17 +129,23 @@ ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
 		echo "Add secure boot support in kernel config file"
 		cp ../patch/secure_boot_kernel_config.sh .
 		cp $(SECURE_UPGRADE_DEV_SIGNING_CERT) debian/certs
-		bash secure_boot_kernel_config.sh $(SECURE_UPGRADE_DEV_SIGNING_CERT)
+		echo "secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)"
+		./secure_boot_kernel_config.sh -c $(SECURE_UPGRADE_DEV_SIGNING_CERT) -a $(CONFIGURED_ARCH)
 	else
 		echo "no certificate file exists, SECURE_UPGRADE_DEV_SIGNING_CERT=$(SECURE_UPGRADE_DEV_SIGNING_CERT)"
 		exit 1
 	fi
 else
-	echo "SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
+	echo "SECURE_UPGRADE_MODE is defined, but SECURE_UPGRADE_DEV_SIGNING_CERT is not defined"
 endif # ifneq ($(origin SECURE_UPGRADE_DEV_SIGNING_CERT), undefined)
 endif # ifeq ($(SECURE_UPGRADE_MODE),$(filter $(SECURE_UPGRADE_MODE),dev prod))
 endif # ifneq ($(origin SECURE_UPGRADE_MODE), undefined)
 
+	# Optionally add/remove kernel options
+	if [ -f ../manage-config ]; then
+		../manage-config $(CONFIGURED_ARCH) $(CONFIGURED_PLATFORM)
+	fi
+
 	# Building a custom kernel from Debian kernel source
 	ARCH=$(CONFIGURED_ARCH) DEB_HOST_ARCH=$(CONFIGURED_ARCH) DEB_BUILD_PROFILES=nodoc fakeroot make -f debian/rules -j $(shell nproc) binary-indep
 ifeq ($(CONFIGURED_ARCH), armhf)
diff --git a/patch/secure_boot_kernel_config.sh b/patch/secure_boot_kernel_config.sh
@@ -1,51 +1,69 @@
 #!/bin/bash
 
-# Note: this script was created because there is a problem when changing the kernel config
-# values that are required by the Secure Boot feature when using patch/kconfig-inclusions (sonic flow to modify kernel flags).
-# So, when this problem will be resolved, this script should be removed and used the kconfig-inclusions.
+# This script is doing modification in kconfig-inclusions and kconfig-exclusions files in order to support Secure Boot feature.
 
 usage() {
     cat <<EOF
 $0: # Display Help
-$0 <PEM_CERT>
+$0 -c <PEM_CERT> -a <CONF_ARCH>
 Script is modifying kernel config file to support system trusted key with custom certificate.
 Note: The signature algorithm used will be RSA over SHA512 x509 format.
 
 Parameters description:
 PEM_CERT                             public key (pem format). Key to be store in kernel.
-
+CONF_ARCH                           is the kernel arch amd/arm/etc
 Usage example: bash secure_boot_kernel_config.sh cert.pem
 EOF
 }
 
+# the function is appending a line after the string from variable $1
+# var pos $2: new config to be set
+# var pos $3: filename to be modify 
+append_line_after_str() {
+sed -i "/$1/a $2" $3
+}
+
+while getopts 'c:a:hv' flag; do
+  case "${flag}" in
+    c) CERT_PEM="${OPTARG}" ;;
+    a) CONF_ARCH="${OPTARG}" ;;
+    v) VERBOSE='true' ;;
+    h) print_usage
+       exit 1 ;;
+  esac
+done
+
 if [ "$1" = "-h" -o "$1" = "--help" ]; then 
     usage
 fi
 
-echo "$0: Adding Secure Boot support in Kernel config file."
-
-CERT_PEM=$1
-
 [ -f "$CERT_PEM" ] || {
     echo "Error: CERT_PEM file does not exist: $CERT_PEM"
     usage
     exit 1
 }
 
-local_cert_pem="debian/certs/$(basename $CERT_PEM)"
-linux_cfg_file="debian/build/build_amd64_none_amd64/.config"
-sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"$local_cert_pem\"|g" $linux_cfg_file
-sed -i 's/^CONFIG_MODULE_SIG_HASH=.*/CONFIG_MODULE_SIG_HASH="sha512"/g' $linux_cfg_file
-sed -i 's/^CONFIG_MODULE_SIG_SHA256=.*/# CONFIG_MODULE_SIG_SHA256 is not set/g' $linux_cfg_file
-sed -i 's/# CONFIG_MODULE_SIG_SHA512 is not set/CONFIG_MODULE_SIG_SHA512=y/g' $linux_cfg_file
+[ ! -z "$CONF_ARCH" ] || {
+    echo "Error: CONF_ARCH file does not exist: $CONF_ARCH"
+    usage
+    exit 1
+}
 
-#lockdown feature disable
-sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM=.*/# CONFIG_SECURITY_LOCKDOWN_LSM is not set/g' $linux_cfg_file
-sed -i 's/^CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=.*/# CONFIG_SECURITY_LOCKDOWN_LSM_EARLY is not set/g' $linux_cfg_file
-sed -i 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=.*/# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set/g' $linux_cfg_file
-sed -i 's/^CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=.*/# CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is not set/g' $linux_cfg_file
+LOCAL_CERT_PEM="debian/certs/$(basename $CERT_PEM)"
+KCONFIG_INCLUSIONS_FILE="../patch/kconfig-inclusions"
+KCONFIG_EXCLUSIONS_FILE="../patch/kconfig-exclusions"
+CONF_ARCH_BLOCK_REGEX="^\[$CONF_ARCH\]"
 
-# warm boot secure
-sed -i 's/# CONFIG_KEXEC_SIG_FORCE is not set/CONFIG_KEXEC_SIG_FORCE=y/g' $linux_cfg_file
+echo "$0: Appending kernel configuration in files: $KCONFIG_INCLUSIONS_FILE, $KCONFIG_EXCLUSIONS_FILE"
 
-echo "$0: Secure Boot support in Kernel config file DONE."
+# add support to secure boot and secure warm boot
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SYSTEM_TRUSTED_KEYS=\"$LOCAL_CERT_PEM\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_HASH=\"sha512\"" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA512=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_KEXEC_SIG_FORCE=y" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "#Secure Boot" $KCONFIG_INCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_SECURITY_LOCKDOWN_LSM_EARLY" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT" $KCONFIG_EXCLUSIONS_FILE
+append_line_after_str $CONF_ARCH_BLOCK_REGEX "CONFIG_MODULE_SIG_SHA256" $KCONFIG_EXCLUSIONS_FILE
