vyos/vyos-build
1
0
Fork 0
mirror of https://github.com/vyos/vyos-build.git synced 2025-10-01 20:28:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

T861: use custom Kernel certificate over the root shim signing certificate

Browse Source
This commit is contained in:
Christian Breunig 2025-03-16 20:11:28 +01:00
parent a02b10b2ba
commit d5db3bf117
3 changed files with 27 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
View File

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
SIGN_FILE=$(find /usr/lib -name sign-file) SIGN_FILE=$(find /usr/lib -name sign-file)
MOK_KEY="/var/lib/shim-signed/mok/MOK.key" KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
MOK_CERT="/var/lib/shim-signed/mok/MOK.pem" KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
VMLINUZ=$(readlink /boot/vmlinuz) VMLINUZ=$(readlink /boot/vmlinuz)
# All Linux Kernel modules need to be cryptographically signed # All Linux Kernel modules need to be cryptographically signed
@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
fi fi
done done
if [ ! -f ${MOK_KEY} ]; then if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
echo "I: Signing key for Linux Kernel not found - Secure Boot not possible" echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
else else
echo "I: Signing Linux Kernel for Secure Boot" echo "I: Signing Linux Kernel for Secure Boot"
sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ} sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
sbverify --list /boot/${VMLINUZ} sbverify --list /boot/${VMLINUZ}
rm -f ${KERNEL_KEY}
fi fi
for cert in $(ls /var/lib/shim-signed/mok/); do
if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
echo "Found private key - bailing out"
exit 1
fi
done

12
scripts/check-qemu-install
View File

@ -398,6 +398,16 @@ try:
loginVM(c, log) loginVM(c, log)
#################################################
# Check for no private key contents within the image
#################################################
msg = 'Found private key - bailing out'
c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
tmp = c.expect([f'\n{msg}', op_mode_prompt])
if tmp == 0:
log.error(msg)
exit(1)
################################################# #################################################
# Installing into VyOS system # Installing into VyOS system
################################################# #################################################
@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
EXCEPTION = 1 EXCEPTION = 1
except Exception: except Exception:
log.error('Unknown error occured while VyOS!') log.error('Unknown error occured!')
traceback.print_exc() traceback.print_exc()
EXCEPTION = 1 EXCEPTION = 1

5
scripts/package-build/linux-kernel/build-kernel.sh
View File

@ -36,12 +36,13 @@ do
done done
# Change name of Signing Cert # Change name of Signing Cert
sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey
TRUSTED_KEYS_FILE=trusted_keys.pem TRUSTED_KEYS_FILE=trusted_keys.pem
# start with empty key file # start with empty key file
echo -n "" > $TRUSTED_KEYS_FILE echo -n "" > $TRUSTED_KEYS_FILE
CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true) GIT_ROOT=$(git rev-parse --show-toplevel)
CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
if [ ! -z "${CERTS}" ]; then if [ ! -z "${CERTS}" ]; then
# add known public keys to Kernel certificate chain # add known public keys to Kernel certificate chain
for file in $CERTS; do for file in $CERTS; do