T861: use custom Kernel certificate over the root shim signing certificate

2025-10-01 20:28:40 +02:00 · 2025-03-16 20:11:28 +01:00 · 2025-03-16 20:11:28 +01:00 · d5db3bf117
commit d5db3bf117
parent a02b10b2ba
3 changed files with 27 additions and 7 deletions
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@ -1,7 +1,7 @@
 #!/bin/sh
 SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
 VMLINUZ=$(readlink /boot/vmlinuz)

 # All Linux Kernel modules need to be cryptographically signed
@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
    fi
 done

-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
 else
    echo "I: Signing Linux Kernel for Secure Boot"
-    sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
    sbverify --list /boot/${VMLINUZ}
+    rm -f ${KERNEL_KEY}
 fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+    if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+        echo "Found private key - bailing out"
+        exit 1
+    fi
+done
+
--- a/scripts/check-qemu-install
+++ b/scripts/check-qemu-install
@ -398,6 +398,16 @@ try:

    loginVM(c, log)

+    #################################################
+    # Check for no private key contents within the image
+    #################################################
+    msg = 'Found private key - bailing out'
+    c.sendline(f'if sudo grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok; then echo {msg}; exit 1; fi')
+    tmp = c.expect([f'\n{msg}', op_mode_prompt])
+    if tmp == 0:
+        log.error(msg)
+        exit(1)
+
    #################################################
    # Installing into VyOS system
    #################################################
@ -879,7 +889,7 @@ except pexpect.exceptions.ExceptionPexpect:
    EXCEPTION = 1

 except Exception:
-    log.error('Unknown error occured while VyOS!')
+    log.error('Unknown error occured!')
    traceback.print_exc()
    EXCEPTION = 1

--- a/scripts/package-build/linux-kernel/build-kernel.sh
+++ b/scripts/package-build/linux-kernel/build-kernel.sh
@ -36,12 +36,13 @@ do
 done

 # Change name of Signing Cert
-sed -i -e "s/CN =.*/CN=VyOS build time autogenerated kernel key/" certs/default_x509.genkey
+sed -i -e "s/CN =.*/CN=VyOS Networks build time autogenerated Kernel key/" certs/default_x509.genkey

 TRUSTED_KEYS_FILE=trusted_keys.pem
 # start with empty key file
 echo -n "" > $TRUSTED_KEYS_FILE
-CERTS=$(find ../../../../data/live-build-config/includes.chroot/var/lib/shim-signed/mok -name "*.pem" -type f || true)
+GIT_ROOT=$(git rev-parse --show-toplevel)
+CERTS=$(find ${GIT_ROOT}/data/certificates -name "*.pem" -type f || true)
 if [ ! -z "${CERTS}" ]; then
  # add known public keys to Kernel certificate chain
  for file in $CERTS; do