mirror of
https://github.com/vyos/vyos-build.git
synced 2025-10-01 20:28:40 +02:00
d235b31a09
The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to: * sign all build-in Kernel modules * sign all other out-of-tree Kernel modules The key lives in /tmp and is destroyed after the build container exits and is named: "VyOS build time autogenerated kernel key". In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key.
23 lines
780 B
Bash
Executable File
23 lines
780 B
Bash
Executable File
#!/bin/sh
|
|
SIGN_FILE=$(find /usr/lib -name sign-file)
|
|
MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
|
|
MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
|
|
VMLINUZ=$(readlink /boot/vmlinuz)
|
|
|
|
# All Linux Kernel modules need to be cryptographically signed
|
|
find /lib/modules -type f -name \*.ko | while read MODULE; do
|
|
modinfo ${MODULE} | grep -q "signer:"
|
|
if [ $? != 0 ]; then
|
|
echo "E: Module ${MODULE} is not signed!"
|
|
read -n 1 -s -r -p "Press any key to continue"
|
|
fi
|
|
done
|
|
|
|
if [ ! -f ${MOK_KEY} ]; then
|
|
echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
|
|
else
|
|
echo "I: Signing Linux Kernel for Secure Boot"
|
|
sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
|
|
sbverify --list /boot/${VMLINUZ}
|
|
fi
|