T861: sign all Kernel modules with an ephemeral key #772

Merged: 5 commits, Sep 25, 2024


c-po
Member

@c-po c-po commented Sep 23, 2024

Change Summary

The shim review board (which is the secure boot base loader) recommends using ephemeral keys when signing the Linux Kernel. This commit enables the Kernel build system to generate a one-time ephemeral key that is used to:

  • sign all built-in Kernel modules
  • sign all other out-of-tree Kernel modules

The key lives in /tmp and is destroyed after the build container exits and is named: VyOS build time autogenerated kernel key.

In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This makes it unable to load any Kernel Module to the image that is NOT signed by the ephemeral key.

During system boot one will now see:

[image]

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

Kernel / Boot

How to test

[image]

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

As the VyOS Linux Kernel will be compiled with CONFIG_MODULE_SIG_FORCE all
driver modules need to be cryptographically signed. This happens during build
of the Kernel and its 3rd party modules.

Stripping the objects would remove said signature and the system will be unable
to boot b/c of CONFIG_MODULE_SIG_FORCE.

github-actions bot commented Sep 23, 2024

👍
No issues in PR Title / Commit Title

@c-po c-po marked this pull request as ready for review September 23, 2024 19:43
@c-po c-po requested a review from a team as a code owner September 23, 2024 19:43
@sever-sever
Member

Could you update scripts in the scripts/package-build dir?
Otherwise we have to do it on a separate PR

@c-po
Member Author

c-po commented Sep 24, 2024

Could you update scripts in the scripts/package-build dir? Otherwise we have to do it on a separate PR

Will do

@c-po c-po marked this pull request as draft September 24, 2024 16:33
The shim review board (which is the secure boot base loader) recommends using
ephemeral keys when signing the Linux Kernel. This commit enables the Kernel
build system to generate a one-time ephemeral key that is used to:

* sign all built-in Kernel modules
* sign all other out-of-tree Kernel modules

The key lives in /tmp and is destroyed after the build container exits and is
named: "VyOS build time autogenerated kernel key".

In addition the Kernel now uses CONFIG_MODULE_SIG_FORCE. This now makes it
unable to load any Kernel Module to the image that is NOT signed by the
ephemeral key.
@c-po c-po marked this pull request as ready for review September 25, 2024 18:24
@c-po c-po merged commit eff99f5 into vyos:current Sep 25, 2024
8 of 9 checks passed
@c-po c-po deleted the kernel-ephemeral-keys branch September 25, 2024 18:24
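
Added illustration, not part of this pull request or the VyOS build scripts: a Python check for the trailer the kernel appends to a signed module, which flags modules that were never signed or were stripped afterwards (the failure the commit message on stripping describes). It assumes uncompressed .ko input; the sample bytes are constructed and the signature blob is a placeholder, so this checks the trailer's shape only, not cryptographic validity against the build key.

```python
import struct
import sys

# Trailer layout used by the kernel's appended module signatures:
# <module> <PKCS#7 signature> <struct module_signature> <magic string>
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")   # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
PKEY_ID_PKCS7 = 2


def inspect_module(blob: bytes) -> dict:
    """Report whether a module image carries a well-formed signature trailer."""
    if not blob.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker (unsigned or stripped)"}
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "truncated trailer"}
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    payload_len = len(body) - TRAILER.size - sig_len
    if sig_len == 0 or payload_len < 0:
        return {"signed": False, "reason": "signature length out of range"}
    # For PKCS#7 signatures the kernel expects algo, hash, signer and key-id fields to be zero.
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return {"signed": False, "reason": "unexpected trailer fields"}
    return {"signed": True, "sig_len": sig_len, "payload_len": payload_len}


# Constructed sample data: a fake module body and a placeholder signature blob.
_PAYLOAD = b"\x7fELF" + bytes(60)
_SIG = b"\x30\x82" + b"\xaa" * 30
SIGNED = _PAYLOAD + _SIG + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(_SIG)) + MAGIC
STRIPPED = _PAYLOAD   # what remains once the appended data is removed

if __name__ == "__main__":
    # With file arguments, check real modules; otherwise run the constructed samples.
    if sys.argv[1:]:
        inputs = [(path, open(path, "rb").read()) for path in sys.argv[1:]]
    else:
        inputs = [("SIGNED", SIGNED), ("STRIPPED", STRIPPED)]
    bad = 0
    for name, data in inputs:
        result = inspect_module(data)
        bad += not result["signed"]
        print(name, result)
    sys.exit(1 if bad else 0)
```

Run over every module in a built image, a non-zero exit marks a module that a CONFIG_MODULE_SIG_FORCE kernel would refuse to load.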