mirror of
https://abf.rosa.ru/djam/kernel-6.1.git
synced 2025-02-25 00:02:55 +00:00
Implement signing kernel modules
parent
95836da65c
commit
3a8564ce81
1 changed files with 77 additions and 1 deletions
78
kernel.spec
78
kernel.spec
|
@ -4,7 +4,7 @@
|
|||
%define sublevel 7
|
||||
|
||||
# Release number. Increase this before a rebuild.
|
||||
%define rpmrel 2
|
||||
%define rpmrel 5
|
||||
%define fullrpmrel %{rpmrel}
|
||||
|
||||
%define rpmtag %{disttag}
|
||||
|
@ -56,6 +56,29 @@
|
|||
# Directories definition needed for installing
|
||||
%define target_boot %{buildroot}%{_bootdir}
|
||||
%define target_modules %{buildroot}%{_modulesdir}
|
||||
|
||||
# Manual control of creating and deleting keys
|
||||
# "rnd" is "random" and means that a key pair is generated at build time
|
||||
# and is not saved anywhere.
|
||||
%define certs_dir_rnd %{src_dir}/certs_%{vendor}_rnd
|
||||
%define certs_signing_key_rnd %{certs_dir_rnd}/signing_key.pem
|
||||
%define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
|
||||
# %%certs_email_rnd expansion has bashisms
|
||||
%define _buildshell /bin/bash
|
||||
# On ABF, %%packager == $username <$email>
|
||||
# Try to extract email from %%packager if it is set
|
||||
# https://stackoverflow.com/a/5719562
|
||||
%define certs_email_rnd %(\
|
||||
if echo '%{packager}' | grep -q 'packager}$' || [ -z "%{packager}" ]; \
|
||||
then echo 'rpmbuild@rosa.unknown' && exit 0; \
|
||||
else temp="$(echo '%{packager}' | awk '{print $NF}' | tr -d '<>')"; \
|
||||
fi; \
|
||||
if [[ "$temp" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$ ]]; \
|
||||
then echo "$temp" && exit 0; \
|
||||
else echo 'rpmbuild@rosa.unknown' && exit 0; \
|
||||
fi; \
|
||||
echo 'rpmbuild@rosa.unknown' )
|
||||
|
||||
############################################################################
|
||||
|
||||
# SELinux is now built in by default but some other hardening features
|
||||
|
@ -183,6 +206,7 @@ Patch109: fs-aufs.patch
|
|||
|
||||
Autoreqprov: no
|
||||
|
||||
BuildRequires(pre): bash
|
||||
BuildRequires: bc
|
||||
BuildRequires: binutils
|
||||
BuildRequires: gcc
|
||||
|
@ -222,6 +246,11 @@ BuildRequires: zlib-devel
|
|||
BuildRequires: pkgconfig(libcrypto)
|
||||
%endif
|
||||
|
||||
%if %{enhanced_security}
|
||||
# To generate keys
|
||||
BuildRequires: openssl
|
||||
%endif
|
||||
|
||||
# might be useful too:
|
||||
Suggests: microcode
|
||||
|
||||
|
@ -707,6 +736,7 @@ sed -i 's/# CONFIG_DEBUG_INFO is not set/CONFIG_DEBUG_INFO=y\nCONFIG_DEBUG_INFO_
|
|||
%endif
|
||||
|
||||
%if %{enhanced_security}
|
||||
### SELinux enablement
|
||||
# seems to be needed to boot system in enforcing selinux mode
|
||||
# note: cpio fpormat of initramfs does not support xattrs without patches
|
||||
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
|
||||
|
@ -715,6 +745,19 @@ echo CONFIG_SECURITY_SELINUX_DISABLE=y >> .config
|
|||
# enable selinux in kernel by default if not disabled explicitly
|
||||
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
|
||||
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> .config
|
||||
|
||||
### Signing kernel modules
|
||||
# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
|
||||
sed -i '/CONFIG_MODULE_SIG/d' .config
|
||||
echo CONFIG_MODULE_SIG=y >> .config
|
||||
# Disallow loading not signed modules
|
||||
echo CONFIG_MODULE_SIG_FORCE=y >> .config
|
||||
# Sign all built modules automatically
|
||||
echo CONFIG_MODULE_SIG_ALL=y >> .config
|
||||
# Use SHA-512 algo
|
||||
echo CONFIG_MODULE_SIG_SHA512=y >> .config
|
||||
# Set path to the key that will be generated later by openssl
|
||||
echo CONFIG_MODULE_SIG_KEY="%{certs_signing_key_rnd}" >> .config
|
||||
%endif
|
||||
|
||||
# Store the config file in the appropriate directory.
|
||||
|
@ -750,6 +793,35 @@ install -d %{temp_root}
|
|||
|
||||
cd %src_dir
|
||||
|
||||
### Keys for signing kernel modules
|
||||
# Keys can be generated both manually and automatically,
|
||||
# let's generate them by ourselves to take full control of the process
|
||||
# https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
|
||||
%if %{enhanced_security}
|
||||
mkdir -p "%{certs_dir_rnd}"
|
||||
cat <<EOF > "%{certs_key_config_rnd}"
|
||||
[ req ]
|
||||
# https://github.com/openssl/openssl/issues/3536
|
||||
prompt = no
|
||||
default_bits = 4096
|
||||
default_md = sha512
|
||||
days = 109500
|
||||
default_keyfile = %{certs_signing_key_rnd}
|
||||
distinguished_name = req_distinguished_name
|
||||
[ req_distinguished_name ]
|
||||
organizationName = %{vendor} rpmbuild
|
||||
commonName = Build time autogenerated kernel key
|
||||
emailAddress = %{certs_email_rnd}
|
||||
EOF
|
||||
cat "%{certs_key_config_rnd}"
|
||||
|
||||
openssl req -new -nodes -utf8 -batch -x509 \
|
||||
-config "%{certs_key_config_rnd}" \
|
||||
-outform PEM \
|
||||
-out "%{certs_signing_key_rnd}" \
|
||||
-keyout "%{certs_signing_key_rnd}"
|
||||
%endif
|
||||
|
||||
# .config
|
||||
%smake -s mrproper
|
||||
cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config
|
||||
|
@ -984,3 +1056,7 @@ install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
|
|||
install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
|
||||
install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
|
||||
%endif
|
||||
|
||||
# Ensure that build time generated private keys don't get published
|
||||
# as e.g. "RPM build root" on ABF!
|
||||
rm -fvr "%{certs_dir_rnd}"
|
||||
|
|
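Review bot: The private signing key is created under `%{src_dir}` with the default umask and is only deleted by the final `rm -fvr "%{certs_dir_rnd}"`, so any step that fails in between leaves `signing_key.pem` in the build tree, which is the exposure the closing comment is trying to prevent. Creating the directory with `install -d -m 700 "%{certs_dir_rnd}"` instead of `mkdir -p` would keep the key unreadable to other users on the builder. The `rm` would be safer placed directly after the step that signs the modules; that step is not visible in these hunks, so the right spot needs checking against the full spec. Separately, `days = 109500` in the `[ req ]` section is, as far as I know, not a key that `openssl req` reads from its config. If so, the certificate gets the default validity unless `-days 109500` is passed on the `openssl req -new -nodes -utf8 -batch -x509` command line.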