Djam/kernel-6.1
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/kernel-6.1.git synced 2025-02-25 08:12:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement signing kernel modules

Browse source
This commit is contained in:
Mikhail Novosyolov 2019-11-11 17:47:53 +03:00
parent 95836da65c
commit 3a8564ce81
1 changed files with 77 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

78
kernel.spec
View file

@ -4,7 +4,7 @@
%define sublevel 7 %define sublevel 7
# Release number. Increase this before a rebuild. # Release number. Increase this before a rebuild.
%define rpmrel 2 %define rpmrel 5
%define fullrpmrel %{rpmrel} %define fullrpmrel %{rpmrel}
%define rpmtag %{disttag} %define rpmtag %{disttag}
@ -56,6 +56,29 @@
# Directories definition needed for installing # Directories definition needed for installing
%define target_boot %{buildroot}%{_bootdir} %define target_boot %{buildroot}%{_bootdir}
%define target_modules %{buildroot}%{_modulesdir} %define target_modules %{buildroot}%{_modulesdir}
# Manual control of creating and deleting keys
# "rnd" is "random" and means that a key pair is generated at build time
# and is not saved anywhere.
%define certs_dir_rnd %{src_dir}/certs_%{vendor}_rnd
%define certs_signing_key_rnd %{certs_dir_rnd}/signing_key.pem
%define certs_key_config_rnd %{certs_dir_rnd}/x509.genkey
# %%certs_email_rnd expansion has bashisms
%define _buildshell /bin/bash
# On ABF, %%packager == $username <$email>
# Try to extract email from %%packager if it is set
# https://stackoverflow.com/a/5719562
%define certs_email_rnd %(\
if echo '%{packager}' | grep -q 'packager}$' || [ -z "%{packager}" ]; \
then echo 'rpmbuild@rosa.unknown' && exit 0; \
else temp="$(echo '%{packager}' | awk '{print $NF}' | tr -d '<>')"; \
fi; \
if [[ "$temp" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$ ]]; \
then echo "$temp" && exit 0; \
else echo 'rpmbuild@rosa.unknown' && exit 0; \
fi; \
echo 'rpmbuild@rosa.unknown' )
############################################################################ ############################################################################
# SELinux is now built in by default but some other hardening features # SELinux is now built in by default but some other hardening features
@ -183,6 +206,7 @@ Patch109: fs-aufs.patch
Autoreqprov: no Autoreqprov: no
BuildRequires(pre): bash
BuildRequires: bc BuildRequires: bc
BuildRequires: binutils BuildRequires: binutils
BuildRequires: gcc BuildRequires: gcc
@ -222,6 +246,11 @@ BuildRequires: zlib-devel
BuildRequires: pkgconfig(libcrypto) BuildRequires: pkgconfig(libcrypto)
%endif %endif
%if %{enhanced_security}
# To generate keys
BuildRequires: openssl
%endif
# might be useful too: # might be useful too:
Suggests: microcode Suggests: microcode
@ -707,6 +736,7 @@ sed -i 's/# CONFIG_DEBUG_INFO is not set/CONFIG_DEBUG_INFO=y\nCONFIG_DEBUG_INFO_
%endif %endif
%if %{enhanced_security} %if %{enhanced_security}
### SELinux enablement
# seems to be needed to boot system in enforcing selinux mode # seems to be needed to boot system in enforcing selinux mode
# note: cpio fpormat of initramfs does not support xattrs without patches # note: cpio fpormat of initramfs does not support xattrs without patches
# see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315 # see also: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1680315
@ -715,6 +745,19 @@ echo CONFIG_SECURITY_SELINUX_DISABLE=y >> .config
# enable selinux in kernel by default if not disabled explicitly # enable selinux in kernel by default if not disabled explicitly
sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config sed -i '/CONFIG_SECURITY_SELINUX_BOOTPARAM/d' .config
echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> .config echo CONFIG_SECURITY_SELINUX_BOOTPARAM=y >> .config
### Signing kernel modules
# https://www.kernel.org/doc/html/v5.3/admin-guide/module-signing.html
sed -i '/CONFIG_MODULE_SIG/d' .config
echo CONFIG_MODULE_SIG=y >> .config
# Disallow loading not signed modules
echo CONFIG_MODULE_SIG_FORCE=y >> .config
# Sign all built modules automatically
echo CONFIG_MODULE_SIG_ALL=y >> .config
# Use SHA-512 algo
echo CONFIG_MODULE_SIG_SHA512=y >> .config
# Set path to the key that will be generated later by openssl
echo CONFIG_MODULE_SIG_KEY="%{certs_signing_key_rnd}" >> .config
%endif %endif
# Store the config file in the appropriate directory. # Store the config file in the appropriate directory.
@ -750,6 +793,35 @@ install -d %{temp_root}
cd %src_dir cd %src_dir
### Keys for signing kernel modules
# Keys can be generated both manually and automatically,
# let's generate them by ourselves to take full control of the process
# https://www.ibm.com/support/knowledgecenter/en/SSB23S_1.1.0.13/gtps7/cfgcert.html
%if %{enhanced_security}
mkdir -p "%{certs_dir_rnd}"
cat <<EOF > "%{certs_key_config_rnd}"
[ req ]
# https://github.com/openssl/openssl/issues/3536
prompt = no
default_bits = 4096
default_md = sha512
days = 109500
default_keyfile = %{certs_signing_key_rnd}
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
organizationName = %{vendor} rpmbuild
commonName = Build time autogenerated kernel key
emailAddress = %{certs_email_rnd}
EOF
cat "%{certs_key_config_rnd}"
openssl req -new -nodes -utf8 -batch -x509 \
-config "%{certs_key_config_rnd}" \
-outform PEM \
-out "%{certs_signing_key_rnd}" \
-keyout "%{certs_signing_key_rnd}"
%endif
# .config # .config
%smake -s mrproper %smake -s mrproper
cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config cp arch/x86/configs/%{arch_suffix}_defconfig-%{flavour} .config
@ -984,3 +1056,7 @@ install -m644 %{SOURCE53} %{buildroot}%{_unitdir}/cpupower.path
install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower install -m644 %{SOURCE51} %{buildroot}%{_sysconfdir}/sysconfig/cpupower
install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh install -m755 %{SOURCE52} %{buildroot}%{_bindir}/cpupower-start.sh
%endif %endif
# Ensure that build time generated private keys don't get published
# as e.g. "RPM build root" on ABF!
rm -fvr "%{certs_dir_rnd}"