Merge pull request #763 from c-po/secure-boot
T861: add UEFI Secure Boot support
Showing 20 changed files with 339 additions and 123 deletions.
File renamed without changes.
@@ -0,0 +1,18 @@ | ||
#!/bin/sh | ||
SIGN_FILE=$(find /usr/lib -name sign-file) | ||
MOK_KEY="/var/lib/shim-signed/mok/kernel.key" | ||
MOK_CERT="/var/lib/shim-signed/mok/kernel.pem" | ||
kernel_elf=$(readlink /boot/vmlinuz) | ||
|
||
if [ ! -f ${MOK_KEY} ]; then | ||
echo "I: Signing key for Linux Kernel not found - Secure Boot not possible" | ||
else | ||
echo "I: Signing Linux Kernel for Secure Boot" | ||
|
||
sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf} | ||
sbverify --list /boot/${kernel_elf} | ||
|
||
find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do | ||
$SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module | ||
done | ||
fi |
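Review bot: `$SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module` is also run on the `*.ko.xz` matches, but sign-file appends its detached signature to whatever file it is given, so on a compressed module the signature lands after the xz stream rather than inside the ELF that gets decompressed, and the module is not verifiable; sign the modules before they are compressed, or decompress, sign and recompress in the loop. Two smaller points in the same loop: `-type f -name \*.ko -o -name \*.ko.xz` binds as `(-type f -a -name '*.ko') -o -name '*.ko.xz'`, so group the name tests with `\( ... \)`, and `SIGN_FILE=$(find /usr/lib -name sign-file)` is never checked for emptiness, so a missing sign-file silently turns the loop into `sha512 ...` invocations. The sbsign exit status is not checked either and `--output` overwrites the input in place, so a failed signing leaves no usable kernel; write to a temporary file and rename on success. Finally, nothing removes `${MOK_KEY}` after signing; if this hook runs inside the chroot (as the `/boot` and `/lib/modules` paths suggest), the private key should be deleted afterwards or read from outside the chroot so it cannot end up in the image.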
data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md (22 changes: 22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
# Secure Boot | ||
|
||
## CA | ||
|
||
Create Certificate Authority used for Kernel signing. CA is loaded into the | ||
Machine Owner Key store on the target system. | ||
|
||
```bash | ||
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes | ||
openssl x509 -inform der -in MOK.der -out MOK.pem | ||
``` | ||
|
||
## Kernel Module Signing Key | ||
|
||
We do not make use of ephemeral keys for Kernel module signing. Instead a key | ||
is generated and signed by the VyOS Secure Boot CA which signs all the Kernel | ||
modules during ISO assembly if present. | ||
|
||
```bash | ||
openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes | ||
openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256 | ||
``` |
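Review bot: the README documents how the keys are generated but not how they become trusted at runtime, and the "Kernel Module Signing Key" paragraph reads as though the CA itself signs the modules. Suggest rewording to: `kernel.key` (certified by the VyOS Secure Boot CA) signs the kernel and its modules during ISO assembly. Also document (a) that `MOK.der` must be enrolled in the Machine Owner Key store (e.g. `mokutil --import MOK.der`) before shim will accept the sbsign'ed kernel, and (b) how `kernel.pem` is made available to the kernel for module verification: sign-file's detached signature identifies the signing certificate and does not embed it, so enrolling the CA alone does not let the kernel verify modules signed with `kernel.key`. Lastly, `MOK.key` is the CA private key; state where it is kept and that neither it nor `kernel.key` belongs in `includes.chroot` (this README's own directory), since that tree is copied into the ISO.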