T861: add UEFI Secure Boot support #763
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When moving to UEFI and secure-boot it's better to just reboot the system for Machine Owner Key installation, then powercycling the machine. This commit will use `reboot now` over `poweroff` after base system installation and boot into installed image for smoketest handling.
This code path was unused during CI runs.
To use VNC you could run "make test -- --vnc"
…e disks This is required to support proper disk ejection and not reloading the disk on system reboot when operation in BIOS mode.
In the past the CLI based smoketest was always executed under an else branch in the testcase if-statement. Instead of using negative logic move all testcases to positive logic adding an empty "catch all" else path.
c-po
requested review from
dmbaturin,
sarthurdev,
zdc,
jestabro,
sever-sever and
nicolas-fort
|
👍 |
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system. NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
Rise upper limit for UID when working in an Active Direcotry integrated environment. This solves the warning: vyos_bld's uid 1632000007 outside of the UID_MIN 1000 and UID_MAX 60000 range.
dmbaturin
approved these changes
Sep 15, 2024
sarthurdev
approved these changes
Sep 15, 2024
sever-sever
approved these changes
Sep 16, 2024
11 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change Summary
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system.
NOTE: This commit will not work unless signing keys are present.
Types of changes
Related Task(s)
Related PR(s)
How to test
You can see in a Kernel log if keys are embedded by searching for
Loaded X.509Arbitrary keys can be generated using
CA
Create Certificate Authority used for Kernel signing. CA is loaded into the
Machine Owner Key store on the target system.
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes openssl x509 -inform der -in MOK.der -out MOK.pemKernel Module Signing Key
We do not make use of ephemeral keys for Kernel module signing. Instead a key
is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
modules during ISO assembly if present.
openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256Checklist: