
Sign module and vmlinuz #371

wants to merge 1 commit into
base: develop
56 changes: 56 additions & 0 deletions default-package-config.sh
Expand Up @@ -160,6 +160,35 @@ function kernel_build() {
#
logmust fakeroot debian/rules printenv "${debian_rules_args[@]}"

#
# Download SB keys and configure signing keys/certs before build
#
SB_KEYS_DIR="/var/tmp/sbkeys"
logmust mkdir -p $SB_KEYS_DIR
logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR

FLAVOUR=$platform
OBJ=debian/build/build-$FLAVOUR
CERTS=$OBJ/certs

ensure the objdir + certs dir exist
mkdir -p "$CERTS"

# provide the key the packaging expects INSIDE the objdir
# (symlink or copy)
logmust ln -sf "${SB_KEYS_DIR}/signing_key.pem" "$CERTS/signing_key.pem"
logmust chmod 600 "$CERTS/signing_key.pem"

# create the DER .x509 that sign-file needs from .crt)
logmust openssl x509 -in "${SB_KEYS_DIR}/db.crt" -outform DER -out "$CERTS/signing_key.x509"
# sanity checks
logmust test -s "$CERTS/signing_key.pem" || { echo "missing signing_key.pem"; exit 1; }
logmust test -s "$CERTS/signing_key.x509" || { echo "missing signing_key.x509"; exit 1; }
logmust openssl pkey -in "$CERTS/signing_key.pem" -noout >/dev/null || { echo "key unreadable"; exit 1; }

SBSIGN_KEY="${SBSIGN_KEY:-$SB_KEYS_DIR/db.key}"
SBSIGN_CERT="${SBSIGN_CERT:-$SB_KEYS_DIR/db.crt}"

#
# The default value of the tool argument for mk-build-deps
# is the following:
Expand Down Expand Up @@ -203,6 +232,33 @@ function kernel_build() {
# one of the .debs produced
#
logmust test -f "artifacts/linux-image-${kernel_version}_"*.deb

#
# After the build, unpackage linux-image package and sign vmlinuz
#
linux_deb=$(find artifacts -type f -name "linux-image-${kernel_version}*.deb" | head -n1)
temp_dir=$(mktemp -d -p "/var/tmp/")
logmust fakeroot dpkg-deb -R $linux_deb "$temp_dir"

bz="$temp_dir/boot/vmlinuz-${kernel_version}"
logmust sbsign --key $SBSIGN_KEY --cert $SBSIGN_CERT --output "$bz.signed" "$bz"
logmust mv "$bz.signed" "$bz"
logmust sbverify --list "$bz"

# Update md5sums
( cd "$temp_dir"
: > DEBIAN/md5sums
# print paths relative to root of package
while IFS= read -r -d '' f; do
rel="${f#./}"
md5sum "$rel" >> DEBIAN/md5sums
done < <(find . -type f ! -path './DEBIAN/*' -print0)
)

# Repack the .deb"
out_deb="artifacts/linux-image.deb"
logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
logmust mv "$out_deb" "$linux_deb"
}

#
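Review bot: In the first hunk the line `ensure the objdir + certs dir exist` is missing its leading `#`, so the shell tries to execute a command named `ensure` right before `mkdir -p "$CERTS"`; it should read `# ensure the objdir + certs dir exist`. In the second hunk `logmust sbverify --list "$bz"` only prints the signatures attached to the image and does not validate them, so a kernel signed with the wrong key still passes this step; `logmust sbverify --cert "$SBSIGN_CERT" "$bz"` checks the signature against the intended certificate. The private key and certificate are also fetched into the fixed path `/var/tmp/sbkeys` with default `mkdir -p` permissions, and neither that directory nor the unpacked `$temp_dir` is removed when the build finishes; `mkdir -p -m 700` and a `trap` cleanup would limit how long the key material sits on the build host. kernel_build begins before the first hunk, and the `}` closing it is context in the second.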
41 changes: 41 additions & 0 deletions packages/connstat/config.sh
Expand Up @@ -50,4 +50,45 @@ function build() {

logmust cd "$WORKDIR/repo"
logmust mv ./*deb "$WORKDIR/artifacts/"

# Sign the module
sign_module
}

SB_KEYS_DIR="/var/tmp/sbkeys"
SBSIGN_KEY="$SB_KEYS_DIR/db.key"
SBSIGN_DER="$SB_KEYS_DIR/db.der"

# Unpack connstat module package in artifacts directory, sign, then repack
#
function sign_module() {
echo_bold "Signing constat module"
logmust mkdir -p $SB_KEYS_DIR
logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
for connstat_pkg in $(find "$WORKDIR/artifacts" -type f -name "connstat-module-*.deb" ! -name "*-dbg*"); do
echo_bold "Processing $connstat_pkg"
temp_dir=$(mktemp -d -p "/var/tmp/")
logmust fakeroot dpkg-deb -R $connstat_pkg "$temp_dir"

connstat_mod=$(find $temp_dir -type f -name connstat.ko)

logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $connstat_mod "$connstat_mod.signed"
logmust mv "$connstat_mod.signed" "$connstat_mod"
logmust modinfo -F signer "$connstat_mod"

# Update md5sums
( cd "$temp_dir"
: > DEBIAN/md5sums
# print paths relative to root of package
while IFS= read -r -d '' f; do
rel="${f#./}"
md5sum "$rel" >> DEBIAN/md5sums
done < <(find . -type f ! -path './DEBIAN/*' ! -path './etc/depmod*' -print0)
)

# Repack the .deb"
out_deb="$WORKDIR/artifacts/connstat-module.deb"
logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
logmust mv "$out_deb" "$connstat_pkg"
done
}
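Review bot: The loop `for connstat_pkg in $(find "$WORKDIR/artifacts" ...)` word-splits the find output, and `$connstat_pkg`, `$temp_dir` and `$connstat_mod` are then passed unquoted to `dpkg-deb`, `find` and `kmodsign`, so any artifact path containing whitespace or glob characters breaks the signing step; `for zfs_pkg in $(find ...)` in packages/zfs/config.sh has the same shape. Iterate with `while IFS= read -r -d '' connstat_pkg; do ...; done < <(find "$WORKDIR/artifacts" -type f -name "connstat-module-*.deb" ! -name "*-dbg*" -print0)` and quote every expansion, as the md5sums loop below it already does. `connstat_mod=$(find $temp_dir -type f -name connstat.ko)` is also not checked for an empty result, so if the package layout changes kmodsign is called with an empty module path; `logmust test -s "$connstat_mod"` before signing would mirror the checks in default-package-config.sh. The message `echo_bold "Signing constat module"` misspells connstat. build() starts outside the hunk; sign_module is complete within it.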
46 changes: 46 additions & 0 deletions packages/zfs/config.sh
Expand Up @@ -174,6 +174,52 @@ function build() {
done
logmust cd "$WORKDIR"
logmust mv "all-packages/"*.deb "artifacts/"

# Sign ZFS modules in all packages
sign_zfs_modules
}

SB_KEYS_DIR="/var/tmp/sbkeys"
SBSIGN_KEY="$SB_KEYS_DIR/db.key"
SBSIGN_DER="$SB_KEYS_DIR/db.der"

#
# Unpack zfs-modules packages in artifacts directory, sign, then repack
#
function sign_zfs_modules() {
echo_bold "Signing ZFS modules"
logmust mkdir -p $SB_KEYS_DIR
logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
for zfs_pkg in $(find "$WORKDIR/artifacts" -type f -name "zfs-modules-*.deb" ! -name "*-dbg*"); do
echo_bold "Processing $zfs_pkg"
temp_dir=$(mktemp -d -p "/var/tmp/")
logmust fakeroot dpkg-deb -R $zfs_pkg "$temp_dir"

zfs=$(find $temp_dir -type f -name zfs.ko)
spl=$(find $temp_dir -type f -name spl.ko)

logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $zfs "$zfs.signed"
logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $spl "$spl.signed"
logmust mv "$zfs.signed" "$zfs"
logmust mv "$spl.signed" "$spl"
logmust modinfo -F signer "$zfs"
logmust modinfo -F signer "$spl"

# Update md5sums
( cd "$temp_dir"
: > DEBIAN/md5sums
# print paths relative to root of package
while IFS= read -r -d '' f; do
rel="${f#./}"
md5sum "$rel" >> DEBIAN/md5sums
done < <(find . -type f ! -path './DEBIAN/*' ! -path './etc/depmod*' -print0)
)

# Repack the .deb"
out_deb="$WORKDIR/artifacts/zfs-modules.deb"
logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
logmust mv "$out_deb" "$zfs_pkg"
done
}

function update_upstream() {
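Review bot: The md5sums subshell `( cd "$temp_dir"` has no guard on the cd, so if it fails the `: > DEBIAN/md5sums` truncation and the `find . -type f` loop run against the caller's working directory rather than the unpacked package, and the subshell's exit status is never examined; use `( cd "$temp_dir" || exit 1` and append `) || exit 1` to the closing paren (the same construct appears in packages/connstat/config.sh and default-package-config.sh). The unpacked tree in `$temp_dir` is never removed, so every signed package leaves a full copy of its contents under /var/tmp; add `logmust rm -rf -- "${temp_dir:?}"` after the final `mv`. `zfs=$(find $temp_dir -type f -name zfs.ko)` and the spl line are likewise unchecked, so a missing or duplicated module yields an empty or multi-word argument to kmodsign rather than a clear failure. build() starts outside the hunk; the `function update_upstream() {` line at the end is context.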
3 changes: 3 additions & 0 deletions resources/delphix_kernel_annotations
Expand Up @@ -2,6 +2,9 @@
# FORMAT: 4
# ARCH: amd64
# FLAVOUR: amd64-aws amd64-azure amd64-generic amd64-gcp amd64-oracle
#
CONFIG_MODULE_SIG_KEY policy<{'amd64': '"/var/tmp/sbkeys/signing_key.pem"'}>
CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'y', 'arm64': 'y'}>

#
# Disable various "net" modules which we don't use.
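Review bot: `CONFIG_MODULE_SIG_FORCE` is given an `'arm64': 'y'` policy while the file's `# ARCH: amd64` header and the new `CONFIG_MODULE_SIG_KEY` entry cover amd64 only, so the two new options disagree about which architectures they apply to; either drop the arm64 entry or add the matching key policy for arm64. The entries would also benefit from a comment explaining the coupling with the rest of this PR, e.g. `# MODULE_SIG_FORCE: the kernel refuses to load any module not signed with the key below, so every out-of-tree module package (zfs, connstat) must be signed before install` placed on the `#` line above them, assuming the annotations format treats `#` lines as comments as the surrounding header lines suggest. The key path is hard-coded to `/var/tmp/sbkeys/signing_key.pem` and must stay in step with `SB_KEYS_DIR` in default-package-config.sh; a comment cross-referencing that variable would make the dependency visible.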