packages/kernel
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update signature for vmlinux and module

Browse Source 
Support generating module/kernel signature with openEuler signature
platform:
1. Insert openEuler kernel certificate into trusted keyring.
2. Sign kernel modules and kernel image with openEuler signature
platform when the RPM macro openEuler_sign_rsa is set.

Signed-off-by: Jin Lun <jinlun@huawei.com>
This commit is contained in:
jinlun 2024-04-02 11:30:19 +08:00
parent 7b23e406d6
commit 7eb6754956
3 changed files with 97 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
kernel.spec
View File

@ -25,7 +25,7 @@
%global upstream_sublevel 0 %global upstream_sublevel 0
%global devel_release 15 %global devel_release 15
%global maintenance_release .0.0 %global maintenance_release .0.0
%global pkg_release .13 %global pkg_release .14
%define with_debuginfo 1 %define with_debuginfo 1
# Do not recompute the build-id of vmlinux in find-debuginfo.sh # Do not recompute the build-id of vmlinux in find-debuginfo.sh
@ -69,6 +69,11 @@ Source12: extra_certificates
Source13: RPM-GPG-KEY-openEuler-compass-ci Source13: RPM-GPG-KEY-openEuler-compass-ci
Source14: process_pgp_certs.sh Source14: process_pgp_certs.sh
%if 0%{?openEuler_sign_rsa}
Source15: openeuler_kernel_cert.cer
Source16: sign-modules-openeuler
%endif
%if 0%{?with_kabichk} %if 0%{?with_kabichk}
Source18: check-kabi Source18: check-kabi
Source20: Module.kabi_aarch64 Source20: Module.kabi_aarch64
@ -116,10 +121,6 @@ BuildRequires: rpm-build, elfutils
BuildRequires: numactl-devel python3-devel glibc-static python3-docutils BuildRequires: numactl-devel python3-devel glibc-static python3-docutils
BuildRequires: perl-generators perl(Carp) libunwind-devel gtk2-devel libbabeltrace-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel perl-devel BuildRequires: perl-generators perl(Carp) libunwind-devel gtk2-devel libbabeltrace-devel java-1.8.0-openjdk java-1.8.0-openjdk-devel perl-devel
%if 0%{?openEuler_sign_rsa}
BuildRequires: sign-openEuler
%endif
AutoReq: no AutoReq: no
AutoProv: yes AutoProv: yes
@ -394,6 +395,14 @@ sed -i 's/# CONFIG_LTO_CLANG_FULL is not set/CONFIG_LTO_CLANG_FULL=y/' .config
sed -i 's/CONFIG_LTO_NONE=y/# CONFIG_LTO_NONE is not set/' .config sed -i 's/CONFIG_LTO_NONE=y/# CONFIG_LTO_NONE is not set/' .config
%endif %endif
%if 0%{?openEuler_sign_rsa}
cp %{SOURCE15} ./certs/openeuler-cert.pem
# close kernel native signature
sed -i 's/CONFIG_MODULE_SIG_KEY=.*$/CONFIG_MODULE_SIG_KEY=""/g' .config
sed -i 's/CONFIG_SYSTEM_TRUSTED_KEYS=.*$/CONFIG_SYSTEM_TRUSTED_KEYS="certs\/openeuler-cert.pem"/g' .config
sed -i 's/CONFIG_MODULE_SIG_ALL=y$/CONFIG_MODULE_SIG_ALL=n/g' .config
%endif
TargetImage=$(basename $(make -s image_name)) TargetImage=$(basename $(make -s image_name))
%{make} ARCH=%{Arch} $TargetImage %{?_smp_mflags} %{make} ARCH=%{Arch} $TargetImage %{?_smp_mflags}
@ -522,14 +531,16 @@ install -m 755 $(make -s image_name) $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
echo "start sign" echo "start sign"
%ifarch %arm aarch64 %ifarch %arm aarch64
gunzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi gunzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi
mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
gzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} gzip -c $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip>$RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
rm -f $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip rm -f $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.unzip
%endif %endif
%ifarch x86_64 %ifarch x86_64
mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
/opt/sign-openEuler/client --config /opt/sign-openEuler/config.toml add --key-name default-x509ee --file-type efi-image --key-type x509ee --sign-type authenticode $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi sh /usr/lib/rpm/brp-ebs-sign --efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi.sig $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi
mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer} mv $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}.efi $RPM_BUILD_ROOT/boot/vmlinuz-%{KernelVer}
%endif %endif
%endif %endif
@ -614,6 +625,15 @@ popd
find $RPM_BUILD_ROOT/lib/modules/ -type f -name '*.ko' | xargs -n1 -P`nproc --all` xz; \ find $RPM_BUILD_ROOT/lib/modules/ -type f -name '*.ko' | xargs -n1 -P`nproc --all` xz; \
%{nil} %{nil}
%if 0%{?openEuler_sign_rsa}
%define __modsign_install_post \
if [ "%{with_signmodules}" -eq "1" ];then \
sh %{SOURCE16} $RPM_BUILD_ROOT/lib/modules/%{KernelVer} || exit 1 \
fi \
find $RPM_BUILD_ROOT/lib/modules/ -type f -name '*.ko' | xargs -n1 -P`nproc --all` xz; \
%{nil}
%endif
# deal with header # deal with header
%{make} ARCH=%{Arch} INSTALL_HDR_PATH=$RPM_BUILD_ROOT/usr KBUILD_SRC= headers_install %{make} ARCH=%{Arch} INSTALL_HDR_PATH=$RPM_BUILD_ROOT/usr KBUILD_SRC= headers_install
find $RPM_BUILD_ROOT/usr/include -name "\.*" -exec rm -rf {} \; find $RPM_BUILD_ROOT/usr/include -name "\.*" -exec rm -rf {} \;
@ -978,6 +998,9 @@ fi
%endif %endif
%changelog %changelog
* Tue Apr 2 2024 Jin Lun <jinlun@huawei.com> - 6.6.0-15.0.0.14
- Support generating moudle/kernel signature with openEuler signature platform
* Sat Mar 30 2024 Liu Jian <liujian56@huawei.com> - 6.6.0-15.0.0.13 * Sat Mar 30 2024 Liu Jian <liujian56@huawei.com> - 6.6.0-15.0.0.13
- And net-acc tool to kernel-tools. - And net-acc tool to kernel-tools.

35
openeuler_kernel_cert.cer Normal file
View File

@ -0,0 +1,35 @@
-----BEGIN CERTIFICATE-----
MIIGDzCCA/egAwIBAgIRAKnq386vzCkrb//p0VpXwOEwDQYJKoZIhvcNAQELBQAw
ZTELMAkGA1UEAwwCQ0ExDjAMBgNVBAsMBUluZnJhMRIwEAYDVQQKDAlvcGVuRXVs
ZXIxETAPBgNVBAcMCFNoZW5aaGVuMRIwEAYDVQQIDAlHdWFuZ0RvbmcxCzAJBgNV
BAYTAkNOMB4XDTI0MDMxMjAyNDMzMVoXDTM0MDIyODAyNDMzMVoweTEfMB0GA1UE
AwwWb3BlbkV1bGVyIGtlcm5lbCBJQ0EgMTEOMAwGA1UECwwFSW5mcmExEjAQBgNV
BAoMCW9wZW5FdWxlcjERMA8GA1UEBwwIU2hlblpoZW4xEjAQBgNVBAgMCUd1YW5n
RG9uZzELMAkGA1UEBhMCQ04wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCuGUP8/b1zxFAGV/3Vj/1B40SY9vnmkb8Kk+F8tRUEB1k36WxnxTQ3REb70ViM
Y69L0ITzyC4qwmyEjvEyKF5/H13q0u7f6jwrBxD6J3yaePY7W60NlzO1XB5n0Ul0
Q4FSzjLEXpL9dEcdvVHQX7DCdCxHguOf02UCrbS+QGY4ZqV4joESCo7dxn7Dpe89
nNlvaoB/lJ2zTyk7L4/iv7nhRDpt1anI08yOYVxhf37fVeYD8YL4NnES7RvQWANA
VEe0/UYukO14xhD27NrmYX1u96FCOtThH8GuuPqHC1Pd9hWdlHRnLXNC6JOaBPkF
cIdwMoRiC1pryKUH5dJCFrtfN8906rq9A63eA0OMAwJ+DCotgm4qzeSUVYWrA/DM
5ZpAqnKp55MkOHif32jtFzNfplNN9QzcTHe9eSAUClhPtPbWbQ1U1K9EPQblbrNy
y1o+/WH5zYomLc5fnvSmiAY92YLS0i0IkLwWc/sEKV7KmYqxdUU7pSadwNR1xRyz
7f5iWV7biWdluHBeGmVYQaMia/OJ03Gslt/lRKk4GoUdnqi0LzpTK+2fwFZfDpC1
GyFt8d7WoDUI8E5IeGqdVFQj1rYr5mlH83bacWw9AGWsuTbgoxuOhhg8WKKorZcs
Nj9DULBbKlS+aAc86aBGIc+W6AarU1tPrPtq9ZupsNaLgwIDAQABo4GlMIGiMBIG
A1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJC7Z+tLV+tiv2+Gfk9WvU4Z59BB
MB8GA1UdIwQYMBaAFB4bqpJoNc3ZSRnUM8NEAaLl9T35MA4GA1UdDwEB/wQEAwIB
hjApBglghkgBhvhCAQ0EHBYaU2lnbmF0cnVzdCBJbnRlcm1lZGlhdGUgQ0EwEQYJ
YIZIAYb4QgEBBAQDAgABMA0GCSqGSIb3DQEBCwUAA4ICAQBDICG0Jjcjt+aKxE0E
TK0sdl0CE0e8O/8wY5DWNkU79g2+LqU6T4g0JAV41lR/tFtrth+kP/S1H1FS50fe
xIiWN+/RbcyB1QgOKnCWzutsozqPryKtl0dBLcD/KJepH89thWSTtCNPlCwsP10d
VDeNEwpvLw9R7Uedl5WbXdfcv8up9g9UC0mCDAUUGonAl+1Q3fmOtfwSYd3MvslR
sSda83kfYrMZY9av4MgyV4IyRAi97wvFY14jPjevZEr7Hfg67t85kiEthSFH5z0/
v8U/pJ1d/HuIf9Sz+FbTeZM13OttdBlPvqw+N3oVCWuomC00DDQoznKySfd+pHEz
PInSb3IQcAhQY0gTc+GILd0FQpahb7WCXjd3xs1S/oNsHgfjEFif80c4nG/GDVpk
vIKwSxxGQ6GfGLw/VTOwRUta4n5WNzdIsPRi/tEz7Dpn0ay9IEh1q+sl2yLAxMUQ
xUrEYKz1izPYgWAzUKZ3NXtCFRLhBvowj5REJXs6xIthOrDpa1Qfx5Q18pMfc+qW
kEBLiNqEDYe2aBiWaTZKL39U9M8i3ND4JMQODgEiUrZLhACKLa6r2Vs8y61dMMs4
ATKSZtuzfPaE7b+oKv/f47jvzG0BJM+mq0rC9A9hElztDSNfLnLgh9OJ3jHM7caF
/V6mKr3gR8aQytJy+1JBXKzjyw==
-----END CERTIFICATE-----

32
sign-modules-openeuler Normal file
View File

@ -0,0 +1,32 @@
#! /bin/bash
sign_module()
{
sh /usr/lib/rpm/brp-ebs-sign --module $1 &> /dev/null
mv $1.sig $1
}
sign_module_list()
{
IFS=$'\n'
for m in $1; do
sign_module $m &
done
wait
}
moddir=$1
find $moddir -name *.ko > module_openeuler_unsign.list
row_num=`wc -l module_openeuler_unsign.list | awk '{print $1}'`
for((i=1;i<$row_num;i+=10)); do
IFS=""
sign_module_list $(sed -n "$i,$((i+9))p" module_openeuler_unsign.list)
done
RANDOMMOD=$(find $moddir -type f -name '*.ko' | sort -R | tail -n 1)
if [ "~Module signature appended~" != "$(tail -c 28 $RANDOMMOD)" ]; then
echo "*** Modules are unsigned! ***"
exit 1
fi
exit 0