Enable signature verification of kexec kernel and use new Mariner Trusted Base CA in trusted keyring #10961
Signed-off-by: Chris Co <[email protected]>
We still leave in the older certificate for the time being, until we switch fully to the new azurelinux CA.
Signed-off-by: Chris Co <[email protected]>
Remove the old CBL-Mariner Secureboot .pem in favor of only having the new azurelinux-ca-20230216.pem. This new key should appear as "Microsoft Corporation: Mariner Trusted Base RSA Code Signing CA" in the keyring.
Added new commit to replace the old key completely rather than appending to it.
Verification steps:
New BuddyBuild with removing the old key
Tests performed
- copied kernel-6.6.57.1-3 rpm from buddybuild to both arm and x86
- copied an unsigned vmlinuz-6.6.35.1-5.azl3, a signed arm vmlinuz-6.6.57.1-3.azl3 and a signed x86 vmlinuz-6.6.57.1-1000.azl3
- installed "kexec-tools" and "keyutils"
- confirmed only 2 keys in keyring: autogenerated and Mariner Trusted Base RSA
- confirmed can only `kexec --load` the signed image
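An added posture check, not code from the PR or the Azure Linux project, that mirrors the verification steps above: it reads the kexec-related options from a kernel config and the key names from `keyctl list %:.builtin_trusted_keys` output, reporting whether signature checking is forced or merely opportunistic and whether the Mariner Trusted Base CA is present. Both inputs are constructed samples and the function names are mine.

```shell
#!/bin/sh
# Added posture check (not code from the PR). Inputs are constructed samples
# in the shape of a kernel .config and of `keyctl list %:.builtin_trusted_keys`.

SAMPLE_CONFIG='CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
CONFIG_SIGNED_PE_FILE_VERIFICATION=y'

SAMPLE_KEYRING='2 keys in keyring:
100000001: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 0000constructed0000
100000002: ---lswrv     0     0 asymmetric: Microsoft Corporation: Mariner Trusted Base RSA Code Signing CA: 0000constructed0001'

# config_is_set NAME CONFIG_TEXT: succeeds when the option is built in (=y).
config_is_set() {
    printf '%s\n' "$2" | grep -qx "$1=y"
}

# kexec_sig_mode CONFIG_TEXT: prints forced, opportunistic or off.
# "opportunistic" is this PR's state: KEXEC_SIG without KEXEC_SIG_FORCE, so a
# signature is checked only when present and an unsigned image has to be
# refused by another layer (the IMA appraisal policy the PR description cites).
kexec_sig_mode() {
    if ! config_is_set CONFIG_KEXEC_SIG "$1"; then echo off
    elif config_is_set CONFIG_KEXEC_SIG_FORCE "$1"; then echo forced
    else echo opportunistic
    fi
}

# pe_verify_ready CONFIG_TEXT: succeeds when the x86 bzImage check and the
# PE/Authenticode parser it depends on are both built in.
pe_verify_ready() {
    config_is_set CONFIG_SIGNED_PE_FILE_VERIFICATION "$1" &&
        config_is_set CONFIG_KEXEC_BZIMAGE_VERIFY_SIG "$1"
}

# count_keys KEYRING_TEXT: number of asymmetric keys in the listing.
count_keys() {
    printf '%s\n' "$1" | grep -c ' asymmetric: '
}

# keyring_has_ca KEYRING_TEXT: succeeds when the new CA is in the keyring.
keyring_has_ca() {
    printf '%s\n' "$1" | grep -q 'Mariner Trusted Base RSA Code Signing CA'
}

# Live use: kexec_sig_mode "$(cat /boot/config-"$(uname -r)")"
#           keyring_has_ca "$(keyctl list %:.builtin_trusted_keys)"
```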
@@ -296,7 +296,9 @@ CONFIG_KEXEC_CORE=y | |||
CONFIG_HAVE_IMA_KEXEC=y | |||
# CONFIG_KEXEC is not set | |||
CONFIG_KEXEC_FILE=y | |||
# CONFIG_KEXEC_SIG is not set | |||
CONFIG_KEXEC_SIG=y |
@@ -296,7 +296,9 @@ CONFIG_KEXEC_CORE=y | |||
CONFIG_HAVE_IMA_KEXEC=y | |||
# CONFIG_KEXEC is not set | |||
CONFIG_KEXEC_FILE=y | |||
# CONFIG_KEXEC_SIG is not set | |||
CONFIG_KEXEC_SIG=y | |||
# CONFIG_KEXEC_SIG_FORCE is not set |
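Review bot: the last two lines of this hunk enable CONFIG_KEXEC_SIG while leaving CONFIG_KEXEC_SIG_FORCE unset, so the kernel verifies an image only when it carries a signature and an unsigned image is still accepted by this code path unless another layer refuses it. The PR description says unsigned kexec is currently blocked by the IMA appraisal policy from commit 3e0884c, so the commit message should state explicitly that rejection of unsigned images continues to rest on that policy rather than on this config change, and name the layer that produced the "can only kexec --load the signed image" result in the test notes.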
Only available on x86: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/blob/rolling-lts/mariner-3/6.6.57.1/arch/x86/Kconfig#L2038
Requires that signatures ALWAYS be checked. KEXEC_SIG only checks when a signature is present
(Note not supported on arm64: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/blob/rolling-lts/mariner-3/6.6.57.1/arch/arm64/Kconfig)
Clarification: for this PR we are simply enabling kexec signature validation as an option and not forcing for now
@@ -7697,7 +7699,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y | |||
# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set | |||
CONFIG_PKCS7_MESSAGE_PARSER=y | |||
# CONFIG_PKCS7_TEST_KEY is not set | |||
# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set | |||
CONFIG_SIGNED_PE_FILE_VERIFICATION=y |
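Review bot: the commit message should say why CONFIG_SIGNED_PE_FILE_VERIFICATION is flipped on here: it is the PE/Authenticode parser that CONFIG_KEXEC_BZIMAGE_VERIFY_SIG depends on, and it is what lets the kexec path check that the signature on the PE-format kernel chains to a certificate in the kernel's trusted keyring (the Mariner Trusted Base CA this PR adds). Without that sentence the change reads as an unrelated crypto option.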
# CONFIG_KEXEC_SIG is not set | ||
CONFIG_KEXEC_SIG=y | ||
# CONFIG_KEXEC_SIG_FORCE is not set | ||
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y |
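Review bot: CONFIG_KEXEC_BZIMAGE_VERIFY_SIG on the last line covers only the x86 bzImage, yet the test notes report verification of a signed arm64 image (vmlinuz-6.6.57.1-3.azl3 on arm). The arm64 counterpart, CONFIG_KEXEC_IMAGE_VERIFY_SIG, is not visible in this diff; if it lives in a separate arm64 config change, reference that change in the PR description so the arm64 test result is tied to a config line a reviewer can see.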
The new .pem is aligned with the changes in the upcoming Shim 15.8 release: #10995
And the required updates to our pipeline: https://dev.azure.com/mariner-org/mariner/_git/CBL-Mariner-Pipelines/pullRequest/21027#1732229328
Approving as the initial changes look good but will get more eyes as I also updated the key in this PR :)
Summary
Currently, kexec and features that utilize kexec like kdump are blocked from executing due to IMA appraisal runtime policies introduced in commit 3e0884c. However, since we utilize Secure Boot PE verification of the kernel, the expectation should be that our official signed kernels are verified by a key that is trusted in the kernel's trusted keyring.
So this change enables signature verification of the kexec kernel, utilizing the PE file signature verification method to verify the kernel is signed by an X.509 cert in the kernel keyring, and appends our updated Azure Linux (aka Mariner) Trusted Base CA into the kernel's trusted keyring.
Signed-off-by: Chris Co [email protected]
Does this affect the toolchain?
YES
Associated issues
Test Methodology