From 79684606b5e2513d681559211079abfbf81858f1 Mon Sep 17 00:00:00 2001 From: Can Wong Date: Fri, 20 Mar 2026 10:45:37 -0500 Subject: [PATCH] Secure Boot Implementation --- classes/grub-uefi-sign.bbclass | 91 +++++++ classes/kernel-uefi-sign.bbclass | 91 +++++++ conf/distro/REMOTE-SIGNING.md | 197 ++++++++++++++ conf/distro/nilrt.inc | 3 + conf/distro/remote-signing-example.conf | 45 ++++ conf/distro/remote-signing.inc | 38 +++ conf/distro/secureboot.inc | 114 ++++++++ conf/templates/default/bblayers.conf.sample | 1 + recipes-bsp/grub/grub-efi_2.%.bbappend | 3 + .../uefi-signing/files/remote-sign-efi.py | 245 ++++++++++++++++++ .../uefi-signing/uefi-remote-signing_1.0.bb | 17 ++ recipes-core/images/nilrt-runmode-rootfs.bb | 11 + recipes-core/images/nilrt-safemode-rootfs.bb | 21 +- recipes-core/images/rauc/nilrt-base-image.bb | 3 + recipes-kernel/linux/linux-nilrt%.bbappend | 7 + recipes-kernel/linux/linux-nilrt-ima.inc | 18 ++ recipes-kernel/linux/linux-nilrt.inc | 3 + .../linux/linux-nilrt/features/ima/ima.cfg | 8 + .../linux/linux-nilrt/features/ima/ima.scc | 4 + 19 files changed, 917 insertions(+), 3 deletions(-) create mode 100644 classes/grub-uefi-sign.bbclass create mode 100644 classes/kernel-uefi-sign.bbclass create mode 100644 conf/distro/REMOTE-SIGNING.md create mode 100644 conf/distro/remote-signing-example.conf create mode 100644 conf/distro/remote-signing.inc create mode 100644 conf/distro/secureboot.inc create mode 100644 recipes-bsp/uefi-signing/files/remote-sign-efi.py create mode 100644 recipes-bsp/uefi-signing/uefi-remote-signing_1.0.bb create mode 100644 recipes-kernel/linux/linux-nilrt%.bbappend create mode 100644 recipes-kernel/linux/linux-nilrt-ima.inc create mode 100644 recipes-kernel/linux/linux-nilrt/features/ima/ima.cfg create mode 100644 recipes-kernel/linux/linux-nilrt/features/ima/ima.scc diff --git a/classes/grub-uefi-sign.bbclass b/classes/grub-uefi-sign.bbclass new file mode 100644 index 000000000..dad3ea410 --- /dev/null 
+++ b/classes/grub-uefi-sign.bbclass 
@@ -0,0 +1,91 @@ +# Class for signing GRUB EFI binaries for UEFI Secure Boot +# Supports both local signing (with sbsign) and remote signing via secure server + +# Sign GRUB EFI binaries after they're installed +do_sign_grub() { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'true', 'false', d)}" = "true" ]; then + + # Sign both the default GRUB image and the NILRT-specific image + for GRUB_UNSIGNED in "${D}/boot/efi/EFI/BOOT/${GRUB_IMAGE}" "${D}/boot/efi/nilrt/${GRUB_IMAGE}"; do + if [ ! -f "${GRUB_UNSIGNED}" ]; then + bbnote "GRUB image not found: ${GRUB_UNSIGNED}, skipping" + continue + fi + + GRUB_SIGNED="${GRUB_UNSIGNED}.signed" + + # Check if remote signing is enabled + if [ "${UEFI_REMOTE_SIGNING}" = "1" ]; then + bbnote "Using remote signing server for GRUB image: ${GRUB_UNSIGNED}" + + if [ -z "${UEFI_SIGNING_SERVER_URL}" ]; then + bbfatal "UEFI_REMOTE_SIGNING is enabled but UEFI_SIGNING_SERVER_URL is not set" + fi + + # Build remote-sign-efi command + REMOTE_SIGN_CMD="remote-sign-efi" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD '${GRUB_UNSIGNED}' '${GRUB_SIGNED}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --server-url '${UEFI_SIGNING_SERVER_URL}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --auth-method '${UEFI_SIGNING_AUTH_METHOD}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --component-type 'grub'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --timeout '${UEFI_SIGNING_TIMEOUT}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --retries '${UEFI_SIGNING_RETRIES}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --retry-delay '${UEFI_SIGNING_RETRY_DELAY}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --verify '${UEFI_VERIFY_SIGNED}'" + + if [ "${UEFI_SIGNING_AUTH_METHOD}" = "token" ] && [ -n "${UEFI_SIGNING_AUTH_TOKEN}" ]; then + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --auth-token '${UEFI_SIGNING_AUTH_TOKEN}'" + fi + + if [ "${UEFI_SIGNING_AUTH_METHOD}" = "cert" ]; then + if [ -n "${UEFI_SIGNING_CLIENT_CERT}" ]; then + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --client-cert '${UEFI_SIGNING_CLIENT_CERT}'" + fi + if [ 
-n "${UEFI_SIGNING_CLIENT_KEY}" ]; then + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --client-key '${UEFI_SIGNING_CLIENT_KEY}'" + fi + fi + + bbnote "Signing GRUB remotely: $(basename ${GRUB_UNSIGNED})" + eval $REMOTE_SIGN_CMD + + if [ $? -eq 0 ]; then + bbnote "GRUB signed successfully via remote server: $(basename ${GRUB_SIGNED})" + # Replace unsigned with signed + mv "${GRUB_SIGNED}" "${GRUB_UNSIGNED}" + else + bbfatal "Failed to sign GRUB image via remote server: ${GRUB_UNSIGNED}" + fi + + else + # Local signing with sbsign + bbnote "Using local signing with sbsign for GRUB image" + + if [ ! -f "${UEFI_SB_DB_KEY}" ] || [ ! -f "${UEFI_SB_DB_CERT}" ]; then + bbwarn "UEFI Secure Boot is enabled but keys are not found:" + bbwarn " Key: ${UEFI_SB_DB_KEY}" + bbwarn " Cert: ${UEFI_SB_DB_CERT}" + bbwarn "GRUB will not be signed. Set UEFI_REMOTE_SIGNING=1 to use remote signing." + return + fi + + bbnote "Signing GRUB image ${GRUB_UNSIGNED} for UEFI Secure Boot" + sbsign --key "${UEFI_SB_DB_KEY}" \ + --cert "${UEFI_SB_DB_CERT}" \ + --output "${GRUB_SIGNED}" \ + "${GRUB_UNSIGNED}" + + if [ $? -eq 0 ]; then + bbnote "GRUB signed successfully: $(basename ${GRUB_SIGNED})" + # Replace unsigned with signed + mv "${GRUB_SIGNED}" "${GRUB_UNSIGNED}" + else + bbfatal "Failed to sign GRUB image with sbsign: ${GRUB_UNSIGNED}" + fi + fi + done + fi +} + +do_sign_grub[depends] += "${@bb.utils.contains('UEFI_REMOTE_SIGNING', '1', 'uefi-remote-signing-native:do_populate_sysroot', '', d)}" +addtask sign_grub after do_install before do_populate_sysroot do_package diff --git a/classes/kernel-uefi-sign.bbclass b/classes/kernel-uefi-sign.bbclass new file mode 100644 index 000000000..7eb7a0b46 --- /dev/null +++ b/classes/kernel-uefi-sign.bbclass 
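Review bot: The `if [ $? -eq 0 ]` tests after `eval $REMOTE_SIGN_CMD` and after the `sbsign` call are dead code, because BitBake writes `set -e` into every shell task's run script, so a failing signer aborts the task before the `bbfatal` diagnostic is reached; test the command directly (`if eval …; then` / `if sbsign …; then`). Assembling the command as one single-quoted string and `eval`ing it also breaks, and can inject extra words, as soon as a path, URL or token contains a `'`; under the POSIX sh these functions run in, `set -- …` carries the argument list safely. Passing the bearer token as `--auth-token` puts it on the command line, where it is visible in `ps` and in the generated `temp/run.do_sign_grub.*` script (and in the task log when verbose logging enables tracing); letting the client read it from a file path or the environment would keep the secret out of argv. Note too that missing local keys only `bbwarn` and `return`, so the build completes with an unsigned GRUB, and neither `sbsign` nor `sbverify` has a declared `[depends]` entry (e.g. `sbsigntool-native:do_populate_sysroot`, if that recipe is in the layer set), so the task silently relies on the host's copy. The same four points apply to the kernel-uefi-sign.bbclass hunk.
```shell
# … unchanged: DISTRO_FEATURES check, for loop, remote-signing and URL checks …
set -- "${GRUB_UNSIGNED}" "${GRUB_SIGNED}" \
    --server-url "${UEFI_SIGNING_SERVER_URL}" \
    --auth-method "${UEFI_SIGNING_AUTH_METHOD}" \
    --component-type grub \
    --timeout "${UEFI_SIGNING_TIMEOUT}" \
    --retries "${UEFI_SIGNING_RETRIES}" \
    --retry-delay "${UEFI_SIGNING_RETRY_DELAY}" \
    --verify "${UEFI_VERIFY_SIGNED}"
# NOTE(review): token stays on argv only until the client can take a file/env source
if [ "${UEFI_SIGNING_AUTH_METHOD}" = "token" ] && [ -n "${UEFI_SIGNING_AUTH_TOKEN}" ]; then
    set -- "$@" --auth-token "${UEFI_SIGNING_AUTH_TOKEN}"
fi
if [ "${UEFI_SIGNING_AUTH_METHOD}" = "cert" ]; then
    [ -z "${UEFI_SIGNING_CLIENT_CERT}" ] || set -- "$@" --client-cert "${UEFI_SIGNING_CLIENT_CERT}"
    [ -z "${UEFI_SIGNING_CLIENT_KEY}" ] || set -- "$@" --client-key "${UEFI_SIGNING_CLIENT_KEY}"
fi
bbnote "Signing GRUB remotely: $(basename "${GRUB_UNSIGNED}")"
# Test the command itself: under set -e a later "$?" check is never reached on failure
if remote-sign-efi "$@"; then
    bbnote "GRUB signed successfully via remote server: $(basename "${GRUB_SIGNED}")"
    mv "${GRUB_SIGNED}" "${GRUB_UNSIGNED}"
else
    bbfatal "Failed to sign GRUB image via remote server: ${GRUB_UNSIGNED}"
fi
# … unchanged: local sbsign branch, rewritten to the same "if sbsign …; then" form …
```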
@@ -0,0 +1,91 @@ +# Class for signing kernel images for UEFI Secure Boot +# Supports both local signing (with sbsign) and remote signing via secure server + +# Sign the kernel image after it's built +do_sign_kernel() { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'true', 'false', d)}" = "true" ]; then + + UNSIGNED_KERNEL="${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}" + SIGNED_KERNEL="${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}.signed" + + # Check if remote signing is enabled + if [ "${UEFI_REMOTE_SIGNING}" = "1" ]; then + bbnote "Using remote signing server for kernel image" + + if [ -z "${UEFI_SIGNING_SERVER_URL}" ]; then + bbfatal "UEFI_REMOTE_SIGNING is enabled but UEFI_SIGNING_SERVER_URL is not set" + fi + + # Build remote-sign-efi command + REMOTE_SIGN_CMD="remote-sign-efi" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD '${UNSIGNED_KERNEL}' '${SIGNED_KERNEL}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --server-url '${UEFI_SIGNING_SERVER_URL}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --auth-method '${UEFI_SIGNING_AUTH_METHOD}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --component-type '${UEFI_COMPONENT_TYPE}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --timeout '${UEFI_SIGNING_TIMEOUT}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --retries '${UEFI_SIGNING_RETRIES}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --retry-delay '${UEFI_SIGNING_RETRY_DELAY}'" + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --verify '${UEFI_VERIFY_SIGNED}'" + + if [ "${UEFI_SIGNING_AUTH_METHOD}" = "token" ] && [ -n "${UEFI_SIGNING_AUTH_TOKEN}" ]; then + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --auth-token '${UEFI_SIGNING_AUTH_TOKEN}'" + fi + + if [ "${UEFI_SIGNING_AUTH_METHOD}" = "cert" ]; then + if [ -n "${UEFI_SIGNING_CLIENT_CERT}" ]; then + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --client-cert '${UEFI_SIGNING_CLIENT_CERT}'" + fi + if [ -n "${UEFI_SIGNING_CLIENT_KEY}" ]; then + REMOTE_SIGN_CMD="$REMOTE_SIGN_CMD --client-key '${UEFI_SIGNING_CLIENT_KEY}'" + fi + fi + + bbnote "Signing kernel remotely: ${KERNEL_IMAGETYPE}" + eval 
$REMOTE_SIGN_CMD + + if [ $? -eq 0 ]; then + bbnote "Kernel signed successfully via remote server: ${KERNEL_IMAGETYPE}.signed" + else + bbfatal "Failed to sign kernel image via remote server" + fi + + else + # Local signing with sbsign + bbnote "Using local signing with sbsign for kernel image" + + if ! PSEUDO_UNLOAD=1 test -f "${UEFI_SB_DB_KEY}" || ! PSEUDO_UNLOAD=1 test -f "${UEFI_SB_DB_CERT}"; then + bbwarn "UEFI Secure Boot is enabled but keys are not found:" + bbwarn " Key: ${UEFI_SB_DB_KEY}" + bbwarn " Cert: ${UEFI_SB_DB_CERT}" + bbwarn "Kernel will not be signed. Set UEFI_REMOTE_SIGNING=1 to use remote signing." + return + fi + + bbnote "Signing kernel image ${UNSIGNED_KERNEL} for UEFI Secure Boot" + PSEUDO_UNLOAD=1 sbsign --key "${UEFI_SB_DB_KEY}" \ + --cert "${UEFI_SB_DB_CERT}" \ + --output "${SIGNED_KERNEL}" \ + "${UNSIGNED_KERNEL}" + + if [ $? -eq 0 ]; then + bbnote "Kernel signed successfully: ${KERNEL_IMAGETYPE}.signed" + else + bbfatal "Failed to sign kernel image with sbsign" + fi + fi + fi +} + +do_sign_kernel[depends] += "${@bb.utils.contains('UEFI_REMOTE_SIGNING', '1', 'uefi-remote-signing-native:do_populate_sysroot', '', d)}" +addtask sign_kernel after do_bundle_initramfs before do_deploy + +# Deploy the signed kernel +do_deploy:append() { + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'true', 'false', d)}" = "true" ]; then + if [ -f "${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}.signed" ]; then + install -m 0644 "${KERNEL_OUTPUT_DIR}/${KERNEL_IMAGETYPE}.signed" \ + "${DEPLOYDIR}/${KERNEL_IMAGETYPE}.signed" + bbnote "Deployed signed kernel: ${DEPLOYDIR}/${KERNEL_IMAGETYPE}.signed" + fi + fi +} diff --git a/conf/distro/REMOTE-SIGNING.md b/conf/distro/REMOTE-SIGNING.md new file mode 100644 index 000000000..9c872f8ad --- /dev/null +++ b/conf/distro/REMOTE-SIGNING.md 
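Review bot: `${UEFI_SIGNING_AUTH_TOKEN}` is expanded inside the body of `do_sign_kernel`, which makes the secret one of the task's signature inputs: BitBake records referenced variable values in the task's sigdata/siginfo files next to the run script, and every token rotation changes the hash and forces the kernel to be re-signed. Add `do_sign_kernel[vardepsexclude] += "UEFI_SIGNING_AUTH_TOKEN"` (and the same flag on `do_sign_grub`), and longer term hand the client a path to a token file instead of the token value so the secret never enters the datastore at all. Unlike the GRUB class, this one keeps the result only as `${KERNEL_IMAGETYPE}.signed` in `${DEPLOYDIR}` while the stock do_deploy still publishes the unsigned `${KERNEL_IMAGETYPE}`, so any consumer that does not know the `.signed` name quietly gets the unsigned image; a comment on the `addtask sign_kernel` line stating that the image recipes are expected to pick up `bzImage.signed` would make that contract explicit. The `set -e` dead-branch and `eval` quoting issues raised on the grub-uefi-sign.bbclass hunk apply here unchanged.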
@@ -0,0 +1,197 @@ +# Remote Signing for UEFI Secure Boot + +This document describes how to configure NILRT builds to use a remote signing server for UEFI Secure Boot components. + +## Overview + +Remote signing is the **recommended approach for production** because: +- Private keys never leave the secure signing server +- Reduces attack surface on build infrastructure +- Enables centralized key management and auditing +- Supports HSM (Hardware Security Module) backed signing + +## Architecture + +``` +┌─────────────┐ ┌──────────────────┐ +│ Bitbake │ │ Signing Server │ +│ Build │ │ (Secure HSM) │ +├─────────────┤ ├──────────────────┤ +│ │ │ │ +│ 1. Build │ │ - Private Keys │ +│ bzImage │ │ - HSM Storage │ +│ │ │ - Audit Logs │ +│ 2. Send ──────────────────────> 3. Sign with │ +│ unsigned │ HTTPS/TLS │ UEFI keys │ +│ │ │ │ +│ 4. Receive <────────────────── 5. Return │ +│ signed │ │ signed │ +│ │ │ │ +│ 6. Deploy │ │ │ +│ to image │ │ │ +└─────────────┘ └──────────────────┘ +``` + +## Configuration + +### Step 1: Enable Remote Signing in Distro Config + +Add to `conf/distro/nilrt.conf`: + +```bitbake +require nilrt.inc +require secureboot.inc +require remote-signing.inc +``` + +### Step 2: Configure in local.conf + +Add to `build/conf/local.conf`: + +```bitbake +# Enable remote signing +UEFI_REMOTE_SIGNING = "1" + +# Signing server URL +UEFI_SIGNING_SERVER_URL = "https://signing-server.example.com/api/v1/sign" + +# Authentication +UEFI_SIGNING_AUTH_METHOD = "token" +UEFI_SIGNING_AUTH_TOKEN = "${@os.getenv('SIGNING_TOKEN', '')}" + +# Note: UEFI_COMPONENT_TYPE is automatically set by signing classes: +# - kernel-uefi-sign.bbclass sets it to "kernel" +# - grub-uefi-sign.bbclass sets it to "grub" +# You typically don't need to override this manually. +``` + +### Step 3: Set Authentication Token + +**Important:** Never commit tokens to version control! 
+ +```bash +# Set via environment variable +export SIGNING_TOKEN="your-secret-token-here" + +# Or store in a separate file +echo "your-secret-token" > ~/.signing-token +chmod 600 ~/.signing-token + +# Reference in local.conf +UEFI_SIGNING_AUTH_TOKEN = "${@open(os.path.expanduser('~/.signing-token')).read().strip()}" +``` + +### Step 4: Build + +```bash +bitbake nilrt-safemode-rootfs +``` + +The kernel will automatically be sent to the signing server and the signed version used in the image. + +## Signing Server API + +The signing server must implement this API: + +### Endpoint + +``` +POST /api/v1/sign +``` + +### Request + +Multipart form data with: +- `file`: Binary file to sign (bzImage, grubx64.efi, etc.) +- `metadata`: JSON with: + ```json + { + "component_type": "kernel", # or "grub" for bootloader + "filename": "bzImage", + "hash_algorithm": "sha256", + "unsigned_hash": "abc123..." + } + ``` + +### Authentication + +**Token-based:** +``` +Authorization: Bearer +``` + +**Certificate-based:** +- Client certificate verification via TLS + +### Response + +- **Success (200 OK)**: Binary signed file +- **Error (4xx/5xx)**: JSON error message + +## Configuration Variables + +| Variable | Default | Description | +|----------|---------|-------------| +| `UEFI_REMOTE_SIGNING` | `0` | Enable remote signing (1=yes, 0=no) | +| `UEFI_SIGNING_SERVER_URL` | `""` | Signing server endpoint URL | +| `UEFI_SIGNING_AUTH_METHOD` | `token` | Auth method: token, cert, or none | +| `UEFI_SIGNING_AUTH_TOKEN` | `""` | Bearer token for authentication | +| `UEFI_SIGNING_CLIENT_CERT` | `""` | Client certificate for cert auth | +| `UEFI_SIGNING_CLIENT_KEY` | `""` | Client key for cert auth | +| `UEFI_COMPONENT_TYPE` | `kernel` | Component identifier (auto-set by bbclass: "kernel" or "grub") | +| `UEFI_SIGNING_TIMEOUT` | `300` | Request timeout (seconds) | +| `UEFI_SIGNING_RETRIES` | `3` | Number of retry attempts | +| `UEFI_SIGNING_RETRY_DELAY` | `5` | Delay between retries (seconds) | +| 
`UEFI_VERIFY_SIGNED` | `1` | Verify signature after signing | + +## Security Best Practices + +1. **Use HTTPS**: Always use TLS for signing server communication +2. **Rotate Tokens**: Regularly rotate authentication tokens +3. **Audit Logs**: Enable server-side audit logging of all signing requests +4. **Network Isolation**: Place signing server in isolated network segment +5. **Rate Limiting**: Implement rate limiting on signing endpoint +6. **HSM Storage**: Store private keys in Hardware Security Module +7. **Access Control**: Restrict signing server access by IP/certificate + +## Troubleshooting + +### Build fails with "signing server timeout" +- Check network connectivity to signing server +- Increase `UEFI_SIGNING_TIMEOUT` +- Check signing server logs + +### Build fails with "authentication failed" +- Verify `UEFI_SIGNING_AUTH_TOKEN` is set correctly +- Check token hasn't expired +- Verify token has permissions for signing + +### Signed binary verification fails +- Check server is using correct signing key +- Verify certificate chain is valid +- Check `UEFI_SB_DB_CERT` matches server's signing certificate + +## Local Signing (Development Only) + +For development/testing, you can use local signing: + +```bitbake +# Disable remote signing +UEFI_REMOTE_SIGNING = "0" + +# Set local keys +UEFI_SB_DB_KEY = "/path/to/db.key" +UEFI_SB_DB_CERT = "/path/to/db.crt" +``` + +**Warning:** Local signing requires private keys on the build server. Only use for development! + +## Example Signing Server Implementation + +See `scripts/signing-server-example/` for a reference Flask-based signing server implementation. + +## See Also + +- [secureboot.inc](secureboot.inc) - Main secure boot configuration +- [remote-signing.inc](remote-signing.inc) - Remote signing variables +- [kernel-uefi-sign.bbclass](../../classes/kernel-uefi-sign.bbclass) - Kernel signing class diff --git a/conf/distro/nilrt.inc b/conf/distro/nilrt.inc index 4eea713c9..647e9b8f8 100644 
--- a/conf/distro/nilrt.inc +++ b/conf/distro/nilrt.inc @@ -20,6 +20,7 @@ DISTRO_FEATURES += "\ ptest \ selinux \ virtualization \ + uefi-secure-boot \ " # Enable TPM2 features for x64 architectures @@ -171,3 +172,5 @@ IPK_FEED_URIS += "\ NIOE-${TUNE_PKGARCH}##${NILRT_LOCAL_FEED_URI}/${TUNE_PKGARCH} \ NI-main-software##${NILRT_MACHINE_FEED_URI_nimain} \ " + +include ${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'secureboot.inc', '', d)} diff --git a/conf/distro/remote-signing-example.conf b/conf/distro/remote-signing-example.conf new file mode 100644 index 000000000..4ee383be1 --- /dev/null +++ b/conf/distro/remote-signing-example.conf 
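Review bot: `uefi-secure-boot` is added to `DISTRO_FEATURES` here for every architecture, while secureboot.inc deliberately appends it with the `:x64` override only, so the two files disagree about where the feature is on. If this distro file also serves non-x64 machines, as the `xilinx-zynq` overrides elsewhere in this diff suggest, those builds now carry the feature (and the image recipes key on it) without any signing support behind it. Apply the override here (`DISTRO_FEATURES:append:x64 = " uefi-secure-boot"`) or drop the duplicate in secureboot.inc so there is one source of truth.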
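Review bot: `include` succeeds silently when the named file is missing, so a misplaced or misspelled secureboot.inc would build without Secure Boot while the feature flag stays set; `require` gives a parse error instead, and it accepts an empty expansion, so `require ${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'secureboot.inc', '', d)}` keeps the conditional. Nothing in this hunk, nor in secureboot.inc, pulls in remote-signing.inc, yet the signing classes read `${UEFI_REMOTE_SIGNING}`, `${UEFI_SIGNING_TIMEOUT}` and the other `UEFI_SIGNING_*` variables that are only given defaults there; until a user adds the `require` the README leaves to them, those expand empty and remote signing can never be selected. Requiring remote-signing.inc alongside secureboot.inc (or from inside it) would close that gap.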
@@ -0,0 +1,45 @@ +# Example local.conf configuration for remote signing +# Copy these settings to your build/conf/local.conf and customize + +# ===================================================================== +# Remote Signing Configuration +# ===================================================================== + +# Enable remote signing (recommended for production) +UEFI_REMOTE_SIGNING = "1" + +# Signing server URL +# Replace with your actual signing server endpoint +UEFI_SIGNING_SERVER_URL = "https://signing-server.example.com/api/v1/sign" + +# Authentication method: "token", "cert", or "none" +UEFI_SIGNING_AUTH_METHOD = "token" + +# Authentication token (keep this secret!) +# DO NOT commit this to version control +# Set via environment variable or read from secret file +UEFI_SIGNING_AUTH_TOKEN = "${@os.getenv('SIGNING_TOKEN', '')}" + +# Alternative: Certificate-based authentication +# UEFI_SIGNING_AUTH_METHOD = "cert" +# UEFI_SIGNING_CLIENT_CERT = "/path/to/client-cert.pem" +# UEFI_SIGNING_CLIENT_KEY = "/path/to/client-key.pem" + +# Component type identifier +# This tells the signing server which key to use +UEFI_COMPONENT_TYPE = "nilrt-kernel" + +# Timeout and retry settings +UEFI_SIGNING_TIMEOUT = "300" +UEFI_SIGNING_RETRIES = "3" +UEFI_SIGNING_RETRY_DELAY = "5" + +# Verify signatures after signing +UEFI_VERIFY_SIGNED = "1" + +# ===================================================================== +# For development with local signing, set: +# ===================================================================== +# UEFI_REMOTE_SIGNING = "0" +# UEFI_SB_DB_KEY = "/path/to/db.key" +# UEFI_SB_DB_CERT = "/path/to/db.crt" diff --git a/conf/distro/remote-signing.inc b/conf/distro/remote-signing.inc new file mode 100644 index 000000000..d35829b41 --- /dev/null +++ b/conf/distro/remote-signing.inc 
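Review bot: `UEFI_COMPONENT_TYPE = "nilrt-kernel"` contradicts the accompanying documentation: REMOTE-SIGNING.md and remote-signing.inc say the classes set this value automatically to `kernel`/`grub`, but kernel-uefi-sign.bbclass only reads `${UEFI_COMPONENT_TYPE}` (grub-uefi-sign.bbclass hard-codes `grub`), so this hard assignment is exactly what every kernel signing request will carry, and a server that routes on the documented value `kernel` will refuse or mis-key it. Either drop the line (the `?=` default is already `kernel`) or replace the comment with `# Must match the key mapping configured on the signing server; kernel-uefi-sign.bbclass sends this value verbatim`. It is also worth saying next to the token line that the inline-Python `os.getenv(...)` result is expanded into the datastore like any literal, so it appears in `bitbake -e` output and in task signatures — the indirection keeps it out of git, not out of the build.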
@@ -0,0 +1,38 @@ +# Remote signing server configuration for UEFI Secure Boot +# Set these variables in your local.conf to enable remote signing + +# Enable remote signing instead of local signing +# Set to "1" to use a remote signing server +UEFI_REMOTE_SIGNING ?= "0" + +# Signing server URL +# Example: "https://signing-server.example.com/api/sign" +UEFI_SIGNING_SERVER_URL ?= "" + +# Authentication method: "token", "cert", or "none" +UEFI_SIGNING_AUTH_METHOD ?= "token" + +# Authentication token (for token-based auth) +# This should be set in local.conf, not committed to git +UEFI_SIGNING_AUTH_TOKEN ?= "" + +# Client certificate and key (for cert-based auth) +UEFI_SIGNING_CLIENT_CERT ?= "" +UEFI_SIGNING_CLIENT_KEY ?= "" + +# Signing timeout in seconds +UEFI_SIGNING_TIMEOUT ?= "300" + +# Component type identifier sent to server +# Helps server route to appropriate signing key +# Valid values: "kernel", "grub", or custom types +# Note: kernel-uefi-sign.bbclass uses "kernel" +# grub-uefi-sign.bbclass uses "grub" +UEFI_COMPONENT_TYPE ?= "kernel" + +# Retry configuration +UEFI_SIGNING_RETRIES ?= "3" +UEFI_SIGNING_RETRY_DELAY ?= "5" + +# Verify signed binaries (recommended) +UEFI_VERIFY_SIGNED ?= "1" diff --git a/conf/distro/secureboot.inc b/conf/distro/secureboot.inc new file mode 100644 index 000000000..5aec5b4e1 --- /dev/null +++ b/conf/distro/secureboot.inc 
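Review bot: The comment above `UEFI_COMPONENT_TYPE` says kernel-uefi-sign.bbclass "uses kernel", but that class sends whatever `${UEFI_COMPONENT_TYPE}` expands to, so the `?=` default is the only thing making it `kernel`, and any local.conf assignment changes what the kernel request carries; grub-uefi-sign.bbclass ignores the variable and always sends `grub`. Suggest `# kernel-uefi-sign.bbclass sends this value as-is (default "kernel"); grub-uefi-sign.bbclass always sends "grub" and ignores it`. REMOTE-SIGNING.md asks for HTTPS but nothing here or in the client checks the scheme of `UEFI_SIGNING_SERVER_URL`, so a note that a plain `http://` value is accepted and would send the bearer token in clear is warranted until the client enforces it.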
@@ -0,0 +1,114 @@ +# Secure Boot configuration for NILRT +# Include this file in your distro configuration to enable secure boot features +# + +# Enable UEFI Secure Boot +DISTRO_FEATURES:append:x64 = " uefi-secure-boot" + +# Enable kernel module signing +DISTRO_FEATURES:append = " module-signing" + +# Enable integrity and IMA/EVM features (requires meta-integrity layer) +# These features are enabled when uefi-secure-boot is active and meta-integrity layer is present +DISTRO_FEATURES:append = "\ + ${@bb.utils.contains('BBFILE_COLLECTIONS', 'integrity', ' integrity ima', '', d)} \ +" + +# ===================================================================== +# Key Management Configuration +# ===================================================================== +# IMPORTANT: The paths below use debug keys from meta-security. +# These keys are PUBLIC and should NEVER be used in production! +# +# For production use, generate your own keys following these steps: +# 1. Create a secure directory for your keys (outside the build tree) +# 2. Run: bitbake openssl-native +# 3. Run: bitbake -c devshell openssl-native +# 4. In the devshell, navigate to your key directory and run: +# ${INTEGRITY_BASE}/scripts/ima-gen-local-ca.sh +# ${INTEGRITY_BASE}/scripts/ima-gen-CA-signed.sh +# 5. Update the paths below to point to your keys +# 6. 
Keep the private keys secure and never commit them to version control +# ===================================================================== + +# IMA/EVM keys for filesystem integrity +# When uefi-secure-boot is enabled and meta-integrity layer is present, these keys are used +IMA_EVM_KEY_DIR ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'integrity', '${INTEGRITY_BASE}/data/debug-keys', '', d)}" +IMA_EVM_PRIVKEY ?= "${IMA_EVM_KEY_DIR}/privkey_ima.pem" +IMA_EVM_X509 ?= "${IMA_EVM_KEY_DIR}/x509_ima.der" +IMA_EVM_ROOT_CA ?= "${IMA_EVM_KEY_DIR}/ima-local-ca.pem" + +# IMA policy - enforce signatures on all files +# Available policies (in meta-security/meta-integrity/recipes-security/): +# - ima_policy_simple: Basic measurement only +# - ima_policy_hashed: Measurement with hashing +# - ima_policy_appraise_all: Full appraisal (most secure) +IMA_EVM_POLICY ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'integrity', '${INTEGRITY_BASE}/recipes-security/ima_policy_appraise_all/files/ima_policy_appraise_all', '', d)}" + +# Kernel module signing keys +# These should be different from IMA keys for better security separation +MODULE_SIG_KEY_DIR ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'integrity', '${INTEGRITY_BASE}/data/debug-keys', '', d)}" +MODSIGN_PRIVKEY ?= "${MODULE_SIG_KEY_DIR}/privkey_modsign.pem" +MODSIGN_X509 ?= "${MODULE_SIG_KEY_DIR}/x509_modsign.crt" + +# UEFI Secure Boot keys (for x64 platforms) +# For production, generate UEFI Secure Boot keys using tools like: +# - efi-keytool +# - sbsigntool +# Keys needed: +# - Platform Key (PK) +# - Key Exchange Key (KEK) +# - Database key (db) - for signing bootloaders and kernels +# - Forbidden database key (dbx) - for revoked keys +UEFI_SB_KEYS_DIR ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'integrity', '${INTEGRITY_BASE}/data/debug-keys', '', d)}" +UEFI_SB_DB_KEY ?= "${UEFI_SB_KEYS_DIR}/db.key" +UEFI_SB_DB_CERT ?= "${UEFI_SB_KEYS_DIR}/db.crt" + +# 
===================================================================== +# Secure Boot Build Options +# ===================================================================== + +# Sign kernel modules during build +KERNEL_MODULE_SIG = "${@bb.utils.contains('DISTRO_FEATURES', 'module-signing', '1', '0', d)}" +KERNEL_MODULE_SIG_ALL = "${@bb.utils.contains('DISTRO_FEATURES', 'module-signing', '1', '0', d)}" +KERNEL_MODULE_SIG_HASH = "sha256" + +# Additional security hardening +# Note: read-only-rootfs is commented out as it's incompatible with some NILRT +# runtime requirements. Enable per-image if needed. +# EXTRA_IMAGE_FEATURES:append = " read-only-rootfs" + +# Ensure grub-efi is built with secure boot support +# These modules are needed for signature verification and cryptographic operations +GRUB_BUILDIN:append = " pgp gcry_sha256 gcry_sha512 gcry_rsa" + +# ===================================================================== +# UEFI Secure Boot Binary Signing +# ===================================================================== +# Two signing modes are supported: +# +# 1. LOCAL SIGNING (Development): +# - Uses sbsign with local private keys +# - Keys stored in ${UEFI_SB_KEYS_DIR} +# - Default mode when UEFI_REMOTE_SIGNING = "0" +# +# 2. REMOTE SIGNING (Production - RECOMMENDED): +# - Sends binaries to secure signing server +# - Private keys never leave signing server +# - Enable with: UEFI_REMOTE_SIGNING = "1" +# - Configure server with remote-signing.inc +# +# To enable remote signing: +# 1. Add to distro config: require remote-signing.inc +# 2. 
Set in local.conf: +# UEFI_REMOTE_SIGNING = "1" +# UEFI_SIGNING_SERVER_URL = "https://signing.example.com/api/sign" +# UEFI_SIGNING_AUTH_TOKEN = "your-secret-token" +# +# Components automatically signed: +# - Kernel (bzImage) → Signed during kernel build +# - GRUB bootloader (grubx64.efi) → Signed during GRUB build +# - Images use signed binaries when available +# +# For enhanced security, consider using shim bootloader as first-stage bootloader +# to enable fallback and revocation capabilities. diff --git a/conf/templates/default/bblayers.conf.sample b/conf/templates/default/bblayers.conf.sample index d718d210a..be8a1b0ad 100644 --- a/conf/templates/default/bblayers.conf.sample +++ b/conf/templates/default/bblayers.conf.sample @@ -25,6 +25,7 @@ BBLAYERS ?= " \ ${GIT_REPODIR}/meta-rauc \ ${GIT_REPODIR}/meta-sdr \ ${GIT_REPODIR}/meta-security \ + ${GIT_REPODIR}/meta-security/meta-integrity \ ${GIT_REPODIR}/meta-security/meta-tpm \ ${GIT_REPODIR}/meta-selinux \ ${GIT_REPODIR}/meta-virtualization \ diff --git a/recipes-bsp/grub/grub-efi_2.%.bbappend b/recipes-bsp/grub/grub-efi_2.%.bbappend index 185a1fac8..77c8e11ed 100644 --- a/recipes-bsp/grub/grub-efi_2.%.bbappend +++ b/recipes-bsp/grub/grub-efi_2.%.bbappend @@ -8,6 +8,9 @@ GRUB_BUILDIN += "smbios chain multiboot efi_uga font gfxterm gfxmenu terminal \ # Downstream NI-branch code quality is not yet ready to build with -Werror CFLAGS:append = " -Wno-error" +# Enable GRUB signing for UEFI Secure Boot +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'grub-uefi-sign', '', d)} + PACKAGES:prepend = "${PN}-nilrt " do_install:append:class-target() { diff --git a/recipes-bsp/uefi-signing/files/remote-sign-efi.py b/recipes-bsp/uefi-signing/files/remote-sign-efi.py new file mode 100644 index 000000000..5da711529 --- /dev/null +++ b/recipes-bsp/uefi-signing/files/remote-sign-efi.py 
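Review bot: Every key location (`IMA_EVM_KEY_DIR`, `MODULE_SIG_KEY_DIR`, `UEFI_SB_KEYS_DIR`) defaults to meta-integrity's public `debug-keys`, and beyond the comment nothing at build time distinguishes a production build from that default; a check that warns or fails when `${UEFI_SB_KEYS_DIR}` still resolves to `${INTEGRITY_BASE}/data/debug-keys` unless an explicit opt-in variable is set would turn the warning into an enforced rule. The comment block should also state the gap in the chain it describes: `GRUB_BUILDIN:append = " pgp …"` by itself verifies nothing (GPG verification needs a public key embedded or loaded plus `check_signatures=enforce`), and the Authenticode db signature that kernel-uefi-sign puts on bzImage is only checked by something that consults the db — the firmware's LoadImage or shim via GRUB's `shim_lock` verifier — so with an unpatched GRUB `linux` command the signed kernel is loaded unverified; if the NILRT GRUB carries a LoadImage-based verifier, say so here instead of the "consider shim" hint. Finally, `module-signing` and the `integrity ima` line are appended for every architecture while `uefi-secure-boot` is `:x64`-only, which the header presents as a single feature set; either scope them alike or document the split.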
@@ -0,0 +1,245 @@ +#!/usr/bin/env python3 +""" +Remote signing client for UEFI Secure Boot components. +Sends unsigned binaries to a signing server and receives signed versions. +""" + +import sys +import os +import argparse +import json +import time +import hashlib +import subprocess +from urllib.request import Request, urlopen +from urllib.error import URLError, HTTPError + + +def calculate_hash(filepath, algorithm='sha256'): + """Calculate hash of a file.""" + h = hashlib.new(algorithm) + with open(filepath, 'rb') as f: + while chunk := f.read(8192): + h.update(chunk) + return h.hexdigest() + + +def sign_remote(unsigned_file, signed_file, config): + """Send file to remote signing server and receive signed version.""" + + server_url = config['server_url'] + auth_method = config['auth_method'] + component_type = config['component_type'] + timeout = int(config['timeout']) + retries = int(config['retries']) + retry_delay = int(config['retry_delay']) + + # Calculate hash of unsigned file for verification + unsigned_hash = calculate_hash(unsigned_file) + + # Read unsigned binary + with open(unsigned_file, 'rb') as f: + binary_data = f.read() + + # Prepare request payload + payload = { + 'component_type': component_type, + 'filename': os.path.basename(unsigned_file), + 'hash_algorithm': 'sha256', + 'unsigned_hash': unsigned_hash, + } + + # Create multipart/form-data request + boundary = '----WebKitFormBoundary' + os.urandom(16).hex() + body = [] + + # Add JSON metadata + body.append(f'--{boundary}'.encode()) + body.append(b'Content-Disposition: form-data; name="metadata"') + body.append(b'Content-Type: application/json') + body.append(b'') + body.append(json.dumps(payload).encode()) + + # Add binary file + body.append(f'--{boundary}'.encode()) + body.append(f'Content-Disposition: form-data; name="file"; filename="{os.path.basename(unsigned_file)}"'.encode()) + body.append(b'Content-Type: application/octet-stream') + body.append(b'') + body.append(binary_data) + 
body.append(f'--{boundary}--'.encode()) + body.append(b'') + + body_bytes = b'\r\n'.join(body) + + # Prepare headers + headers = { + 'Content-Type': f'multipart/form-data; boundary={boundary}', + 'Content-Length': str(len(body_bytes)), + } + + # Add authentication + if auth_method == 'token': + token = config.get('auth_token', '') + if token: + headers['Authorization'] = f'Bearer {token}' + else: + print("ERROR: Token-based auth enabled but UEFI_SIGNING_AUTH_TOKEN not set", file=sys.stderr) + return 1 + + # Retry loop + for attempt in range(retries): + try: + print(f"Sending {unsigned_file} to signing server (attempt {attempt + 1}/{retries})...") + + req = Request(server_url, data=body_bytes, headers=headers) + + # Handle client certificates for cert-based auth + if auth_method == 'cert': + # Python's urllib doesn't support client certs well, use curl + return sign_remote_curl(unsigned_file, signed_file, config) + + with urlopen(req, timeout=timeout) as response: + if response.status == 200: + signed_data = response.read() + + # Write signed binary + with open(signed_file, 'wb') as f: + f.write(signed_data) + + print(f"Successfully received signed binary: {signed_file}") + + # Verify if requested + if config.get('verify', '1') == '1': + if verify_signature(signed_file): + print("Signature verification: PASSED") + return 0 + else: + print("ERROR: Signature verification FAILED", file=sys.stderr) + return 1 + + return 0 + else: + print(f"ERROR: Server returned status {response.status}", file=sys.stderr) + + except HTTPError as e: + print(f"HTTP Error: {e.code} - {e.reason}", file=sys.stderr) + if e.code == 401: + print("Authentication failed. 
Check UEFI_SIGNING_AUTH_TOKEN", file=sys.stderr) + return 1 + + except URLError as e: + print(f"URL Error: {e.reason}", file=sys.stderr) + + except Exception as e: + print(f"Error: {str(e)}", file=sys.stderr) + + # Retry with delay + if attempt < retries - 1: + print(f"Retrying in {retry_delay} seconds...") + time.sleep(retry_delay) + + print(f"ERROR: Failed to sign after {retries} attempts", file=sys.stderr) + return 1 + + +def sign_remote_curl(unsigned_file, signed_file, config): + """Use curl for signing with client certificates.""" + + server_url = config['server_url'] + component_type = config['component_type'] + timeout = config['timeout'] + client_cert = config.get('client_cert', '') + client_key = config.get('client_key', '') + retries = int(config['retries']) + + unsigned_hash = calculate_hash(unsigned_file) + + curl_cmd = [ + 'curl', + '-X', 'POST', + '-F', f'file=@{unsigned_file}', + '-F', f'metadata={{"component_type":"{component_type}","hash_algorithm":"sha256","unsigned_hash":"{unsigned_hash}"}}', + '--max-time', timeout, + '--retry', str(retries - 1), + '--retry-delay', config['retry_delay'], + '-o', signed_file, + ] + + if client_cert and client_key: + curl_cmd.extend(['--cert', client_cert, '--key', client_key]) + + if config['auth_method'] == 'token' and config.get('auth_token'): + curl_cmd.extend(['-H', f'Authorization: Bearer {config["auth_token"]}']) + + curl_cmd.append(server_url) + + print(f"Signing with curl: {' '.join(curl_cmd[:5])}...") + result = subprocess.run(curl_cmd, capture_output=True) + + if result.returncode == 0: + print(f"Successfully received signed binary: {signed_file}") + if config.get('verify', '1') == '1': + if verify_signature(signed_file): + print("Signature verification: PASSED") + return 0 + else: + print("ERROR: Signature verification FAILED", file=sys.stderr) + return 1 + return 0 + else: + print(f"ERROR: curl failed: {result.stderr.decode()}", file=sys.stderr) + return 1 + + +def verify_signature(signed_file): + 
"""Verify the signature on a signed EFI binary.""" + try: + # Use sbverify if available + result = subprocess.run( + ['sbverify', '--list', signed_file], + capture_output=True, + text=True + ) + return result.returncode == 0 + except FileNotFoundError: + # sbverify not available, skip verification + print("Warning: sbverify not found, skipping signature verification") + return True + + +def main(): + parser = argparse.ArgumentParser(description='Remote signing client for UEFI Secure Boot') + parser.add_argument('unsigned_file', help='Path to unsigned binary') + parser.add_argument('signed_file', help='Path to write signed binary') + parser.add_argument('--server-url', required=True, help='Signing server URL') + parser.add_argument('--auth-method', default='token', choices=['token', 'cert', 'none'], + help='Authentication method') + parser.add_argument('--auth-token', help='Authentication token') + parser.add_argument('--client-cert', help='Client certificate for cert-based auth') + parser.add_argument('--client-key', help='Client key for cert-based auth') + parser.add_argument('--component-type', default='kernel', help='Component type identifier') + parser.add_argument('--timeout', default='300', help='Request timeout in seconds') + parser.add_argument('--retries', default='3', help='Number of retry attempts') + parser.add_argument('--retry-delay', default='5', help='Delay between retries in seconds') + parser.add_argument('--verify', default='1', choices=['0', '1'], help='Verify signature after signing') + + args = parser.parse_args() + + config = { + 'server_url': args.server_url, + 'auth_method': args.auth_method, + 'auth_token': args.auth_token, + 'client_cert': args.client_cert, + 'client_key': args.client_key, + 'component_type': args.component_type, + 'timeout': args.timeout, + 'retries': args.retries, + 'retry_delay': args.retry_delay, + 'verify': args.verify, + } + + return sign_remote(args.unsigned_file, args.signed_file, config) + + +if __name__ == 
'__main__': + sys.exit(main()) diff --git a/recipes-bsp/uefi-signing/uefi-remote-signing_1.0.bb b/recipes-bsp/uefi-signing/uefi-remote-signing_1.0.bb new file mode 100644 index 000000000..869248e33 --- /dev/null +++ b/recipes-bsp/uefi-signing/uefi-remote-signing_1.0.bb @@ -0,0 +1,17 @@ +SUMMARY = "Remote signing tools for UEFI Secure Boot" +DESCRIPTION = "Python-based tool for sending EFI binaries to a remote signing server" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +SRC_URI = "file://remote-sign-efi.py" + +S = "${WORKDIR}" + +RDEPENDS:${PN} = "python3-core" + +do_install() { + install -d ${D}${bindir} + install -m 0755 ${WORKDIR}/remote-sign-efi.py ${D}${bindir}/remote-sign-efi +} + +BBCLASSEXTEND = "native nativesdk" diff --git a/recipes-core/images/nilrt-runmode-rootfs.bb b/recipes-core/images/nilrt-runmode-rootfs.bb index a78030576..ca95947f8 100644 --- a/recipes-core/images/nilrt-runmode-rootfs.bb +++ b/recipes-core/images/nilrt-runmode-rootfs.bb @@ -31,6 +31,14 @@ PACKAGE_EXCLUDE += "rauc rauc-mark-good" CUSTOM_KERNEL_PATH:x64 ?= "/boot/tmp/runmode" bootimg_fixup_x64() { + # Use signed kernel if UEFI Secure Boot is enabled + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'true', 'false', d)}" = "true" ]; then + if [ -e "${DEPLOY_DIR_IMAGE}/bzImage.signed" ]; then + bbnote "Using UEFI Secure Boot signed kernel: ${DEPLOY_DIR_IMAGE}/bzImage.signed" + install -m 0644 "${DEPLOY_DIR_IMAGE}/bzImage.signed" "${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}/bzImage" + fi + fi + install -m 0644 "${THISDIR}/files/bootimage.ini" "${IMAGE_ROOTFS}/boot/runmode/bootimage.ini" sed -i "s/%component_version%/${BUILDNAME}/" "${IMAGE_ROOTFS}/boot/runmode/bootimage.ini" 
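Review bot: `verify_signature` fails open: it returns True when `sbverify` is not installed (the caller then prints "Signature verification: PASSED"), and `sbverify --list` only enumerates signatures without checking them against a trusted certificate, so a binary signed with the wrong key passes `--verify 1`. Make the missing-tool case a failure whenever verification was requested, and verify against the expected db certificate (`sbverify --cert <cert> <file>`), which means accepting a certificate path from the caller (e.g. a new `--verify-cert` option fed from `UEFI_SB_DB_CERT`). Two smaller points: nothing rejects a non-`https` `server_url`, so a misconfigured `http://` endpoint sends the bearer token and the binary in clear (check `urlparse(server_url).scheme` before the retry loop), and the bare `except Exception` in the loop turns local errors such as an unwritable `signed_file` into pointless retries. `sign_remote_curl` has the same fail-open verification path.
```python
def verify_signature(signed_file, cert_path=None):
    """Verify the Authenticode signature on signed_file.

    With cert_path, sbverify checks that the signature chains to that
    certificate; without it only the presence of a signature is checked.
    A missing sbverify is a verification failure, not a pass.
    """
    cmd = ['sbverify']
    cmd += ['--cert', cert_path] if cert_path else ['--list']
    cmd.append(signed_file)
    try:
        result = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        print("ERROR: sbverify not found; cannot verify signature", file=sys.stderr)
        return False
    if result.returncode != 0:
        print(result.stderr.strip(), file=sys.stderr)
    return result.returncode == 0
# … unchanged: callers pass the cert path from a new --verify-cert option …
```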
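Review bot: `RDEPENDS:${PN} = "python3-core"` is too narrow for the target package: the script imports `json`, `hashlib` and `urllib.request`, which Poky packages as `python3-json`, `python3-crypt` and `python3-netclient`, so the target-side tool would fail at import (the native variant the classes depend on is unaffected since native python3 is unsplit). It also shells out to `sbverify` with no runtime dependency on any sbsigntool package. Suggest `RDEPENDS:${PN} = "python3-core python3-json python3-crypt python3-netclient"` plus the sbsigntool runtime dependency if that recipe is available in the layer set.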
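Review bot: When Secure Boot is on but `${DEPLOY_DIR_IMAGE}/bzImage.signed` is absent, the `if [ -e … ]` falls through silently and the unsigned kernel ships, whereas the matching hunk in nilrt-safemode-rootfs.bb at least emits a `bbwarn`; add `else bbwarn "UEFI Secure Boot enabled but no signed kernel found, using unsigned kernel"` here, or a `bbfatal` if an unsigned production kernel is never acceptable. Also, per the comment in nilrt-safemode-rootfs.bb, `bzImage` under `${KERNEL_IMAGEDEST}` is a symlink to the versioned image, so `install` replaces the link with a copy while the unsigned versioned file stays in the rootfs; the rest of `bootimg_fixup_x64` is outside the hunk, so whether it is removed later is not visible here.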
@@ -47,3 +55,6 @@ IMAGE_PREPROCESS_COMMAND:append:x64 = " bootimg_fixup_x64; "
 IMAGE_PREPROCESS_COMMAND:append:xilinx-zynq = " bootimg_fixup_arm; "
 IMAGE_FSTYPES += "squashfs ${NILRT_BSI_FSTYPE}"
+
+# Enable IMA/EVM signing for secure boot
+IMAGE_CLASSES += "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'ima-evm-rootfs', '', d)}"
diff --git a/recipes-core/images/nilrt-safemode-rootfs.bb b/recipes-core/images/nilrt-safemode-rootfs.bb
index db82721e3..9d2a83251 100644
--- a/recipes-core/images/nilrt-safemode-rootfs.bb
+++ b/recipes-core/images/nilrt-safemode-rootfs.bb
@@ -27,6 +27,19 @@ RAMDISK_IMAGE = "nilrt-safemode-initramfs"
 do_rootfs[depends] += "${RAMDISK_IMAGE}:do_image_complete"
 bootimg_fixup() {
+ # Use signed kernel if UEFI Secure Boot is enabled
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'true', 'false', d)}" = "true" ]; then
+ if [ -e "${DEPLOY_DIR_IMAGE}/bzImage.signed" ]; then
+ bbnote "Using UEFI Secure Boot signed kernel: ${DEPLOY_DIR_IMAGE}/bzImage.signed"
+ KERNEL_SOURCE="${DEPLOY_DIR_IMAGE}/bzImage.signed"
+ else
+ bbwarn "UEFI Secure Boot enabled but no signed kernel found, using unsigned kernel"
+ KERNEL_SOURCE="$(realpath ${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}/bzImage)"
+ fi
+ else
+ KERNEL_SOURCE="$(realpath ${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}/bzImage)"
+ fi
+
 install -m 0644 "${DEPLOY_DIR_IMAGE}/${RAMDISK_IMAGE}-${MACHINE}.cpio.xz" "${IMAGE_ROOTFS}/boot/ramdisk.xz"
 install -m 0755 "${THISDIR}/files/${BPN}.preinst" "${IMAGE_ROOTFS}/boot/preinst"
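Review bot: `IMAGE_CLASSES += ...` only has an effect if it is assigned before image.bbclass is inherited, because image.bbclass is what inherits the classes listed in IMAGE_CLASSES; in the safemode recipe this same append visibly lands after `inherit image` (following hunk), and the runmode and nilrt-base-image appends may sit in the same position. On releases whose image.bbclass uses `inherit_defer ${IMAGE_CLASSES}` the late assignment still works, but on older releases `ima-evm-rootfs` is never applied and the build succeeds with an unsigned rootfs, which is the worst failure mode for a secure-boot feature — confirm with `bitbake -e <image>` that ima-evm-rootfs is among the inherited classes. Moving the line above `inherit image`, or setting it once in the distro's secureboot.inc as `IMAGE_CLASSES:append = " ..."`, removes the dependence on parse order. The same point applies to the nilrt-safemode-rootfs.bb and nilrt-base-image.bb hunks below.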
@@ -42,10 +55,9 @@ bootimg_fixup() { # The kernel was installed with a symbolic link from 'bzImage' # to the actual versioned file. Remove the redirection so that - # we just have a 'bzImage' - mv "$(realpath ${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}/bzImage)" "${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}/bzImage.real" + # we just have a 'bzImage'. Use signed kernel if available. rm -f "${IMAGE_ROOTFS}/boot/bzImage" - mv "${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}/bzImage.real" "${IMAGE_ROOTFS}/boot/bzImage" + install -m 0644 "${KERNEL_SOURCE}" "${IMAGE_ROOTFS}/boot/bzImage" rm -rf "${IMAGE_ROOTFS}/${KERNEL_IMAGEDEST}" install -m 0644 "${THISDIR}/files/bootimage.ini" "${IMAGE_ROOTFS}/boot/bootimage.ini" @@ -88,3 +100,6 @@ ensure_expected_files() { IMAGE_PREPROCESS_COMMAND += " bootimg_fixup; ensure_expected_files; " inherit image + +# Enable IMA/EVM signing for secure boot +IMAGE_CLASSES += "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'ima-evm-rootfs', '', d)}" diff --git a/recipes-core/images/rauc/nilrt-base-image.bb b/recipes-core/images/rauc/nilrt-base-image.bb index f7971e938..fcb77a9bb 100644 --- a/recipes-core/images/rauc/nilrt-base-image.bb +++ b/recipes-core/images/rauc/nilrt-base-image.bb @@ -22,3 +22,6 @@ require includes/nilrt-image-base.inc require includes/nilrt-initramfs.inc IMAGE_FSTYPES += "squashfs" + +# Enable IMA/EVM signing for secure boot +IMAGE_CLASSES += "${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'ima-evm-rootfs', '', d)}" diff --git a/recipes-kernel/linux/linux-nilrt%.bbappend b/recipes-kernel/linux/linux-nilrt%.bbappend new file mode 100644 index 000000000..705c7ce40 --- /dev/null +++ b/recipes-kernel/linux/linux-nilrt%.bbappend 
@@ -0,0 +1,7 @@
+# Enable IMA/EVM and secure boot features for NILRT kernels
+# This mirrors the configuration from meta-security/meta-integrity
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/linux-nilrt:"
+
+# Include IMA/EVM configuration when integrity features are enabled
+require ${@bb.utils.contains_any('DISTRO_FEATURES', 'integrity ', 'linux-nilrt-ima.inc', '', d)}
diff --git a/recipes-kernel/linux/linux-nilrt-ima.inc b/recipes-kernel/linux/linux-nilrt-ima.inc
new file mode 100644
index 000000000..ee20dca0f
--- /dev/null
+++ b/recipes-kernel/linux/linux-nilrt-ima.inc
@@ -0,0 +1,18 @@
+# IMA/EVM kernel configuration for NILRT
+# Based on meta-security/meta-integrity/recipes-kernel/linux/linux_ima.inc
+
+do_configure:append() {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'yes', '', d)}" = "yes" ] && [ -f .config ] ; then
+ # Configure the kernel to trust the IMA/EVM root CA
+ sed -i "s|^CONFIG_SYSTEM_TRUSTED_KEYS=.*|CONFIG_SYSTEM_TRUSTED_KEYS=\"${IMA_EVM_ROOT_CA}\"|" .config
+ fi
+}
+
+SRC_URI:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' file://features/ima/ima.scc file://features/ima/ima.cfg', '', d)}"
+
+# Add IMA/EVM kernel feature fragments when enabled
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', ' features/ima/modsign.scc', '', d)}"
+KERNEL_FEATURES:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ima', ' ima.scc', '', d)}"
+
+# Inherit kernel module signing class when module-signing is enabled
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'modsign', 'kernel-modsign', '', d)}
diff --git a/recipes-kernel/linux/linux-nilrt.inc b/recipes-kernel/linux/linux-nilrt.inc
index e88f76ae9..e73c2ea20 100644
--- a/recipes-kernel/linux/linux-nilrt.inc
+++ b/recipes-kernel/linux/linux-nilrt.inc
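Review bot: The `require` is gated on the `integrity` DISTRO_FEATURE while everything inside linux-nilrt-ima.inc is gated on `ima` or `modsign`, and the image and kernel-signing hunks in this commit are gated on `uefi-secure-boot`; unless secureboot.inc (in the diffstat, not in this view) sets all of these together, enabling secure boot alone produces a signed kernel with no IMA support and nothing reports the mismatch. `'integrity '` with its trailing space looks like a leftover from a longer feature list — `contains_any` splits on whitespace so it is harmless, but `'integrity'` states the intent. A parse-time guard, e.g. an anonymous python function that calls `bb.fatal()` when `uefi-secure-boot` is present without `ima`, would surface the inconsistency at parse time instead of on the device.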
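Review bot: The sed in `do_configure:append` writes `CONFIG_SYSTEM_TRUSTED_KEYS="${IMA_EVM_ROOT_CA}"` without checking that IMA_EVM_ROOT_CA is set or that the file exists; an empty expansion yields `CONFIG_SYSTEM_TRUSTED_KEYS=""`, which the kernel build accepts, so the builtin trusted keyring ends up without the IMA/EVM CA and appraisal keys have nothing to chain to. Add `[ -n "${IMA_EVM_ROOT_CA}" ] && [ -e "${IMA_EVM_ROOT_CA}" ] || bbfatal "IMA_EVM_ROOT_CA is unset or does not exist"` before the sed (a `|` in the path would also break the sed expression, a minor point). `features/ima/modsign.scc` is referenced in KERNEL_FEATURES but not added by this commit — the diffstat lists only ima.cfg and ima.scc — so confirm it resolves from another layer or the kernel cache before `modsign` is enabled. Likewise the ima fragment is fetched as `file://features/ima/ima.scc` but listed as `ima.scc` in KERNEL_FEATURES, which relies on kernel-yocto locating SRC_URI feature files by basename; a comment stating that assumption would help the next maintainer.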
@@ -1,6 +1,9 @@
 inherit kernel
 require recipes-kernel/linux/linux-yocto.inc
+# Enable UEFI Secure Boot kernel signing when configured
+inherit ${@bb.utils.contains('DISTRO_FEATURES', 'uefi-secure-boot', 'kernel-uefi-sign', '', d)}
+
 KBRANCH = "nilrt/${NI_RELEASE_VERSION}/${LINUX_VERSION}"
 GIT_KERNEL_REPO = "linux.git"
diff --git a/recipes-kernel/linux/linux-nilrt/features/ima/ima.cfg b/recipes-kernel/linux/linux-nilrt/features/ima/ima.cfg
new file mode 100644
index 000000000..529d5ce0f
--- /dev/null
+++ b/recipes-kernel/linux/linux-nilrt/features/ima/ima.cfg
@@ -0,0 +1,8 @@
+CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_IMA=y
+CONFIG_IMA_READ_POLICY=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_APPRAISE_BOOTPARAM=y
+CONFIG_EVM=y
diff --git a/recipes-kernel/linux/linux-nilrt/features/ima/ima.scc b/recipes-kernel/linux/linux-nilrt/features/ima/ima.scc
new file mode 100644
index 000000000..ef3dced4f
--- /dev/null
+++ b/recipes-kernel/linux/linux-nilrt/features/ima/ima.scc
@@ -0,0 +1,4 @@
+define KFEATURE_DESCRIPTION "Enable IMA/EVM"
+define KFEATURE_COMPATIBILITY board
+
+kconf non-hardware ima.cfg
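Review bot: In ima.cfg, `CONFIG_IMA_APPRAISE_BOOTPARAM=y` makes the appraisal mode settable from the kernel command line via `ima_appraise=`; with `CONFIG_IMA_ARCH_POLICY=y` recent kernels refuse to lower enforcement while EFI Secure Boot is active (`arch_ima_get_secureboot`), so the exposure is limited to kernels without that check and to boots with Secure Boot turned off, but that reliance deserves a comment in the fragment, e.g. `# BOOTPARAM is only safe because the arch policy ignores non-enforcing ima_appraise= under Secure Boot`. The fragment enables signature appraisal without `CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y` (required to verify asymmetric `security.ima` signatures rather than HMACs) and without pinning `CONFIG_IMA_DEFAULT_HASH`; unless the base defconfig already sets them, add them here so the effective policy does not depend silently on the base config. A header line naming the meta-integrity ima.cfg revision this was derived from would make future re-syncs easier.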