[secure boot] Support rw files allowlist #4585
Conversation
files/Aboot/boot0.j2
Outdated
| @@ -395,6 +395,9 @@ write_boot_configs() { | |||
| fi | |||
| fi | |||
|
|
|||
| # setting secure_boot_enable=true when secure boot enabled | |||
| [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=true" >> /tmp/append | |||
There was a problem hiding this comment.
securebootctl secureboot -display | grep -i "Secure Boot enable" -q [](start = 33, length = 67)
Is it possible to test secure boot enabled without grep? #Pending
There was a problem hiding this comment.
I will ask Arista about it.
There was a problem hiding this comment.
The arista secure boot using the similar way.
| etc/subuid | ||
| etc/tacplus_nss.conf | ||
| etc/tacplus_user | ||
| lib/systemd/system/serial-getty@.service |
There was a problem hiding this comment.
Need to double check #Closed
build_image.sh
Outdated
| @@ -133,6 +133,7 @@ elif [ "$IMAGE_TYPE" = "aboot" ]; then | |||
| sed -i -e "s/%%IMAGE_VERSION%%/$IMAGE_VERSION/g" files/Aboot/boot0 | |||
| pushd files/Aboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE boot0; popd | |||
| pushd files/Aboot && zip -g $OLDPWD/$ABOOT_BOOT_IMAGE boot0; popd | |||
| pushd files/image_config/secureboot && zip -g $OLDPWD/$OUTPUT_ABOOT_IMAGE whitelist; popd | |||
There was a problem hiding this comment.
whitelist [](start = 78, length = 9)
Name it as whitelist_paths.txt ? #Closed
There was a problem hiding this comment.
Can we use whitelist_paths? Do we need to remove the .txt when added into the image package?
There was a problem hiding this comment.
Changed to whitelist_paths.conf
files/initramfs-tools/union-mount.j2
Outdated
| fi | ||
|
|
||
| # Return if the secure_boot_enable option is not set | ||
| if cat /proc/cmdline | grep -v -q "secure_boot_enable=true"; then |
There was a problem hiding this comment.
secure_boot_enable=true [](start = 37, length = 23)
The convention is
secure_boot_enable=[0|1]
or
secure_boot_enable=[n|y]
#Closed
files/initramfs-tools/union-mount.j2
Outdated
|
|
||
| whitelist_log=${rootmnt}/host/$image_dir/whitelist.log | ||
| rw_dir=${rootmnt}/host/$image_dir/rw | ||
| whitelist=$(cat ${rootmnt}/host/$image_dir/whitelist | grep -v "^\s*#" | awk '{$1=$1};1') |
There was a problem hiding this comment.
| grep -v "^\s*#" | awk '{$1=$1};1' [](start = 54, length = 36)
Is it only for parsing comments? If yes, we may remove the complexity. And add a whiltelist_README.md side-by-side to explain usage. #Closed
There was a problem hiding this comment.
Offline discussed, move comment out into separate file. It is not a runtime conf file.
In reply to: 424122684 [](ancestors = 424122684)
files/initramfs-tools/union-mount.j2
Outdated
| echo $file >> ${whitelist_log} | ||
| rm -f $file | ||
| fi | ||
| done |
There was a problem hiding this comment.
I am worried about the performance if rw contains many files and deep directories. Since whitelist is short, can we mv folder to a temp one, and copied back one by one.
Not sure the validation of this solution, is there any metadata / hidden files in rw for overlay?
If it working, no need to add /* for directories in whitelist. #Closed
There was a problem hiding this comment.
The find command can get hidden files, what is the metadata?
There was a problem hiding this comment.
Yes, the performance is not good enough, but it is not relative to the depth of the directories, it is the grep.
There was a problem hiding this comment.
The performance issue should be fixed. Tested on the device, reduce from 100 seconds to 1 seconds for 300 files. And checked the changed files on product, it only has about 700 changed files in max.
files/initramfs-tools/union-mount.j2
Outdated
| @@ -39,10 +39,49 @@ set_tmpfs_log_partition_size() | |||
| [ $maxsize -le $varlogsize ] && varlogsize=$maxsize | |||
| } | |||
|
|
|||
| whitelist_rw_folder() | |||
There was a problem hiding this comment.
Sh code is not easy to understand, add some comments? #Closed
jleveque
changed the title
|
FYI, I updated the PR title. |
files/initramfs-tools/union-mount.j2
Outdated
|
|
||
| # Set the grep pattern file | ||
| whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern | ||
| grep -v "^\s*$" ${whitelist_file} | awk -v rw_dir="$rw_dir" '{print rw_dir"/"$0"$"}' > $whitelist_pattern_file |
There was a problem hiding this comment.
awk [](start = 38, length = 3)
Can we use awk to handle empty line https://stackoverflow.com/a/11687266/2514803
And remove grep. #Closed
|
please add descriptions for the pr |
files/initramfs-tools/union-mount.j2
Outdated
| @@ -39,10 +39,38 @@ set_tmpfs_log_partition_size() | |||
| [ $maxsize -le $varlogsize ] && varlogsize=$maxsize | |||
| } | |||
|
|
|||
| whitelist_rw_folder() | |||
| { | |||
| image_dir=$1 | |||
There was a problem hiding this comment.
If it doesn't bother you too much. can you switch to 4 space indentation? Most of our files are 4 space indentations.
files/initramfs-tools/union-mount.j2
Outdated
| whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf | ||
|
|
||
| # Return if the whitelist file does not exist | ||
| if ! test -f "${whitelist_file}"; then |
There was a problem hiding this comment.
Should this check be moved down or add as a protection of accessing the file?
If secure boot is enabled and this file is missing, should you at least whitelist rw_dir? I understand that is not enough.
There was a problem hiding this comment.
The file should not be missing, it is extracted from the image every time in boot0.
If secure boot enabled, the file should always exist, I will improve it.
files/Aboot/boot0.j2
Outdated
| # setting secure_boot_enable=true when secure boot enabled | ||
| [ -f /bin/securebootctl ] && securebootctl secureboot -display | grep -i "Secure Boot enable" -q && echo "secure_boot_enable=y" >> /tmp/append |
There was a problem hiding this comment.
Comment and code does not match, is it supposed to be "secure_boot_enable=true" or "secure_boot_enable=y"?
files/initramfs-tools/union-mount.j2
Outdated
| ## Mount the overlay file system: rw layer over squashfs | ||
| image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/') | ||
| mkdir -p ${rootmnt}/host/$image_dir/rw | ||
| mkdir -p ${rootmnt}/host/$image_dir/work | ||
| ## Whitelist rw folder | ||
| whitelist_rw_folder "$image_dir" |
There was a problem hiding this comment.
suggest name change to reflect the fact that files are removed.
There was a problem hiding this comment.
Changed to remove_not_whitelist_files
files/initramfs-tools/union-mount.j2
Outdated
| ## Mount the overlay file system: rw layer over squashfs | ||
| image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/') | ||
| mkdir -p ${rootmnt}/host/$image_dir/rw | ||
| mkdir -p ${rootmnt}/host/$image_dir/work | ||
| ## Whitelist rw folder | ||
| whitelist_rw_folder "$image_dir" |
There was a problem hiding this comment.
$image_dir [](start = 21, length = 10)
If there is any executable files inside rw, let's chmod a-x to change it to non executables.
However, user's home directory should keep as is. #Closed
|
change code and comment/title to use |
xumia
changed the title
|
Retest mellanox please |
|
Retest mellanox please |
- Why I did it
The files without signature validation may be tempered when the switch is turned off, it is required to remove the files in the rw folder which will be executed when system starts for the secure boot. we will remove all the executable files and all the file not in the allowlist config file, only allow limited config files to improve the security.
- How I did it
The allowlist config file "files/image_config/secureboot/allowlist_paths.conf" is to control whether the rw files in root file system will be removed or not when the system reboot. The config file will be extracted from the signed and verified image in each reboot.
The Linux kernel will take the process to remove files in the union-mount just before mounting the rw folder.
- How to verify it
- Description for the changelog
Remove the files in rw folder of the overlay file system based on a allowlist config file.
- A picture of a cute animal (not mandatory but encouraged)