Introduce kernel-mshv-signed, hvloader-signed #7173
Merged
7 commits
- 07523d6 Introduce kernel-mshv-signed package (Camelron)
- 6d36a20 Introduce hvloader-signed (Camelron)
- d78ffc3 License verified (Camelron)
- 32fbdd3 Use expected source attribution in changelog (Camelron)
- 7eb36b2 entangle hvloader, kernel-mshv and their signed specs (Camelron)
- c5545b8 update CODEOWNERS to direct hvloader-signed, kernel-mshv-signed to ka… (Camelron)
- 2cc81a3 lint licenses-map (Camelron)
@@ -0,0 +1,74 @@ | ||
%global debug_package %{nil} | ||
%define name_github HvLoader | ||
%ifarch x86_64 | ||
%global buildarch x86_64 | ||
%endif | ||
Summary: Signed HvLoader.efi for %{buildarch} systems | ||
Name: hvloader-signed-%{buildarch} | ||
Version: 1.0.1 | ||
Release: 1%{?dist} | ||
License: MIT | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
URL: https://github.com/microsoft/HvLoader | ||
# This package's "version" and "release" must reflect the unsigned version that | ||
# was signed. | ||
# An important consequence is that when making a change to this package, the | ||
# unsigned version/release must be increased to keep the two versions consistent. | ||
# Ideally though, this spec will not change much or at all, so the version will | ||
# just track the unsigned package's version/release. | ||
# | ||
# To populate these sources: | ||
# 1. Build the unsigned packages as normal | ||
# 2. Sign the desired binary | ||
# 3. Place the unsigned package and signed binary in this spec's folder | ||
# 4. Build this spec | ||
Source0: hvloader-%{version}-%{release}.%{buildarch}.rpm | ||
Source1: HvLoader.efi | ||
ExclusiveArch: x86_64 | ||
|
||
%description | ||
This package contains the HvLoader EFI binary signed for secure boot. The package is | ||
specifically created for installing on %{buildarch} systems | ||
|
||
%package -n hvloader | ||
Summary: HvLoader.efi is an EFI application for loading an external hypervisor loader. | ||
Group: Applications/System | ||
|
||
%description -n hvloader | ||
HvLoader.efi is an EFI application for loading an external hypervisor loader. | ||
|
||
HvLoader.efi loads a given hypervisor loader binary (DLL, EFI, etc.), and | ||
calls it's entry point passing HvLoader.efi ImageHandle. This way the | ||
hypervisor loader binary has access to HvLoader.efi's command line options, | ||
and use those as configuration parameters. The first HvLoader.efi command line | ||
option is the path to hypervisor loader binary. | ||
|
||
%prep | ||
|
||
%build | ||
mkdir rpm_contents | ||
pushd rpm_contents | ||
|
||
# This spec's whole purpose is to inject the signed HvLoader binary | ||
rpm2cpio %{SOURCE0} | cpio -idmv | ||
cp %{SOURCE1} ./boot/efi/HvLoader.efi | ||
|
||
popd | ||
|
||
%install | ||
pushd rpm_contents | ||
|
||
# Don't use * wildcard. It does not copy over hidden files in the root folder... | ||
cp -rp ./. %{buildroot}/ | ||
|
||
popd | ||
|
||
%files -n hvloader | ||
%license MdeModulePkg/Application/%{name_github}-%{version}/LICENSE | ||
/boot/efi/HvLoader.efi | ||
|
||
%changelog | ||
* Thu Jan 04 2024 Cameron Baird <cameronbaird@microsoft.com> - 1.0.1-1 | ||
- Original version for CBL-Mariner. | ||
- License verified |
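Review bot: the hvloader subpackage's %files declares `%license MdeModulePkg/Application/%{name_github}-%{version}/LICENSE`, a path relative to the build directory, but %prep is empty and %build only extracts Source0 into rpm_contents, so nothing creates that file where rpmbuild's %license handling looks for it; either copy the LICENSE out of the extracted payload in %build or point %license at the license file the unsigned rpm already installs. Separately, the description promises a binary "signed for secure boot", yet %build copies Source1 over ./boot/efi/HvLoader.efi without checking that it carries an Authenticode signature; a verification step on Source1 before the `cp` (the kernel-mshv-signed spec's comments name pesign and sbsign as the tooling in this space, and sbverify from the same family can check a signature) would stop an unsigned HvLoader.efi from being packaged under this name.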
SPECS-SIGNED/kernel-mshv-signed/kernel-mshv-signed.spec (153 additions, 0 deletions)
@@ -0,0 +1,153 @@ | ||
%global debug_package %{nil} | ||
Review comment on this line: Please also update the codeowners files so @microsoft/cbl-mariner-kata-containers are automatically added as reviewers for updates to these new specs
||
%global sha512hmac bash %{_sourcedir}/sha512hmac-openssl.sh | ||
%ifarch x86_64 | ||
%global buildarch x86_64 | ||
%endif | ||
%define uname_r %{version}-%{release} | ||
Summary: Signed MSHV-enabled Linux Kernel for %{buildarch} systems | ||
Name: kernel-mshv-signed-%{buildarch} | ||
Version: 5.15.126.mshv9 | ||
Release: 2%{?dist} | ||
License: GPLv2 | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
Group: System Environment/Kernel | ||
URL: https://github.com/microsoft/CBL-Mariner-Linux-Kernel | ||
# This spec purpose is to take an input kernel rpm and input secure-boot-signed | ||
# kernel binary from the same build and generate a new "kernel" rpm with the | ||
# signed kernel binary + all of the other original kernel files, triggers, | ||
# scriptlets, requires, provides, etc. | ||
# | ||
# We need to ensure the kernel modules and kernel binary used are from the exact | ||
# same build because at build time the kernel modules are signed with an | ||
# ephemeral key that the kernel enrolls in its keyring. We enforce kernel | ||
# module signature checking when we enable security features like kernel | ||
# lockdown so our kernel can only load those specific kernel modules at runtime. | ||
# | ||
# Additionally, to complete the UEFI Secure Boot chain, we must PE-sign the | ||
# kernel binary. Ideally we would enable secure-boot signing tools like pesign | ||
# or sbsign to be callable from inside the rpmbuild environment, that way we can | ||
# secure-boot sign the kernel binary during the kernel's rpmbuild. It is best | ||
# practice to sign as soon as possible. However there are issues getting that | ||
# secure boot signing infrastructure in place today. Hence we sign the | ||
# resulting kernel binary and "repackage" the kernel RPM (something rpm itself | ||
# actively tries to make sure you never do...generally for good reasons). | ||
# | ||
# To achive this repackaging, this spec creates a new subpackage named | ||
# "kernel-mshv". To retain all of the initial kernel-mshv package behaviors, we make sure | ||
# the subpackage has the same requires, provides, triggers, post steps, and | ||
# files as the original kernel package. | ||
# | ||
# This specific repackaging implementation leaves room for us to enable the | ||
# more ideal secure-boot signing flow in the future without introducing any | ||
# sort of breaking change or new packaging. Users still install a "kernel-mshv" | ||
# package like they normally would. | ||
# | ||
# Maintenance Notes: | ||
# - This spec's "version" and "release" must reflect the unsigned version that | ||
# was signed. An important consequence is that when making a change to this | ||
# spec or the normal kernel spec, the other spec's version version/release must | ||
# be increased to keep the two versions consistent. | ||
# | ||
# - Make sure the kernel subpackage's Requires, Provides, triggers, post/postun | ||
# scriptlets, and files match the normal kernel-mshv spec's. The kernel subpackage | ||
# should contain the same content as the input kernel package but replace the | ||
# kernel binary with our signed kernel binary. Since all the requires, provides, | ||
# etc are the same, this new kernel package can be a direct replacement for the | ||
# normal kernel package and RPM will resolve packages with kernel dependencies | ||
# correctly. | ||
# | ||
# To populate the input sources: | ||
# 1. Build the unsigned packages as normal | ||
# 2. Sign the desired binary | ||
# 3. Place the unsigned package and signed binary in this spec's folder | ||
# 4. Build this spec | ||
Source0: kernel-mshv-%{version}-%{release}.%{buildarch}.rpm | ||
Source1: vmlinuz-%{uname_r} | ||
Source2: sha512hmac-openssl.sh | ||
BuildRequires: cpio | ||
BuildRequires: openssl | ||
BuildRequires: sed | ||
|
||
%description | ||
This package contains the MSHV-enabled Linux kernel package with kernel-mshv signed with the production key | ||
|
||
%package -n kernel-mshv | ||
Summary: MSHV-enabled Linux Kernel | ||
Group: System Environment/Kernel | ||
Requires: filesystem | ||
Requires: kmod | ||
Requires(post): coreutils | ||
Requires(postun): coreutils | ||
%{?grub2_configuration_requires} | ||
ExclusiveArch: x86_64 | ||
|
||
%description -n kernel-mshv | ||
The kernel package contains the signed MSHV-enabled Linux kernel. | ||
|
||
%prep | ||
|
||
%build | ||
mkdir rpm_contents | ||
pushd rpm_contents | ||
|
||
# This spec's whole purpose is to inject the signed kernel binary | ||
rpm2cpio %{SOURCE0} | cpio -idmv | ||
cp %{SOURCE1} ./boot/vmlinuz-%{uname_r} | ||
|
||
popd | ||
|
||
%install | ||
pushd rpm_contents | ||
|
||
# Don't use * wildcard. It does not copy over hidden files in the root folder... | ||
cp -rp ./. %{buildroot}/ | ||
|
||
popd | ||
|
||
%triggerin -n kernel-mshv -- initramfs | ||
mkdir -p %{_localstatedir}/lib/rpm-state/initramfs/pending | ||
touch %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r} | ||
echo "initrd generation of kernel %{uname_r} will be triggered later" >&2 | ||
|
||
%triggerun -n kernel-mshv -- initramfs | ||
rm -rf %{_localstatedir}/lib/rpm-state/initramfs/pending/%{uname_r} | ||
rm -rf /boot/efi/initrd.img-%{uname_r} | ||
echo "initrd of kernel %{uname_r} removed" >&2 | ||
|
||
%postun -n kernel-mshv | ||
if [ ! -e /boot/mariner-mshv.cfg ] | ||
then | ||
ls /boot/linux-*.cfg 1> /dev/null 2>&1 | ||
if [ $? -eq 0 ] | ||
then | ||
list=`ls -tu /boot/linux-*.cfg | head -n1` | ||
test -n "$list" && ln -sf "$list" /boot/mariner-mshv.cfg | ||
fi | ||
fi | ||
%grub2_postun | ||
|
||
%post -n kernel-mshv | ||
/sbin/depmod -a %{uname_r} | ||
ln -sf linux-%{uname_r}.cfg /boot/mariner-mshv.cfg | ||
%grub2_post | ||
|
||
%files -n kernel-mshv | ||
%defattr(-,root,root) | ||
%license COPYING | ||
%exclude %dir /usr/lib/debug | ||
/boot/System.map-%{uname_r} | ||
/boot/config-%{uname_r} | ||
/boot/vmlinuz-%{uname_r} | ||
/boot/efi/vmlinuz-%{uname_r} | ||
%config(noreplace) /boot/linux-%{uname_r}.cfg | ||
%config(noreplace) %{_sysconfdir}/default/grub.d/50_mariner_mshv.cfg | ||
%config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} | ||
%defattr(0644,root,root) | ||
/lib/modules/%{uname_r}/* | ||
%exclude /lib/modules/%{uname_r}/build | ||
|
||
%changelog | ||
* Thu Jan 04 2024 Cameron Baird <cameronbaird@microsoft.com> - 5.15.126.mshv9-2 | ||
- Original version for CBL-Mariner. | ||
- License verified |
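Review bot: in %build only `./boot/vmlinuz-%{uname_r}` is overwritten with the signed Source1, yet %files also packages `/boot/efi/vmlinuz-%{uname_r}`; unless the two paths are hard-linked in the unsigned rpm's payload, the ESP copy, which is the one the UEFI boot chain actually loads, ships with the unsigned binary extracted from Source0. Copy Source1 to both paths explicitly, e.g. `cp %{SOURCE1} ./boot/efi/vmlinuz-%{uname_r}` right after the existing `cp`. Also, `%global sha512hmac ...`, Source2 and the BuildRequires on openssl and sed are declared but never used in %build or %install; either drop them or, if the unsigned kernel-mshv package ships a `.vmlinuz-%{uname_r}.hmac` next to the kernel, regenerate it with `%{sha512hmac}` after the copy, since an HMAC computed over the unsigned image no longer matches the signed one.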
@@ -0,0 +1,6 @@ | ||
#!/bin/bash | ||
|
||
# Mocks sha512hmac using the openssl tool. | ||
# Only for use during RPM build. | ||
|
||
openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ' | echo "$(cat -) $1" |
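Review bot: the pipeline on the last line has no error handling: without `set -o pipefail`, a missing or unreadable "$1" makes `openssl` fail but the script still exits 0 (the status of the final `echo`) and prints a line with an empty hash, which a caller comparing HMACs would treat as a wrong value rather than a failure. Suggest `set -euo pipefail`, a check that exactly one argument was given, and a plain `hash=$(openssl sha512 -hmac FIPS-FTW-RHT2009 -hex "$1" | cut -f 2 -d ' ')` followed by `echo "$hash  $1"` instead of the `echo "$(cat -) $1"` construct. Note too that nothing in this PR invokes the script: kernel-mshv-signed.spec defines `%global sha512hmac` around it but never calls the macro.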
Review comment: Please update the entangled spec checker script for hvloader and kernel-mshv - toolkit/scripts/check_entangled_specs.py