[secure boot] Support rw files allowlist #4585
Changes from 4 commits
@@ -0,0 +1,28 @@ | ||
home/.* | ||
var/core/.* | ||
var/log/.* | ||
etc/group | ||
etc/gshadow | ||
etc/hostname | ||
etc/hosts | ||
etc/machine-id | ||
etc/network/interfaces | ||
etc/nsswitch.conf | ||
etc/pam.d/common-auth-sonic | ||
etc/pam.d/sshd | ||
etc/pam.d/login | ||
etc/passwd | ||
etc/rsyslog.conf | ||
etc/shadow | ||
etc/sonic/acl.json | ||
etc/sonic/config_db.json | ||
etc/sonic/minigraph.xml | ||
etc/sonic/snmp.yml | ||
etc/sonic/updategraph.conf | ||
etc/ssh/ssh_host_rsa_key.pub | ||
etc/ssh/ssh_host_rsa_key | ||
etc/subgid | ||
etc/subuid | ||
etc/tacplus_nss.conf | ||
etc/tacplus_user | ||
lib/systemd/system/serial-getty@.service | ||
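Review bot: The entries in this file are consumed as grep regular expressions (the script turns each one into `rw_dir"/"$0"$"` and feeds it to `grep -v -f`), so the unescaped `.` in names such as `etc/nsswitch.conf` and `etc/sonic/config_db.json` matches any character, and `home/.*` keeps every file under home/, executables included. Either escape literal dots (`etc/nsswitch\.conf`) or state at the top of the file that entries are regexes. Note also that a comment header cannot be added here: only blank lines are filtered out before the patterns are built, so a `#` line would itself become a pattern.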
yxieca marked this conversation as resolved.
@@ -0,0 +1,11 @@ | ||
# Configuration Guide | ||
It is the patterns of the relative paths in /host/image-{{hash}}/rw folder. | ||
The patterns will not be used if the Sonic Secure Boot feature is not enabled. | ||
The files that are not in the whitelist will be removed when the Sonic System cold reboot. | ||
|
||
### Example to whitelist all the files in a folder | ||
home/.* | ||
|
||
### Example to whitelist a file | ||
etc/nsswitch.conf | ||
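Review bot: The guide does not say that each line is a regular expression applied by grep, which is what the two examples rely on (`home/.*` is a regex, and the literal `.` in `etc/nsswitch.conf` is unescaped), nor that comment lines are not supported; add a sentence for each. Minor wording: "when the Sonic System cold reboot" should read "when the system cold reboots", and since the PR title says "allowlist" the guide could use the same term as the title.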
|
|
@@ -39,10 +39,38 @@ set_tmpfs_log_partition_size() | |
[ $maxsize -le $varlogsize ] && varlogsize=$maxsize | ||
} | ||
|
||
whitelist_rw_folder() | ||
Sh code is not easy to understand, add some comments?
||
{ | ||
image_dir=$1 | ||
If it doesn't bother you too much, can you switch to 4-space indentation? Most of our files are 4-space indented.
Fixed.
||
whitelist_file=${rootmnt}/host/$image_dir/whitelist_paths.conf | ||
|
||
# Return if the whitelist file does not exist | ||
if ! test -f "${whitelist_file}"; then | ||
Should this check be moved down, or is it added as a protection for accessing the file? If secure boot is enabled and this file is missing, should you at least whitelist rw_dir? I understand that is not enough.
The file should not be missing; it is extracted from the image every time in boot0.
||
return | ||
fi | ||
|
||
# Return if the secure_boot_enable option is not set | ||
if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then | ||
return | ||
fi | ||
|
||
rw_dir=${rootmnt}/host/$image_dir/rw | ||
|
||
# Set the grep pattern file | ||
whitelist_pattern_file=${rootmnt}/host/$image_dir/whitelist_paths.pattern | ||
grep -v "^\s*$" ${whitelist_file} | awk -v rw_dir="$rw_dir" '{print rw_dir"/"$0"$"}' > $whitelist_pattern_file | ||
Can we use awk to handle empty lines? https://stackoverflow.com/a/11687266/2514803
Fixed.
||
|
||
# Find the files in the rw folder, and remove the files not in the whitelist | ||
find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f | ||
rm -f $whitelist_pattern_file | ||
} | ||
|
||
## Mount the overlay file system: rw layer over squashfs | ||
image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/') | ||
mkdir -p ${rootmnt}/host/$image_dir/rw | ||
mkdir -p ${rootmnt}/host/$image_dir/work | ||
## Whitelist rw folder | ||
whitelist_rw_folder "$image_dir" | ||
Suggest a name change to reflect the fact that files are removed.
Changed to remove_not_whitelist_files.
If there are any executable files inside. However, the user's home directory should be kept as is.
Fixed.
||
mount -n -o lowerdir=${rootmnt},upperdir=${rootmnt}/host/$image_dir/rw,workdir=${rootmnt}/host/$image_dir/work -t overlay root-overlay ${rootmnt} | ||
## Check if the root block device is still there | ||
[ -b ${ROOT} ] || mdev -s | ||
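Review bot: The removal pipeline `find ${rw_dir} -type f | grep -v -f $whitelist_pattern_file | xargs /bin/rm -f` is fragile in three ways. The generated patterns end with `$` but never start with `^`, so prefix the awk output with `^` (`{print "^" rw_dir "/" $0 "$"}`) to stop a pattern matching in the middle of a longer path; a file name containing whitespace or a newline splits across `xargs` arguments, so use `find -print0`, `grep -z` and `xargs -0` if the initramfs grep supports `-z`; and `-type f` skips symlinks, so a link placed in the rw layer outside the allowlist survives the cleanup, which `\( -type f -o -type l \)` would cover. Separately, the whitelist-file check runs before the `secure_boot_enable` check, so a missing or unreadable whitelist file on a secure-boot system silently skips the cleanup; logging that case rather than returning quietly would make the condition visible. Style: `grep -i -q "secure_boot_enable=[y1]" /proc/cmdline` avoids the `cat` pipe.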
|
Comment and code do not match: is it supposed to be "secure_boot_enable=true" or "secure_boot_enable=y"?