
Commit d647152

Enable signature verification of kexec kernel and use new Mariner Trusted Base CA in trusted keyring (#10961)
Signed-off-by: Chris Co <chrco@microsoft.com> Co-authored-by: Rachel Menge <rachelmenge@microsoft.com>
1 parent 33ddc96 commit d647152

14 files changed

Lines changed: 75 additions & 47 deletions


SPECS-SIGNED/kernel-signed/kernel-signed.spec

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
Summary: Signed Linux Kernel for %{buildarch} systems
1111
Name: kernel-signed-%{buildarch}
1212
Version: 6.6.57.1
13-
Release: 2%{?dist}
13+
Release: 3%{?dist}
1414
License: GPLv2
1515
Vendor: Microsoft Corporation
1616
Distribution: Azure Linux
@@ -145,6 +145,9 @@ echo "initrd of kernel %{uname_r} removed" >&2
145145
%exclude /module_info.ld
146146

147147
%changelog
148+
* Tue Nov 05 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-3
149+
- Bump release to match kernel
150+
148151
* Wed Oct 30 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.57.1-2
149152
- Bump release to match kernel
150153

SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
Summary: Signed Unified Kernel Image for %{buildarch} systems
77
Name: kernel-uki-signed-%{buildarch}
88
Version: 6.6.57.1
9-
Release: 2%{?dist}
9+
Release: 3%{?dist}
1010
License: GPLv2
1111
Vendor: Microsoft Corporation
1212
Distribution: Azure Linux
@@ -68,6 +68,9 @@ popd
6868
/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
6969

7070
%changelog
71+
* Tue Nov 05 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-3
72+
- Bump release to match kernel
73+
7174
* Wed Oct 30 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.57.1-2
7275
- Bump release to match kernel
7376

SPECS/kernel-headers/kernel-headers.spec

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@
1414
Summary: Linux API header files
1515
Name: kernel-headers
1616
Version: 6.6.57.1
17-
Release: 2%{?dist}
17+
Release: 3%{?dist}
1818
License: GPLv2
1919
Vendor: Microsoft Corporation
2020
Distribution: Azure Linux
@@ -75,6 +75,9 @@ done
7575
%endif
7676

7777
%changelog
78+
* Tue Nov 05 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-3
79+
- Bump release to match kernel
80+
7881
* Wed Oct 30 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.57.1-2
7982
- Bump release to match kernel
8083

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIGtjCCBJ6gAwIBAgITMwAAAAJjlHB6Ftnx2gAAAAAAAjANBgkqhkiG9w0BAQ0F
3+
ADBaMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u
4+
MSswKQYDVQQDEyJNaWNyb3NvZnQgTWFyaW5lciBSU0EgUm9vdCBDQSAyMDIzMB4X
5+
DTIzMDIxNjE5MzkwMloXDTM4MDIwOTIxMjU1M1owYDELMAkGA1UEBhMCVVMxHjAc
6+
BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjExMC8GA1UEAxMoTWFyaW5lciBU
7+
cnVzdGVkIEJhc2UgUlNBIENvZGUgU2lnbmluZyBDQTCCAiIwDQYJKoZIhvcNAQEB
8+
BQADggIPADCCAgoCggIBAL+8TFnwSX6pE1J6Eb4fdVJy0pLmFrY1G8oqxfPqY0l0
9+
rezoei1p8hZrPAsk1l/lp+BIDrYl/0TiZOSkVBMod569/JDntohvjycZtCKK+9PY
10+
MophsyD5XvsK7xNaRixxTTOLJ561iKQqny29bJNgO/N909s9pXFa1chQKWm3Ib8I
11+
SiZwj0CixWTwfGmTqa9pR1mwQydUK8HS4uO5i2WqB065b1R48rEGmC0m4WYX37Od
12+
EFU7ZzorMrdG8tYFL+rCfZExkBoqcUD6So3Zsz/KQenxTNKyv3UIV3szTP7W8gLG
13+
+3KTr4YS6U+6zztTp+at3DlH0GFBIoGMNnxns/7tZoUL2Ee9CL91gX5FEQ1iyc53
14+
szYhQ82LjwQ+MRVRppbsDTduTCrl49xp+Ofd7vQusNw8t2mDA4bdoXgPOrHHv+0A
15+
kR4yXDwxdhWMMQ7prUKO9lYGDJL97b44B0rlyBPpqMYZshgZCGGYhzw+UXcOQ1hz
16+
M+gAKcSX/iMl12RGGeqd41SeeysXXefQLfJlyVsjr4Tx7RjemWfiwJiL5RrM3MXf
17+
UmRhZJPPDd0QTM+7LCohuPh3C142FctB3DSszHN5OWxcHGLVFsw73UtD+jLhZ2WD
18+
43Yqb+iHKafjY3hTBULQdozk14jVLTe2xfTlr8TTUilIoAdoE02LiVtL5VUqZq9x
19+
AgMBAAGjggFtMIIBaTAOBgNVHQ8BAf8EBAMCAYYwEAYJKwYBBAGCNxUBBAMCAQAw
20+
HQYDVR0OBBYEFHVUsV99cPzwjbkPqmp1wb60in5cMBkGCSsGAQQBgjcUAgQMHgoA
21+
UwB1AGIAQwBBMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU7bP/DNX8DLvF
22+
HUX1cl9wFfnIxqYwZQYDVR0fBF4wXDBaoFigVoZUaHR0cDovL3d3dy5taWNyb3Nv
23+
ZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwTWFyaW5lciUyMFJTQSUyMFJv
24+
b3QlMjBDQSUyMDIwMjMuY3JsMHIGCCsGAQUFBwEBBGYwZDBiBggrBgEFBQcwAoZW
25+
aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQl
26+
MjBNYXJpbmVyJTIwUlNBJTIwUm9vdCUyMENBJTIwMjAyMy5jcnQwDQYJKoZIhvcN
27+
AQENBQADggIBAGCiLo+kLmHETBNIjwNBCpRyamuzfXjG54bMYrS0kPjAWD8vaxA4
28+
GzaXyM/yk2q50xmEbRdDlhfdk/PkmYOFTvI+4Dd33kltMCy2/lwf1Ci8XIlYAH/e
29+
IiO4lKqIk2Dbfn2eMCMeFFx0BQ0zvxHJYUMWz/kqdTxR57LZclBUGPn+Q/2pDZYf
30+
uXGsS1rQqFBV6yxSgDLAAO9AuBvz32rwlGyichrufHEM1+YfjP8w6wpi0u/JHTeq
31+
A6zFshkXxXQYL7R8IjlCUVWIG9vBA0YgdcaYXY5MT1WctMcWCCu12gWtU3fOC86X
32+
rf+A++UtCYXAL1h4g0YOpZIL6LRh7CiR5Kh7cw9ylYv93+YESQHY2VAwCs+j/xRe
33+
xkv5oWRGkzAqESSv0iJfZg7DzvyE+9XbIYKGoS2NrPyGCStZsXl7B3QpA4dAvj0o
34+
ye5YZXbFtIgHS4uGyUYvEYYedNC4/ujZ7tcBvxKB3BzKJry7MkLtUJhfqQnVDFkY
35+
8wpy24yem9IDR0n2Ua1a9/kbmxDT+lJ4q7fMxPJf2QnTkdQXSuNejz6N4yUqiX22
36+
2HLmkDFdheq2hMY0oi5PkivsnYn7b4sDclyuen04BFBIwfy0RwRSWEfzwTfdrGT6
37+
V/XT/3n9twDIFZyK8oRjUlwo0GAiq8r0uwPOKnLQPpKJpWC4ICs1LjkB
38+
-----END CERTIFICATE-----
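Review bot: the rendered page shows no file path header for this new 38-line file; from the Source4 change in kernel.spec it appears to be azurelinux-ca-20230216.pem, and the header should be present so reviewers can tell which path is being added. The blob is the bare PEM body, so the spec or the changelog should record what it is, for example the output of `openssl x509 -in azurelinux-ca-20230216.pem -noout -subject -issuer -dates`, and the fact that it replaces cbl-mariner-ca-20211013.pem. The subject name readable in the base64 is a "Mariner Trusted Base RSA Code Signing CA" issued by a Mariner RSA root, i.e. an intermediate rather than a self-signed root; the kernel's builtin trusted keyring trusts exactly the certificates compiled in, so trusting the intermediate directly works, but say so in the changelog so nobody later expects the root to be needed as well.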

SPECS/kernel/cbl-mariner-ca-20211013.pem

Lines changed: 0 additions & 29 deletions
This file was deleted.

SPECS/kernel/config

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -296,7 +296,9 @@ CONFIG_KEXEC_CORE=y
296296
CONFIG_HAVE_IMA_KEXEC=y
297297
# CONFIG_KEXEC is not set
298298
CONFIG_KEXEC_FILE=y
299-
# CONFIG_KEXEC_SIG is not set
299+
CONFIG_KEXEC_SIG=y
300+
# CONFIG_KEXEC_SIG_FORCE is not set
301+
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
300302
CONFIG_CRASH_DUMP=y
301303
CONFIG_CRASH_HOTPLUG=y
302304
CONFIG_CRASH_MAX_MEMORY_RANGES=8192
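Review bot: `CONFIG_KEXEC_SIG=y` together with `# CONFIG_KEXEC_SIG_FORCE is not set` means kexec_file_load() verifies a signature when one is present but still accepts an unsigned or unverifiable image unless the kernel is in integrity lockdown (e.g. under Secure Boot), so the "enable signature verification" in the title is enforced only under lockdown; either set `CONFIG_KEXEC_SIG_FORCE=y` or state the lockdown dependency in the changelog. Keeping `# CONFIG_KEXEC is not set` is the right companion change, since the legacy kexec_load() path has no signature to check at all.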
@@ -7697,7 +7699,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y
76977699
# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
76987700
CONFIG_PKCS7_MESSAGE_PARSER=y
76997701
# CONFIG_PKCS7_TEST_KEY is not set
7700-
# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
7702+
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
77017703
# CONFIG_FIPS_SIGNATURE_SELFTEST is not set
77027704

77037705
#
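Review bot: `CONFIG_SIGNED_PE_FILE_VERIFICATION=y` is the dependency that `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y` in the earlier hunk needs, so the two hunks belong together and should not be split in a later revert. It also means a bzImage loaded through kexec_file_load() must carry a PE (Authenticode) signature chaining to a key in the kernel's trusted keyrings; a test that `kexec -s` of the signed kernel succeeds while an unsigned image is rejected under lockdown would make the change verifiable.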

SPECS/kernel/config_aarch64

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -275,7 +275,8 @@ CONFIG_KEXEC_CORE=y
275275
CONFIG_HAVE_IMA_KEXEC=y
276276
# CONFIG_KEXEC is not set
277277
CONFIG_KEXEC_FILE=y
278-
# CONFIG_KEXEC_SIG is not set
278+
CONFIG_KEXEC_SIG=y
279+
CONFIG_KEXEC_IMAGE_VERIFY_SIG=y
279280
CONFIG_CRASH_DUMP=y
280281
# end of Kexec and crash features
281282
# end of General setup
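Review bot: unlike the x86 config, this hunk adds `CONFIG_KEXEC_SIG=y` without any `CONFIG_KEXEC_SIG_FORCE` line; if that is because the option is not offered on arm64 in this kernel, then on aarch64 the check is again effective only under lockdown, and that asymmetry with x86 should be stated in the changelog. `CONFIG_KEXEC_IMAGE_VERIFY_SIG=y` is the arm64 counterpart of `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG` and likewise relies on the `CONFIG_SIGNED_PE_FILE_VERIFICATION=y` change in the next hunk.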
@@ -10791,7 +10792,7 @@ CONFIG_X509_CERTIFICATE_PARSER=y
1079110792
# CONFIG_PKCS8_PRIVATE_KEY_PARSER is not set
1079210793
CONFIG_PKCS7_MESSAGE_PARSER=y
1079310794
# CONFIG_PKCS7_TEST_KEY is not set
10794-
# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
10795+
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
1079510796
# CONFIG_FIPS_SIGNATURE_SELFTEST is not set
1079610797

1079710798
#

SPECS/kernel/kernel-uki.spec

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@
1313
Summary: Unified Kernel Image
1414
Name: kernel-uki
1515
Version: 6.6.57.1
16-
Release: 2%{?dist}
16+
Release: 3%{?dist}
1717
License: GPLv2
1818
Vendor: Microsoft Corporation
1919
Distribution: Azure Linux
@@ -70,6 +70,9 @@ cp %{buildroot}/boot/vmlinuz-uki-%{kernelver}.efi %{buildroot}/boot/efi/EFI/Linu
7070
/boot/efi/EFI/Linux/vmlinuz-uki-%{kernelver}.efi
7171

7272
%changelog
73+
* Tue Nov 05 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-3
74+
- Bump release to match kernel
75+
7376
* Wed Oct 30 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.57.1-2
7477
- Remove noxsaves parameter from cmdline
7578

SPECS/kernel/kernel.signatures.json

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
{
22
"Signatures": {
3-
"cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0",
4-
"config": "5636a263f1802641e806b6971303eb28f77167ef42ece09782b4638c75bf03b5",
5-
"config_aarch64": "bac4a99b57ce11f25ef8bce844ed6285932aa29139b85ccde850acaabafdcffd",
3+
"azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b",
4+
"config": "00c9071da520dd42e8465fd8d9f36945a4f6127798c16a45f5200cfd7256ed1e",
5+
"config_aarch64": "e0d92980c9388de35b7dde65a385865ef3207f4c50b0e9988f90394e8d627c77",
66
"cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985",
77
"cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98",
88
"sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f",

SPECS/kernel/kernel.spec

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -30,7 +30,7 @@
3030
Summary: Linux Kernel
3131
Name: kernel
3232
Version: 6.6.57.1
33-
Release: 2%{?dist}
33+
Release: 3%{?dist}
3434
License: GPLv2
3535
Vendor: Microsoft Corporation
3636
Distribution: Azure Linux
@@ -40,7 +40,7 @@ Source0: https://github.com/microsoft/CBL-Mariner-Linux-Kernel/archive/ro
4040
Source1: config
4141
Source2: config_aarch64
4242
Source3: sha512hmac-openssl.sh
43-
Source4: cbl-mariner-ca-20211013.pem
43+
Source4: azurelinux-ca-20230216.pem
4444
Source5: cpupower
4545
Source6: cpupower.service
4646
Patch0: 0001-add-mstflint-kernel-%{mstflintver}.patch
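Review bot: this hunk only renames Source4; the %prep/%build lines that place the PEM where `CONFIG_SYSTEM_TRUSTED_KEYS` picks it up are not in the diff, so confirm they reference `%{SOURCE4}` rather than the literal name cbl-mariner-ca-20211013.pem, which this commit deletes. Because the old CA is removed rather than kept alongside the new one (kernel.signatures.json drops its entry too), modules or kexec images signed under the 2021 chain will no longer verify on this kernel; that is presumably intended, but it should be called out.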
@@ -407,6 +407,10 @@ echo "initrd of kernel %{uname_r} removed" >&2
407407
%{_sysconfdir}/bash_completion.d/bpftool
408408

409409
%changelog
410+
* Tue Nov 05 2024 Chris Co <chrco@microsoft.com> - 6.6.57.1-3
411+
- Enable kexec signature verification
412+
- Introduce new azurelinux-ca-20230216.pem
413+
410414
* Wed Oct 30 2024 Thien Trung Vuong <tvuong@microsoft.com> - 6.6.57.1-2
411415
- UKI: remove noxsaves parameter from cmdline
412416
