VBox

Timestamp:

Sep 9, 2022 2:19:56 PM (2 years ago)

Author:

vboxsync

Message:

Linux Host: vboxdrv.sh: Adjust Secure Boot related part of the script, bugref:10287.

File:

: 1 edited

trunk/src/VBox/Installer/linux/vboxdrv.sh (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/src/VBox/Installer/linux/vboxdrv.sh

-              r96407
+              r96679
 esac
+# Try to find a tool for modules signing.
+SIGN_TOOL=$(which kmodsign 2>/dev/null)
+# Attempt to use in-kernel signing tool if kmodsign not found.
+if test -z "$SIGN_TOOL"; then
+    if test -x "/lib/modules/$KERN_VER/build/scripts/sign-file"; then
+        SIGN_TOOL="/lib/modules/$KERN_VER/build/scripts/sign-file"
+    fi
+fi
+if type update-secureboot-policy >/dev/null 2>&1; then
+    HAVE_UPDATE_SECUREBOOT_POLICY_TOOL=true
+fi
 [ -r /etc/default/virtualbox ] && . /etc/default/virtualbox
 …
+}
+# Reads CONFIG_MODULE_SIG_HASH from kernel config.
+kernel_module_sig_hash()
+{
+    /lib/modules/"$KERN_VER"/build/scripts/config \
+        --file /lib/modules/"$KERN_VER"/build/.config \
+        --state CONFIG_MODULE_SIG_HASH 2>/dev/null
+}
+# Returns "1" if kernel module signature hash algorithm
+# is supported by us. Or empty string otherwise.
+module_sig_hash_supported()
+{
+    sig_hashalgo="$1"
+    [ -n "$sig_hashalgo" ] || return
+    # Go through supported list.
+    [    "$sig_hashalgo" = "sha1"   \
+      -o "$sig_hashalgo" = "sha224" \
+      -o "$sig_hashalgo" = "sha256" \
+      -o "$sig_hashalgo" = "sha384" \
+      -o "$sig_hashalgo" = "sha512" ] || return
+    echo "1"
+}
+# Returns "1" if module is signed and signature can be verified
+# with public key provided in DEB_PUB_KEY. Or empty string otherwise.
+module_signed()
+{
+    mod="$1"
+    [ -n "$mod" ] || return
+    extraction_tool=/lib/modules/"$(uname -r)"/build/scripts/extract-module-sig.pl
+    mod_path=$(module_path "$mod" 2>/dev/null)
+    openssl_tool=$(which openssl 2>/dev/null)
+    # Do not use built-in printf!
+    printf_tool=$(which printf 2>/dev/null)
+    # Make sure all the tools required for signature validation are available.
+    [ -x "$extraction_tool" ] || return
+    [ -n "$mod_path"        ] || return
+    [ -n "$openssl_tool"    ] || return
+    [ -n "$printf_tool"     ] || return
+    # Make sure openssl can handle hash algorithm.
+    sig_hashalgo=$(modinfo -F sig_hashalgo vboxdrv 2>/dev/null)
+    [ "$(module_sig_hash_supported $sig_hashalgo)" = "1" ] || return
+    # Generate file names for temporary stuff.
+    mod_pub_key=$(mktemp -u)
+    mod_signature=$(mktemp -u)
+    mod_unsigned=$(mktemp -u)
+    # Convert public key in DER format into X509 certificate form.
+    "$openssl_tool" x509 -pubkey -inform DER -in "$DEB_PUB_KEY" -out "$mod_pub_key" 2>/dev/null
+    # Extract raw module signature and convert it into binary format.
+    "$printf_tool" \\x$(modinfo -F signature "$mod" | sed -z 's/[ \t\n]//g' | sed -e "s/:/\\\x/g") 2>/dev/null > "$mod_signature"
+    # Extract unsigned module for further digest calculation.
+    "$extraction_tool" -0 "$mod_path" 2>/dev/null > "$mod_unsigned"
+    # Verify signature.
+    rc=""
+    "$openssl_tool" dgst "-$sig_hashalgo" -binary -verify "$mod_pub_key" -signature "$mod_signature" "$mod_unsigned" 2>&1 >/dev/null && rc="1"
+    # Clean up.
+    rm -f $mod_pub_key $mod_signature $mod_unsigned
+    # Check result.
+    [ "$rc" = "1" ] || return
+    echo "1"
+}
 # Returns "1" if externally built module is available in the system and its
 # version and revision number do match to current VirtualBox installation.
 …
     mod_dir="$(dirname "$mod_path" | sed 's;^.*/;;')"
     [ "$mod_dir" = "misc" ] || return
+    # In case if system is running in Secure Boot mode, check if module is signed.
+    if test -n "$HAVE_SEC_BOOT"; then
+        [ "$(module_signed "$mod")" = "1" ] || return
+    fi
     echo "1"
 …
     sync
     succ_msg "VirtualBox kernel modules built"
+    # Secure boot on Ubuntu and Debian.
+    if test -n "$HAVE_SEC_BOOT" &&
+        type update-secureboot-policy >/dev/null 2>&1; then
+        SHIM_NOTRIGGER=y update-secureboot-policy --new-key
+    fi
+    if test -f "$DEB_PUB_KEY" && test -f "$DEB_PRIV_KEY"; then
+        HAVE_DEB_KEY=true
+    # Secure boot on Ubuntu, Debian and Oracle Linux.
+    if test -n "$HAVE_SEC_BOOT"; then
+        begin_msg "Signing VirtualBox kernel modules" console
+        # Generate new signing key if needed.
+        [ -n "$HAVE_UPDATE_SECUREBOOT_POLICY_TOOL" ] && SHIM_NOTRIGGER=y update-secureboot-policy --new-key
+        # Check if signing keys are in place.
+        if test ! -f "$DEB_PUB_KEY" || ! test -f "$DEB_PRIV_KEY"; then
+            # update-secureboot-policy tool present in the system, but keys were not generated.
+            [ -n "$HAVE_UPDATE_SECUREBOOT_POLICY_TOOL" ] && failure "Unable to find signing keys, aborting"
+            # update-secureboot-policy not present in the system, recommend generate keys manually.
+            failure "
+System is running in Secure Boot mode, however your distribution
+does not provide tools for automatic generation of keys needed for
+modules signing. Please consider to generate and enroll them manually:
+    sudo mkdir -p /var/lib/shim-signed/mok
+    sudo openssl req -nodes -new -x509 -newkey rsa:2048 -outform DER -keyout $DEB_PRIV_KEY -out $DEB_PUB_KEY
+    sudo sudo mokutil --import $DEB_PUB_KEY
+    sudo reboot
+Restart \"rcvboxdrv setup\" after system is rebooted.
+"
+        fi
+        # Check if signing tool is available.
+        [ -n "$SIGN_TOOL" ] || failure "Unable to find signing tool"
+        # Get kernel signature hash algorithm from kernel config and validate it.
+        sig_hashalgo=$(kernel_module_sig_hash)
+        [ "$(module_sig_hash_supported $sig_hashalgo)" = "1" ] \
+            || failure "Unsupported kernel signature hash algorithm $sig_hashalgo"
+        # Sign modules.
         for i in $MODULE_LIST; do
+            kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv \
+                /var/lib/shim-signed/mok/MOK.der \
+                /lib/modules/"$KERN_VER"/misc/"$i".ko
+            "$SIGN_TOOL" "$sig_hashalgo" "$DEB_PRIV_KEY" "$DEB_PUB_KEY" \
+                /lib/modules/"$KERN_VER"/misc/"$i".ko 2>/dev/null || failure "Unable to sign $i.ko"
         done
+        # update-secureboot-policy "expects" DKMS modules.
+        # Work around this and talk to the authors as soon
+        # as possible to fix it.
+        mkdir -p /var/lib/dkms/vbox-temp
+        update-secureboot-policy --enroll-key 2>/dev/null ||
+            begin_msg "Failed to enroll secure boot key." console
+        rmdir -p /var/lib/dkms/vbox-temp 2>/dev/null
+        # Enroll signing key if needed.
+        if test -n "$HAVE_UPDATE_SECUREBOOT_POLICY_TOOL"; then
+            # update-secureboot-policy "expects" DKMS modules.
+            # Work around this and talk to the authors as soon
+            # as possible to fix it.
+            mkdir -p /var/lib/dkms/vbox-temp
+            update-secureboot-policy --enroll-key 2>/dev/null ||
+                begin_msg "Failed to enroll secure boot key." console
+            rmdir -p /var/lib/dkms/vbox-temp 2>/dev/null
+            # Indicate that key has been enrolled and reboot is needed.
+            HAVE_DEB_KEY=true
+        fi
+        succ_msg "Signing completed"
     fi
+}

Note: See TracChangeset for help on using the changeset viewer.

Changeset 96679 in vbox for trunk/src/VBox

Legend:

trunk/src/VBox/Installer/linux/vboxdrv.sh

Download in other formats: