File grub2-s390x-secure-execution-support.patch of Package grub2

Overview Repositories Revisions Requests Users Attributes Meta

File grub2-s390x-secure-execution-support.patch of Package grub2

From 023b569648eece7a7fe2ae38d731185a1f2abeb5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 23 Aug 2024 09:57:03 +0800
Subject: [PATCH] s390x: add Secure Execution support

To support Secure Execution, 2 extra files and 5 environment variables
are introduced.

- se-parm.conf.in
  The template file for the kernel parameter to be used by 'genprotimg'

- se-zipl2grub.conf.in
  The template file of zipl.conf for secure execution

- SUSE_S390_SE_ENABLE
  The variable to enable s390x Secure Execution

- SUSE_S390_SE_HOST_KEY
  The variable to set the file list to the host key documents

- SUSE_S390_SE_HOST_KEY_SIGNING_KEY
  The variable to set the file list to the signing key certificates

- SUSE_S390_SE_CA_CERT
  The variable to set the file path to the CA certificate

- SUSE_S390_SE_REVOCATION_LIST
  The variable to set the file list of the host key revocation lists

When enabling Secure Execution, the zipl initrd is generated in
"/dev/shm/zipl-se" instead of "/boot/zipl" because the zipl initrd
may contain the LUKS key for the encrypted root partition. Then,
'genprotimg' stores the encrypted image, a combination of the zipl
kernel, zipl initrd, and the kernel parameters, as
"/boot/secure-linux-$version". To make the image ready for zipl,
it is copied to "/boot/zipl/secure-linux-$version" and linked to
"/boot/zipl/secure-linux" which is expected by the zipl config.
---
 Makefile.util.def               |  17 +++
 util/s390x/se-parm.conf.in      |   1 +
 util/s390x/se-zipl2grub.conf.in |  17 +++
 util/s390x/zipl2grub.pl.in      | 202 ++++++++++++++++++++++++++------
 4 files changed, 198 insertions(+), 39 deletions(-)
 create mode 100644 util/s390x/se-parm.conf.in
 create mode 100644 util/s390x/se-zipl2grub.conf.in

diff --git a/Makefile.util.def b/Makefile.util.def
index ffedea24a..722542933 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -796,6 +796,23 @@ data = {
   emu_condition = COND_s390x;
 };
 
+data = {
+  name = se-parm.conf.in;
+  common = util/s390x/se-parm.conf.in;
+  installdir = grubconf;
+  enable = emu;
+  emu_condition = COND_s390x;
+};
+
+data = {
+  name = se-zipl2grub.conf.in;
+  common = util/s390x/se-zipl2grub.conf.in;
+  installdir = grubconf;
+  enable = emu;
+  emu_condition = COND_s390x;
+};
+
+
 script = {
   name = dracut-module-setup.sh;
   common = util/s390x/dracut-module-setup.sh.in;
diff --git a/util/s390x/se-parm.conf.in b/util/s390x/se-parm.conf.in
new file mode 100644
index 000000000..63959b753
--- /dev/null
+++ b/util/s390x/se-parm.conf.in
@@ -0,0 +1 @@
+root=@GRUB_DEVICE@ @GRUB_EMU_CONMODE@ @GRUB_CMDLINE_LINUX@ @GRUB_CMDLINE_LINUX_DEFAULT@ initgrub quiet splash=silent plymouth.enable=0
diff --git a/util/s390x/se-zipl2grub.conf.in b/util/s390x/se-zipl2grub.conf.in
new file mode 100644
index 000000000..e9feeb9b6
--- /dev/null
+++ b/util/s390x/se-zipl2grub.conf.in
@@ -0,0 +1,17 @@
+## This is the template for '@zipldir@/config' and is subject to
+## rpm's %config file handling in case of grub2-s390x-emu package update.
+
+[defaultboot]
+defaultmenu = menu
+
+[grub2-secure]
+    target = @zipldir@
+    image = @zipldir@/secure-linux
+
+:menu
+    target = @zipldir@
+    timeout = 60
+    default = 1
+    prompt = 0
+    secure = @SUSE_SECURE_BOOT@
+    1 = grub2-secure
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
index 46b902209..930ecc4cd 100644
--- a/util/s390x/zipl2grub.pl.in
+++ b/util/s390x/zipl2grub.pl.in
@@ -12,10 +12,19 @@ my $definitrd = "/boot/initrd";
 my $Image = "$defimage";
 my $previous = ".prev";
 my $zipldir = "";
+my $imgdir = "";
 my $running = "";
 my $refresh = 1; # needs to default to "on" until most bugs are shaken out!
 my $force = 0;
 my $hostonly = 1;
+my $secure_exec = 0;
+my $sehostkey = "";
+my $sesignkey = "";
+my $secacert = "";
+my $serevoke = "";
+my $separm= "";
+my $se_zipconf = '@sysconfdir@/default/se-zipl2grub.conf.in';
+my $se_kernparm = '@sysconfdir@/default/se-parm.conf.in';
 my $verbose = 0;
 my $debug = 0;
 my $miss = 0;
@@ -183,6 +192,55 @@ sub ChkInitrd($$) {
   return $found;
 }
 
+sub GenSEImage($$$$) {
+  my( $kernel, $initrd, $parm, $out_image) = @_;
+
+  # genprotimg -i <kernel-image-file> \
+  #            -r <initrd-file>> \
+  #            -p <parm-file> \
+  #            --host-key-document <host-key-doc> \
+  #            --cert ibm-z-host-key-signing.crt \
+  #            --cert DigiCertCA.crt \
+  #            --crl revocation.crl \
+  #            -o /boot/zipl/secure-linux
+
+  my @C = ( "genprotimg", "-i", $kernel, "-r", $initrd, "-p", $parm,
+	    "--cert", $secacert);
+
+  # Handle the host key document list
+  if ($sehostkey) {
+    my @sehostkey_list = split('[,\s]+', $sehostkey);
+    my $hkd;
+    foreach $hkd (@sehostkey_list) {
+      Panic( 1, "$C: host key document '$hkd' not readable!?\n") unless (-r $hkd);
+      push @C, "--host-key-document", $hkd;
+    }
+  }
+
+  # Handle the signing key list
+  if ($sesignkey) {
+    my @sesignkey_list = split('[,\s]+', $sesignkey);
+    my $signkey;
+    foreach $signkey (@sesignkey_list) {
+      Panic( 1, "$C: signing key '$signkey' not readable!?\n") unless (-r $signkey);
+      push @C, "--cert", $signkey;
+    }
+  }
+
+  # Handle the revocation list files
+  if ($serevoke) {
+    my @serevoke_list = split('[,\s]+', $serevoke);
+    my $crl;
+    foreach $crl (@serevoke_list) {
+      Panic( 1, "$C: revocation list '$crl' not readable!?\n") unless (-r $crl);
+      push @C, "--crl", $crl;
+    }
+  }
+
+  push @C, "-o", "$out_image";
+  System( @C);
+}
+
 sub Usage($) {
   my @cat = ("",
 	"Parameter error.",
@@ -401,49 +459,91 @@ if ( $debug && $verbose > 2 ) {
   }
 }
 
-open( IN, "< $in") ||
-   Panic( 1, "$C: Failed to open 'zipl.conf' template: $!.\n");
-while ( <IN> ) {
-  Info( 4, "$.. <$_$.. >");
-  if ( $. == 1 && m{^## This} ) {
-    $_ = "## This file was written by 'grub2-install/$C'\n" .
-	 "## filling '$in' as template\n";
-  } elsif ( $. == 2 && m{^## rpm's} ) {
-    $_ = "## with values from '$default'.\n" .
-	 "## In-place modifications will eventually go missing!\n";
+#
+# s390x Secure Execution variables
+#
+# SUSE_S390_SE_ENABLE: enabling s390x Secure Execution
+# SUSE_S390_SE_HOST_KEY: the host key
+# SUSE_S390_SE_HOST_KEY_SIGNING_KEY: the signing key of the host key
+# SUSE_S390_SE_CA_CERT: the CA certificate
+# SUSE_S390_SE_REVOCATION_LIST: the revocation list
+#
+if ( -r $C{SUSE_S390_SE_HOST_KEY} && -r $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY} &&
+     -r $C{SUSE_S390_SE_CA_CERT}) {
+
+  $sehostkey = $C{SUSE_S390_SE_HOST_KEY};
+  $sesignkey = $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY};
+  $secacert = $C{SUSE_S390_SE_CA_CERT};
+
+  $serevoke = $C{SUSE_S390_SE_REVOCATION_LIST} if $C{SUSE_S390_SE_REVOCATION_LIST};
+
+  if ( $C{SUSE_S390_SE_ENABLE} =~ m{^(yes|true|1)$} ) {
+    $secure_exec = 1;
   }
-  while ( m{\@([^\@\s]+)\@} ) {
-    my $k = $1;
-    my $v;
-    if ( exists( $C{$k}) ) {
-      $v = $C{$k};
-    } elsif ( exists( $Mandatory{$k}) ) {
-      $v =  "$k";
-      $miss++;
-    } else {
-      $v = "";
+}
+
+sub MkConfig($$) {
+  my( $template, $name) = @_;
+  open( IN, "< $template") ||
+     Panic( 1, "$C: Failed to open '$name' template: $!.\n");
+  while ( <IN> ) {
+    Info( 4, "$.. <$_$.. >");
+    if ( $. == 1 && m{^## This} ) {
+      $_ = "## This file was written by 'grub2-install/$C'\n" .
+	   "## filling '$template' as template\n";
+    } elsif ( $. == 2 && m{^## rpm's} ) {
+      $_ = "## with values from '$default'.\n" .
+	   "## In-place modifications will eventually go missing!\n";
     }
-    if ($k eq "GRUB_DEVICE") {
-      if (($v !~ /^UUID/ && ! -e $v) ||
-          (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
-          $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
-        s{root=\@$k\@}{}g;
-        next;
+    while ( m{\@([^\@\s]+)\@} ) {
+      my $k = $1;
+      my $v;
+      if ( exists( $C{$k}) ) {
+	$v = $C{$k};
+      } elsif ( exists( $Mandatory{$k}) ) {
+	$v =  "$k";
+	$miss++;
+      } else {
+	$v = "";
+      }
+      if ($k eq "GRUB_DEVICE") {
+	if (($v !~ /^UUID/ && ! -e $v) ||
+	  (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
+	  $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
+	    s{root=\@$k\@}{}g;
+	    next;
+	}
       }
+      s{\@$k\@}{$v}g;
     }
-    s{\@$k\@}{$v}g;
+    Info( 3, $_);
+    $cfg .= $_;
+  }
+  if ( $miss ) {
+    Info( 1, "Partially filled config:\n===\n$cfg===\n");
+    Panic( 1, "$C: '$name' template could not be filled. \n");
   }
-  Info( 3, $_);
-  $cfg .= $_;
 }
-if ( $miss ) {
-  Info( 1, "Partially filled config:\n===\n$cfg===\n");
-  Panic( 1, "$C: 'zipl.conf' template could not be filled. \n");
+
+if ( $secure_exec ) {
+  # create the kernel parameter file
+  MkConfig($se_kernparm, "parm.conf");
+  $separm = $cfg;
+
+  # clean up $cfg to reuse the variable for zipl.conf
+  $cfg = "";
+  MkConfig($se_zipconf, "zipl.conf");
+  $imgdir = "/dev/shm/zipl-se";
+
+  mkdir ($imgdir, 0700) unless (-d $imgdir);
+} else {
+  MkConfig($in, "zipl.conf");
+  $imgdir = $zipldir;
 }
 
 # copy out kernel and initrd
-my $ziplimage = "$zipldir/image";
-my $ziplinitrd = "$zipldir/initrd";
+my $ziplimage = "$imgdir/image";
+my $ziplinitrd = "$imgdir/initrd";
 
 if ( ! $running && ! $force ) {
   chomp( $running = qx{uname -r});
@@ -478,18 +578,42 @@ my $initrd = "initrd-$version";
 $image = "image-$version";
 
 if ( ! -r $ziplimage || ! -r $ziplinitrd || $refresh ) {
-  BootCopy( $Image, $image, $zipldir, "image");
-  BootCopy( $initrd, $initrd, $zipldir, "initrd")
+  BootCopy( $Image, $image, $imgdir, "image");
+  BootCopy( $initrd, $initrd, $imgdir, "initrd")
     if (-r "/boot/$initrd" && ! exists( $fsdev{"/boot"}));
 }
-if ( $refresh || ChkInitrd( $zipldir, "initrd") <= 0 ) {
-  MkInitrd( $initrd, $zipldir, $version);
+if ( $refresh || ChkInitrd( $imgdir, "initrd") <= 0 ) {
+  MkInitrd( $initrd, $imgdir, $version);
 }
-if ( ChkInitrd( $zipldir, "initrd") == 0 ) {
+if ( ChkInitrd( $imgdir, "initrd") == 0 ) {
   Info( 0, "$C: dracut does not work as expected! Help needed!\n");
   $miss++;
 }
 
+if ( $secure_exec ) {
+  my $seimage = "secure-linux-$version";
+  my $parmconf = "$imgdir/parm.conf";
+  my $bootseimg = "/boot/$seimage";
+
+  # write parm.conf
+  if ( ! $debug ) {
+    open( OUT, "> $parmconf") || die;
+    print( OUT $separm) || die;
+    close( OUT);
+  } else {
+    print( STDERR $separm);
+  }
+
+  # Create the secure-execution image in /boot first
+  GenSEImage( $ziplimage, $ziplinitrd, $parmconf, $bootseimg );
+
+  # check /boot/$seimage
+  Panic( 1, "$C: Secure Image '$bootseimg' not readable!?\n") unless (-r "$bootseimg");
+
+  # copy /boot/$seimage to $zipldir
+  BootCopy($seimage, $seimage, $zipldir, "secure-linux");
+}
+
 # write zipl config file
 my $ziplconf = "$zipldir/config";
 $cfg =~ s{#@}{}g if ( -r "$ziplimage$previous"  && -r "$ziplinitrd$previous" );
-- 
2.43.0

Places

File grub2-s390x-secure-execution-support.patch of Package grub2

Places