

From aa072b84261eec2f4c1faaf1f8ba177313fa0e37 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Thu, 28 Nov 2024 14:05:53 +0800
Subject: fix some bugs
---
secconf/check/check_dim | 8 +++-
secconf/check/check_secure_boot | 36 ++++++++++++--
secconf/dim.go | 6 +--
secconf/gen/gen_dim | 19 ++++----
secconf/gen/gen_ima | 4 +-
secconf/gen/gen_secure_boot | 10 ++--
secconf/gen_comm.sh | 85 +++++++++++++++++++--------------
7 files changed, 107 insertions(+), 61 deletions(-)
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
index 3c392fa..bfad32d 100644
--- a/secconf/check/check_dim
+++ b/secconf/check/check_dim
@@ -23,6 +23,10 @@ dim_comm()
return 1
fi
elif [ "{{.}}" == "kernel" ]; then
+ if [ ! -f /etc/dim/digest_list/kernel.hash ]; then
+ echo "Error! The policy file doesn't match the configuration file!"
+ return 1
+ fi
grep "measure obj=KERNEL_TEXT" /etc/dim/policy &> /dev/null
if [ $? -ne 0 ]; then
echo "Error! The policy file doesn't match the configuration file!"
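Review bot: The new `! -f /etc/dim/digest_list/kernel.hash` guard reuses the policy-mismatch message, so a missing kernel baseline is reported as a policy/configuration mismatch and the operator is pointed at the wrong file. A dedicated message, `echo "Error! Kernel baseline /etc/dim/digest_list/kernel.hash is missing!"`, keeps the two failure causes distinguishable. The same commit switches the secure-boot checks from `-f` to `-s`; `-s` here would likewise reject an empty baseline file instead of passing it. dim_comm continues outside the hunk.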
@@ -55,9 +59,9 @@ dim_comm()
echo "Environment doesn't support tpm, measure_pcr configuration is invalid!"
fi
{{end}}{{ if .Signature }}
- get_usr_input "openssl is about to installed?【Y/N】"
+ check_rpm_package openssl
if [ $? -eq 1 ]; then
- yum install -y openssl || exit 1
+ return 1
fi
echo "Checking whether the certificate is configured..."
if [ -f /etc/keys/x509_dim.der ]; then
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
index 905c2e0..22d5590 100644
--- a/secconf/check/check_secure_boot
+++ b/secconf/check/check_secure_boot
@@ -5,15 +5,15 @@ secure_boot_comm()
get_usr_input "The current system doesn't support secure boot!"
return 1
fi
- get_usr_input "Pesign is about to be installed?【Y/N】"
+ check_rpm_package pesign
if [ $? -eq 1 ]; then
- yum install -y pesign || exit 1
+ return 1
fi
- get_usr_input "Mokutil is about to be installed?【Y/N】"
+ check_rpm_package mokutil
if [ $? -eq 1 ]; then
- yum install -y mokutil || exit 1
+ return 1
fi
- if [ ! -f /boot/efi/EFI/secure_boot.der ]; then
+ if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
if [ $? -eq 1 ]; then
wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
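Review bot: The `-s` test now sends an empty certificate file back through the `wget ... --no-check-certificate` fetch on the last line of the hunk, so the CA certificate the operator is later told to import into the firmware db is retrieved without TLS verification; the same fetch is kept in the gen_secure_boot hunk. Since this file becomes a boot trust anchor, drop `--no-check-certificate` (installing the proper CA bundle if the download host's chain was the reason it was added) and verify the file after download against a digest published out of band, e.g. `sha256sum -c` with a pinned `<PINNED_DIGEST>` placeholder value. The `&> /dev/null` on that line also hides the reason for a failed download from the operator. secure_boot_comm continues outside the hunk.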
@@ -34,6 +34,32 @@ secure_boot_comm()
return 1
fi
done
+ if [ -s /boot/vmlinuz-"$(uname -r)" ]; then
+ check_rpm_package gzip
+ if [ $? -eq 1 ]; then
+ return 1
+ fi
+ if [ $(arch) == "aarch64" ]; then
+ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)".gz
+ gzip -df vmlinuz-"$(uname -r)".gz
+ if [ $? -ne 0 ]; then
+ echo "failed to gzip vmlinuz, stop check"
+ rm -f vmlinuz-"$(uname -r)".gz
+ return 1
+ fi
+ else
+ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)"
+ fi
+ pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der
+ if [ $? -ne 0 ]; then
+ echo "$vmlinuz-"$(uname -r)" signature verification failed!"
+ else
+ echo "The kernel of the current version has been verified"
+ fi
+ rm -f vmlinuz-"$(uname -r)"
+ else
+ echo "The vmlinuz was not found, please check the signature manually"
+ fi
mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
if [ $? -ne 0 ]; then
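Review bot: A failed `pesigcheck` does not fail the check: the `$? -ne 0` branch after it only echoes and execution falls through to the `mokutil --db` test on the last line, so an unsigned or mis-signed kernel still yields a passing run. The message in that branch is broken as well — `$vmlinuz` is never assigned and the quotes close around it, so it prints `-<release> signature verification failed!`. Replace the branch body with `echo "vmlinuz-$(uname -r) signature verification failed!"`, `rm -f vmlinuz-"$(uname -r)"`, `return 1`. The working copy is also written to whatever the current directory happens to be; a `mktemp -d` directory removed by a trap would keep the kernel image out of the caller's cwd when an early `return 1` skips the later `rm -f`. secure_boot_comm continues outside the hunk.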
diff --git a/secconf/dim.go b/secconf/dim.go
index 220abde..a37915b 100644
--- a/secconf/dim.go
+++ b/secconf/dim.go
@@ -15,12 +15,12 @@ type Dim struct {
DimIsEnable bool `default:"false" yaml:"enable"`
MeasureList []string `yaml:"measure_list"`
BaselineIsEnable bool `default:"false" yaml:"auto_baseline"`
- MeasureLogCapacity uint64 `default:"100000" yaml:"log_cap"`
+ MeasureLogCapacity uint32 `default:"100000" yaml:"log_cap"`
MeasureHash string `default:"sha256" yaml:"hash"`
CorePcr uint16 `default:"0" yaml:"core_pcr"`
MonitorPcr uint16 `default:"0" yaml:"monitor_pcr"`
- MeasureSchedule uint64 `default:"0" yaml:"schedule"`
- MeasureInterval uint64 `default:"0" yaml:"interval"`
+ MeasureSchedule uint32 `default:"0" yaml:"schedule"`
+ MeasureInterval uint32 `default:"0" yaml:"interval"`
Signature bool `default:"false" yaml:"signature"`
}
diff --git a/secconf/gen/gen_dim b/secconf/gen/gen_dim
index b310eaf..9174a92 100644
--- a/secconf/gen/gen_dim
+++ b/secconf/gen/gen_dim
@@ -1,9 +1,9 @@
dim_comm()
{
{{ with .Dim }}{{if .DimIsEnable}}
- get_usr_input "dim is about to install?【Y/N】"
+ check_rpm_package dim
if [ $? -eq 1 ]; then
- yum install -y dim || exit 1
+ return 1
fi
get_usr_input "New static baseline file and policy will be created at /etc/dim?【Y/N】"
if [ $? -eq 1 ]; then
@@ -19,14 +19,15 @@ dim_comm()
return 1
fi
- get_usr_input "dim_tools is about to install?【Y/N】"
+ check_rpm_package dim_tools
if [ $? -eq 1 ]; then
- yum install -y dim_tools || exit 1
+ return 1
fi
+ dimHash={{.MeasureHash}}
{{range .MeasureList}}
if [ -f "{{.}}" ] ; then
echo "Establishing static baseline" {{.}}
- dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash
+ dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash -a $dimHash
if [ $? -ne 0 ]; then
echo "Error! Static baseline establishment failed" {{.}}
return 1
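Review bot: `dimHash={{.MeasureHash}}` is assigned unquoted and then expanded unquoted in `-a $dimHash` (also in the following two hunks, for kernel.hash and the module baselines), so an empty or whitespace-containing `hash` value from the configuration becomes a bare `-a` with no argument, or extra words, on the dim_gen_baseline command line. Quote both sides, `dimHash="{{.MeasureHash}}"` and `-a "$dimHash"`, and since the assignment lives inside dim_comm, `local dimHash="{{.MeasureHash}}"` keeps it out of the global scope. dim_comm starts and ends outside the hunk.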
@@ -34,7 +35,7 @@ dim_comm()
echo "measure obj=BPRM_TEXT path={{.}}" >> /etc/dim/policy
elif [ "{{.}}" == "kernel" ]; then
echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy
- dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/test.hash /boot/vmlinuz-6*
+ dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-6* -a $dimHash
if [ $? -ne 0 ]; then
echo "Kernel static baseline establishment failed"
return 1
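Review bot: The rewritten `dim_gen_baseline -k "$(uname -r)" ... /boot/vmlinuz-6*` line still passes a glob for the kernel image while `-k` names one specific release, so with several 6.x kernels installed the tool receives every image, and with none the literal pattern is passed through unchanged. Pointing at the running kernel, `/boot/vmlinuz-"$(uname -r)"`, matches the `-k` argument and is the same file the check_secure_boot hunk now verifies. dim_comm continues outside the hunk.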
@@ -48,7 +49,7 @@ dim_comm()
xz -d -k $moduleFilePath
moduleFilePath=${moduleFilePath%.*}
fi
- dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash
+ dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash -a $dimHash
if [ $? -ne 0 ]; then
echo "Static baseline establishment failed" {{.}}
return 1
@@ -73,9 +74,9 @@ dim_comm()
return 1
fi
{{if .Signature}}
- get_usr_input "openssl is about to install?【Y/N】"
+ check_rpm_package openssl
if [ $? -eq 1 ]; then
- yum install -y openssl || exit 1
+ return 1
fi
get_usr_input "Generate keys and certificates automatically?【Y/N】"
if [ $? -eq 1 ]; then
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 0657cdf..84d1b4b 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -16,9 +16,9 @@ measure_list+=({{.}})
needReboot=false
packages=("ima-evm-utils" "digest-list-tools")
for pkg in "${packages[@]}"; do
- get_usr_input "${pkg} is about to installed?【Y/N】"
+ check_rpm_package ${pkg}
if [ $? -eq 1 ]; then
- yum install -y ${pkg} || exit 1
+ return 1
fi
done
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index 4decd48..a1e0d36 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -3,26 +3,26 @@ secure_boot_comm()
{{ with .SecureBoot }}
{{if .SecureBootIsEnable}}
if [ ! -d /sys/firmware/efi ]; then
- get_usr_input "Error! The current environment does not support secure boot."
+ get_usr_input "The current environment does not support secure boot."
return 1
fi
- get_usr_input "mokutil is about to install?【Y/N】"
+ check_rpm_package mokutil
if [ $? -eq 1 ]; then
- yum install -y mokutil || exit 1
+ return 1
fi
mokutil --sb | grep enabled
if [ $? -ne 0 ]; then
mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
if [ $? -ne 0 ]; then
echo "Secure boot certificate is not saved in DB!"
- if [ -f /boot/efi/EFI/secure_boot.der ]; then
+ if [ -s /boot/efi/EFI/secure_boot.der ]; then
echo "The file already exists. Please restart and import the file to the BIOS."
else
get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
if [ $? -eq 1 ]; then
wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
if [ $? -ne 0 ]; then
- echo "Error! Certificate downloaded failed. Please obtain the certificate manually!"
+ echo "Certificate downloaded failed. Please obtain the certificate manually!"
return 1
fi
echo "The certificate download is successful. Please restart later and enter the bios, then import the certificate into the DB!"
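Review bot: `get_usr_input "The current environment does not support secure boot."` still routes a plain error statement through the Y/N prompt, so the generated script blocks on `read` waiting for an answer to a message that is not a question (and under `-s` it is silently answered Y before the `return 1`). The reworded line should be `echo "The current environment does not support secure boot."`, leaving the prompt for the install and download questions that follow. secure_boot_comm continues outside the hunk.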
diff --git a/secconf/gen_comm.sh b/secconf/gen_comm.sh
index f28dba7..ec19cf5 100644
--- a/secconf/gen_comm.sh
+++ b/secconf/gen_comm.sh
@@ -1,52 +1,67 @@
set_skip_usr_input=0
set_reboot=0
+check_rpm_package()
+{
+ rpm -q $1 &> /dev/null
+ if [ $? -ne 0 ]; then
+ get_usr_input "$1 is about to install?【Y/N】"
+ if [ $? -eq 1 ]; then
+ yum install -y $1 || exit 1
+ else
+ echo "The $1 does not exit, skip."
+ return 1
+ fi
+ fi
+ return 0
+}
+
get_usr_input()
{
- echo $1
- if [ $set_skip_usr_input -eq 0 ]; then
- read -r userInput
- else
- userInput=Y
- fi
+ echo $1
+ if [ $set_skip_usr_input -eq 0 ]; then
+ read -r userInput
+ else
+ userInput=Y
+ fi
- if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
- return 0
- else
- return 1
- fi
+ if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
+ return 0
+ else
+ return 1
+ fi
}
usage()
{
- echo "Usage: $(basename $0) [OPTION]"
- echo " -s, --skip 设置跳过询问"
- echo " -r, --run 正常执行"
- echo " -h, --help 显示帮助信息"
+ echo "Usage: $(basename $0) [OPTION]"
+ echo " -s, --skip 设置跳过询问"
+ echo " -r, --run 正常执行"
+ echo " -h, --help 显示帮助信息"
}
while true
do
- case "$1" in
- -s|--skip)
- set_skip_usr_input=1
-{{range .ShellFuns}} {{.}}
+ case "$1" in
+ -s|--skip)
+ set_skip_usr_input=1
+{{range .ShellFuns}} {{.}}
{{ end }}
- exit 0
- ;;
- -r|--run)
-{{range .ShellFuns}} {{.}}
+ exit 0
+ ;;
+ -r|--run)
+{{range .ShellFuns}} {{.}}
{{ end }}
- exit 0
- ;;
- -h|--help)
- usage
- exit $?
- ;;
- *)
- echo -e "Need Correct Arguments!\n"
- usage
- exit $LA_ERR
- ;;
- esac
+ exit 0
+ ;;
+ -h|--help)
+ usage
+ exit $?
+ ;;
+ *)
+ echo -e "Need Correct Arguments!\n"
+ usage
+ exit $LA_ERR
+ ;;
+ esac
done
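Review bot: `yum install -y $1 || exit 1` inside the new `check_rpm_package` terminates the whole generated script from within the helper, while a declined install returns 1 and is handled by each caller's `$? -eq 1 ... return 1` path; with several modules in `{{range .ShellFuns}}`, one failed install therefore cuts off every later module's output. `yum install -y "$1" || return 1` makes both outcomes flow through the callers uniformly (if the hard abort is intended, a comment above the function should say so). `$1` is expanded unquoted in `rpm -q $1` and the `yum` line, and the skip message has a typo: `rpm -q "$1" &> /dev/null`, `yum install -y "$1" || return 1`, `echo "The $1 does not exist, skip."`. Because the helper is now also invoked from the check_dim and check_secure_boot hunks, a check run can install packages after prompting; that is worth stating in a comment above the function. The rest of the hunk is re-indentation; it carries over `exit $LA_ERR` with no definition of LA_ERR visible in this patch — if it is unset, the line collapses to a bare `exit` and the invalid-argument path returns the status of the preceding `usage` call rather than an error.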
--
2.33.0