108 lines
4.8 KiB
Diff
108 lines
4.8 KiB
Diff
|
From 59722538bfc1c500ba6124aca3533ff6811c6616 Mon Sep 17 00:00:00 2001
|
|||
|
|
From: jinlun <jinlun@huawei.com>
|
|||
|
|
Date: Thu, 5 Dec 2024 20:27:36 +0800
|
|||
|
|
Subject: add the wget timeout mechanism and optimize the dim
|
|||
|
|
check the modsign script is optimized.
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
secconf/check/check_dim | 3 ++-
|
|||
|
|
secconf/check/check_modsign | 4 ++--
|
|||
|
|
secconf/check/check_secure_boot | 2 +-
|
|||
|
|
secconf/gen/gen_modsign | 4 ++--
|
|||
|
|
secconf/gen/gen_secure_boot | 2 +-
|
|||
|
|
5 files changed, 8 insertions(+), 7 deletions(-)
|
|||
|
|
|
|||
|
|
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
|
|||
|
|
index bfad32d..0166a97 100644
|
|||
|
|
--- a/secconf/check/check_dim
|
|||
|
|
+++ b/secconf/check/check_dim
|
|||
|
|
@@ -82,7 +82,7 @@ dim_comm()
|
|||
|
|
else
|
|||
|
|
echo "Skip the baseline file consistency check."
|
|||
|
|
fi
|
|||
|
|
-{{end}}{{ if .BaselineIsEnable }}
|
|||
|
|
+{{end}}
|
|||
|
|
echo "Checking whether the DIM kernel module is loaded"
|
|||
|
|
lsmod | grep dim_monitor &> /dev/null
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
@@ -98,6 +98,7 @@ dim_comm()
|
|||
|
|
echo "Error! dim_core is not loaded!"
|
|||
|
|
return 1
|
|||
|
|
fi
|
|||
|
|
+{{ if .BaselineIsEnable }}
|
|||
|
|
echo "Checking if baseline is configured..."
|
|||
|
|
cat /sys/kernel/security/dim/monitor_ascii_runtime_measurements | wc -l | grep 2 &> /dev/null
|
|||
|
|
if [ $? -ne 0 ]; then
|
|||
|
|
diff --git a/secconf/check/check_modsign b/secconf/check/check_modsign
|
|||
|
|
index 99d7a00..143d319 100644
|
|||
|
|
--- a/secconf/check/check_modsign
|
|||
|
|
+++ b/secconf/check/check_modsign
|
|||
|
|
@@ -7,7 +7,7 @@ modsign_comm()
|
|||
|
|
grub_path="/boot/efi/EFI/openEuler/grub.cfg"
|
|||
|
|
fi
|
|||
|
|
{{ if .Enable }}
|
|||
|
|
- grep sig_enforce $grub_path &> /dev/null
|
|||
|
|
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
echo "Kernel Module Signature Verification has been configured."
|
|||
|
|
fi
|
|||
|
|
@@ -18,7 +18,7 @@ modsign_comm()
|
|||
|
|
echo "Kernel Module Signature Verification hasn't benn activated. Please restart to activate!"
|
|||
|
|
fi
|
|||
|
|
{{ else }}
|
|||
|
|
- grep sig_enforce $grub_path &> /dev/null
|
|||
|
|
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
echo "Kernel Module Signature Verification is not disable."
|
|||
|
|
fi
|
|||
|
|
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
|
|||
|
|
index 22d5590..587deaf 100644
|
|||
|
|
--- a/secconf/check/check_secure_boot
|
|||
|
|
+++ b/secconf/check/check_secure_boot
|
|||
|
|
@@ -16,7 +16,7 @@ secure_boot_comm()
|
|||
|
|
if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
|
|||
|
|
get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
|
|||
|
|
if [ $? -eq 1 ]; then
|
|||
|
|
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
|
|||
|
|
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
|
|||
|
|
if [ $? -ne 0 ]; then
|
|||
|
|
echo "Secure Boot cerificate download failed,Please obtain the certificate in other ways"
|
|||
|
|
return 1
|
|||
|
|
diff --git a/secconf/gen/gen_modsign b/secconf/gen/gen_modsign
|
|||
|
|
index 2917ea1..dc20ee3 100644
|
|||
|
|
--- a/secconf/gen/gen_modsign
|
|||
|
|
+++ b/secconf/gen/gen_modsign
|
|||
|
|
@@ -6,14 +6,14 @@ modsign_comm()
|
|||
|
|
else
|
|||
|
|
grub_path="/boot/efi/EFI/openEuler/grub.cfg"
|
|||
|
|
fi
|
|||
|
|
- grep sig_enforce $grub_path &> /dev/null
|
|||
|
|
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
|
|||
|
|
{{ if .Enable }}
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
echo "Kernel module verification has been set and does not need to be set again."
|
|||
|
|
else
|
|||
|
|
get_usr_input "Check whether the grub.cfg file is modified to enable forcible signature verification in the kernel.【Y/N】"
|
|||
|
|
if [ $? -eq 1 ]; then
|
|||
|
|
- sed -i '/vmlinuz/s/$/ module\.sig_enforce/' $grub_path
|
|||
|
|
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ module\.sig_enforce/" "${grub_path}"
|
|||
|
|
if [ $? -eq 0 ]; then
|
|||
|
|
echo "The kernel module verification is successful when the OS is started. The verification takes effect after the OS is restarted."
|
|||
|
|
else
|
|||
|
|
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
|
|||
|
|
index 9ace5e0..bd78d7e 100644
|
|||
|
|
--- a/secconf/gen/gen_secure_boot
|
|||
|
|
+++ b/secconf/gen/gen_secure_boot
|
|||
|
|
@@ -20,7 +20,7 @@ secure_boot_comm()
|
|||
|
|
else
|
|||
|
|
get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
|
|||
|
|
if [ $? -eq 1 ]; then
|
|||
|
|
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
|
|||
|
|
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
|
|||
|
|
if [ $? -ne 0 ]; then
|
|||
|
|
echo "Certificate downloaded failed. Please obtain the certificate manually!"
|
|||
|
|
return 1
|
|||
|
|
--
|
|||
|
|
2.33.0
|
|||
|
|
|