From aa072b84261eec2f4c1faaf1f8ba177313fa0e37 Mon Sep 17 00:00:00 2001 From: jinlun Date: Thu, 28 Nov 2024 14:05:53 +0800 Subject: fix some bugs --- secconf/check/check_dim | 8 +++- secconf/check/check_secure_boot | 36 ++++++++++++-- secconf/dim.go | 6 +-- secconf/gen/gen_dim | 19 ++++---- secconf/gen/gen_ima | 4 +- secconf/gen/gen_secure_boot | 10 ++-- secconf/gen_comm.sh | 85 +++++++++++++++++++-------------- 7 files changed, 107 insertions(+), 61 deletions(-) diff --git a/secconf/check/check_dim b/secconf/check/check_dim index 3c392fa..bfad32d 100644 --- a/secconf/check/check_dim +++ b/secconf/check/check_dim @@ -23,6 +23,10 @@ dim_comm() return 1 fi elif [ "{{.}}" == "kernel" ]; then + if [ ! -f /etc/dim/digest_list/kernel.hash ]; then + echo "Error! The policy file doesn't match the configuration file!" + return 1 + fi grep "measure obj=KERNEL_TEXT" /etc/dim/policy &> /dev/null if [ $? -ne 0 ]; then echo "Error! The policy file doesn't match the configuration file!" @@ -55,9 +59,9 @@ dim_comm() echo "Environment doesn't support tpm, measure_pcr configuration is invalid!" fi {{end}}{{ if .Signature }} - get_usr_input "openssl is about to installed?【Y/N】" + check_rpm_package openssl if [ $? -eq 1 ]; then - yum install -y openssl || exit 1 + return 1 fi echo "Checking whether the certificate is configured..." if [ -f /etc/keys/x509_dim.der ]; then diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot index 905c2e0..22d5590 100644 --- a/secconf/check/check_secure_boot +++ b/secconf/check/check_secure_boot 
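Review bot: The new guard in check_dim's kernel branch tests `-f`, so a zero-byte /etc/dim/digest_list/kernel.hash passes, while the same commit switches the secure_boot.der checks to `-s` for precisely that case; use `if [ ! -s /etc/dim/digest_list/kernel.hash ]; then` here too. The message it prints describes the wrong condition: nothing about the policy is compared at that point, so "The policy file doesn't match the configuration file" sends the operator to the wrong file; print something like `echo "Error! Kernel static baseline /etc/dim/digest_list/kernel.hash is missing or empty!"`. dim_comm starts before this hunk and continues after it.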
@@ -5,15 +5,15 @@ secure_boot_comm() get_usr_input "The current system doesn't support secure boot!" return 1 fi - get_usr_input "Pesign is about to be installed?【Y/N】" + check_rpm_package pesign if [ $? -eq 1 ]; then - yum install -y pesign || exit 1 + return 1 fi - get_usr_input "Mokutil is about to be installed?【Y/N】" + check_rpm_package mokutil if [ $? -eq 1 ]; then - yum install -y mokutil || exit 1 + return 1 fi - if [ ! -f /boot/efi/EFI/secure_boot.der ]; then + if [ ! -s /boot/efi/EFI/secure_boot.der ]; then get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】" if [ $? -eq 1 ]; then wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null @@ -34,6 +34,32 @@ secure_boot_comm() return 1 fi done + if [ -s /boot/vmlinuz-"$(uname -r)" ]; then + check_rpm_package gzip + if [ $? -eq 1 ]; then + return 1 + fi + if [ $(arch) == "aarch64" ]; then + cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)".gz + gzip -df vmlinuz-"$(uname -r)".gz + if [ $? -ne 0 ]; then + echo "failed to gzip vmlinuz, stop check" + rm -f vmlinuz-"$(uname -r)".gz + return 1 + fi + else + cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)" + fi + pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der + if [ $? -ne 0 ]; then + echo "$vmlinuz-"$(uname -r)" signature verification failed!" + else + echo "The kernel of the current version has been verified" + fi + rm -f vmlinuz-"$(uname -r)" + else + echo "The vmlinuz was not found, please check the signature manually" + fi mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN" if [ $? -ne 0 ]; then diff --git a/secconf/dim.go b/secconf/dim.go index 220abde..a37915b 100644 --- a/secconf/dim.go +++ b/secconf/dim.go 
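Review bot: The `-s` test now routes an empty secure_boot.der back through the `wget ... --no-check-certificate` line below it, so the CA that later anchors `pesigcheck -c /boot/efi/EFI/secure_boot.der` is still fetched with TLS validation disabled, and an on-path attacker can substitute the certificate that every later "verified" message depends on. Drop `--no-check-certificate` so the download fails rather than proceeds when the chain cannot be validated, and since the hunk's `&> /dev/null` hides wget's diagnostics, sanity-check the file before trusting it, e.g. `openssl x509 -inform DER -in /boot/efi/EFI/secure_boot.der -noout || return 1` (openssl is not among the packages this function checks, so a `check_rpm_package openssl` would be needed first). If an offline fetch must be supported, compare the downloaded certificate's fingerprint against a value shipped with secconf instead of disabling verification. secure_boot_comm continues past the end of this hunk.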
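Review bot: A failed `pesigcheck` only prints a message and the function keeps going, so a kernel whose signature does not verify against secure_boot.der still lets the check finish as if nothing were wrong; the failure should propagate with `return 1` after the temporary copy is removed. The failure message also references an undefined `$vmlinuz` and its quotes are unbalanced (`"$vmlinuz-"$(uname -r)" ..."`), so the printed path is wrong. The working copy is written to the current directory, which is wherever the operator happened to run the script from; a `tmpdir=$(mktemp -d)` (cleaned up on every exit path) is safer than `./`, and `$(arch)` should be quoted in the test. secure_boot_comm continues after this hunk with the mokutil DB check.

```shell
        pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der
        ret=$?
        rm -f vmlinuz-"$(uname -r)"
        if [ $ret -ne 0 ]; then
            echo "/boot/vmlinuz-$(uname -r) signature verification failed!"
            return 1
        fi
        echo "The kernel of the current version has been verified"
```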
@@ -15,12 +15,12 @@ type Dim struct { DimIsEnable bool `default:"false" yaml:"enable"` MeasureList []string `yaml:"measure_list"` BaselineIsEnable bool `default:"false" yaml:"auto_baseline"` - MeasureLogCapacity uint64 `default:"100000" yaml:"log_cap"` + MeasureLogCapacity uint32 `default:"100000" yaml:"log_cap"` MeasureHash string `default:"sha256" yaml:"hash"` CorePcr uint16 `default:"0" yaml:"core_pcr"` MonitorPcr uint16 `default:"0" yaml:"monitor_pcr"` - MeasureSchedule uint64 `default:"0" yaml:"schedule"` - MeasureInterval uint64 `default:"0" yaml:"interval"` + MeasureSchedule uint32 `default:"0" yaml:"schedule"` + MeasureInterval uint32 `default:"0" yaml:"interval"` Signature bool `default:"false" yaml:"signature"` } diff --git a/secconf/gen/gen_dim b/secconf/gen/gen_dim index b310eaf..9174a92 100644 --- a/secconf/gen/gen_dim +++ b/secconf/gen/gen_dim @@ -1,9 +1,9 @@ dim_comm() { {{ with .Dim }}{{if .DimIsEnable}} - get_usr_input "dim is about to install?【Y/N】" + check_rpm_package dim if [ $? -eq 1 ]; then - yum install -y dim || exit 1 + return 1 fi get_usr_input "New static baseline file and policy will be created at /etc/dim?【Y/N】" if [ $? -eq 1 ]; then @@ -19,14 +19,15 @@ dim_comm() return 1 fi - get_usr_input "dim_tools is about to install?【Y/N】" + check_rpm_package dim_tools if [ $? -eq 1 ]; then - yum install -y dim_tools || exit 1 + return 1 fi + dimHash={{.MeasureHash}} {{range .MeasureList}} if [ -f "{{.}}" ] ; then echo "Establishing static baseline:" {{.}} - dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash + dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash -a $dimHash if [ $? -ne 0 ]; then echo "Error! Static baseline establishment failed" {{.}} return 1 
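Review bot: The three fields narrowed to uint32, like the rest of the struct, carry no doc comments, so a reader cannot tell why 32 bits is now the right width or what units `schedule` and `interval` are in; the narrowing presumably mirrors what the dim module or dim_tools accept, but nothing in the diff shows that. Add a comment per field in the form Go tooling surfaces, e.g. `// MeasureLogCapacity is the measure-log size limit written as log_cap; uint32 to match the range the dim module accepts — TODO confirm against the module parameter.`, with equivalents for MeasureSchedule and MeasureInterval stating their units. Note that a YAML value above 4294967295 now fails to decode where it previously loaded, which is a behaviour change worth a line in the commit message. The `type Dim struct {` line and the closing brace are outside this hunk.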
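Review bot: `dimHash={{.MeasureHash}}` and each `-a $dimHash` are unquoted, so the `hash` value from the YAML config is spliced into the generated script as raw shell: a value with whitespace or metacharacters breaks the command, and because it comes from a user-edited file it can also run arbitrary commands when the generated script is executed as root. Quote both sides, `dimHash="{{.MeasureHash}}"` and `-a "$dimHash"`, and validate MeasureHash in the Go generator against the algorithms dim_gen_baseline actually supports before rendering; I cannot see from this diff whether such validation already exists. The same unquoted-template pattern applies to the `{{.}}` paths from measure_list, which predates this commit. dim_comm begins before this hunk and continues after it.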
@@ -34,7 +35,7 @@ dim_comm() echo "measure obj=BPRM_TEXT path={{.}}" >> /etc/dim/policy elif [ "{{.}}" == "kernel" ]; then echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy - dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/test.hash /boot/vmlinuz-6* + dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-6* -a $dimHash if [ $? -ne 0 ]; then echo "Kernel static baseline establishment failed" return 1 @@ -48,7 +49,7 @@ dim_comm() xz -d -k $moduleFilePath moduleFilePath=${moduleFilePath%.*} fi - dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash + dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash -a $dimHash if [ $? -ne 0 ]; then echo "Static baseline establishment failed" {{.}} return 1 @@ -73,9 +74,9 @@ dim_comm() return 1 fi {{if .Signature}} - get_usr_input "openssl is about to install?【Y/N】" + check_rpm_package openssl if [ $? -eq 1 ]; then - yum install -y openssl || exit 1 + return 1 fi get_usr_input "Generate keys and certificates automatically?【Y/N】" if [ $? -eq 1 ]; then diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima index 0657cdf..84d1b4b 100644 --- a/secconf/gen/gen_ima +++ b/secconf/gen/gen_ima @@ -16,9 +16,9 @@ measure_list+=({{.}}) needReboot=false packages=("ima-evm-utils" "digest-list-tools") for pkg in "${packages[@]}"; do - get_usr_input "${pkg} is about to installed?【Y/N】" + check_rpm_package ${pkg} if [ $? -eq 1 ]; then - yum install -y ${pkg} || exit 1 + return 1 fi done diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot index 4decd48..a1e0d36 100644 --- a/secconf/gen/gen_secure_boot +++ b/secconf/gen/gen_secure_boot 
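Review bot: The kernel baseline is still generated from the glob `/boot/vmlinuz-6*` while `-k "$(uname -r)"` names the running kernel, so with several installed kernels the glob expands to more than one path and kernel.hash may not describe the kernel that is actually running, and on a non-6.x kernel it expands to nothing. Since check_dim now looks for exactly `/etc/dim/digest_list/kernel.hash` and check_secure_boot verifies `/boot/vmlinuz-"$(uname -r)"`, use the same file here: `dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-"$(uname -r)" -a "$dimHash"`. dim_comm begins before and continues after this hunk.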
@@ -3,26 +3,26 @@ secure_boot_comm() {{ with .SecureBoot }} {{if .SecureBootIsEnable}} if [ ! -d /sys/firmware/efi ]; then - get_usr_input "Error! The current environment does not support secure boot." + get_usr_input "The current environment does not support secure boot." return 1 fi - get_usr_input "mokutil is about to install?【Y/N】" + check_rpm_package mokutil if [ $? -eq 1 ]; then - yum install -y mokutil || exit 1 + return 1 fi mokutil --sb | grep enabled if [ $? -ne 0 ]; then mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN" if [ $? -ne 0 ]; then echo "Secure boot certificate is not saved in DB!" - if [ -f /boot/efi/EFI/secure_boot.der ]; then + if [ -s /boot/efi/EFI/secure_boot.der ]; then echo "The file already exists. Please restart and import the file to the BIOS." else get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】" if [ $? -eq 1 ]; then wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate if [ $? -ne 0 ]; then - echo "Error! Certificate downloaded failed. Please obtain the certificate manually!" + echo "Certificate downloaded failed. Please obtain the certificate manually!" return 1 fi echo "The certificate download is successful. Please restart later and enter the bios, then import the certificate into the DB!" diff --git a/secconf/gen_comm.sh b/secconf/gen_comm.sh index f28dba7..ec19cf5 100644 --- a/secconf/gen_comm.sh +++ b/secconf/gen_comm.sh 
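Review bot: With the `-s` test, any non-empty /boot/efi/EFI/secure_boot.der now produces "The file already exists. Please restart and import the file to the BIOS", but nothing checks that the file is a certificate; a partial download left behind by an interrupted `wget -O`, or whatever a captive portal returned, is passed on to the operator to enrol in the firmware DB. Validate the file before telling the user to import it, e.g. `openssl x509 -inform DER -in /boot/efi/EFI/secure_boot.der -noout || return 1`, and drop `--no-check-certificate` from the fetch so the trust anchor is not obtained over an unauthenticated channel. secure_boot_comm continues past the end of this hunk.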
@@ -1,52 +1,67 @@ set_skip_usr_input=0 set_reboot=0 +check_rpm_package() +{ + rpm -q $1 &> /dev/null + if [ $? -ne 0 ]; then + get_usr_input "$1 is about to install?【Y/N】" + if [ $? -eq 1 ]; then + yum install -y $1 || exit 1 + else + echo "The $1 does not exit, skip." + return 1 + fi + fi + return 0 +} + get_usr_input() { - echo $1 - if [ $set_skip_usr_input -eq 0 ]; then - read -r userInput - else - userInput=Y - fi + echo $1 + if [ $set_skip_usr_input -eq 0 ]; then + read -r userInput + else + userInput=Y + fi - if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then - return 0 - else - return 1 - fi + if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then + return 0 + else + return 1 + fi } usage() { - echo "Usage: $(basename $0) [OPTION]" - echo " -s, --skip 设置跳过询问" - echo " -r, --run 正常执行" - echo " -h, --help 显示帮助信息" + echo "Usage: $(basename $0) [OPTION]" + echo " -s, --skip 设置跳过询问" + echo " -r, --run 正常执行" + echo " -h, --help 显示帮助信息" } while true do - case "$1" in - -s|--skip) - set_skip_usr_input=1 -{{range .ShellFuns}} {{.}} + case "$1" in + -s|--skip) + set_skip_usr_input=1 +{{range .ShellFuns}} {{.}} {{ end }} - exit 0 - ;; - -r|--run) -{{range .ShellFuns}} {{.}} + exit 0 + ;; + -r|--run) +{{range .ShellFuns}} {{.}} {{ end }} - exit 0 - ;; - -h|--help) - usage - exit $? - ;; - *) - echo -e "Need Correct Arguments!\n" - usage - exit $LA_ERR - ;; - esac + exit 0 + ;; + -h|--help) + usage + exit $? + ;; + *) + echo -e "Need Correct Arguments!\n" + usage + exit $LA_ERR + ;; + esac done -- 2.33.0
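Review bot: In the new `check_rpm_package`, `$1` is unquoted in `rpm -q $1` and `yum install -y $1`, and the decline message has a typo ("does not exit"); use `rpm -q "$1" &> /dev/null`, `yum install -y "$1" || exit 1` and `echo "The $1 does not exist, skip."`. The function also deserves a header comment because its behaviour depends on the `-s` flag: get_usr_input auto-answers Y when set_skip_usr_input is 1, so in skip mode the helper installs packages unattended and only a yum failure stops the script; something like `# check_rpm_package PKG: 0 if PKG is installed (installing after a prompt when absent), 1 if the user declines; with -s the prompt is auto-accepted and yum runs unattended.` The `exit $LA_ERR` in the default case refers to a variable this file never sets, which predates the commit.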