secpaver/add-the-wget-timeout-mechanism-and-optimize-the-dim-.patch
2024-12-10 14:11:16 +08:00


From 59722538bfc1c500ba6124aca3533ff6811c6616 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Thu, 5 Dec 2024 20:27:36 +0800
Subject: add the wget timeout mechanism and optimize the dim
check. The modsign script is optimized as well.
---
secconf/check/check_dim | 3 ++-
secconf/check/check_modsign | 4 ++--
secconf/check/check_secure_boot | 2 +-
secconf/gen/gen_modsign | 4 ++--
secconf/gen/gen_secure_boot | 2 +-
5 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
index bfad32d..0166a97 100644
--- a/secconf/check/check_dim
+++ b/secconf/check/check_dim
@@ -82,7 +82,7 @@ dim_comm()
else
echo "Skip the baseline file consistency check."
fi
-{{end}}{{ if .BaselineIsEnable }}
+{{end}}
echo "Checking whether the DIM kernel module is loaded"
lsmod | grep dim_monitor &> /dev/null
if [ $? -eq 0 ]; then
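Review bot: The loaded-module test that is now run unconditionally, `lsmod | grep dim_monitor`, is a substring match, so any module whose name merely contains `dim_monitor` would satisfy it, and the separate `$?` test on the next line is an extra step the shell does not need. Anchoring the match on the lsmod name column makes the check exact and folds the status test into the `if`: `if lsmod | grep -q '^dim_monitor '; then`. The function dim_comm continues before and after this hunk, and the `{{end}}` that now closes the earlier `{{ if .BaselineIsEnable }}` pairs with a template opening outside the visible lines.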
@@ -98,6 +98,7 @@ dim_comm()
echo "Error! dim_core is not loaded!"
return 1
fi
+{{ if .BaselineIsEnable }}
echo "Checking if baseline is configured..."
cat /sys/kernel/security/dim/monitor_ascii_runtime_measurements | wc -l | grep 2 &> /dev/null
if [ $? -ne 0 ]; then
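Review bot: The baseline check that this hunk newly gates behind `{{ if .BaselineIsEnable }}` decides "baseline configured" with `wc -l | grep 2`, which also succeeds for counts such as 12, 20 or 25, so a runtime measurement list of the wrong size can pass as configured. If the intent is exactly two lines (presumably header plus one measurement; please confirm), compare the number instead: `if [ "$(wc -l < /sys/kernel/security/dim/monitor_ascii_runtime_measurements)" -ne 2 ]; then`. The matching `{{end}}` for the added conditional, and the rest of dim_comm, lie outside the hunk.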
diff --git a/secconf/check/check_modsign b/secconf/check/check_modsign
index 99d7a00..143d319 100644
--- a/secconf/check/check_modsign
+++ b/secconf/check/check_modsign
@@ -7,7 +7,7 @@ modsign_comm()
grub_path="/boot/efi/EFI/openEuler/grub.cfg"
fi
{{ if .Enable }}
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
if [ $? -eq 0 ]; then
echo "Kernel Module Signature Verification has been configured."
fi
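Review bot: The new pattern `"vmlinuz-$(uname -r) .*sig_enforce"` still reports enforcement as configured when the kernel line carries a disabling value such as `module.sig_enforce=0`, because `sig_enforce` is matched as a bare substring; the same pattern is used in the second hunk of this file and in gen_modsign. A tighter expression that accepts only the enabling forms would be `grep -Eq "vmlinuz-$(uname -r) .*module\.sig_enforce(=(1|y|Y))?( |$)" "$grub_path"`, which also quotes `$grub_path` as gen_modsign now does. The dots in the `uname -r` output are unescaped regex metacharacters here; that only widens the match slightly and is harmless for this use. The enclosing function modsign_comm starts before the hunk.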
@@ -18,7 +18,7 @@ modsign_comm()
echo "Kernel Module Signature Verification hasn't benn activated. Please restart to activate!"
fi
{{ else }}
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
if [ $? -eq 0 ]; then
echo "Kernel Module Signature Verification is not disable."
fi
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
index 22d5590..587deaf 100644
--- a/secconf/check/check_secure_boot
+++ b/secconf/check/check_secure_boot
@@ -16,7 +16,7 @@ secure_boot_comm()
if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
if [ $? -eq 1 ]; then
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
if [ $? -ne 0 ]; then
echo "Secure Boot cerificate download failedPlease obtain the certificate in other ways"
return 1
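Review bot: The download that gains `--timeout=30 --tries=3` still runs with `--no-check-certificate`, so the Secure Boot CA certificate, a trust root that is subsequently enrolled into the ESP, is fetched from a server whose identity is never verified; the same line appears in gen_secure_boot. The retry flags are a good addition, but dropping `--no-check-certificate` is the change that matters for the security of this step, and writing straight to `/boot/efi/EFI/secure_boot.der` with `-O` can leave a partial file in place on a failed attempt (the `-s` test above would then accept it next time). Fetching into a temporary file, checking it is non-empty, and moving it into place only on success avoids that; if the project can publish the expected digest, comparing against it (placeholder `<EXPECTED_SHA256>`) before the move would close the remaining gap. secure_boot_comm starts before the hunk.
```shell
# … unchanged: certificate presence test and user prompt …
            cert_tmp=$(mktemp) || return 1
            if wget -O "$cert_tmp" https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --timeout=30 --tries=3 &> /dev/null \
               && [ -s "$cert_tmp" ]; then
                mv -- "$cert_tmp" /boot/efi/EFI/secure_boot.der
            else
                rm -f -- "$cert_tmp"
                # … unchanged: failure message and return 1 …
            fi
```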
diff --git a/secconf/gen/gen_modsign b/secconf/gen/gen_modsign
index 2917ea1..dc20ee3 100644
--- a/secconf/gen/gen_modsign
+++ b/secconf/gen/gen_modsign
@@ -6,14 +6,14 @@ modsign_comm()
else
grub_path="/boot/efi/EFI/openEuler/grub.cfg"
fi
- grep sig_enforce $grub_path &> /dev/null
+ grep "vmlinuz-$(uname -r) .*sig_enforce" $grub_path &> /dev/null
{{ if .Enable }}
if [ $? -eq 0 ]; then
echo "Kernel module verification has been set and does not need to be set again."
else
get_usr_input "Check whether the grub.cfg file is modified to enable forcible signature verification in the kernel.【Y/N】"
if [ $? -eq 1 ]; then
- sed -i '/vmlinuz/s/$/ module\.sig_enforce/' $grub_path
+ sed -i "/vmlinuz-$(uname -r)/ s/$/ module\.sig_enforce/" "${grub_path}"
if [ $? -eq 0 ]; then
echo "The kernel module verification is successful when the OS is started. The verification takes effect after the OS is restarted."
else
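Review bot: The new sed line edits the running kernel's entry in the generated grub.cfg, so the setting is lost the next time grub.cfg is regenerated (for instance after a kernel update), and every other installed kernel entry is left without `module.sig_enforce`; if persistence is the goal, the durable place is the kernel command line in `/etc/default/grub` followed by regeneration, with the in-place edit kept only as the immediate-effect step. The grep on the first changed line shares the substring problem noted in check_modsign (`module.sig_enforce=0` also matches), and it leaves `$grub_path` unquoted while the sed line now writes `"${grub_path}"`; `grep -q "vmlinuz-$(uname -r) .*sig_enforce" "${grub_path}"` would align the two. The `{{ else }}` branch that consumes the same `$?` lies outside the hunk.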
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index 9ace5e0..bd78d7e 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -20,7 +20,7 @@ secure_boot_comm()
else
get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
if [ $? -eq 1 ]; then
- wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
+ wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate --timeout=30 --tries=3 &> /dev/null
if [ $? -ne 0 ]; then
echo "Certificate downloaded failed. Please obtain the certificate manually!"
return 1
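Review bot: Besides the verification issue already noted for check_secure_boot, this hunk newly appends `&> /dev/null` to a wget call whose output was previously visible, so a user who reaches the "obtain the certificate manually" message no longer sees whether the failure was DNS, a timeout or a TLS error. Keeping stderr while quieting the progress output, `wget -nv -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --timeout=30 --tries=3 >/dev/null`, preserves the diagnostic without the noise. secure_boot_comm starts before the hunk.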
--
2.33.0