
From aa072b84261eec2f4c1faaf1f8ba177313fa0e37 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Thu, 28 Nov 2024 14:05:53 +0800
Subject: fix some bugs
---
secconf/check/check_dim | 8 +++-
secconf/check/check_secure_boot | 36 ++++++++++++--
secconf/dim.go | 6 +--
secconf/gen/gen_dim | 19 ++++----
secconf/gen/gen_ima | 4 +-
secconf/gen/gen_secure_boot | 10 ++--
secconf/gen_comm.sh | 85 +++++++++++++++++++--------------
7 files changed, 107 insertions(+), 61 deletions(-)
diff --git a/secconf/check/check_dim b/secconf/check/check_dim
index 3c392fa..bfad32d 100644
--- a/secconf/check/check_dim
+++ b/secconf/check/check_dim
@@ -23,6 +23,10 @@ dim_comm()
return 1
fi
elif [ "{{.}}" == "kernel" ]; then
+ if [ ! -f /etc/dim/digest_list/kernel.hash ]; then
+ echo "Error! The policy file doesn't match the configuration file!"
+ return 1
+ fi
grep "measure obj=KERNEL_TEXT" /etc/dim/policy &> /dev/null
if [ $? -ne 0 ]; then
echo "Error! The policy file doesn't match the configuration file!"
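Review bot: The new existence check at the top of the hunk uses `-f`, so a zero-length /etc/dim/digest_list/kernel.hash passes it and the policy grep below runs as if the baseline were present; the other file checks this patch touches are switched to `-s`, and the same form fits here: `if [ ! -s /etc/dim/digest_list/kernel.hash ]; then`. The error text is identical to the one printed for the policy mismatch a few lines later, so a reader of the output cannot tell which check fired; naming the missing baseline, e.g. `echo "Error! Kernel baseline /etc/dim/digest_list/kernel.hash is missing!"`, would make that clear. dim_comm starts and ends outside the hunk.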
@@ -55,9 +59,9 @@ dim_comm()
echo "Environment doesn't support tpm, measure_pcr configuration is invalid!"
fi
{{end}}{{ if .Signature }}
- get_usr_input "openssl is about to installed?【Y/N】"
+ check_rpm_package openssl
if [ $? -eq 1 ]; then
- yum install -y openssl || exit 1
+ return 1
fi
echo "Checking whether the certificate is configured..."
if [ -f /etc/keys/x509_dim.der ]; then
diff --git a/secconf/check/check_secure_boot b/secconf/check/check_secure_boot
index 905c2e0..22d5590 100644
--- a/secconf/check/check_secure_boot
+++ b/secconf/check/check_secure_boot
@@ -5,15 +5,15 @@ secure_boot_comm()
get_usr_input "The current system doesn't support secure boot!"
return 1
fi
- get_usr_input "Pesign is about to be installed?【Y/N】"
+ check_rpm_package pesign
if [ $? -eq 1 ]; then
- yum install -y pesign || exit 1
+ return 1
fi
- get_usr_input "Mokutil is about to be installed?【Y/N】"
+ check_rpm_package mokutil
if [ $? -eq 1 ]; then
- yum install -y mokutil || exit 1
+ return 1
fi
- if [ ! -f /boot/efi/EFI/secure_boot.der ]; then
+ if [ ! -s /boot/efi/EFI/secure_boot.der ]; then
get_usr_input "Secure Boot certificate of openeuler is about to be downloaded?【Y/N】"
if [ $? -eq 1 ]; then
wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate &> /dev/null
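Review bot: The switch to `-s` on the certificate check catches the zero-byte file that `wget -O` leaves behind after a failed transfer, but the download on the last hunk line still writes straight into /boot/efi/EFI/secure_boot.der, so a truncated or non-DER body also ends up as the trust anchor and passes the new check on the next run; the same pattern is in gen_secure_boot at the hunk ending on L243. Downloading to a temp file, checking it parses as a DER certificate, and moving it into place only on success keeps the existing `$? -ne 0` handling that follows the hunk working unchanged. The `--no-check-certificate` flag on that line disables TLS verification for the very file that becomes a Secure Boot trust anchor; if it cannot be dropped, the parse check below is the minimum, and `openssl` is already required by the dim scripts. secure_boot_comm continues outside the hunk.
```shell
            tmpcert=$(mktemp) || return 1
            wget -O "$tmpcert" https://www.openeuler.org/certificates/openEuler-x509ca.cer.der &> /dev/null \
                && openssl x509 -inform der -in "$tmpcert" -noout &> /dev/null \
                && mv -- "$tmpcert" /boot/efi/EFI/secure_boot.der \
                || { rm -f -- "$tmpcert"; false; }
            # … unchanged: the existing "$? -ne 0" failure handling that follows the hunk …
```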
@@ -34,6 +34,32 @@ secure_boot_comm()
return 1
fi
done
+ if [ -s /boot/vmlinuz-"$(uname -r)" ]; then
+ check_rpm_package gzip
+ if [ $? -eq 1 ]; then
+ return 1
+ fi
+ if [ $(arch) == "aarch64" ]; then
+ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)".gz
+ gzip -df vmlinuz-"$(uname -r)".gz
+ if [ $? -ne 0 ]; then
+ echo "failed to gzip vmlinuz, stop check"
+ rm -f vmlinuz-"$(uname -r)".gz
+ return 1
+ fi
+ else
+ cp -ar /boot/vmlinuz-"$(uname -r)" ./vmlinuz-"$(uname -r)"
+ fi
+ pesigcheck -i vmlinuz-"$(uname -r)" -n 0 -c /boot/efi/EFI/secure_boot.der
+ if [ $? -ne 0 ]; then
+ echo "$vmlinuz-"$(uname -r)" signature verification failed!"
+ else
+ echo "The kernel of the current version has been verified"
+ fi
+ rm -f vmlinuz-"$(uname -r)"
+ else
+ echo "The vmlinuz was not found, please check the signature manually"
+ fi
mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
if [ $? -ne 0 ]; then
diff --git a/secconf/dim.go b/secconf/dim.go
index 220abde..a37915b 100644
--- a/secconf/dim.go
+++ b/secconf/dim.go
@@ -15,12 +15,12 @@ type Dim struct {
DimIsEnable bool `default:"false" yaml:"enable"`
MeasureList []string `yaml:"measure_list"`
BaselineIsEnable bool `default:"false" yaml:"auto_baseline"`
- MeasureLogCapacity uint64 `default:"100000" yaml:"log_cap"`
+ MeasureLogCapacity uint32 `default:"100000" yaml:"log_cap"`
MeasureHash string `default:"sha256" yaml:"hash"`
CorePcr uint16 `default:"0" yaml:"core_pcr"`
MonitorPcr uint16 `default:"0" yaml:"monitor_pcr"`
- MeasureSchedule uint64 `default:"0" yaml:"schedule"`
- MeasureInterval uint64 `default:"0" yaml:"interval"`
+ MeasureSchedule uint32 `default:"0" yaml:"schedule"`
+ MeasureInterval uint32 `default:"0" yaml:"interval"`
Signature bool `default:"false" yaml:"signature"`
}
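Review bot: Narrowing MeasureLogCapacity, MeasureSchedule and MeasureInterval from uint64 to uint32 is not explained anywhere in the hunk or the commit message, and a YAML value above 4294967295 that previously parsed will now be rejected or silently fail depending on the decoder. Presumably the new width matches what the dim module parameters accept; a short comment on those three fields, such as `// 32-bit to match the range accepted by the dim module parameter`, would record that so the next reader does not widen them back. The struct's tail is in the hunk but its opening line is not.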
diff --git a/secconf/gen/gen_dim b/secconf/gen/gen_dim
index b310eaf..9174a92 100644
--- a/secconf/gen/gen_dim
+++ b/secconf/gen/gen_dim
@@ -1,9 +1,9 @@
dim_comm()
{
{{ with .Dim }}{{if .DimIsEnable}}
- get_usr_input "dim is about to install?【Y/N】"
+ check_rpm_package dim
if [ $? -eq 1 ]; then
- yum install -y dim || exit 1
+ return 1
fi
get_usr_input "New static baseline file and policy will be created at /etc/dim?【Y/N】"
if [ $? -eq 1 ]; then
@@ -19,14 +19,15 @@ dim_comm()
return 1
fi
- get_usr_input "dim_tools is about to install?【Y/N】"
+ check_rpm_package dim_tools
if [ $? -eq 1 ]; then
- yum install -y dim_tools || exit 1
+ return 1
fi
+ dimHash={{.MeasureHash}}
{{range .MeasureList}}
if [ -f "{{.}}" ] ; then
echo "Establishing static baseline" {{.}}
- dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash
+ dim_gen_baseline {{.}} -o /etc/dim/digest_list/$(basename {{.}}).hash -a $dimHash
if [ $? -ne 0 ]; then
echo "Error! Static baseline establishment failed" {{.}}
return 1
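Review bot: The new `dimHash={{.MeasureHash}}` assignment and the `-a $dimHash` arguments are unquoted on both sides, so a hash value in the YAML that contains whitespace or shell metacharacters becomes shell code in the generated script rather than an argument to dim_gen_baseline; the same `-a $dimHash` appears in the hunks ending on L171 and L180. Quoting both sides, `dimHash="{{.MeasureHash}}"` and `-a "$dimHash"`, keeps the value a single argument, and since MeasureHash defaults to sha256 the Go side could additionally restrict it to the hash names dim_gen_baseline accepts before rendering the template. The same field is used nowhere else in this hunk, so the assignment could also carry a one-line comment naming the option it feeds. dim_comm continues outside the hunk.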
@@ -34,7 +35,7 @@ dim_comm()
echo "measure obj=BPRM_TEXT path={{.}}" >> /etc/dim/policy
elif [ "{{.}}" == "kernel" ]; then
echo "measure obj=KERNEL_TEXT" >> /etc/dim/policy
- dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/test.hash /boot/vmlinuz-6*
+ dim_gen_baseline -k "$(uname -r)" -o /etc/dim/digest_list/kernel.hash /boot/vmlinuz-6* -a $dimHash
if [ $? -ne 0 ]; then
echo "Kernel static baseline establishment failed"
return 1
@@ -48,7 +49,7 @@ dim_comm()
xz -d -k $moduleFilePath
moduleFilePath=${moduleFilePath%.*}
fi
- dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash
+ dim_gen_baseline $moduleFilePath -o /etc/dim/digest_list/$module.hash -a $dimHash
if [ $? -ne 0 ]; then
echo "Static baseline establishment failed" {{.}}
return 1
@@ -73,9 +74,9 @@ dim_comm()
return 1
fi
{{if .Signature}}
- get_usr_input "openssl is about to install?【Y/N】"
+ check_rpm_package openssl
if [ $? -eq 1 ]; then
- yum install -y openssl || exit 1
+ return 1
fi
get_usr_input "Generate keys and certificates automatically?【Y/N】"
if [ $? -eq 1 ]; then
diff --git a/secconf/gen/gen_ima b/secconf/gen/gen_ima
index 0657cdf..84d1b4b 100644
--- a/secconf/gen/gen_ima
+++ b/secconf/gen/gen_ima
@@ -16,9 +16,9 @@ measure_list+=({{.}})
needReboot=false
packages=("ima-evm-utils" "digest-list-tools")
for pkg in "${packages[@]}"; do
- get_usr_input "${pkg} is about to installed?【Y/N】"
+ check_rpm_package ${pkg}
if [ $? -eq 1 ]; then
- yum install -y ${pkg} || exit 1
+ return 1
fi
done
diff --git a/secconf/gen/gen_secure_boot b/secconf/gen/gen_secure_boot
index 4decd48..a1e0d36 100644
--- a/secconf/gen/gen_secure_boot
+++ b/secconf/gen/gen_secure_boot
@@ -3,26 +3,26 @@ secure_boot_comm()
{{ with .SecureBoot }}
{{if .SecureBootIsEnable}}
if [ ! -d /sys/firmware/efi ]; then
- get_usr_input "Error! The current environment does not support secure boot."
+ get_usr_input "The current environment does not support secure boot."
return 1
fi
- get_usr_input "mokutil is about to install?【Y/N】"
+ check_rpm_package mokutil
if [ $? -eq 1 ]; then
- yum install -y mokutil || exit 1
+ return 1
fi
mokutil --sb | grep enabled
if [ $? -ne 0 ]; then
mokutil --db | grep "Issuer: CN=CA, OU=Infra, O=openEuler, L=ShenZhen, ST=GuangDong, C=CN"
if [ $? -ne 0 ]; then
echo "Secure boot certificate is not saved in DB!"
- if [ -f /boot/efi/EFI/secure_boot.der ]; then
+ if [ -s /boot/efi/EFI/secure_boot.der ]; then
echo "The file already exists. Please restart and import the file to the BIOS."
else
get_usr_input "Download the openeuler secure boot certificate right now?【Y/N】"
if [ $? -eq 1 ]; then
wget -O /boot/efi/EFI/secure_boot.der https://www.openeuler.org/certificates/openEuler-x509ca.cer.der --no-check-certificate
if [ $? -ne 0 ]; then
- echo "Error! Certificate downloaded failed. Please obtain the certificate manually!"
+ echo "Certificate downloaded failed. Please obtain the certificate manually!"
return 1
fi
echo "The certificate download is successful. Please restart later and enter the bios, then import the certificate into the DB!"
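Review bot: The reworded line `get_usr_input "The current environment does not support secure boot."` still routes a plain error through get_usr_input, which prints the text and then blocks on `read` for a Y/N answer that the following `return 1` never uses; under `--skip` it is silently answered Y. An `echo` of the message (to stderr, ideally) before the `return 1` gives the same exit status without the spurious prompt; check_secure_boot has the same pattern on its unchanged first hunk line. secure_boot_comm starts and ends outside the hunk.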
diff --git a/secconf/gen_comm.sh b/secconf/gen_comm.sh
index f28dba7..ec19cf5 100644
--- a/secconf/gen_comm.sh
+++ b/secconf/gen_comm.sh
@@ -1,52 +1,67 @@
set_skip_usr_input=0
set_reboot=0
+check_rpm_package()
+{
+ rpm -q $1 &> /dev/null
+ if [ $? -ne 0 ]; then
+ get_usr_input "$1 is about to install?【Y/N】"
+ if [ $? -eq 1 ]; then
+ yum install -y $1 || exit 1
+ else
+ echo "The $1 does not exit, skip."
+ return 1
+ fi
+ fi
+ return 0
+}
+
get_usr_input()
{
- echo $1
- if [ $set_skip_usr_input -eq 0 ]; then
- read -r userInput
- else
- userInput=Y
- fi
+ echo $1
+ if [ $set_skip_usr_input -eq 0 ]; then
+ read -r userInput
+ else
+ userInput=Y
+ fi
- if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
- return 0
- else
- return 1
- fi
+ if [ "$userInput" != 'Y' ] && [ "$userInput" != 'y' ]; then
+ return 0
+ else
+ return 1
+ fi
}
usage()
{
- echo "Usage: $(basename $0) [OPTION]"
- echo " -s, --skip 设置跳过询问"
- echo " -r, --run 正常执行"
- echo " -h, --help 显示帮助信息"
+ echo "Usage: $(basename $0) [OPTION]"
+ echo " -s, --skip 设置跳过询问"
+ echo " -r, --run 正常执行"
+ echo " -h, --help 显示帮助信息"
}
while true
do
- case "$1" in
- -s|--skip)
- set_skip_usr_input=1
-{{range .ShellFuns}} {{.}}
+ case "$1" in
+ -s|--skip)
+ set_skip_usr_input=1
+{{range .ShellFuns}} {{.}}
{{ end }}
- exit 0
- ;;
- -r|--run)
-{{range .ShellFuns}} {{.}}
+ exit 0
+ ;;
+ -r|--run)
+{{range .ShellFuns}} {{.}}
{{ end }}
- exit 0
- ;;
- -h|--help)
- usage
- exit $?
- ;;
- *)
- echo -e "Need Correct Arguments!\n"
- usage
- exit $LA_ERR
- ;;
- esac
+ exit 0
+ ;;
+ -h|--help)
+ usage
+ exit $?
+ ;;
+ *)
+ echo -e "Need Correct Arguments!\n"
+ usage
+ exit $LA_ERR
+ ;;
+ esac
done
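Review bot: In the new check_rpm_package, the skip message reads `echo "The $1 does not exit, skip."`; it should be `echo "The $1 does not exist, skip."`, and the three uses of `$1` (`rpm -q`, the prompt, `yum install -y`) are unquoted, so `"$1"` is the safer form even though all current callers pass literal package names. The function's return convention is the opposite of get_usr_input's (0 means present or installed, 1 means the user declined), and callers test `$? -eq 1`; a header comment stating that, plus that under `--skip` a missing package is installed without a prompt because get_usr_input answers Y, would save the next reader from checking both functions. The rest of the hunk re-indents existing code and is fine as is.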
--
2.33.0