Develop (#41)

* Added defense-in-depth strategy to mitigate the faulTPM attack
* Added module signing blocklist in tpmsbsigntool
* Added Ubuntu release upgrade support
* Added Debian 12 support
* Updated UEFI revocation list to version May 9, 2023

.gitignore

@@ -3,4 +3,5 @@
 /debian/.debhelper
 /debian/debhelper-build-stamp
 /debian/files
-/debian/sectpmctl*
+/debian/sectpmctl*
+/sectpmctl-hash

AUTHORS

@@ -0,0 +1,3 @@
+Heike Pesch <[email protected]>
+Richard Robert Reitz <[email protected]>
+

Dockerfile

@@ -0,0 +1,14 @@
+FROM ghcr.io/telekom-mms/deb-builder-base:jammy
+ARG USER_ID
+
+RUN useradd user -u ${USER_ID}
+RUN set -eu ; \
+  export DEBIAN_FRONTEND=noninteractive ; \
+  apt-get update -y && \
+  apt-get install --no-install-recommends -y \
+  gcc-multilib \
+  build-essential \
+  libargon2-dev \
+  binutils-dev \
+  pkg-config \
+  wget

Makefile

@@ -1,5 +1,14 @@
+CFLAGS=-O2 -g0 -Wall -Wextra $$(pkg-config --cflags libargon2)
+LDFLAGS=$$(pkg-config --libs libargon2)
+CC=gcc
+
 all: 
 
+sectpmctl-hash: src/usr/libexec/sectpmctl/sectpmctl-hash.c
+	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS)
+
+compile: sectpmctl-hash
+
 install:
 	install -d $(DESTDIR)/usr/sbin
 	install -m 0755 src/usr/sbin/sectpmctl $(DESTDIR)/usr/sbin
@@ -11,6 +20,7 @@ install:
 	install -m 0755 src/usr/lib/sectpmctl/boot.conf $(DESTDIR)/usr/lib/sectpmctl
 	install -d $(DESTDIR)/usr/lib/sectpmctl/keys
 	install -m 0644 src/usr/lib/sectpmctl/keys/canonical-master-public.pem $(DESTDIR)/usr/lib/sectpmctl/keys
+	install -m 0644 src/usr/lib/sectpmctl/keys/debian-prod-2022-linux.pem $(DESTDIR)/usr/lib/sectpmctl/keys
 	install -m 0644 src/usr/lib/sectpmctl/keys/dbxupdate_x64.bin $(DESTDIR)/usr/lib/sectpmctl/keys
 	install -m 0644 src/usr/lib/sectpmctl/keys/MicCorUEFCA2011_2011-06-27.crt $(DESTDIR)/usr/lib/sectpmctl/keys
 	install -m 0644 src/usr/lib/sectpmctl/keys/MicWinProPCA2011_2011-10-19.crt $(DESTDIR)/usr/lib/sectpmctl/keys
@@ -31,14 +41,17 @@ install:
 	ln -s ../postinst.d/zz-update-sectpmctl-boot $(DESTDIR)/etc/kernel/postrm.d/zz-update-sectpmctl-boot
 	install -d $(DESTDIR)/etc/initramfs/post-update.d
 	ln -s ../../kernel/postinst.d/zz-update-sectpmctl-boot $(DESTDIR)/etc/initramfs/post-update.d/zz-update-sectpmctl-boot
+	install -d $(DESTDIR)/usr/libexec/sectpmctl
+	install -m 0755 sectpmctl-hash $(DESTDIR)/usr/libexec/sectpmctl/sectpmctl-hash
 
-package_build: package_clean generate_changelog
+package_build: package_clean generate_changelog compile
 	debuild -i -uc -us -b
 
 generate_changelog:
-	curl -sL https://raw.githubusercontent.com/telekom-mms/deb-builder-base/main/git-dch.sh | /usr/bin/bash -s -- $(DIST) $(TAG)
+	wget -qO - https://raw.githubusercontent.com/telekom-mms/deb-builder-base/main/git-dch.sh | /usr/bin/bash -s -- $(DIST) $(TAG)
 
 package_clean:
+	-rm sectpmctl-hash
 	-rm -Rf debian/.debhelper
 	-rm -Rf debian/$(firstword $(subst _, ,$(lastword $(subst /, ,$(shell pwd)))))*
 	-rm debian/debhelper-build-stamp debian/files

debian/control

@@ -2,12 +2,12 @@ Source: sectpmctl
 Section: misc
 Priority: optional
 Maintainer: Richard Robert Reitz <[email protected]>
-Build-Depends: curl, debhelper (>= 10)
+Build-Depends: debhelper (>= 10), build-essential, pkg-config, libargon2-dev
 Standards-Version: 4.1.2
 
 Package: sectpmctl
 Architecture: any
-Depends: ${misc:Depends}, efibootmgr, efitools, sbsigntool, tpmsbsigntool, binutils, mokutil, dkms, systemd, udev, util-linux (>= 2.34), gdisk, openssl, uuid-runtime, tpm2-tools, coreutils (>= 8.32), bash (>= 5.1), xxd
+Depends: ${misc:Depends}, ${shlibs:Depends}, efibootmgr, efitools, sbsigntool, tpmsbsigntool, binutils, mokutil, dkms, udev, util-linux (>= 2.34), gdisk, openssl, uuid-runtime, tpm2-tools, coreutils (>= 8.32), bash (>= 5.1), libargon2-1, jq, xxd, systemd-boot-efi | systemd (<< 250)
 Provides: grub, grub2, grub2-common, grub-common, grub-efi, grub-efi-amd64, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-pc, grub-pc-bin, lilo, os-prober, shim, shim-signed
 Conflicts: grub, grub2, grub2-common, grub-common, grub-efi, grub-efi-amd64, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-pc, grub-pc-bin, lilo, os-prober, shim, shim-signed
 Replaces: grub, grub2, grub2-common, grub-common, grub-efi, grub-efi-amd64, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-pc, grub-pc-bin, lilo, os-prober, shim, shim-signed

debian/postinst

@@ -13,7 +13,7 @@ case "$1" in
     install -d /var/lib/sectpmctl/scripts
     install -d /etc/sectpmctl
     if [ ! -f /etc/sectpmctl/boot.conf ]; then
-      install -m 0755 /usr/lib/sectpmctl/boot.conf /etc/sectpmctl/boot.conf
+      install -m 0644 /usr/lib/sectpmctl/boot.conf /etc/sectpmctl/boot.conf
     fi
     if [ ! -f /var/lib/sectpmctl/kernel_extra_options ]; then
       install -m 1640 /usr/share/sectpmctl/examples/kernel_extra_options.example /var/lib/sectpmctl/kernel_extra_options

docker.sh

@@ -1,2 +1,12 @@
 #!/usr/bin/bash
-curl -sL https://raw.githubusercontent.com/telekom-mms/deb-builder-base/main/docker.sh | /usr/bin/bash -s -- $@
+[[ -d "build" ]] && rm -rf build
+mkdir build
+shopt -s extglob
+cp -R !(build) build
+docker build --rm -t sectpmctl-builder --build-arg="USER_ID=$UID" .
+docker run --user=$UID --rm -v ./:/work sectpmctl-builder /usr/bin/bash -c "cd /work/build && make package_build"
+rm -rf build
+rm *.build
+rm *.buildinfo
+rm *.changes
+rm *.ddeb

src/etc/kernel/postinst.d/zz-update-sectpmctl-boot

@@ -1,5 +1,7 @@
 #!/bin/sh
 
+# SECTPMCTL
+
 set -e
 
 exec </dev/null >&2

src/usr/lib/sectpmctl/boot.conf

@@ -30,9 +30,9 @@ DEFAULT_KERNEL_CMDLINE="root=$(df / | tail -n 1 | awk '{print $1}') ro"
 BOOT_ENTRY_PREFIX="SECTPMCTL $(lsb_release -si) $(lsb_release -sr)"
 
 # SKIP_UNSIGNED_KERNELS
-# Add only kernels signed by Canonical. Enabled by default to prevent using of
-# eventually not locked kernels. The mainline kernels for example doesn't enfore
-# signed kernel modules which is generally bad. Disble this option only for
+# Add only kernels signed by Canonical or Debian. Enabled by default to prevent using
+# of eventually not locked kernels. The mainline kernels for example doesn't enfore
+# signed kernel modules which is generally bad. Disable this option only for
 # specific reasons.
 # Default: SKIP_UNSIGNED_KERNELS="true"
 SKIP_UNSIGNED_KERNELS="true"

src/usr/lib/sectpmctl/keys/debian-prod-2022-linux.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQzCCAiugAwIBAgIUMqAof4QaA2+jk8HgZcQ65rJCJkMwDQYJKoZIhvcNAQEL
+BQAwIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTIyMDgxODE3
+MzIzN1oXDTMyMDgxNTE3MzIzN1owMTEvMC0GA1UEAwwmRGViaWFuIFNlY3VyZSBC
+b290IFNpZ25lciAyMDIyIC0gbGludXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQCv6LgqfsYKPyGcgP12nHWFbtEJDUdixV8n+gOWMgLANs9+NjexyJ4o
+V3iG3qTDqm1VGIdQfnf0cEmh3bS1tuoPDZcGU9HaDKq8oPjYyJd9G/aO6sGHKCc3
+aIAvLnPkfH7EfiaxshFwthOeH3yt/K54ICnT6aCWQjDsJz2TCr3s+1izRuv6/VJ8
+/aNPI+RySpeUVtdKT1CQjb4N8HphWS7ZkDbWwVW0dHsZHPXhq0Gd729ctKo0/003
+Is7cw3TSSUHKCatRjVIImTwUiGNqlQe386dIBMjFzTddh19spvU0ootdCkiGShId
+Hz6YoDscyb+SQsmIaiXo1nwd2SABFlRLAgMBAAGjZDBiMAsGA1UdDwQEAwIHgDAT
+BgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFAESScJnXqjlFIVCICAFgQWE
+sl8wHwYDVR0jBBgwFoAUbM7OfkxsDR9hSfPdJ9/MXLtBnqEwDQYJKoZIhvcNAQEL
+BQADggEBAJg1omf+js6HaUsZvSBIwEu9qHyEjMcjo0yvc22dKi5Kzxclo+Vmr99/
+rpXjsXMlskPeWIQS7iUOvS/oupmqQq9+0rHMXu/lTP2ITh9IjHwEx2zWEPIOlmYJ
+wCYpta7YeX5YExb32f9wJYIJZidHy9p5I0jOIgAInv8J4NZUG14LPxI6I4hfYI1p
+mruMdxPS0hllzPbs6rZ2LwWVtNjuPhfmMt4eMKOl4ThXWhoiwvkTOJpDkaCPgnzT
+h507wBcDBquUKtDwGnQcQdPWfxMyA8b2v05PXMQS2cH/xJ5th8M+IU4DUfigYGYN
+ce00ryZ2rpZIqHs1H1Xc5xJpusY1Q+w=
+-----END CERTIFICATE-----

src/usr/lib/sectpmctl/scripts/dkms_sign_helper.sh

@@ -1,11 +1,19 @@
 #!/bin/bash
 
 # SECTPMCTL
-# AUTHORS: Heike Pesch <[email protected]>
-#          Richard Robert Reitz <[email protected]>
+# As dkms offers to kind of sign helpers, this script will support both of them:
+# When used as sign_tool, the second parameter will contain the module to sign and
+# when used as sign_file, the forth parameter will contain the module to sign
 
 # Path's
 SECTPMCTL_KEYS="/var/lib/sectpmctl/keys"
 
-/usr/lib/sectpmctl/scripts/kmodsign.sh sha256 "${SECTPMCTL_KEYS}/db.obj" "${SECTPMCTL_KEYS}/db.cer" "$2"
+if [[ $# -eq 2 ]]; then
+  /usr/lib/sectpmctl/scripts/kmodsign.sh sha256 "${SECTPMCTL_KEYS}/db.obj" "${SECTPMCTL_KEYS}/db.cer" "$2"
+elif [[ $# -eq 4 ]]; then
+  /usr/lib/sectpmctl/scripts/kmodsign.sh sha256 "${SECTPMCTL_KEYS}/db.obj" "${SECTPMCTL_KEYS}/db.cer" "$4"
+else
+  echo /usr/lib/sectpmctl/scripts/dkms_sign_helper.sh Unknown parameters given
+  exit 1
+fi
 

src/usr/lib/sectpmctl/scripts/kmodsign_obj.sh

@@ -1,8 +1,6 @@
 #!/bin/bash
 
 # SECTPMCTL
-# AUTHORS: Heike Pesch <[email protected]>
-#          Richard Robert Reitz <[email protected]>
 
 if [[ $# -lt 5 ]]; then
   KBUILD_SIGN_PIN="$(cat "/var/lib/sectpmctl/keys/db.pwd")" tpmkmodsign -P tpm2 -P default -Q "?provider=tpm2,tpm2.digest!=yes" sha256 "object:${2}?pass" "${3}" "${4}"

src/usr/lib/sectpmctl/scripts/sbsign_obj.sh

@@ -1,8 +1,6 @@
 #!/bin/bash
 
 # SECTPMCTL
-# AUTHORS: Heike Pesch <[email protected]>
-#          Richard Robert Reitz <[email protected]>
 
 KBUILD_SIGN_PIN="$(cat "/var/lib/sectpmctl/keys/db.pwd")" tpmsbsign --provider tpm2 --provider default --propquery ?provider=tpm2,tpm2.digest!=yes --key "object:${2}?pass" "${3}" "${4}" "${5}" "${6}" "${7}"