Currently, if signed-boot is enabled in configure, the presence of the
LOCKDOWN_FILE is used as a runtime determination of whether to perform the
actual verification. In some environments this may be acceptable or even
the intended operation, but in other environments it could be a security
hole, since removing the file will then cause boot task verification to be
skipped.
Add a 'hard_lockdown' enable flag to generate a HARD_LOCKDOWN
preprocessor definition that forces the system to always perform signed boot
verification for each boot task, so that if the file is missing the boot
will fail.
Signed-off-by: Brett Grandbois <brett.grandbois@opengear.com>
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
AS_IF([test "x$VERIFY_DIGEST" = x], [VERIFY_DIGEST="sha256"])
AC_DEFINE_UNQUOTED(VERIFY_DIGEST, "$VERIFY_DIGEST", [openssl verify dgst])
+AC_ARG_ENABLE([hard-lockdown],
+ [AS_HELP_STRING([--enable-hard-lockdown],
+ [if signed boot configured, the absence of the
+ LOCKDOWN_FILE does not disable signed boot at
+ runtime @<:@default=no@:>@])],
+ [AC_DEFINE(HARD_LOCKDOWN, 1, [Enable hard lockdown])],
+ [])
+
AC_ARG_ENABLE(
[busybox],
[AS_HELP_STRING(
AC_ARG_ENABLE(
[busybox],
[AS_HELP_STRING(
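Review bot: The action-if-given branch at L21 runs for `--disable-hard-lockdown` as well as `--enable-hard-lockdown`, so an explicit disable still defines HARD_LOCKDOWN; AC_ARG_ENABLE does not test `$enableval` for you. Guard the define on the value: `[AS_IF([test "x$enableval" = xyes], [AC_DEFINE(HARD_LOCKDOWN, 1, [Enable hard lockdown])])],`. The help string at L18–L20 says the option only matters when signed boot is configured, but nothing here warns about or rejects `--enable-hard-lockdown` without signed boot; if the signed-boot option records its state in a shell variable, an `AC_MSG_WARN` or `AC_MSG_ERROR` for the mismatched combination would turn the hardening into a configure-time guarantee instead of a silent no-op. The help text could also state the consequence the commit message gives, that a missing LOCKDOWN_FILE then fails the boot.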
/* assume most restrictive lockdown type */
int ret = PB_LOCKDOWN_SIGN;
/* assume most restrictive lockdown type */
int ret = PB_LOCKDOWN_SIGN;
+#if !defined(HARD_LOCKDOWN)
if (access(LOCKDOWN_FILE, F_OK) == -1)
return PB_LOCKDOWN_NONE;
if (access(LOCKDOWN_FILE, F_OK) == -1)
return PB_LOCKDOWN_NONE;
/* determine lockdown type */
FILE *authorized_signatures_handle = NULL;
/* determine lockdown type */
FILE *authorized_signatures_handle = NULL;
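Review bot: With HARD_LOCKDOWN defined the early return after the access() check at L37–L38 is compiled out, so a missing LOCKDOWN_FILE now falls through into the "determine lockdown type" code that opens the file through authorized_signatures_handle; that open-failure path must leave ret at the "most restrictive" PB_LOCKDOWN_SIGN set at L33 and never downgrade to PB_LOCKDOWN_NONE, which cannot be confirmed here because lockdown_type continues past the hunk. The same applies to the second lockdown_type hunk at L43–L53 (the PKCS12 variant). The closing `#endif` for the new conditional is not visible on this page, presumably a rendering loss rather than an omission. A comment on the new line would spare the next reader the inference: `/* HARD_LOCKDOWN: a missing LOCKDOWN_FILE must not disable signing checks; fall through and let the boot task fail instead */`.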
int ret = PB_LOCKDOWN_SIGN;
PKCS12 *p12 = NULL;
int ret = PB_LOCKDOWN_SIGN;
PKCS12 *p12 = NULL;
+#if !defined(HARD_LOCKDOWN)
if (access(LOCKDOWN_FILE, F_OK) == -1)
return PB_LOCKDOWN_NONE;
if (access(LOCKDOWN_FILE, F_OK) == -1)
return PB_LOCKDOWN_NONE;
/* determine lockdown type */
/* determine lockdown type */
fclose(authorized_signatures_handle);
}
fclose(authorized_signatures_handle);
}
return NULL;
#if defined(SIGNED_BOOT)
return NULL;
#if defined(SIGNED_BOOT)
+#if !defined(HARD_LOCKDOWN)
if (access(LOCKDOWN_FILE, F_OK) == -1)
boot_editor->use_signature_files = false;
else
if (access(LOCKDOWN_FILE, F_OK) == -1)
boot_editor->use_signature_files = false;
else
boot_editor->use_signature_files = true;
#else
boot_editor->use_signature_files = false;
boot_editor->use_signature_files = true;
#else
boot_editor->use_signature_files = false;
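Review bot: Closing the new `#if !defined(HARD_LOCKDOWN)` between the `else` at L68 and its statement at L72 (the `#endif` itself is not visible on this page) makes the `else` bind across a preprocessor boundary, so a later edit that braces or extends the true branch breaks the HARD_LOCKDOWN build silently. A flatter form keeps the whole if/else inside the conditional and gives the HARD_LOCKDOWN case its own assignment: after the existing `boot_editor->use_signature_files = true;` add `#else` / `boot_editor->use_signature_files = true;` / `#endif`, then the outer `#else` follows as before. Each build configuration's assignment is then readable on one line without tracing an `else` through a directive. The enclosing function starts outside the hunk.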
static bool lockdown_active(void)
{
static bool lockdown_active(void)
{
+#if defined(SIGNED_BOOT) && defined(HARD_LOCKDOWN)
+ return true;
+#else
bool lockdown = false;
if (access(LOCKDOWN_FILE, F_OK) != -1)
lockdown = true;
return lockdown;
bool lockdown = false;
if (access(LOCKDOWN_FILE, F_OK) != -1)
lockdown = true;
return lockdown;
}
static void cui_start(void)
}
static void cui_start(void)
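Review bot: lockdown_active now hard-codes true under `SIGNED_BOOT && HARD_LOCKDOWN` at L79–L80 without saying why, and the guard differs from the bare `#if !defined(HARD_LOCKDOWN)` used in the lockdown_type hunks; if those backends are only compiled with signed boot the two are equivalent, but a reader of this file cannot tell. A one-line comment above the new `#if` would settle it: `/* HARD_LOCKDOWN makes signed boot unconditional, so always report lockdown regardless of LOCKDOWN_FILE */`. The closing `#endif` for the new `#if`/`#else` is not visible on this page and presumably sits before the closing brace at L90.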