chore: add kernel module signtaure verification
Add kernel module signature verification for out-of-tree kernel modules.

Fixes: siderolabs#7049

Signed-off-by: Noel Georgi <git@frezbo.dev>
frezbo committed Apr 10, 2023
1 parent 5176d27 commit e0a37fa
Showing 12 changed files with 317 additions and 31 deletions.
6 changes: 3 additions & 3 deletions .drone.jsonnet
Expand Up @@ -278,7 +278,7 @@ local save_artifacts = {
commands: [
'az login --service-principal -u "$${AZURE_STORAGE_USER}" -p "$${AZURE_STORAGE_PASS}" --tenant "$${AZURE_TENANT}"',
'az storage container create --metadata ci=true -n ${CI_COMMIT_SHA}${DRONE_TAG//./-}',
'az storage blob upload-batch --overwrite -s _out -d ${CI_COMMIT_SHA}${DRONE_TAG//./-}'
'az storage blob upload-batch --overwrite -s _out -d ${CI_COMMIT_SHA}${DRONE_TAG//./-}',
],
volumes: volumes.ForStep(),
depends_on: [build.name, images_essential.name, iso.name, talosctl_cni_bundle.name],
Expand All @@ -297,7 +297,7 @@ local load_artifacts = {
commands: [
'az login --service-principal -u "$${AZURE_STORAGE_USER}" -p "$${AZURE_STORAGE_PASS}" --tenant "$${AZURE_TENANT}"',
'az storage blob download-batch --overwrite true -d _out -s ${CI_COMMIT_SHA}${DRONE_TAG//./-}',
'chmod +x _out/clusterctl _out/integration-test-linux-amd64 _out/kubectl _out/kubestr _out/helm _out/cilium _out/talosctl*'
'chmod +x _out/clusterctl _out/integration-test-linux-amd64 _out/module-sig-verify-linux-amd64 _out/kubectl _out/kubestr _out/helm _out/cilium _out/talosctl*',
],
volumes: volumes.ForStep(),
depends_on: [setup_ci.name],
Expand Down Expand Up @@ -347,7 +347,7 @@ local extensions_patch_manifest = {
// create a patch file to pass to the downstream build
// ignore nvidia extensions, testing nvidia extensions needs a machine with nvidia graphics card
// ignore nut extensions, needs extra config files
'jq -R < _out/extensions-metadata | jq -s \'[{"op":"add","path":"/machine/install/extensions","value":[{"image": map(select(. | contains("nvidia") or contains("nut") | not)) | .[]}]},{"op":"add","path":"/machine/sysctls","value":{"user.max_user_namespaces": "11255"}}]\' > _out/extensions-patch.json',
'jq -R < _out/extensions-metadata | jq -s -f hack/test/extensions/extension-patch-filter.jq > _out/extensions-patch.json',
'cat _out/extensions-patch.json',
],
depends_on: [extensions_artifacts.name],
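Review bot: The two comment lines above `'jq -R < _out/extensions-metadata | jq -s -f hack/test/extensions/extension-patch-filter.jq > _out/extensions-patch.json'` (third hunk) still explain the nvidia/nut exclusions, but that logic, and presumably the sysctl patch that the removed inline filter carried, now live in `hack/test/extensions/extension-patch-filter.jq`, which is not part of this page, so the comments sit next to a line they no longer describe. Replace them with a pointer such as `// extension selection and sysctl patch are applied by hack/test/extensions/extension-patch-filter.jq` and keep the nvidia/nut rationale in that file, next to the code it explains, so the two cannot drift apart. The `chmod +x` line in the second hunk adds `_out/module-sig-verify-linux-amd64`, which matches the artifact name the Makefile builds.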
52 changes: 31 additions & 21 deletions Dockerfile
Expand Up @@ -118,8 +118,7 @@ RUN --mount=type=cache,target=/.cache go install k8s.io/code-generator/cmd/deepc
ARG VTPROTOBUF_VERSION
RUN --mount=type=cache,target=/.cache go install github.com/planetscale/vtprotobuf/cmd/protoc-gen-go-vtproto@${VTPROTOBUF_VERSION} \
&& mv /go/bin/protoc-gen-go-vtproto /toolchain/go/bin/protoc-gen-go-vtproto
# fix vulncheck at a previous version, as it seems to break in the latest commits
RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@05fb7250142cc6010c39968839f2f3710afdd918 \
RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@latest \
&& mv /go/bin/govulncheck /toolchain/go/bin/govulncheck
RUN --mount=type=cache,target=/.cache go install github.com/uber/prototool/cmd/prototool@v1.10.0 \
&& mv /go/bin/prototool /toolchain/go/bin/prototool
Expand Down Expand Up @@ -252,23 +251,24 @@ RUN mkdir -p pkg/machinery/gendata/data && \
echo -n ${PKGS} > pkg/machinery/gendata/data/pkgs && \
echo -n ${TAG} > pkg/machinery/gendata/data/tag && \
echo -n ${ARTIFACTS} > pkg/machinery/gendata/data/artifacts
RUN mkdir -p _out && \
echo PKGS=${PKGS} >> _out/talos-metadata && \
echo TAG=${TAG} >> _out/talos-metadata && \
echo EXTRAS=${EXTRAS} >> _out/talos-metadata

FROM scratch AS embed
COPY --from=embed-generate /src/pkg/machinery/gendata/data /pkg/machinery/gendata/data
COPY --from=embed-generate /src/_out/talos-metadata /_out/talos-metadata

FROM embed-generate AS embed-abbrev-generate
ARG ABBREV_TAG
RUN echo -n "undefined" > pkg/machinery/gendata/data/sha && \
echo -n ${ABBREV_TAG} > pkg/machinery/gendata/data/tag
RUN mkdir -p _out && \
echo PKGS=${PKGS} >> _out/talos-metadata && \
echo TAG=${TAG} >> _out/talos-metadata && \
echo EXTRAS=${EXTRAS} >> _out/talos-metadata
COPY --from=pkg-kernel /certs/signing_key.x509 _out/signing_key.x509

FROM scratch AS embed-abbrev
COPY --from=embed-abbrev-generate /src/pkg/machinery/gendata/data /pkg/machinery/gendata/data
COPY --from=embed-abbrev-generate /src/_out/talos-metadata /_out/talos-metadata
COPY --from=embed-abbrev-generate /src/_out/signing_key.x509 /_out/signing_key.x509

FROM --platform=${BUILDPLATFORM} scratch AS generate
COPY --from=proto-format-build /src/api /api/
Expand Down Expand Up @@ -777,6 +777,21 @@ RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64}
FROM scratch AS integration-test-provision-linux
COPY --from=integration-test-provision-linux-build /src/integration.test /integration-test-provision-linux-amd64

# The module-sig-verify targets builds module-sig-verify binary.

FROM build-go AS module-sig-verify-linux-build
ARG GO_BUILDFLAGS
ARG GO_LDFLAGS
ARG GOAMD64
WORKDIR /src/module-sig-verify
COPY ./hack/module-sig-verify/go.mod ./hack/module-sig-verify/go.sum .
RUN --mount=type=cache,target=/.cache go mod download
COPY ./hack/module-sig-verify/main.go .
RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} go build -o module-sig-verify .

FROM scratch AS module-sig-verify-linux
COPY --from=module-sig-verify-linux-build /src/module-sig-verify/module-sig-verify /module-sig-verify-linux-amd64

# The lint target performs linting on the source code.

FROM base AS lint-go
Expand Down Expand Up @@ -886,19 +901,14 @@ RUN --mount=type=cache,target=/.cache go install github.com/psampaz/go-mod-outda
COPY ./hack/cloud-image-uploader ./hack/cloud-image-uploader
COPY ./hack/docgen ./hack/docgen
COPY ./hack/gotagsrewrite ./hack/gotagsrewrite
COPY ./hack/protoc-gen-doc ./hack/protoc-gen-doc
COPY ./hack/module-sig-verify ./hack/module-sig-verify
COPY ./hack/structprotogen ./hack/structprotogen
# fail always to get the output back
RUN --mount=type=cache,target=/.cache \
echo -e "\n>>>> pkg/machinery:" && \
(cd pkg/machinery && go list -u -m -json all | go-mod-outdated -update -direct) && \
echo -e "\n>>>> .:" && \
(go list -u -m -json all | go-mod-outdated -update -direct) && \
echo -e "\n>>>> hack/cloud-image-uploader:" && \
(cd hack/cloud-image-uploader && go list -u -m -json all | go-mod-outdated -update -direct) && \
echo -e "\n>>>> hack/docgen:" && \
(cd hack/docgen && go list -u -m -json all | go-mod-outdated -update -direct) && \
echo -e "\n>>>> hack/gotagsrewrite:" && \
(cd hack/gotagsrewrite && go list -u -m -json all | go-mod-outdated -update -direct) && \
echo -e "\n>>>> hack/structprotogen:" && \
(cd hack/structprotogen && go list -u -m -json all | go-mod-outdated -update -direct)
RUN --mount=type=cache,target=/.cache <<EOF
for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen; do
echo -e "\n>>>> ${project}:" && \
(cd "${project}" && go list -u -m -json all | go-mod-outdated -update -direct)
done

exit 1
EOF
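Review bot: The line `RUN --mount=type=cache,target=/.cache go install golang.org/x/vuln/cmd/govulncheck@latest \` in the first hunk replaces a commit pin with `@latest`, so the lint toolchain is no longer reproducible and an upstream release can change or break the vulnerability check with no change in this repository; the comment removed in the same hunk records that exactly this happened before. Every other tool installed in that hunk is pinned (`protoc-gen-go-vtproto@${VTPROTOBUF_VERSION}`, `prototool@v1.10.0`), so pin this one the same way, e.g. `ARG GOVULNCHECK_VERSION` followed by `go install golang.org/x/vuln/cmd/govulncheck@${GOVULNCHECK_VERSION} \`, with the value managed alongside the other versioned tools. The new `module-sig-verify-linux-build` stage in the third hunk is fine in this respect, since `go mod download` resolves against the copied `go.sum`.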
12 changes: 9 additions & 3 deletions Makefile
Expand Up @@ -14,7 +14,7 @@ NAME = Talos

ARTIFACTS := _out
TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0-alpha.0
PKGS ?= v1.5.0-alpha.0-3-g174f8fc
PKGS ?= v1.5.0-alpha.0-4-g4eae958
EXTRAS ?= v1.5.0-alpha.0
# renovate: datasource=github-tags depName=golang/go
GO_VERSION ?= 1.20
Expand Down Expand Up @@ -46,6 +46,7 @@ TEXTLINT_RULE_ONE_SENTENCE_PER_LINE_VERSION ?= 2.0.0
OPERATING_SYSTEM := $(shell uname -s | tr "[:upper:]" "[:lower:]")
TALOSCTL_DEFAULT_TARGET := talosctl-$(OPERATING_SYSTEM)
INTEGRATION_TEST_DEFAULT_TARGET := integration-test-$(OPERATING_SYSTEM)
MODULE_SIG_VERIFY_DEFAULT_TARGET := module-sig-verify-$(OPERATING_SYSTEM)
INTEGRATION_TEST_PROVISION_DEFAULT_TARGET := integration-test-provision-$(OPERATING_SYSTEM)
# renovate: datasource=github-releases depName=kubernetes/kubernetes
KUBECTL_VERSION ?= v1.27.0-rc.1
Expand Down Expand Up @@ -337,7 +338,7 @@ check-dirty: ## Verifies that source tree is not dirty
@if test -n "`git status --porcelain`"; then echo "Source tree is dirty"; git status; exit 1 ; fi

go-mod-outdated: ## Runs the go-mod-oudated to show outdated dependencies.
@$(MAKE) target-go-mod-outdated PLATFORM=linux/amd64 PROGRESS=text
@$(MAKE) target-go-mod-outdated PLATFORM=linux/amd64

# Tests

Expand All @@ -355,6 +356,9 @@ $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64:
$(ARTIFACTS)/$(INTEGRATION_TEST_PROVISION_DEFAULT_TARGET)-amd64:
@$(MAKE) local-$(INTEGRATION_TEST_PROVISION_DEFAULT_TARGET) DEST=$(ARTIFACTS) PLATFORM=linux/amd64 WITH_RACE=true NAME=Client

$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64:
@$(MAKE) local-$(MODULE_SIG_VERIFY_DEFAULT_TARGET) DEST=$(ARTIFACTS) PLATFORM=linux/amd64

$(ARTIFACTS)/kubectl:
@mkdir -p $(ARTIFACTS)
@curl -L -o $(ARTIFACTS)/kubectl "$(KUBECTL_URL)"
Expand All @@ -380,7 +384,7 @@ $(ARTIFACTS)/cilium:
@curl -L "$(CILIUM_CLI_URL)" | tar xzf - -C $(ARTIFACTS) cilium
@chmod +x $(ARTIFACTS)/cilium

external-artifacts: $(ARTIFACTS)/kubectl $(ARTIFACTS)/clusterctl $(ARTIFACTS)/kubestr $(ARTIFACTS)/helm $(ARTIFACTS)/cilium
external-artifacts: $(ARTIFACTS)/kubectl $(ARTIFACTS)/clusterctl $(ARTIFACTS)/kubestr $(ARTIFACTS)/helm $(ARTIFACTS)/cilium $(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64

e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts ## Runs the E2E test for the specified platform (e.g. e2e-docker).
@$(MAKE) hack-test-$@ \
Expand All @@ -393,6 +397,8 @@ e2e-%: $(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 external-artifacts
ARTIFACTS=$(ARTIFACTS) \
TALOSCTL=$(PWD)/$(ARTIFACTS)/$(TALOSCTL_DEFAULT_TARGET)-amd64 \
INTEGRATION_TEST=$(PWD)/$(ARTIFACTS)/$(INTEGRATION_TEST_DEFAULT_TARGET)-amd64 \
MODULE_SIG_VERIFY=$(PWD)/$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64 \
KERNEL_MODULE_SIGNING_PUBLIC_KEY=$(PWD)/$(ARTIFACTS)/signing_key.x509 \
SHORT_INTEGRATION_TEST=$(SHORT_INTEGRATION_TEST) \
CUSTOM_CNI_URL=$(CUSTOM_CNI_URL) \
KUBECTL=$(PWD)/$(ARTIFACTS)/kubectl \
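Review bot: The `e2e-%` target (last hunk) passes `KERNEL_MODULE_SIGNING_PUBLIC_KEY=$(PWD)/$(ARTIFACTS)/signing_key.x509`, but nothing in the Makefile hunks produces or declares `$(ARTIFACTS)/signing_key.x509`, whereas the binary it pairs with is a prerequisite through `external-artifacts`; if the key is expected to arrive from an earlier build step (the Dockerfile exports it from the embed-abbrev stage), a run on a clean `_out` will fail inside the integration test instead of at dependency resolution. Consider guarding it before the `hack-test-$@` invocation, e.g. `@test -f $(ARTIFACTS)/signing_key.x509 || { echo "missing $(ARTIFACTS)/signing_key.x509"; exit 1; }`, or add a rule that makes the key a real prerequisite. Separately, `$(ARTIFACTS)/$(MODULE_SIG_VERIFY_DEFAULT_TARGET)-amd64` is built locally, so listing it under `external-artifacts` next to the downloaded tools is misleading; a direct prerequisite on the `e2e-%` line would read more accurately. The `e2e-%` recipe continues outside the hunk.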
2 changes: 2 additions & 0 deletions go.work
Expand Up @@ -3,7 +3,9 @@ go 1.19
use (
.
./hack/cloud-image-uploader
./hack/docgen
./hack/gotagsrewrite
./hack/module-sig-verify
./hack/structprotogen
./pkg/machinery
)
2 changes: 1 addition & 1 deletion hack/docgen/go.mod
Expand Up @@ -4,7 +4,7 @@ go 1.20

// forked go-yaml that introduces RawYAML interface, which can be used to populate YAML fields using bytes
// which are then encoded as a valid YAML blocks with proper indentiation
replace gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b
replace gopkg.in/yaml.v3 => github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c

require (
github.com/gomarkdown/markdown v0.0.0-20230322041520-c84983bdbf2a
4 changes: 2 additions & 2 deletions hack/docgen/go.sum
Expand Up @@ -28,8 +28,8 @@ github.com/siderolabs/gen v0.4.3/go.mod h1:wS8tFq7sn5vqKAuyS30vJUig3tX5v6q79VG4K
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.1-0.20190311161405-34c6fa2dc709/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b h1:8pnPjZJU0SYanlmHnhMTeR8OR148K9yStwBz1GsjBsQ=
github.com/unix4ever/yaml v0.0.0-20210315173758-8fb30b8e5a5b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c h1:Vn6nVVu9MdOYvXPkJP83iX5jVIfvxFC9v9xIKb+DlaQ=
github.com/unix4ever/yaml v0.0.0-20220527175918-f17b0f05cf2c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
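--- a/hack/module-sig-verify/go.mod
+++ b/hack/module-sig-verify/go.mod
@@ -0,0 +1,5 @@
+module module-sig-verify
+
+go 1.20
+
+require go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352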
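--- a/hack/module-sig-verify/go.sum
+++ b/hack/module-sig-verify/go.sum
@@ -0,0 +1,2 @@
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
+go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=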