v5.2.3
parent ee4b0ae7fb
commit 9adcfa5737
3 changed files with 376 additions and 1 deletions
@ -1,3 +1,350 @@
- commits:
- subject: Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c
hash: 908aaf86225d46c5e1b926ecc3670179fcca3eab
body: Update layers/meta-balena
footer:
Changelog-entry: Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c
changelog-entry: Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c
author: Self-hosted Renovate Bot
nested:
- commits:
- subject: mv docs/{,uefi-}secure-boot.md
hash: 18e35c55cb486d93aadc43df1f5e0db0ef840c03
body: ""
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "docs: secure-boot: update for PCR7 sealing"
hash: e3c6131e6979390292c72e5e18c96d83165096fe
body: >
Update secure boot docs to reflect changes made for PCR7
sealing,

including:


* No first boot needed anymore to reach secure state

* PCR roles
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers: compute_pcr7: merge event log digests"
hash: e10d67084621e5ce10f14557f2466e91ff684b41
body: >
The main variables measured into PCR7 to ensure secure boot

configuration integrity are the state and EFI vars, including
PK, KEK,

db, dbx, etc.


However, some systems have firmware that will measure other,
unexpected

events, such as "DMA Protection Disabled" (related to a Windows
feature

[0]), or "Unknown event type" with strange data.


These events can't be predicted, and other devices may have
different

measured events that aren't compliant with the TCG spec, so
attempt to

check the TPM event log and extend our digest with any unknown
events

that fit the bill.


[0]
https://learn.microsoft.com/en-us/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: Update policy's PCR7 value in hostapp-update hook
hash: f05deea2cd1003e186fa7756eecf8f113db26a7f
body: >
When performing a hostapp-update, we may touch file and efivars
that are

measured into PCR7. Re-generate the predicted value and reseal
the LUKS

passphrase using this new digest.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: compute_pcr7: allow overriding efivars"
hash: 3e0911a5c4317ea4b9ca03a7816ce600e5b202c5
body: >
When computing the digest of PCR7, it may be necessary to
override the

input variables used, in order to predict the value on the next
boot.

Allow these inputs to be overridden using function parameters.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: Move policy update to HUP commit hook
hash: 80f9bd84de394aa728ed802a2d4c02f3a87f370b
body: >
When migrating the TPM2 policy used to secure the LUKS
passphrase to use

different PCRs, we temporarily want to maintain fallback
capability in

case the newly installed hostapp doesn't pass healthchecks. This
allows

the system to boot back into the original OS and try again.


In order to do so, we leave the passphrase in place with the old
PCR

authentication policy. The cryptsetup hook in the initramfs will
try

PCRs 0,2,3,7 and if those don't work we fallback to the original
PCRs.


Once the new system successfully boots, we'll re-encrypt the
passphrase

and use the new PCRs to create a policy to secure the key.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "rollback-health: move apply-dbx to HUP commit hook"
hash: 3d78d26366b284313ea718adb8d5498ac4f27e1f
body: >
This operation is done after rollback-health completes and the
new OS is

running to ensure the OS is healthy before appending to the
forbidden

signatures list.


Move this out of rollback-health and into a HUP commit hook,
which

allows it to be excluded from OS images that don't use EFI or
support

secure boot.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "hostapp-hooks: include 0-signed-update only for efi"
hash: 328222014146f0116e0208443f3e255d0e85ef15
body: >
This hook is only applicable for EFI machines. Include it in the
build

only when MACHINE_FEATURES includes EFI.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "secure boot: seal luks passphrase w/ PCR7"
hash: 86460d1fa00e40caa1e3edd3ebed5d2098dafe31
body: ""
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "os-helpers-tpm2: separate authentication from crypto"
hash: 6a4e3cd2f48dc7e48acc35f04200317397d6d0b1
body: >
When encrypting the LUKS passphrase, we need the ability to
construct a

policy that can logically OR together multiple policies, such as
when

the machine may or may not measure binaries loaded through EFI
boot

services into PCR7.


We also need the ability to update the sealing policy to revoke

previously valid configurations, such as after
hostapp-healthcheck

completes successfully. Ideally, this should be completed before

modifying any efi variables, to prevent the system from becoming

unbootable in the event of an interrupted update.


These requirements necessitate the ability to create sealing
policies

and authenticate against them outside of the
hw_{en,de}crypt_passphrase

functions.


This commit allows the caller to setup the sealing policy when

encrypting, and choose what kind of authentication to use when

decrypting.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "tcgtool: new recipe"
hash: 5217a6c8e8599f18ef84d319fb41049c476be265
body: >
Create recipe for tcgtool, a program that replicates the
structures used

to represent data measured and hashed to extend TPM PCRs.


This is useful to compute a PCR hash at runtime, which is
normally

computed by the firmware before the OS boots. This allows for
adjusting

a TPM2 policy to unlock the disk encryption passphrase with the
updated

state on the next boot.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "recipes-bsp: add recipe for GRUB 2.12"
hash: 27808e2da6740bcd17d435aa15d644fef7b2b69c
body: >
This version changes how kernel images are booted, passing them
to the EFI

boot services LoadImage method, which uses EFISTUB and retains
the TPM

event log in memory.


Copy this recipe from Poky rev 43f9098. This may be removed once
Poky is

bumped to Scarthgap (5.0).


More info: https://edk2.groups.io/g/devel/topic/93730585
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "tests: skip bootloader config integrity check"
hash: ad70f51fcc899dd3ec521c280c0a074302f7498f
body: >
GRUB 2.12 no longer outputs the escape codes the previous
version did.

Skip this test until we can patch the bootloader to output a
string we

can match against.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
- subject: "secureboot: enroll kernel hash in db for EFISTUB"
hash: 45fe30fcc01bb2f3c423c11e2ea244546da30d57
body: >
Generate hash for second stage bootloader and enroll in db
efivar to

allow the firmware to verify the image for booting when using
EFISTUB.


This is necessary to update to GRUB 2.12, which passes the EFI
image to

the EFI boot services LoadImage method, which then validates the
image

when secure boot is enabled.
footer:
Change-type: patch
change-type: patch
Signed-off-by: Joseph Kogut <joseph@balena.io>
signed-off-by: Joseph Kogut <joseph@balena.io>
author: Joseph Kogut
nested: []
version: meta-balena-5.2.3
title: ""
date: 2024-03-22T08:48:01.071Z
version: 5.2.3
title: ""
date: 2024-03-22T13:26:19.025Z
- commits:
- subject: Update contracts to 2de35264348458938cf5c85c28660a58a1e8066a
hash: 65c1a0369b32ba0ec8ddee5b1857667b10008698
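Review bot: the nested list describes two different homes for the LUKS reseal, and the entry should say how they fit together. `Update policy's PCR7 value in hostapp-update hook` says the passphrase is resealed with the newly predicted PCR7 digest during hostapp-update, while `Move policy update to HUP commit hook` says the passphrase is left under the old PCR policy so the initramfs can try `PCRs 0,2,3,7` and fall back to the original PCRs until the new hostapp passes healthchecks and the commit hook re-encrypts it. If the first only refreshes the PCR7 value that the commit hook later seals against, one sentence to that effect in the outer `body` would stop the next reader from assuming the rollback path was lost; if it really reseals before the commit hook runs, the fallback described in the second commit no longer exists. Related: the outer entry's `body` and both `Changelog-entry` footers carry nothing but the submodule SHA, and every nested commit is `Change-type: patch`, yet this bump changes what unlocks the disk on EFI devices (`secure boot: seal luks passphrase w/ PCR7`, `apply-dbx` moved into the HUP commit hook, the kernel hash enrolled in `db` for EFISTUB), so the release note deserves at least a one-line summary of the sealing-policy change. Also, `tests: skip bootloader config integrity check` disables an integrity test until GRUB 2.12 can be patched to emit a matchable string; track that follow-up before the next bump. The line count is consistent with the page header: `-1,3 +1,350` is 347 added lines, which with the 28 in CHANGELOG.md and the one-line VERSION change gives the stated 376 additions and 1 deletion.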
28 CHANGELOG.md
@ -1,6 +1,34 @@
Change log
-----------

# v5.2.3
## (2024-03-22)


<details>
<summary> Update layers/meta-balena to 90d838ae943ffa72108522bfcc4370105a3be40c [Self-hosted Renovate Bot] </summary>

> ## meta-balena-5.2.3
> ### (2024-03-22)
>
> * mv docs/{,uefi-}secure-boot.md [Joseph Kogut]
> * docs: secure-boot: update for PCR7 sealing [Joseph Kogut]
> * os-helpers: compute_pcr7: merge event log digests [Joseph Kogut]
> * Update policy's PCR7 value in hostapp-update hook [Joseph Kogut]
> * os-helpers-tpm2: compute_pcr7: allow overriding efivars [Joseph Kogut]
> * Move policy update to HUP commit hook [Joseph Kogut]
> * rollback-health: move apply-dbx to HUP commit hook [Joseph Kogut]
> * hostapp-hooks: include 0-signed-update only for efi [Joseph Kogut]
> * secure boot: seal luks passphrase w/ PCR7 [Joseph Kogut]
> * os-helpers-tpm2: separate authentication from crypto [Joseph Kogut]
> * tcgtool: new recipe [Joseph Kogut]
> * recipes-bsp: add recipe for GRUB 2.12 [Joseph Kogut]
> * tests: skip bootloader config integrity check [Joseph Kogut]
> * secureboot: enroll kernel hash in db for EFISTUB [Joseph Kogut]
>

</details>

# v5.2.2+rev1
## (2024-03-21)

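Review bot: the `<summary>` line records the full meta-balena SHA, but the fourteen bullets under it give only subject and author, so from CHANGELOG.md alone a reader cannot get from `secure boot: seal luks passphrase w/ PCR7` or `secureboot: enroll kernel hash in db for EFISTUB` to the commit behind it; the YAML in the same change has a `hash:` for each, so appending the short hash to each bullet would cost nothing. The bookkeeping checks out: `# v5.2.3` / `## (2024-03-22)` agree with `version: 5.2.3` and `date: 2024-03-22T13:26:19.025Z` in the YAML, and the `<details>` block is closed before the retained `# v5.2.2+rev1` section.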
2 VERSION
@ -1 +1 @@
5.2.2+rev1
5.2.3