Re-init.
e384f07a18
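--- a/0001-Hibernate-Patch.patch
+++ b/0001-Hibernate-Patch.patch
@@ -0,0 +1,69 @@
+From 71c4fb133b496d62539dd32dc3d377f861f067f2 Mon Sep 17 00:00:00 2001
+From: Captain ALM <captainalm@captainalm.com>
+Date: Sat, 25 May 2024 17:55:24 +0100
+Subject: [PATCH] Hibernate Patch.
+
+---
+Documentation/admin-guide/kernel-parameters.txt | 5 +++++
+kernel/power/hibernate.c | 11 +++++++++--
+2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index a1b25a735..71b537ea6 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2684,6 +2684,11 @@
+to extract confidential information from the kernel
+are also disabled.
+
++ lockdown_hibernate [HIBERNATION]
++ Enable hibernation even if lockdown is enabled. Enable this only if
++ your swap is encrypted and secured properly, as an attacker can
++ modify the kernel offline during hibernation.
++
+locktorture.nreaders_stress= [KNL]
+Set the number of locking read-acquisition kthreads.
+Defaults to being automatically set based on the
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 9abc73d50..25c3a8fa6 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -36,7 +36,7 @@
+
+#include "power.h"
+
+-
++static int lockdown_hibernate;
+static int nocompress;
+static int noresume;
+static int nohibernate;
+@@ -83,7 +83,7 @@ void hibernate_release(void)
+bool hibernation_available(void)
+{
+return nohibernate == 0 &&
+- !security_locked_down(LOCKDOWN_HIBERNATION) &&
++ (lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
+!secretmem_active();
+}
+
+@@ -1337,6 +1337,12 @@ static int __init nohibernate_setup(char *str)
+return 1;
+}
+
++static int __init lockdown_hibernate_setup(char *str)
++{
++ lockdown_hibernate = 1;
++ return 1;
++}
++
+__setup("noresume", noresume_setup);
+__setup("resume_offset=", resume_offset_setup);
+__setup("resume=", resume_setup);
+@@ -1344,3 +1350,4 @@ __setup("hibernate=", hibernate_setup);
+__setup("resumewait", resumewait_setup);
+__setup("resumedelay=", resumedelay_setup);
+__setup("nohibernate", nohibernate_setup);
++__setup("lockdown_hibernate", lockdown_hibernate_setup);
+--
+2.34.1
+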
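Review bot: `lockdown_hibernate_setup` flips the bypass silently, so once the parameter is given `hibernation_available()` returns true under lockdown with no trace in the kernel log; a one-line `pr_warn("lockdown_hibernate: allowing hibernation under lockdown, image integrity relies on encrypted swap\n");` in the setup function would make the weakened state visible to anyone auditing dmesg. The unused `str` parameter matches the neighbouring `nohibernate_setup` handler, so it is fine for a `__setup` callback. The kernel-parameters.txt text says the option is only safe with encrypted swap, but nothing in the code can check that; a sentence in the entry stating that the kernel does not verify this condition would set expectations correctly. The patched functions are only partly visible through the nested hunks.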
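--- a/BMOK-openssl.cnf
+++ b/BMOK-openssl.cnf
@@ -0,0 +1,25 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = UK
+stateOrProvinceName = Kent
+localityName = Herne Bay
+0.organizationName = Captain ALM
+commonName = Secure Boot Signing
+emailAddress = alfred@captainalm.com
+
+[ v3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
+nsComment = "OpenSSL Generated Certificate"
+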
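Review bot: `countryName = UK` is not an ISO 3166-1 alpha-2 code; the code for the United Kingdom is `GB`, and some consumers validate the C attribute strictly, so `countryName = GB` is the safer value. The `[ v3 ]` section declares no `keyUsage`, so the certificate never asserts `digitalSignature`; adding `keyUsage = critical,digitalSignature` gives the code-signing leaf the usage it is expected to carry. `RANDFILE` is no longer used by current OpenSSL releases and can be dropped, and `[ req ]` sets no `default_md`, leaving the signature digest to the library default; `default_md = sha256` pins it explicitly.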
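--- a/bash_aliases
+++ b/bash_aliases
@@ -0,0 +1,123 @@
+alias screen-off="xset dpms force off"
+alias boot-sign-verify="sudo sign-boot && sudo verify-boot"
+function kernel-build() {
+echo "[+] Kernel Build Starting...";
+cwd=$(pwd);
+cd ~/kernel;
+for _dir in *"linux"*; do
+[ -d "${_dir}" ] && linuxdir="${_dir}" && break;
+done;
+echo "[-] Removing Sources...";
+rm -rf "$linuxdir";
+sudo rm -rf deb-contents;
+rm -f *.gz;
+rm -f *.dsc;
+echo "[*] Archiving old packages...";
+mkdir -p old-debs;
+touch dummy.deb;
+mv *.deb old-debs/;
+echo "[+] Obtaining Sources...";
+apt-get source linux-image-unsigned-$(uname -r);
+for _dir in *"linux"*; do
+[ -d "${_dir}" ] && linuxdir="${_dir}" && break;
+done;
+cd "$linuxdir";
+echo "[*] Patching source and configuration...";
+sed -i "s/.*CONFIG_MODULE_SIG_FORCE.*/CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>/" debian.master/config/annotations;
+git apply --verbose ~/Downloads/patches/hibernate/0001-Hibernate-Patch.patch;
+echo "[*] Cleaning kernel build...";
+chmod a+x debian/rules;
+chmod a+x debian/scripts/*;
+chmod a+x debian/scripts/misc/*;
+fakeroot debian/rules clean;
+mkdir -p debian/build/build-generic/certs;
+sudo cp /cert/mok/signing_key.pem debian/build/build-generic/certs/;
+sudo chmod u=rw,g=rw,o=rw debian/build/build-generic/certs/signing_key.pem;
+echo "[*] Building kernel...";
+fakeroot debian/rules binary;
+echo "[*] Build Complete!";
+rm -f debian/build/build-generic/certs/signing_key.pem;
+echo "[+] Extracting kernel package...";
+cd ~/kernel;
+mkdir -p deb-contents;
+dpkg-deb -R $(ls linux-image-unsigned-* | head -1) deb-contents;
+cd "$linuxdir";
+echo "[*] Making kernel signed...";
+pkgarch=$(dpkg-architecture -qDEB_HOST_ARCH);
+pkgver=$(dpkg-parsechangelog --show-field Version);
+cd ~/kernel/deb-contents;
+pkgunom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
+find ./ -type f -exec sed -i -e 's/-unsigned//g' {} \;
+find ./ -type f -exec sed -i -e 's/ unsigned//g' {} \;
+pkgnom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
+sudo mv usr/share/doc/$pkgunom usr/share/doc/$pkgnom;
+tlinuz=$(ls boot/vmlinuz-* | head -1);
+sudo sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $tlinuz --output $tlinuz;
+sed -i "s/.*Conflicts: .*/Conflicts: $pkgunom/" DEBIAN/control;
+pkgisz=$(du -ks * | grep -v DEBIAN | cut -f1 | xargs | sed -e 's/\ /+/g' | bc);
+find ./ -path '*/DEBIAN' -prune -o -type f -exec md5sum {} \; | awk '{ print $1 " " substr($2, 10) }' > DEBIAN/md5sums;
+sed -i "s/.*Installed-Size: .*/Installed-Size: $pkgisz/" DEBIAN/control;
+echo "[+] Packing signed kernel...";
+cd ~/kernel;
+dpkg-deb -b deb-contents ${pkgnom}_${pkgver}_${pkgarch}.deb;
+sudo rm -rf deb-contents;
+echo "[+] Deploying Packages Locally...";
+sudo cp ${pkgnom}_${pkgver}_${pkgarch}.deb /usr/local/mydebs/;
+sudo cp linux-headers-* /usr/local/mydebs/;
+sudo cp linux-libc-dev* /usr/local/mydebs/;
+sudo cp linux-modules* /usr/local/mydebs/;
+sudo update-mydebs;
+cd "$cwd";
+echo "Kernel Build Finished!";
+}
+function install-tar() {
+if [ $# -gt 0 ]; then
+if [ $# -eq 1 ]; then
+fln=$(basename -- "$1");
+flp=$1;
+else
+fln=$(basename -- "$2");
+flp=$2;
+fi
+fln="${fln%%.*}";
+echo "Installing: /opt/$fln";
+sudo mkdir -p "/opt/$fln";
+sudo tar -xvf "$flp" -C /opt/$fln;
+if [ $# -gt 1 ]; then
+sudo chown -R "$1" /opt/$fln;
+fi
+else
+echo "Usage:";
+echo "install-tar <archive> | <owner> <archive>";
+fi
+}
+function install-tar-contents() {
+if [ $# -gt 0 ]; then
+if [ $# -eq 1 ]; then
+flp=$1;
+else
+flp=$2;
+fi
+echo "Installing: /opt";
+sudo tar -xvf "$flp" -C /opt;
+if [ $# -gt 1 ]; then
+sudo chown -R "$1" /opt;
+fi
+else
+echo "Usage:";
+echo "install-tar-contents <archive> | <owner> <archive>";
+fi
+}
+function edit-dot-desktop() {
+sudo nano "/usr/share/applications/$(basename -- "$1").desktop";
+}
+function edit-dot-desktop-local() {
+nano ~"/.local/share/applications/$(basename -- "$1").desktop";
+}
+function tpm2-contents() {
+sudo tpm2_selftest
+sudo tpm2_gettestresult
+sudo tpm2_getcap -l
+sudo tmp2_pcrread
+sudo tpm2_pcrread
+}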
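Review bot: `kernel-build` copies the module-signing private key into the build tree and then runs `sudo chmod u=rw,g=rw,o=rw` on it, leaving the key readable by every local user for the length of the build, and an interrupted build (Ctrl-C during `fakeroot debian/rules binary`) never reaches the `rm -f` cleanup; `sudo chown "$USER" debian/build/build-generic/certs/signing_key.pem; chmod u=rw,g=,o= debian/build/build-generic/certs/signing_key.pem;` gives the unprivileged build the access it needs without widening it, and `shred -u` in place of `rm -f` on the cleanup line avoids leaving key bytes on disk. `cd ~/kernel;` is unchecked before `rm -rf "$linuxdir"`, `rm -f *.gz` and `rm -f *.dsc`, so if the directory is missing those deletions run in whatever directory the caller was in; `cd ~/kernel || return 1;` guards it. `cwd`, `linuxdir`, `pkgarch`, `pkgver`, `pkgunom`, `pkgnom`, `pkgisz` and `tlinuz` are not declared `local`, so each call leaves them in the interactive shell. In `tpm2-contents`, `sudo tmp2_pcrread` looks like a typo for the `tpm2_pcrread` on the following line.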
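--- a/boot-verify-sign
+++ b/boot-verify-sign
@@ -0,0 +1,9 @@
+#!/bin/bash
+/bin/bash /usr/local/sbin/verify-boot;
+if [ $? != 0 ]; then
+echo "Bad" > /opt/boot-verify-state;
+/bin/bash /usr/local/sbin/sign-boot;
+echo "Good" > /opt/boot-verify-state;
+else
+echo "Good" > /opt/boot-verify-state;
+fi;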
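Review bot: When `verify-boot` fails the script immediately runs `sign-boot` and then records `Good`, so a file that failed verification because it was modified is re-signed with the legitimate key and the only evidence of tampering is overwritten within the same run. If the intent is to re-sign after a legitimate kernel or GRUB update, the failing paths should at least be written to a persistent log before signing; otherwise the failure branch should stop at `echo "Bad" > /opt/boot-verify-state; exit 1;` and leave re-signing to an explicit operator action. `if [ $? != 0 ]` works, but `if ! /bin/bash /usr/local/sbin/verify-boot; then` expresses the test directly.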
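--- a/grub-update
+++ b/grub-update
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "[+] Updating Grub...";
+update-grub;
+/usr/share/ubuntu-system-adjustments/systemd/start;
+sign-boot;
+echo "[*] Grub Update Complete!";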
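Review bot: `update-grub;` runs unchecked, so a failed configuration regeneration still proceeds to `sign-boot`, which signs whatever is currently under `/boot` and prints `Grub Update Complete!`; `update-grub || exit 1;` keeps a failed update from being signed as good. The `/usr/share/ubuntu-system-adjustments/systemd/start` path is distribution-specific and also unchecked, so `[ -x /usr/share/ubuntu-system-adjustments/systemd/start ] && /usr/share/ubuntu-system-adjustments/systemd/start;` would make its absence explicit rather than a silent error line.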
BIN
grub.d.my.7z
Normal file
BIN
grub.d.my.7z
Normal file
Binary file not shown.
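--- a/install-grub
+++ b/install-grub
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "[+] Installing Grub...";
+grub-install -v --target=x86_64-efi /dev/sda --efi-directory=/boot/efi --boot-directory=/boot --uefi-secure-boot --pubkey=/root/pubkey --sbat=/root/sbat --disable-shim-lock --modules="acpi afsplitter all_video bitmap bitmap_scale boot btrfs bufio cat chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efi_gop efinet efi_uga ext2 extcmd fat font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux linuxefi loadenv loopback ls luks lvm lzopio mdraid09 mdraid1x mmap mpi net normal ntfs password_pbkdf2 pbkdf2 pgp png probe procfs raid5rec raid6rec regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal trig video video_bochs video_cirrus video_colors xfs xzio zfs zfscrypt zfsinfo zstd part_gpt tpm";
+#echo "[+] Patching load.cfg";
+#echo >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'trust --skip-sig (hd0,gpt6)/pubkey' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set check_signatures=enforce' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set superusers="root"' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'password_pbkdf2 root grub.pbkdf2.sha512.10000.87A1064D2A4493C4235F8BB04C02309873D6ECC872696400690D4C6194A9EE8A0BE005590ACAE2E3C1F416A8E9DBB665EC1F6AE35B4274CE3CD8F4694D17D0DA.18DDB69D7AB16CDC661D9F8D47CFA37A9C6A9FF8E2851C56E0E131A99BC713C348C152D338171809BE7AE2CBDA7DACE06AAD83F6B7ED118430F0C3DD9935B5AF' >> /boot/grub/x86_64-efi/load.cfg;
+#sudo cp /boot/grub/x86_64-efi/load.cfg /boot/efi/EFI/ubuntu/grub.cfg;
+grub-update;
+echo "[*] Grub Install Complete!";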
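Review bot: The commented-out `password_pbkdf2 root ...` line carries a full PBKDF2-SHA512 hash of the GRUB superuser password; a commented line is still committed, so the hash is exposed to anyone with repository access and is a candidate for offline guessing. It should be removed from the script (and the password changed if the repository has been shared), with the hash read from a root-only file at install time instead of embedded in source. `/dev/sda` and `--efi-directory=/boot/efi` are hard-coded, so running this on a machine whose disks enumerate differently installs to the wrong device; taking the target from an argument or a variable at the top of the script makes that choice explicit. `grub-install` has no error check before `grub-update;`, so a failed install is followed by a signing pass and `Grub Install Complete!`.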
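--- a/sign-boot
+++ b/sign-boot
@@ -0,0 +1,36 @@
+#!/bin/bash
+echo "[*] Preparing to sign!";
+#touch /dev/shm/sb-passpwd.txt;
+#chown root:root /dev/shm/sb-passpwd.txt;
+#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
+#echo -n "Password: ";
+#read -s pwd;
+#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
+echo "[-] BMOK Un-Signing...";
+for i in $(find /boot/grub -iname "*.efi" -type f -print)
+do
+echo $i;
+sbattach --remove $i;
+done;
+echo "[+] BMOK Signing...";
+for i in $(find /boot/grub -iname "*.efi" -type f -print)
+do
+echo $i;
+sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
+done;
+echo "[-] Un-Signing...";
+#-iname "efi" -prune -o
+for i in $(find /boot -iname "*.sig" -type f -print)
+do
+rm "$i";
+done;
+echo "[+] Signing...";
+for i in $(find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+echo $i;
+gpg --batch --detach-sign $i;
+#gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
+# /dev/shm/sb-passpwd.txt;
+done;
+#shred /dev/shm/sb-passpwd.txt;
+echo "[*] Signing Complete!";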
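Review bot: Every loop uses `for i in $(find ...)` with an unquoted `$i`, so a path containing whitespace is split into separate words and `sbsign ... $i --output $i` or `gpg --batch --detach-sign $i` operates on fragments; `find ... -print0 | while IFS= read -r -d '' i; do ...; done` with `"$i"` quoted is the robust form. The gpg signing loop prunes only `grubenv` and `boot-tainted`, while `verify-boot` also prunes `efi` and `*.sig`, so this script signs files under `/boot/efi` that the verifier never checks; the commented-out `#-iname "efi" -prune -o` suggests that exclusion was intended and should be restored in the last `find`. `sbsign ... $i --output $i` writes its output over its own input, which appears to work with `sbsign` but depends on the tool reading the whole image before writing; signing to a temporary file and moving it into place removes that dependency. `sbattach --remove` on a not-yet-signed file fails and the error is ignored, which is acceptable for a first run but deserves a comment.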
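--- a/update-mydebs
+++ b/update-mydebs
@@ -0,0 +1,3 @@
+#! /bin/bash
+cd /usr/local/mydebs
+dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz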
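Review bot: `cd /usr/local/mydebs` is unchecked, so if the directory is missing `dpkg-scanpackages . /dev/null` indexes the caller's current directory and writes `Packages.gz` there; `cd /usr/local/mydebs || exit 1` prevents that. Since `bash_aliases` invokes this as `sudo update-mydebs`, a stray `Packages.gz` would also be root-owned in an unexpected location.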
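--- a/verify-boot
+++ b/verify-boot
@@ -0,0 +1,32 @@
+#!/bin/bash
+echo "[*] Preparing to verify!";
+echo "[-] Missing Signatures:";
+ec=0;
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+if [ ! -f "$i.sig" ]; then
+echo "$i";
+ec=1;
+fi
+done;
+bad='Good';
+echo "[*] Signed:";
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+if gpg --verify-files "$i.sig" > /dev/null 2>&1
+then
+echo "Good: $i";
+else
+echo "Bad: $i";
+bad='Bad';
+ec=2;
+fi
+done;
+echo "[-] Signature State: $bad";
+if [ $ec -ne 0 ]; then
+touch /boot/boot-tainted;
+elif [ -f /boot/boot-tainted ]; then
+rm -f /boot/boot-tainted;
+fi
+echo "[*] Finished Verification!";
+exit $ec;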
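Review bot: `gpg --verify-files "$i.sig"` accepts a signature from any key in the invoking user's keyring, so the check answers "signed by a key gpg knows" rather than "signed by the boot key"; pinning the key with `gpg --no-default-keyring --keyring <BOOT_KEYRING_PATH> --verify "$i.sig" "$i"` (placeholder path) or matching the signing fingerprint in gpg's status output makes the result meaningful even if the keyring has extra keys in it. Both `find` loops are unquoted `for i in $(...)` forms that split on whitespace; a `find ... -print0 | while IFS= read -r -d '' i` loop is safer. A file with no `.sig` is listed under `Missing Signatures` and then reported again as `Bad:` in the second loop, so `ec=1` is always overwritten by `ec=2`; adding `[ -f "$i.sig" ] || continue;` at the top of the second loop keeps the two exit codes distinct and avoids the duplicate line.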