Captain ALM 2024-05-30 01:42:30 +01:00
commit e384f07a18
Signed by: alfred
GPG Key ID: 4E4ADD02609997B1
10 changed files with 315 additions and 0 deletions


@ -0,0 +1,69 @@
From 71c4fb133b496d62539dd32dc3d377f861f067f2 Mon Sep 17 00:00:00 2001
From: Captain ALM <captainalm@captainalm.com>
Date: Sat, 25 May 2024 17:55:24 +0100
Subject: [PATCH] Hibernate Patch.
---
Documentation/admin-guide/kernel-parameters.txt | 5 +++++
kernel/power/hibernate.c | 11 +++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a1b25a735..71b537ea6 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2684,6 +2684,11 @@
to extract confidential information from the kernel
are also disabled.
+ lockdown_hibernate [HIBERNATION]
+ Enable hibernation even if lockdown is enabled. Enable this only if
+ your swap is encrypted and secured properly, as an attacker can
+ modify the kernel offline during hibernation.
+
locktorture.nreaders_stress= [KNL]
Set the number of locking read-acquisition kthreads.
Defaults to being automatically set based on the
diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
index 9abc73d50..25c3a8fa6 100644
--- a/kernel/power/hibernate.c
+++ b/kernel/power/hibernate.c
@@ -36,7 +36,7 @@
#include "power.h"
-
+static int lockdown_hibernate;
static int nocompress;
static int noresume;
static int nohibernate;
@@ -83,7 +83,7 @@ void hibernate_release(void)
bool hibernation_available(void)
{
return nohibernate == 0 &&
- !security_locked_down(LOCKDOWN_HIBERNATION) &&
+ (lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
!secretmem_active();
}
@@ -1337,6 +1337,12 @@ static int __init nohibernate_setup(char *str)
return 1;
}
+static int __init lockdown_hibernate_setup(char *str)
+{
+ lockdown_hibernate = 1;
+ return 1;
+}
+
__setup("noresume", noresume_setup);
__setup("resume_offset=", resume_offset_setup);
__setup("resume=", resume_setup);
@@ -1344,3 +1350,4 @@ __setup("hibernate=", hibernate_setup);
__setup("resumewait", resumewait_setup);
__setup("resumedelay=", resumedelay_setup);
__setup("nohibernate", nohibernate_setup);
+__setup("lockdown_hibernate", lockdown_hibernate_setup);
--
2.34.1
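Review bot: The new `lockdown_hibernate` test in `hibernation_available()` short-circuits `security_locked_down(LOCKDOWN_HIBERNATION)` unconditionally, so the entire lockdown restriction on hibernation now rests on a single kernel command-line word that anyone able to edit the boot entry can add, and if the resume path in this tree also consults `hibernation_available()` (as upstream's `software_resume()` does) an unverified image on swap will be restored under the same flag. The kernel-parameters entry should say so explicitly; after the existing sentence add `The kernel command line itself must be integrity-protected (signed bootloader configuration), otherwise this option lets a local attacker re-open the offline-modification path that lockdown closes.` The flag is only ever written from an `__setup` handler before init runs, so declaring it `static int lockdown_hibernate __ro_after_init;` would stop a later kernel write primitive from flipping it, assuming that annotation is available to this file as it is for other boot-time flags. The hunk also drops the blank line after `#include "power.h"`; keeping it and placing the new variable after `nohibernate` would match the surrounding declarations.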

25
BMOK-openssl.cnf Normal file

@ -0,0 +1,25 @@
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Herne Bay
0.organizationName = Captain ALM
commonName = Secure Boot Signing
emailAddress = alfred@captainalm.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
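Review bot: The `[ v3 ]` section sets only `extendedKeyUsage`, so the certificate carries no `keyUsage` extension and the certified key is not constrained to signing; since this is presumably the Secure Boot trust anchor that `sbsign --cert /cert/BMOK.pem` uses elsewhere in this commit, add `keyUsage = critical,digitalSignature` next to `basicConstraints` so the key cannot be repurposed for encryption or key agreement by anything that honours the extension. `countryName = UK` is not an ISO 3166-1 code; OpenSSL accepts any two characters here, but the correct value is `GB`. `RANDFILE` (and the `HOME` workaround for it) is ignored by OpenSSL 1.1.1 and later and can be dropped if the toolchain is recent.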

123
bash_aliases Normal file

@ -0,0 +1,123 @@
alias screen-off="xset dpms force off"
alias boot-sign-verify="sudo sign-boot && sudo verify-boot"
function kernel-build() {
echo "[+] Kernel Build Starting...";
cwd=$(pwd);
cd ~/kernel;
for _dir in *"linux"*; do
[ -d "${_dir}" ] && linuxdir="${_dir}" && break;
done;
echo "[-] Removing Sources...";
rm -rf "$linuxdir";
sudo rm -rf deb-contents;
rm -f *.gz;
rm -f *.dsc;
echo "[*] Archiving old packages...";
mkdir -p old-debs;
touch dummy.deb;
mv *.deb old-debs/;
echo "[+] Obtaining Sources...";
apt-get source linux-image-unsigned-$(uname -r);
for _dir in *"linux"*; do
[ -d "${_dir}" ] && linuxdir="${_dir}" && break;
done;
cd "$linuxdir";
echo "[*] Patching source and configuration...";
sed -i "s/.*CONFIG_MODULE_SIG_FORCE.*/CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>/" debian.master/config/annotations;
git apply --verbose ~/Downloads/patches/hibernate/0001-Hibernate-Patch.patch;
echo "[*] Cleaning kernel build...";
chmod a+x debian/rules;
chmod a+x debian/scripts/*;
chmod a+x debian/scripts/misc/*;
fakeroot debian/rules clean;
mkdir -p debian/build/build-generic/certs;
sudo cp /cert/mok/signing_key.pem debian/build/build-generic/certs/;
sudo chmod u=rw,g=rw,o=rw debian/build/build-generic/certs/signing_key.pem;
echo "[*] Building kernel...";
fakeroot debian/rules binary;
echo "[*] Build Complete!";
rm -f debian/build/build-generic/certs/signing_key.pem;
echo "[+] Extracting kernel package...";
cd ~/kernel;
mkdir -p deb-contents;
dpkg-deb -R $(ls linux-image-unsigned-* | head -1) deb-contents;
cd "$linuxdir";
echo "[*] Making kernel signed...";
pkgarch=$(dpkg-architecture -qDEB_HOST_ARCH);
pkgver=$(dpkg-parsechangelog --show-field Version);
cd ~/kernel/deb-contents;
pkgunom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
find ./ -type f -exec sed -i -e 's/-unsigned//g' {} \;
find ./ -type f -exec sed -i -e 's/ unsigned//g' {} \;
pkgnom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
sudo mv usr/share/doc/$pkgunom usr/share/doc/$pkgnom;
tlinuz=$(ls boot/vmlinuz-* | head -1);
sudo sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $tlinuz --output $tlinuz;
sed -i "s/.*Conflicts: .*/Conflicts: $pkgunom/" DEBIAN/control;
pkgisz=$(du -ks * | grep -v DEBIAN | cut -f1 | xargs | sed -e 's/\ /+/g' | bc);
find ./ -path '*/DEBIAN' -prune -o -type f -exec md5sum {} \; | awk '{ print $1 " " substr($2, 10) }' > DEBIAN/md5sums;
sed -i "s/.*Installed-Size: .*/Installed-Size: $pkgisz/" DEBIAN/control;
echo "[+] Packing signed kernel...";
cd ~/kernel;
dpkg-deb -b deb-contents ${pkgnom}_${pkgver}_${pkgarch}.deb;
sudo rm -rf deb-contents;
echo "[+] Deploying Packages Locally...";
sudo cp ${pkgnom}_${pkgver}_${pkgarch}.deb /usr/local/mydebs/;
sudo cp linux-headers-* /usr/local/mydebs/;
sudo cp linux-libc-dev* /usr/local/mydebs/;
sudo cp linux-modules* /usr/local/mydebs/;
sudo update-mydebs;
cd "$cwd";
echo "Kernel Build Finished!";
}
function install-tar() {
if [ $# -gt 0 ]; then
if [ $# -eq 1 ]; then
fln=$(basename -- "$1");
flp=$1;
else
fln=$(basename -- "$2");
flp=$2;
fi
fln="${fln%%.*}";
echo "Installing: /opt/$fln";
sudo mkdir -p "/opt/$fln";
sudo tar -xvf "$flp" -C /opt/$fln;
if [ $# -gt 1 ]; then
sudo chown -R "$1" /opt/$fln;
fi
else
echo "Usage:";
echo "install-tar <archive> | <owner> <archive>";
fi
}
function install-tar-contents() {
if [ $# -gt 0 ]; then
if [ $# -eq 1 ]; then
flp=$1;
else
flp=$2;
fi
echo "Installing: /opt";
sudo tar -xvf "$flp" -C /opt;
if [ $# -gt 1 ]; then
sudo chown -R "$1" /opt;
fi
else
echo "Usage:";
echo "install-tar-contents <archive> | <owner> <archive>";
fi
}
function edit-dot-desktop() {
sudo nano "/usr/share/applications/$(basename -- "$1").desktop";
}
function edit-dot-desktop-local() {
nano ~"/.local/share/applications/$(basename -- "$1").desktop";
}
function tpm2-contents() {
sudo tpm2_selftest
sudo tpm2_gettestresult
sudo tpm2_getcap -l
sudo tmp2_pcrread
sudo tpm2_pcrread
}
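Review bot: `kernel-build` copies the module-signing private key into the build tree and then makes it world-readable and world-writable (`sudo chmod u=rw,g=rw,o=rw debian/build/build-generic/certs/signing_key.pem`), exposing the key that `CONFIG_MODULE_SIG_FORCE` trusts to every local account for the whole `debian/rules binary` run; the build runs as the invoking user, so `sudo install -m 0600 -o "$(id -un)" /cert/mok/signing_key.pem debian/build/build-generic/certs/signing_key.pem;` is sufficient and the later `rm -f` still works. The function also never checks its critical steps: `cd ~/kernel;` is followed by `rm -rf`, and if the `sed` on `debian.master/config/annotations` or the `git apply` of the hibernate patch fails, the build silently continues and produces a kernel without the intended module-signature enforcement, so each of those should end in `|| return 1`. `find ./ -type f -exec sed -i -e 's/-unsigned//g' {} \;` rewrites every file in the unpacked package, including `boot/vmlinuz-*` just before it is signed; restricting it to `DEBIAN/` (plus any text files that actually carry the package name) avoids editing binaries in place. Smaller defects: in `tpm2-contents`, `sudo tmp2_pcrread` is a typo for `tpm2_pcrread`, which the next line already runs, and `install-tar-contents` with an owner argument does `chown -R "$1" /opt`, re-owning everything under `/opt` rather than only what it extracted.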

9
boot-verify-sign Executable file

@ -0,0 +1,9 @@
#!/bin/bash
/bin/bash /usr/local/sbin/verify-boot;
if [ $? != 0 ]; then
echo "Bad" > /opt/boot-verify-state;
/bin/bash /usr/local/sbin/sign-boot;
echo "Good" > /opt/boot-verify-state;
else
echo "Good" > /opt/boot-verify-state;
fi;
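Review bot: When `verify-boot` fails, the script immediately runs `sign-boot`, which strips and re-creates every signature under `/boot`, so a kernel, initrd or grub.cfg that just failed verification is signed with the trusted key and then reported as `Good`; the detection step becomes an automatic blessing of whatever is on disk, and the `Bad` written beforehand is overwritten two lines later so the failure is never observable afterwards. A failed verification should stop here and leave the decision to an operator: replace the `sign-boot` call and the following `echo "Good"` with `exit 1;` (the `boot-sign-verify` alias already exists for the deliberate re-sign case). The script is also only as trustworthy as the files it writes, so it is worth a comment stating that `/opt/boot-verify-state` is expected to be root-owned and that `/opt` must not be writable by other users.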

6
grub-update Normal file

@ -0,0 +1,6 @@
#!/bin/bash
echo "[+] Updating Grub...";
update-grub;
/usr/share/ubuntu-system-adjustments/systemd/start;
sign-boot;
echo "[*] Grub Update Complete!";

BIN
grub.d.my.7z Normal file

Binary file not shown.

12
install-grub Normal file

@ -0,0 +1,12 @@
#!/bin/bash
echo "[+] Installing Grub...";
grub-install -v --target=x86_64-efi /dev/sda --efi-directory=/boot/efi --boot-directory=/boot --uefi-secure-boot --pubkey=/root/pubkey --sbat=/root/sbat --disable-shim-lock --modules="acpi afsplitter all_video bitmap bitmap_scale boot btrfs bufio cat chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efi_gop efinet efi_uga ext2 extcmd fat font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux linuxefi loadenv loopback ls luks lvm lzopio mdraid09 mdraid1x mmap mpi net normal ntfs password_pbkdf2 pbkdf2 pgp png probe procfs raid5rec raid6rec regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal trig video video_bochs video_cirrus video_colors xfs xzio zfs zfscrypt zfsinfo zstd part_gpt tpm";
#echo "[+] Patching load.cfg";
#echo >> /boot/grub/x86_64-efi/load.cfg;
#echo 'trust --skip-sig (hd0,gpt6)/pubkey' >> /boot/grub/x86_64-efi/load.cfg;
#echo 'set check_signatures=enforce' >> /boot/grub/x86_64-efi/load.cfg;
#echo 'set superusers="root"' >> /boot/grub/x86_64-efi/load.cfg;
#echo 'password_pbkdf2 root grub.pbkdf2.sha512.10000.87A1064D2A4493C4235F8BB04C02309873D6ECC872696400690D4C6194A9EE8A0BE005590ACAE2E3C1F416A8E9DBB665EC1F6AE35B4274CE3CD8F4694D17D0DA.18DDB69D7AB16CDC661D9F8D47CFA37A9C6A9FF8E2851C56E0E131A99BC713C348C152D338171809BE7AE2CBDA7DACE06AAD83F6B7ED118430F0C3DD9935B5AF' >> /boot/grub/x86_64-efi/load.cfg;
#sudo cp /boot/grub/x86_64-efi/load.cfg /boot/efi/EFI/ubuntu/grub.cfg;
grub-update;
echo "[*] Grub Install Complete!";

36
sign-boot Normal file

@ -0,0 +1,36 @@
#!/bin/bash
echo "[*] Preparing to sign!";
#touch /dev/shm/sb-passpwd.txt;
#chown root:root /dev/shm/sb-passpwd.txt;
#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
#echo -n "Password: ";
#read -s pwd;
#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
echo "[-] BMOK Un-Signing...";
for i in $(find /boot/grub -iname "*.efi" -type f -print)
do
echo $i;
sbattach --remove $i;
done;
echo "[+] BMOK Signing...";
for i in $(find /boot/grub -iname "*.efi" -type f -print)
do
echo $i;
sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
done;
echo "[-] Un-Signing...";
#-iname "efi" -prune -o
for i in $(find /boot -iname "*.sig" -type f -print)
do
rm "$i";
done;
echo "[+] Signing...";
for i in $(find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
echo $i;
gpg --batch --detach-sign $i;
#gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
# /dev/shm/sb-passpwd.txt;
done;
#shred /dev/shm/sb-passpwd.txt;
echo "[*] Signing Complete!";

3
update-mydebs Normal file

@ -0,0 +1,3 @@
#! /bin/bash
cd /usr/local/mydebs
dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
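Review bot: `cd /usr/local/mydebs` is unchecked, so if the directory is missing the script indexes the current directory and writes `Packages.gz` there instead; use `cd /usr/local/mydebs || exit 1`. The index is generated with no `Release` file or signature, so the apt source for this directory presumably has to be marked `trusted=yes`, which means apt will install whatever lands in that directory via the `sudo cp` in `kernel-build`; a comment stating that trust assumption (and that the directory must stay root-owned) belongs at the top of this script.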

32
verify-boot Normal file

@ -0,0 +1,32 @@
#!/bin/bash
echo "[*] Preparing to verify!";
echo "[-] Missing Signatures:";
ec=0;
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
if [ ! -f "$i.sig" ]; then
echo "$i";
ec=1;
fi
done;
bad='Good';
echo "[*] Signed:";
for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
do
if gpg --verify-files "$i.sig" > /dev/null 2>&1
then
echo "Good: $i";
else
echo "Bad: $i";
bad='Bad';
ec=2;
fi
done;
echo "[-] Signature State: $bad";
if [ $ec -ne 0 ]; then
touch /boot/boot-tainted;
elif [ -f /boot/boot-tainted ]; then
rm -f /boot/boot-tainted;
fi
echo "[*] Finished Verification!";
exit $ec;
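Review bot: `gpg --verify-files "$i.sig"` succeeds for a valid signature from any public key in the invoking keyring (root's, under sudo), not specifically the key embedded in GRUB via `--pubkey`, and it does not require that key to be trusted, so an extra key imported into that keyring is enough to make a re-signed `/boot` pass this check. Pin the verification to the boot key, e.g. `gpg --status-fd 1 --verify-files "$i.sig" 2>/dev/null | grep -q "^\[GNUPG:\] VALIDSIG <boot-key-fingerprint>"`, or use `--no-default-keyring --keyring` with a keyring holding only that key. The two `find` invocations are identical and iterated unquoted; computing the list once with `-print0` and `read -d ''` avoids whitespace breakage, and the missing-signature loop is redundant with the second loop (a file without `.sig` fails there anyway), though it does give a clearer message. Both loops prune `efi`, so nothing on the ESP is ever checked by this script; that is defensible if the firmware's Secure Boot check is relied on for those files, but a comment saying so would stop a reader from assuming the ESP is covered.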