commit e384f07a1847a3f391ce2a7f093de91ed7ff948e
Author: Captain ALM
Date: Thu May 30 01:42:30 2024 +0100

Re-init.

diff --git a/0001-Hibernate-Patch.patch b/0001-Hibernate-Patch.patch
new file mode 100644
index 0000000..ed5dab4
--- /dev/null
+++ b/0001-Hibernate-Patch.patch
@@ -0,0 +1,69 @@
+From 71c4fb133b496d62539dd32dc3d377f861f067f2 Mon Sep 17 00:00:00 2001
+From: Captain ALM
+Date: Sat, 25 May 2024 17:55:24 +0100
+Subject: [PATCH] Hibernate Patch.
+
+---
+ Documentation/admin-guide/kernel-parameters.txt | 5 +++++
+ kernel/power/hibernate.c | 11 +++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index a1b25a735..71b537ea6 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2684,6 +2684,11 @@
+ to extract confidential information from the kernel
+ are also disabled.
+ 
++ lockdown_hibernate [HIBERNATION]
++ Enable hibernation even if lockdown is enabled. Enable this only if
++ your swap is encrypted and secured properly, as an attacker can
++ modify the kernel offline during hibernation.
++
+ locktorture.nreaders_stress= [KNL]
+ Set the number of locking read-acquisition kthreads.
+ Defaults to being automatically set based on the
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 9abc73d50..25c3a8fa6 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -36,7 +36,7 @@
+ 
+ #include "power.h"
+ 
+-
++static int lockdown_hibernate;
+ static int nocompress;
+ static int noresume;
+ static int nohibernate;
+@@ -83,7 +83,7 @@ void hibernate_release(void)
+ bool hibernation_available(void)
+ {
+ return nohibernate == 0 &&
+- !security_locked_down(LOCKDOWN_HIBERNATION) &&
++ (lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
+ !secretmem_active();
+ }
+ 
+@@ -1337,6 +1337,12 @@ static int __init nohibernate_setup(char *str)
+ return 1;
+ }
+ 
++static int __init lockdown_hibernate_setup(char *str)
++{
++ lockdown_hibernate = 1;
++ return 1;
++}
++
+ __setup("noresume", noresume_setup);
+ __setup("resume_offset=", resume_offset_setup);
+ __setup("resume=", resume_setup);
+@@ -1344,3 +1350,4 @@ __setup("hibernate=", hibernate_setup);
+ __setup("resumewait", resumewait_setup);
+ __setup("resumedelay=", resumedelay_setup);
+ __setup("nohibernate", nohibernate_setup);
++__setup("lockdown_hibernate", lockdown_hibernate_setup);
+-- 
+2.34.1
+
diff --git a/BMOK-openssl.cnf b/BMOK-openssl.cnf
new file mode 100644
index 0000000..5741787
--- /dev/null
+++ b/BMOK-openssl.cnf
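Review bot: `lockdown_hibernate_setup()` in the embedded kernel/power/hibernate.c hunk sets `lockdown_hibernate = 1` silently, so a machine booted with `lockdown_hibernate` on its command line leaves no trace in the kernel log that the `LOCKDOWN_HIBERNATION` check in `hibernation_available()` is being bypassed. The documentation text delegates safety to "swap is encrypted and secured properly", which the kernel cannot confirm, so the bypass should at least be visible: add `pr_warn("lockdown_hibernate: allowing hibernation despite kernel lockdown\n");` before `return 1;` in the setup handler. Since the flag is only written during early init, declaring it `static int lockdown_hibernate __ro_after_init;` would also prevent a later kernel write from flipping it. Whether the command line itself is protected against editing depends on the bootloader configuration, which this patch does not cover; both suggested lines belong in the embedded patch, not in this repository's diff markers.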
@@ -0,0 +1,25 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = UK
+stateOrProvinceName = Kent
+localityName = Herne Bay
+0.organizationName = Captain ALM
+commonName = Secure Boot Signing
+emailAddress = alfred@captainalm.com
+
+[ v3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
+nsComment = "OpenSSL Generated Certificate"
+
diff --git a/bash_aliases b/bash_aliases
new file mode 100644
index 0000000..286ce85
--- /dev/null
+++ b/bash_aliases
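Review bot: The `[ v3 ]` section sets `extendedKeyUsage` but no `keyUsage`, and `[ req ]` sets neither `default_bits` nor `default_md`, so the key size and digest of the generated signing certificate depend on whichever OpenSSL build runs the request rather than on this file. For a long-lived boot-signing certificate pin them: `default_bits = 4096` and `default_md = sha256` under `[ req ]`, and `keyUsage = critical,digitalSignature` under `[ v3 ]`. The `RANDFILE` line appears to be a legacy setting and is harmless either way.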
@@ -0,0 +1,123 @@
+alias screen-off="xset dpms force off"
+alias boot-sign-verify="sudo sign-boot && sudo verify-boot"
+function kernel-build() {
+ echo "[+] Kernel Build Starting...";
+ cwd=$(pwd);
+ cd ~/kernel;
+ for _dir in *"linux"*; do
+ [ -d "${_dir}" ] && linuxdir="${_dir}" && break;
+ done;
+ echo "[-] Removing Sources...";
+ rm -rf "$linuxdir";
+ sudo rm -rf deb-contents;
+ rm -f *.gz;
+ rm -f *.dsc;
+ echo "[*] Archiving old packages...";
+ mkdir -p old-debs;
+ touch dummy.deb;
+ mv *.deb old-debs/;
+ echo "[+] Obtaining Sources...";
+ apt-get source linux-image-unsigned-$(uname -r);
+ for _dir in *"linux"*; do
+ [ -d "${_dir}" ] && linuxdir="${_dir}" && break;
+ done;
+ cd "$linuxdir";
+ echo "[*] Patching source and configuration...";
+ sed -i "s/.*CONFIG_MODULE_SIG_FORCE.*/CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>/" debian.master/config/annotations;
+ git apply --verbose ~/Downloads/patches/hibernate/0001-Hibernate-Patch.patch;
+ echo "[*] Cleaning kernel build...";
+ chmod a+x debian/rules;
+ chmod a+x debian/scripts/*;
+ chmod a+x debian/scripts/misc/*;
+ fakeroot debian/rules clean;
+ mkdir -p debian/build/build-generic/certs;
+ sudo cp /cert/mok/signing_key.pem debian/build/build-generic/certs/;
+ sudo chmod u=rw,g=rw,o=rw debian/build/build-generic/certs/signing_key.pem;
+ echo "[*] Building kernel...";
+ fakeroot debian/rules binary;
+ echo "[*] Build Complete!";
+ rm -f debian/build/build-generic/certs/signing_key.pem;
+ echo "[+] Extracting kernel package...";
+ cd ~/kernel;
+ mkdir -p deb-contents;
+ dpkg-deb -R $(ls linux-image-unsigned-* | head -1) deb-contents;
+ cd "$linuxdir";
+ echo "[*] Making kernel signed...";
+ pkgarch=$(dpkg-architecture -qDEB_HOST_ARCH);
+ pkgver=$(dpkg-parsechangelog --show-field Version);
+ cd ~/kernel/deb-contents;
+ pkgunom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
+ find ./ -type f -exec sed -i -e 's/-unsigned//g' {} \;
+ find ./ -type f -exec sed -i -e 's/ unsigned//g' {} \;
+ pkgnom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
+ sudo mv usr/share/doc/$pkgunom usr/share/doc/$pkgnom;
+ tlinuz=$(ls boot/vmlinuz-* | head -1);
+ sudo sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $tlinuz --output $tlinuz;
+ sed -i "s/.*Conflicts: .*/Conflicts: $pkgunom/" DEBIAN/control;
+ pkgisz=$(du -ks * | grep -v DEBIAN | cut -f1 | xargs | sed -e 's/\ /+/g' | bc);
+ find ./ -path '*/DEBIAN' -prune -o -type f -exec md5sum {} \; | awk '{ print $1 " " substr($2, 10) }' > DEBIAN/md5sums;
+ sed -i "s/.*Installed-Size: .*/Installed-Size: $pkgisz/" DEBIAN/control;
+ echo "[+] Packing signed kernel...";
+ cd ~/kernel;
+ dpkg-deb -b deb-contents ${pkgnom}_${pkgver}_${pkgarch}.deb;
+ sudo rm -rf deb-contents;
+ echo "[+] Deploying Packages Locally...";
+ sudo cp ${pkgnom}_${pkgver}_${pkgarch}.deb /usr/local/mydebs/;
+ sudo cp linux-headers-* /usr/local/mydebs/;
+ sudo cp linux-libc-dev* /usr/local/mydebs/;
+ sudo cp linux-modules* /usr/local/mydebs/;
+ sudo update-mydebs;
+ cd "$cwd";
+ echo "Kernel Build Finished!";
+}
+function install-tar() {
+ if [ $# -gt 0 ]; then
+ if [ $# -eq 1 ]; then
+ fln=$(basename -- "$1");
+ flp=$1;
+ else
+ fln=$(basename -- "$2");
+ flp=$2;
+ fi
+ fln="${fln%%.*}";
+ echo "Installing: /opt/$fln";
+ sudo mkdir -p "/opt/$fln";
+ sudo tar -xvf "$flp" -C /opt/$fln;
+ if [ $# -gt 1 ]; then
+ sudo chown -R "$1" /opt/$fln;
+ fi
+ else
+ echo "Usage:";
+ echo "install-tar | ";
+ fi
+}
+function install-tar-contents() {
+ if [ $# -gt 0 ]; then
+ if [ $# -eq 1 ]; then
+ flp=$1;
+ else
+ flp=$2;
+ fi
+ echo "Installing: /opt";
+ sudo tar -xvf "$flp" -C /opt;
+ if [ $# -gt 1 ]; then
+ sudo chown -R "$1" /opt;
+ fi
+ else
+ echo "Usage:";
+ echo "install-tar-contents | ";
+ fi
+}
+function edit-dot-desktop() {
+ sudo nano "/usr/share/applications/$(basename -- "$1").desktop";
+}
+function edit-dot-desktop-local() {
+ nano ~"/.local/share/applications/$(basename -- "$1").desktop";
+}
+function tpm2-contents() {
+ sudo tpm2_selftest
+ sudo tpm2_gettestresult
+ sudo tpm2_getcap -l
+ sudo tmp2_pcrread
+ sudo tpm2_pcrread
+}
diff --git a/boot-verify-sign b/boot-verify-sign
new file mode 100755
index 0000000..c5279d4
--- /dev/null
+++ b/boot-verify-sign
@@ -0,0 +1,9 @@
+#!/bin/bash
+/bin/bash /usr/local/sbin/verify-boot;
+if [ $? != 0 ]; then
+ echo "Bad" > /opt/boot-verify-state;
+ /bin/bash /usr/local/sbin/sign-boot;
+ echo "Good" > /opt/boot-verify-state;
+else
+ echo "Good" > /opt/boot-verify-state;
+fi;
diff --git a/grub-update b/grub-update
new file mode 100644
index 0000000..fbac7ef
--- /dev/null
+++ b/grub-update
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "[+] Updating Grub...";
+update-grub;
+/usr/share/ubuntu-system-adjustments/systemd/start;
+sign-boot;
+echo "[*] Grub Update Complete!";
diff --git a/grub.d.my.7z b/grub.d.my.7z
new file mode 100644
index 0000000..e7718ad
Binary files /dev/null and b/grub.d.my.7z differ
diff --git a/install-grub b/install-grub
new file mode 100644
index 0000000..ef0e4b2
--- /dev/null
+++ b/install-grub
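Review bot: `sudo chmod u=rw,g=rw,o=rw debian/build/build-generic/certs/signing_key.pem` in `kernel-build` makes the module-signing private key world-readable (and world-writable) inside the user's build tree for the whole `fakeroot debian/rules binary` run, and the `rm -f` that removes it afterwards would be skipped if the function is interrupted. Since the build runs as the invoking user, `sudo chown "$(id -u)" debian/build/build-generic/certs/signing_key.pem && chmod u=rw,go= debian/build/build-generic/certs/signing_key.pem` gives the same access with no exposure to other local users. Separately, `sudo tmp2_pcrread` in `tpm2-contents` is a typo for `tpm2_pcrread` and, given the correct line directly below it, can simply be dropped. Each `cd ~/kernel` / `cd "$linuxdir"` that precedes an `rm -rf` or `sudo rm -rf` should be written `cd ~/kernel || return 1` so a failed directory change cannot turn the removal loose on the current directory.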
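Review bot: The `if [ $? != 0 ]` branch re-runs sign-boot on any non-zero exit from verify-boot, so a file whose existing signature fails to verify (verify-boot's `ec=2` case) is re-signed exactly like one that merely lacks a signature (`ec=1`), and the `Bad` written to /opt/boot-verify-state is overwritten with `Good` in the same run, leaving no record that a re-sign happened. If automatic re-signing after a package update is intended, at least capture the code and keep a trail: `rc=$?` directly after the verify-boot call, then `logger -t boot-verify-sign "verify-boot exited $rc; re-signing /boot"` before sign-boot. Consider limiting the automatic re-sign to `[ "$rc" -eq 1 ]` so a signature that fails verification stays reported as Bad until someone looks at it.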
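Review bot: `sign-boot;` on the fifth line of grub-update runs even when `update-grub;` has failed, and the script still prints `[*] Grub Update Complete!`, so a failed configuration update is re-signed and reported as success. Add `set -e` after the shebang so the script stops at the first failing command.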
@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "[+] Installing Grub...";
+grub-install -v --target=x86_64-efi /dev/sda --efi-directory=/boot/efi --boot-directory=/boot --uefi-secure-boot --pubkey=/root/pubkey --sbat=/root/sbat --disable-shim-lock --modules="acpi afsplitter all_video bitmap bitmap_scale boot btrfs bufio cat chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efi_gop efinet efi_uga ext2 extcmd fat font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux linuxefi loadenv loopback ls luks lvm lzopio mdraid09 mdraid1x mmap mpi net normal ntfs password_pbkdf2 pbkdf2 pgp png probe procfs raid5rec raid6rec regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal trig video video_bochs video_cirrus video_colors xfs xzio zfs zfscrypt zfsinfo zstd part_gpt tpm";
+#echo "[+] Patching load.cfg";
+#echo >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'trust --skip-sig (hd0,gpt6)/pubkey' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set check_signatures=enforce' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set superusers="root"' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'password_pbkdf2 root grub.pbkdf2.sha512.10000.87A1064D2A4493C4235F8BB04C02309873D6ECC872696400690D4C6194A9EE8A0BE005590ACAE2E3C1F416A8E9DBB665EC1F6AE35B4274CE3CD8F4694D17D0DA.18DDB69D7AB16CDC661D9F8D47CFA37A9C6A9FF8E2851C56E0E131A99BC713C348C152D338171809BE7AE2CBDA7DACE06AAD83F6B7ED118430F0C3DD9935B5AF' >> /boot/grub/x86_64-efi/load.cfg;
+#sudo cp /boot/grub/x86_64-efi/load.cfg /boot/efi/EFI/ubuntu/grub.cfg;
+grub-update;
+echo "[*] Grub Install Complete!";
diff --git a/sign-boot b/sign-boot
new file mode 100644
index 0000000..771fb04
--- /dev/null
+++ b/sign-boot
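Review bot: The commented-out `#echo 'password_pbkdf2 root grub.pbkdf2.sha512.10000.…'` line commits a GRUB superuser password hash to the repository; it is disabled, but a PBKDF2 hash at 10000 iterations is guessable offline, so it should be generated at install time from a root-only file rather than stored here, and the password rotated if the repository has been shared. Because the whole load.cfg block is commented out, nothing on this page sets `superusers` or `check_signatures`, so if the GRUB menu is meant to be locked that presumably happens in the binary grub.d.my.7z contents, which cannot be reviewed here. A short header comment stating where that configuration now lives would save the next reader from assuming it was simply dropped.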
@@ -0,0 +1,36 @@
+#!/bin/bash
+echo "[*] Preparing to sign!";
+#touch /dev/shm/sb-passpwd.txt;
+#chown root:root /dev/shm/sb-passpwd.txt;
+#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
+#echo -n "Password: ";
+#read -s pwd;
+#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
+echo "[-] BMOK Un-Signing...";
+for i in $(find /boot/grub -iname "*.efi" -type f -print)
+do
+ echo $i;
+ sbattach --remove $i;
+done;
+echo "[+] BMOK Signing...";
+for i in $(find /boot/grub -iname "*.efi" -type f -print)
+do
+ echo $i;
+ sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
+done;
+echo "[-] Un-Signing...";
+#-iname "efi" -prune -o
+for i in $(find /boot -iname "*.sig" -type f -print)
+do
+ rm "$i";
+done;
+echo "[+] Signing...";
+for i in $(find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+ echo $i;
+ gpg --batch --detach-sign $i;
+ #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
+ # /dev/shm/sb-passpwd.txt;
+done;
+#shred /dev/shm/sb-passpwd.txt;
+echo "[*] Signing Complete!";
diff --git a/update-mydebs b/update-mydebs
new file mode 100644
index 0000000..cc0ca12
--- /dev/null
+++ b/update-mydebs
@@ -0,0 +1,3 @@
+#! /bin/bash
+cd /usr/local/mydebs
+dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz
diff --git a/verify-boot b/verify-boot
new file mode 100644
index 0000000..d183e5a
--- /dev/null
+++ b/verify-boot
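Review bot: `gpg --batch --detach-sign $i` in the final loop does not pin a signing key, so the detached signatures are made by whatever secret key is the default in the invoking user's keyring; pin it with `gpg --batch --local-user <SIGNING_KEY_FINGERPRINT> --detach-sign "$i"`. All four `for i in $(find …)` loops word-split on file names, and the unquoted `$i` in `sbattach --remove $i` and `sbsign … $i --output $i` compounds that; `find … -print0 | while IFS= read -r -d '' i; do …; done` handles any name. Note also that this signing loop covers /boot/efi (the `-iname "efi" -prune` is commented out) while verify-boot prunes `efi`, so the `.sig` files written there are never checked by these scripts.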
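Review bot: `cd /usr/local/mydebs` on the second line of update-mydebs is unchecked, so if the directory is missing `dpkg-scanpackages` scans the caller's current directory and writes `Packages.gz` there. Use `cd /usr/local/mydebs || exit 1`.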
@@ -0,0 +1,32 @@
+#!/bin/bash
+echo "[*] Preparing to verify!";
+echo "[-] Missing Signatures:";
+ec=0;
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+ if [ ! -f "$i.sig" ]; then
+ echo "$i";
+ ec=1;
+ fi
+done;
+bad='Good';
+echo "[*] Signed:";
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+ if gpg --verify-files "$i.sig" > /dev/null 2>&1
+ then
+ echo "Good: $i";
+ else
+ echo "Bad: $i";
+ bad='Bad';
+ ec=2;
+ fi
+done;
+echo "[-] Signature State: $bad";
+if [ $ec -ne 0 ]; then
+ touch /boot/boot-tainted;
+elif [ -f /boot/boot-tainted ]; then
+ rm -f /boot/boot-tainted;
+fi
+echo "[*] Finished Verification!";
+exit $ec;
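Review bot: `gpg --verify-files "$i.sig"` reports success for a good signature from any key present in the invoking user's keyring, with no regard to which key the boot files are supposed to be signed with, so the check is only as narrow as that keyring. Restrict it to the boot-signing key, e.g. `gpg --no-default-keyring --keyring <BOOT_SIGNING_KEYRING> --verify "$i.sig" "$i"`, or read `--status-fd 1` output and require a `VALIDSIG` line carrying the expected fingerprint. The two `for i in $(find …)` loops also word-split on file names, as in sign-boot, and `ec=2` overwrites the `ec=1` set by the missing-signature pass, so the exit code cannot tell a caller that both conditions occurred.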