Message ID | 20221115144031.89678-1-s.zhmylev@yadro.com |
---|---|
State | New |
Series | wic: implement bootloader --password | expand |
Wait, is the password provided through command line? Alex On Tue, 15 Nov 2022 at 15:40, Sergey Zhmylev <s.zhmylev@yadro.com> wrote: > > From: Sergei Zhmylev <s.zhmylev@yadro.com> > > Currently the only way to specify a password for bootloader > is to supply a complete user-defined bootloader config file > to the build process. This patch introduces a --password > paramenter in order to simplify bootloaders hardening. > > Signed-off-by: Sergei Zhmylev <s.zhmylev@yadro.com> > --- > scripts/lib/wic/ksparser.py | 1 + > scripts/lib/wic/plugins/source/bootimg-efi.py | 6 +++++- > scripts/lib/wic/plugins/source/bootimg-pcbios.py | 7 ++++++- > .../lib/wic/plugins/source/isoimage-isohybrid.py | 13 +++++++++++-- > 4 files changed, 23 insertions(+), 4 deletions(-) > > diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py > index d1e546b12d..89bc897a5a 100644 > --- a/scripts/lib/wic/ksparser.py > +++ b/scripts/lib/wic/ksparser.py > @@ -195,6 +195,7 @@ class KickStart(): > default='msdos') > bootloader.add_argument('--timeout', type=int) > bootloader.add_argument('--source') > + bootloader.add_argument('--password') > > include = subparsers.add_parser('include') > include.add_argument('path', type=cannedpathtype) > diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py > index 4b00913a70..3d84252796 100644 > --- a/scripts/lib/wic/plugins/source/bootimg-efi.py > +++ b/scripts/lib/wic/plugins/source/bootimg-efi.py 
> @@ -86,7 +86,11 @@ class BootimgEFIPlugin(SourcePlugin): > grubefi_conf += "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1\n" > grubefi_conf += "default=boot\n" > grubefi_conf += "timeout=%s\n" % bootloader.timeout > - grubefi_conf += "menuentry '%s'{\n" % (title if title else "boot") > + if bootloader.password: > + grubefi_conf += "set superusers=\"root\"\n" > + grubefi_conf += "export superusers\n" > + grubefi_conf += "password root %s\n" % (bootloader.password) > + grubefi_conf += "menuentry '%s' %s {\n" % (title if title else "boot", "--unrestricted" if bootloader.password else "") > > kernel = get_bitbake_var("KERNEL_IMAGETYPE") > if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1": > diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py > index 32e47f1831..cbf4622cf9 100644 > --- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py > +++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py > @@ -113,8 +113,13 @@ class BootimgPcbiosPlugin(SourcePlugin): > syslinux_conf = "" > syslinux_conf += "PROMPT 0\n" > syslinux_conf += "TIMEOUT " + str(bootloader.timeout) + "\n" > + if bootloader.password: > + syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n" > + syslinux_conf += "ALLOWOPTIONS 0\n" > + syslinux_conf += "NOESCAPE 1\n" > + else: > + syslinux_conf += "ALLOWOPTIONS 1\n" > syslinux_conf += "\n" > - syslinux_conf += "ALLOWOPTIONS 1\n" > syslinux_conf += "SERIAL 0 115200\n" > syslinux_conf += "\n" > if splashline: > diff --git a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py > index 607356ad13..1d5099f954 100644 > --- a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py > +++ b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py 
> @@ -63,8 +63,13 @@ class IsoImagePlugin(SourcePlugin): > syslinux_conf = "" > syslinux_conf += "PROMPT 0\n" > syslinux_conf += "TIMEOUT %s \n" % (bootloader.timeout or 10) > + if bootloader.password: > + syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n" > + syslinux_conf += "ALLOWOPTIONS 0\n" > + syslinux_conf += "NOESCAPE 1\n" > + else: > + syslinux_conf += "ALLOWOPTIONS 1\n" > syslinux_conf += "\n" > - syslinux_conf += "ALLOWOPTIONS 1\n" > syslinux_conf += "SERIAL 0 115200\n" > syslinux_conf += "\n" > if splashline: > @@ -116,10 +121,14 @@ class IsoImagePlugin(SourcePlugin): > grubefi_conf += "--parity=no --stop=1\n" > grubefi_conf += "default=boot\n" > grubefi_conf += "timeout=%s\n" % (bootloader.timeout or 10) > + if bootloader.password: > + grubefi_conf += "set superusers=\"root\"\n" > + grubefi_conf += "export superusers\n" > + grubefi_conf += "password root %s\n" % (bootloader.password) > grubefi_conf += "\n" > grubefi_conf += "search --set=root --label %s " % part.label > grubefi_conf += "\n" > - grubefi_conf += "menuentry 'boot'{\n" > + grubefi_conf += "menuentry 'boot' %s {\n" % ("--unrestricted" if bootloader.password else "") > > kernel = get_bitbake_var("KERNEL_IMAGETYPE") > if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1": > -- > 2.37.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#173346): https://lists.openembedded.org/g/openembedded-core/message/173346 > Mute This Topic: https://lists.openembedded.org/mt/95043934/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
No, the password is provided through the wks file. ksparser.py is the wic subsystem which parses those kickstart files.
On Tue, 2022-11-15 at 17:40 +0300, Sergey Zhmylev wrote: > From: Sergei Zhmylev <s.zhmylev@yadro.com> > > Currently the only way to specify a password for bootloader > is to supply a complete user-defined bootloader config file > to the build process. This patch introduces a --password > paramenter in order to simplify bootloaders hardening. > > Signed-off-by: Sergei Zhmylev <s.zhmylev@yadro.com> > --- > scripts/lib/wic/ksparser.py | 1 + > scripts/lib/wic/plugins/source/bootimg-efi.py | 6 +++++- > scripts/lib/wic/plugins/source/bootimg-pcbios.py | 7 ++++++- > .../lib/wic/plugins/source/isoimage-isohybrid.py | 13 +++++++++++-- > 4 files changed, 23 insertions(+), 4 deletions(-) Sorry about the delay in reply on this one. Wic is one of the components we have some nice tests for. Would you be able to add a test for this new functionality to the testsuite please? You can run it with "oe-selftest -r wic". Also, do we need some documentation about this in the manuals? Cheers, Richard
diff --git a/scripts/lib/wic/ksparser.py b/scripts/lib/wic/ksparser.py
index d1e546b12d..89bc897a5a 100644
--- a/scripts/lib/wic/ksparser.py
+++ b/scripts/lib/wic/ksparser.py
@@ -195,6 +195,7 @@ class KickStart():
 default='msdos')
 bootloader.add_argument('--timeout', type=int)
 bootloader.add_argument('--source')
+ bootloader.add_argument('--password')

 include = subparsers.add_parser('include')
 include.add_argument('path', type=cannedpathtype)
diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py
index 4b00913a70..3d84252796 100644
--- a/scripts/lib/wic/plugins/source/bootimg-efi.py
+++ b/scripts/lib/wic/plugins/source/bootimg-efi.py
@@ -86,7 +86,11 @@ class BootimgEFIPlugin(SourcePlugin):
 grubefi_conf += "serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1\n"
 grubefi_conf += "default=boot\n"
 grubefi_conf += "timeout=%s\n" % bootloader.timeout
- grubefi_conf += "menuentry '%s'{\n" % (title if title else "boot")
+ if bootloader.password:
+ grubefi_conf += "set superusers=\"root\"\n"
+ grubefi_conf += "export superusers\n"
+ grubefi_conf += "password root %s\n" % (bootloader.password)
+ grubefi_conf += "menuentry '%s' %s {\n" % (title if title else "boot", "--unrestricted" if bootloader.password else "")

 kernel = get_bitbake_var("KERNEL_IMAGETYPE")
 if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":
diff --git a/scripts/lib/wic/plugins/source/bootimg-pcbios.py b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
index 32e47f1831..cbf4622cf9 100644
--- a/scripts/lib/wic/plugins/source/bootimg-pcbios.py
+++ b/scripts/lib/wic/plugins/source/bootimg-pcbios.py
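Review bot: The new `--password` option in ksparser.py accepts an arbitrary string, and the plugin hunks later interpolate it into grub.cfg and syslinux.cfg without escaping, so a value containing whitespace, a quote or a newline would produce a malformed config or extra directives. A `type=` validator that rejects such characters would fail at parse time, in the same way `cannedpathtype` is used for `include` just below; for example `bootloader.add_argument('--password', type=passwordtype)`, where `passwordtype` is an illustrative name for a validator to be added. The value also sits in the .wks file, so a short comment that the file then carries a secret would help whoever maintains it.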
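Review bot: The added `password root %s` line in bootimg-efi.py writes the bootloader password into grub.cfg in clear text, so anyone who can read the boot partition or the built image obtains it. The same applies to the GRUB hunk in isoimage-isohybrid.py and to the `MENU MASTER PASSWD` lines in both syslinux hunks. GRUB takes a hash generated by grub-mkpasswd-pbkdf2 through `password_pbkdf2`, so the line could become `grubefi_conf += "password_pbkdf2 root %s\n" % bootloader.password`, with the wks option documented as expecting the hash rather than the password. The enclosing method starts and ends outside the hunk, so whether the config is written anywhere else cannot be checked from here.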
@@ -113,8 +113,13 @@ class BootimgPcbiosPlugin(SourcePlugin):
 syslinux_conf = ""
 syslinux_conf += "PROMPT 0\n"
 syslinux_conf += "TIMEOUT " + str(bootloader.timeout) + "\n"
+ if bootloader.password:
+ syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n"
+ syslinux_conf += "ALLOWOPTIONS 0\n"
+ syslinux_conf += "NOESCAPE 1\n"
+ else:
+ syslinux_conf += "ALLOWOPTIONS 1\n"
 syslinux_conf += "\n"
- syslinux_conf += "ALLOWOPTIONS 1\n"
 syslinux_conf += "SERIAL 0 115200\n"
 syslinux_conf += "\n"
 if splashline:
diff --git a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
index 607356ad13..1d5099f954 100644
--- a/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
+++ b/scripts/lib/wic/plugins/source/isoimage-isohybrid.py
@@ -63,8 +63,13 @@ class IsoImagePlugin(SourcePlugin):
 syslinux_conf = ""
 syslinux_conf += "PROMPT 0\n"
 syslinux_conf += "TIMEOUT %s \n" % (bootloader.timeout or 10)
+ if bootloader.password:
+ syslinux_conf += "MENU MASTER PASSWD " + str(bootloader.password) + "\n"
+ syslinux_conf += "ALLOWOPTIONS 0\n"
+ syslinux_conf += "NOESCAPE 1\n"
+ else:
+ syslinux_conf += "ALLOWOPTIONS 1\n"
 syslinux_conf += "\n"
- syslinux_conf += "ALLOWOPTIONS 1\n"
 syslinux_conf += "SERIAL 0 115200\n"
 syslinux_conf += "\n"
 if splashline:
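Review bot: `MENU MASTER PASSWD` in the bootimg-pcbios.py hunk is a directive of the syslinux menu system, and nothing visible in this hunk loads a menu module, so the password may end up in the config without ever being checked. If that is the case, the protection rests on `ALLOWOPTIONS 0` and `NOESCAPE 1` alone, which restrict the prompt but involve no password. Please confirm that the generated config loads menu.c32 or vesamenu.c32 whenever a password is set; the first isoimage-isohybrid.py hunk needs the same check. A comment above the new branch such as `# MENU MASTER PASSWD is only honoured by the menu module` would record the dependency, and the function body continues outside the hunk.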
@@ -116,10 +121,14 @@ class IsoImagePlugin(SourcePlugin):
 grubefi_conf += "--parity=no --stop=1\n"
 grubefi_conf += "default=boot\n"
 grubefi_conf += "timeout=%s\n" % (bootloader.timeout or 10)
+ if bootloader.password:
+ grubefi_conf += "set superusers=\"root\"\n"
+ grubefi_conf += "export superusers\n"
+ grubefi_conf += "password root %s\n" % (bootloader.password)
 grubefi_conf += "\n"
 grubefi_conf += "search --set=root --label %s " % part.label
 grubefi_conf += "\n"
- grubefi_conf += "menuentry 'boot'{\n"
+ grubefi_conf += "menuentry 'boot' %s {\n" % ("--unrestricted" if bootloader.password else "")

 kernel = get_bitbake_var("KERNEL_IMAGETYPE")
 if get_bitbake_var("INITRAMFS_IMAGE_BUNDLE") == "1":