V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-05 07:51:09 +01:00
parent 519643646e
commit 4b46e8cffc
5 changed files with 151 additions and 21 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@
 # SPDX-Security-Contact: security@coresecret.eu
 .checklist/
 .idea/
+.todo/
 out/
 *.DS_Store
 *.log
--- a/func/cdi_4500_user/4520_accounts_setup.sh
+++ b/func/cdi_4500_user/4520_accounts_setup.sh
@@ -612,8 +612,8 @@ EOF

    if [[ ! -f "${var_sudoers_winscp_global}" ]]; then

-      install_header   "${var_sudoers_winscp_global}"
-      install_comments "${var_sudoers_winscp_global}"
+      insert_header   "${var_sudoers_winscp_global}"
+      insert_header "${var_sudoers_winscp_global}"
      cat << EOF >|    "${var_sudoers_winscp_global}"
 ### Added by CISS.debian.installer. WinSCP SFTP-as-root (least privilege).
 ### Allow exactly the sftp-server binary, optionally with -e (stderr logging).
@@ -648,8 +648,8 @@ EOF

  else

-    install_header   "${var_sudoers_winscp_user}"
-    install_comments "${var_sudoers_winscp_user}"
+    insert_header   "${var_sudoers_winscp_user}"
+    insert_header "${var_sudoers_winscp_user}"
    echo "${var_user} ALL=(root) PASSWD: CISS_SFTPROOT" >> "${var_sudoers_winscp_user}"
    printf "# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf \n" >> "${var_sudoers_winscp_user}"

--- a/upgrades/linux-image/linux_image_clang_options.sh
+++ b/upgrades/linux-image/linux_image_clang_options.sh
@@ -119,7 +119,7 @@ scripts/config --disable CONFIG_DM_INIT

 # --- Crypto primitives needed for LUKS (and general use) ---------------------
 scripts/config --enable  CONFIG_CRYPTO_AES
-scripts/config --enable  CONFIG_CRYPTO_AES_NI_INTEL   # x86_64 AES-NI (harmless if absent)
+scripts/config --enable  CONFIG_CRYPTO_AES_NI_INTEL
 scripts/config --enable  CONFIG_CRYPTO_CHACHA20_POLY1305
 scripts/config --enable  CONFIG_CRYPTO_CRC32C
 scripts/config --enable  CONFIG_CRYPTO_CURVE25519
@@ -226,6 +226,8 @@ scripts/config --enable  CONFIG_MODULE_SIG
 scripts/config --enable  CONFIG_MODULE_SIG_ALL
 scripts/config --enable  CONFIG_MODULE_SIG_SHA512
 scripts/config --disable CONFIG_MODULE_SIG_FORCE
+#scripts/config --set-str CONFIG_MODULE_SIG_KEY="certs/ciss-sb-db-leaf-production-2025-RSA-3072.private.key"
+#scripts/config --set-str CONFIG_SYSTEM_TRUSTED_KEYS="certs/ciss-sb-db-leaf-production-2025-RSA-3072.crt"

 # --- Apply intended core DM + crypto as builtins -----------------------------
 scripts/config --set-val CONFIG_DM_CRYPT y
--- a/upgrades/secure-boot/ciss-sb-pki.cnf
+++ b/upgrades/secure-boot/ciss-sb-pki.cnf
@@ -0,0 +1,143 @@
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+# Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in a vault.
+#
+# The firmware does not check "whether KEK originates from PK in terms of certificate logic." It only checks whether the
+# update message (authenticated variable) has been correctly signed by an authorized key.
+# This is procedural authorization, not PKI path validation.
+#
+# CISS CA order, useful, but optional for UEFI
+# The scheme (Root CA → PK / KEK / db-CA → db-Leaf) is excellent for governance, rotation, and offsite security.
+# However, the following is sufficient for the firmware:
+#   PK : Self-signed, long runtime.
+#   KEK: List with your KEK and (recommended) Microsoft KEK so that you can continue to accept official dbx updates.
+#   db : At least your db-CA (or even the db-Leaf), this allows you to sign shim/GRUB/Kernel yourself.
+#        Optionally, add "MS UEFI CA 2011 (for MS-signed shim/Windows)", but only if you really want to.
+
+
+[ new_oids ]
+encryptedClearance              = 2.5.4.55.2
+
+[ ca ]
+default_ca                      = ciss_sb
+
+[ ciss_sb ]
+dir                             = /root/.ciss/SB/CA
+certs                           = $dir/certs
+crl_dir                         = $dir/crl
+new_certs_dir                   = $dir/newcerts
+database                        = $dir/index.txt
+serial                          = $dir/serial
+RANDFILE                        = $dir/private/.rand
+private_key                     = $dir/private/ciss-sb-ca.key.pem
+certificate                     = $dir/certs/ciss-sb-ca.crt.pem
+default_md                      = sha512
+default_days                    = 7305
+unique_subject                  = no
+email_in_dn                     = no
+copy_extensions                 = copy
+policy                          = policy_strict
+
+[ policy_strict ]
+commonName                      = supplied
+organizationName                = supplied
+organizationalUnitName          = supplied
+countryName                     = supplied
+stateOrProvinceName             = optional
+localityName                    = supplied
+
+[ req ]
+prompt 							            = yes
+encrypt_key 					          = no
+default_bits                    = 4096
+default_md                      = sha512
+string_mask                     = utf8only
+distinguished_name              = req_distinguished_name
+# For CA self-signed cert:
+x509_extensions                 = v3_ca
+
+[ req_distinguished_name ]
+commonName                      = Common Name
+commonName_max                  = 64
+organizationName                = Organization Name
+organizationName_max			      = 64
+organizationalUnitName          = Organizational Unit Name
+organizationalUnitName_max      = 64
+countryName                     = Country Name (ISO 3166-1 alpha-2 (2 letter code))
+countryName_min                 = 2
+countryName_max                 = 2
+stateOrProvinceName             = State or Province or Canton (ISO 3166-2 (2 letter code))
+stateOrProvinceName_min			    = 2
+stateOrProvinceName_max			    = 64
+localityName                    = Locality e.g., City
+localityName_max				        = 64
+organizationIdentifier			    = ID provided by Registration Authority e.g. Court, ECB, NTR
+organizationIdentifier_max	    = 64
+clearance						            = Clearance
+clearance_max					          = 64
+serialNumber					          = QSCD Serial Number
+serialNumber_max				        = 64
+############################### = 1234567890123456789012345678901234567890123456789012345678901234
+commonName_default				      = CISS Secure Boot Root CA 2025 RSA 4096
+organizationName_default        = Centurion Intelligence Consulting Agency
+organizationalUnitName_default 	= CISO
+organizationIdentifier_default	= VATPT-307086887
+countryName_default             = PT
+stateOrProvinceName_default    	= Distrito de Lisboa
+localityName_default           	= Lisboa
+generationQualifier_default		  = xFF00
+uniqueIdentifier_default		    = BEDF772DB22A3EF24B432A7DDB34DA9C
+
+[ v3_ca ]
+basicConstraints                = critical, CA:true
+keyUsage                        = critical, keyCertSign, cRLSign
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+authorityInfoAccess		          = @ciss_sb_pki
+certificatePolicies		          = 2.5.29.32.0, @ciss_sb_policy
+nsComment                       = "CISS Secure Boot Root CA 2025 RSA 4096"
+
+[ v3_pk ]
+basicConstraints                = critical, CA:true, pathlen:0
+keyUsage                        = critical, digitalSignature, keyCertSign
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid:always,issuer
+authorityInfoAccess		          = @ciss_sb_pki
+certificatePolicies		          = @ciss_sb_policy
+crlDistributionPoints           = @ciss_sb_root_crl
+nsComment                       = "UEFI Platform Key (PK), RSA-3072, SHA-384"
+
+[ v3_kek ]
+basicConstraints                = critical, CA:true, pathlen:0
+keyUsage                        = critical, digitalSignature, keyCertSign
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid,issuer
+authorityInfoAccess		          = @ciss_sb_pki
+certificatePolicies		          = @ciss_sb_policy
+crlDistributionPoints           = @ciss_sb_root_crl
+nsComment                       = "UEFI Key-Exchange Key (KEK), RSA-3072, SHA-384"
+
+
+[ ciss_sb_pki ]
+caIssuers;URI.0                 = https://ca.quantumsign.eu/
+
+[ ciss_sb_policy ]
+policyIdentifier 		            = 1.3.6.1.4.1.59634.100.100.100.100
+CPS.0				                    = "https://policy.quantumsign.eu/"
+
+[ ciss_sb_root_crl ]
+fullname                        = URI:https://crl.quantumign.eu/
+reasons                         = keyCompromise, CACompromise, affiliationChanged, superseded, cessationOfOperation, certificateHold, privilegeWithdrawn, AACompromise
+
+
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
--- a/upgrades/secure-boot/ciss-sb-root-ca.cnf
+++ b/upgrades/secure-boot/ciss-sb-root-ca.cnf
@@ -1,16 +0,0 @@
-# SPDX-Version: 3.0
-# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
-# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
-# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
-# SPDX-FileType: SOURCE
-# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
-# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
-# SPDX-PackageName: CISS.debian.installer
-# SPDX-Security-Contact: security@coresecret.eu
-
-### Keep the corresponding ROOT CA strict offline, offsite and air-gapped and maybe in a HSM or at least encrypted in vault.
-
-
-
-# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf