Hi all,
In the past 2 weeks, I backported 5 patches for supporting UEFI secure boot and also sent them to
opensuse-kernel for every expert's review:
[PATCH 0/11] Backported patches to lock down functions in secure boot [1]
[PATCH 0/2] Backported patches for prepare KMP kernel module sign [2]
[PATCH 0/4] Backported patches for support driver firmware sign [3]
[PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) [4]
[PATCH 0/19] Backported patches for support UEFI variable filesystem [5]
Now, I cloned the kernel-source of openSUSE 12.3 and pushed those backported patches to this branch:
https://gitorious.org/~joeyli/opensuse/joeylis-kernel-source/commits/openSUS...
And I also pushed the kernel source to OBS to build kernel RPMs:
https://build.opensuse.org/project/show?project=home%3Ajoeyli%3Abranches%3Ao...
Those kernel RPMs are for anyone who wants to try the backported patches on openSUSE.
e.g.
We can set the 'secureboot_enable=1' kernel parameter to lock down some functions on a non-UEFI machine, then
monitor the openSUSE behavior.
or
We want to test the kernel module signing.
Thanks a lot!
Joey Lee
[1]
[PATCH 0/11] Backported patches to lock down functions in secure boot
Patch-mainline: Not yet, reviewing
References: none
Target: openSUSE 12.3
Test steps:
+ build; make modules_install; make install
+ add 'secureboot_enable=1' kernel parameter
Known issues on SLE (fixed):
+ xorg-x11-server needs the d01921ec18c21f21d377b606 patch to avoid
'xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)'
Backported 11 patches to lock down functions in secure boot:
0001_Secure_boot:_Add_new_capability_v2.patch
0002_PCI:_Lock_down_BAR_access_in_secure_boot_environments_v2.patch
0003_x86:_Lock_down_IO_port_access_in_secure_boot_environments_v2.patch
0004_ACPI:_Limit_access_to_custom_method_v2.patch
0005_asus-wmi:_Restrict_debugfs_interface_v2.patch
0006_Restrict__dev_mem_and__dev_kmem_in_secure_boot_setups_v2.patch
0007_Secure_boot:_Add_a_dummy_kernel_parameter_that_will_switch_on_Secure_Boot_mode_v2.patch
0008_efi:_Enable_secure_boot_lockdown_automatically_when_enabled_in_firmware_v2.patch
0009_acpi:_Ignore_acpi_rsdp_kernel_parameter_in_a_secure_boot_environment_v2.patch
0010_SELinux:_define_mapping_for_new_Secure_Boot_capability_v2.patch
0011-hibernate-Disable-in-a-Secure-Boot-environment.patch
[2]
[PATCH 0/2] Backported patches for prepare KMP kernel module sign
Patch-mainline: v3.8-rc?
References: none
Target: openSUSE 12.3
Backported 2 patches for preparing KMP kernel module signing:
0001-MODSIGN-Avoid-using-.incbin-in-C-source.patch
0002-MODSIGN-Drop-ccache-hack.patch
[3]
[PATCH 0/4] Backported patches for support driver firmware sign
Patch-mainline: Not yet, reviewing (contributed by Takashi)
Target: openSUSE 12.3
Test steps:
+ select the following kernel config:
  Enable loadable module support ->
    Module signature verification
      Require modules to be validly signed
      Which hash algorithm should modules be signed with? --->
  Device Drivers --->
    Generic Driver Options --->
      Firmware signature verification (NEW)
+ mkinitrd needs this patch [1]
+ build; make modules_install; make firmware_install; make install
+ check /lib/modules/3.0.51-default/, it should have *.sig files
+ We can also test manually signing a firmware file:
# ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw
Takashi's patch set for driver firmware signing is being reviewed upstream; I backported it to openSUSE 12.3 for
more testing.
Backported 4 patches for supporting driver firmware signing
Driver firmware signing (from Takashi, under review upstream):
Not yet:
0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch
0002-firmware:_Add_-a_option_to_scripts_sign-file.patch
0003-firmware:_Add_support_for_signature_checks.patch
0004-firmware:_Install_firmware_signature_files_automatically.patch
[1]
Index: mkinitrd-2.4.2/scripts/setup-modules.sh
===================================================================
--- mkinitrd-2.4.2.orig/scripts/setup-modules.sh
+++ mkinitrd-2.4.2/scripts/setup-modules.sh
@@ -375,6 +375,10 @@ for module in $resolved_modules; do
has_firmware=true
fi
echo -n "$fw "
+ if test -e "$dir/$subdir/$fw.sig"; then
+ cp -p --parents "$_" "$tmp_mnt"
+ echo -n "$fw.sig "
+ fi
fi
done
done
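Review bot: the added 'cp -p --parents "$_" "$tmp_mnt"' line relies on '$_' still holding the last argument of the preceding 'test -e "$dir/$subdir/$fw.sig"', which is fragile: it breaks as soon as a statement is inserted between the two lines or the script runs under a shell that does not maintain '$_'. Pass the path explicitly, e.g. 'cp -p --parents "$dir/$subdir/$fw.sig" "$tmp_mnt"', and consider checking cp's exit status so a signature file that fails to copy into the initrd is reported rather than silently skipped.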
[4]
[PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN)
Patch-mainline: Not yet, from Fedora 18 kernel
References: fate#314574
Target: SLE-11 SP3
Tested-on: qemu-kvm with OVMF UEFI BIOS
Test steps:
+ enable the following kernel configs:
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_BLACKLIST=y
CONFIG_MODULE_SIG_UEFI=y
+ build
+ make modules_install; make install
When we run make modules_install, the script will sign the kernel modules.
+ copy vmlinuz binary to efi folder:
# mv /boot/vmlinuz-3.0.53-default /boot/efi/vmlinuz-3.0.53-default.efi
+ boot the kvm image with UEFI BIOS, enroll the key to db, dbx
+ boot the kvm image to SUSE, enroll the key to MokList by mokutil
+ reboot system, go to UEFI shell
+ run the vmlinuz-3.0.53-default.efi STUB kernel; the boot message should show:
[ 0.157219] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.module_sign'
[ 0.159674] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.modsign_blacklist'
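The db and dbx contents that the key loader in this series reads are EFI_SIGNATURE_LIST blobs. As an added example (my code, not part of the backported patches), here is a bounds-checked walker over that layout, the property the 'Dont-soft-lockup-on-bad-EFI-signature-lists' patch addresses; the layout follows the UEFI spec, while the callback type and the function names are mine.

```c
/* Added example, not code from the backported patches: walk an
 * EFI_SIGNATURE_LIST blob such as the contents of db or dbx, with the bounds
 * checks a key loader needs so a malformed list cannot overread or spin. */
#include <stddef.h>
#include <stdint.h>

#define GUID_LEN 16
#define SIGLIST_HDR (GUID_LEN + 3 * 4) /* SignatureType GUID + three u32 fields */

/* UEFI stores the header fields little-endian. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hypothetical callback: receives one EFI_SIGNATURE_DATA (owner GUID, payload). */
typedef void (*sig_cb)(const uint8_t *owner, const uint8_t *data, size_t len);

/* Returns the number of signatures visited, or -1 if the blob is malformed. */
int parse_siglist(const uint8_t *blob, size_t size, sig_cb cb)
{
    int count = 0;
    while (size > 0) {
        if (size < SIGLIST_HDR)
            return -1;
        uint32_t list_sz = le32(blob + GUID_LEN);
        uint32_t hdr_sz  = le32(blob + GUID_LEN + 4);
        uint32_t sig_sz  = le32(blob + GUID_LEN + 8);
        /* A zero SignatureListSize or SignatureSize would never advance the
         * cursor; rejecting it is what keeps a bad list from soft-locking the loader. */
        if (list_sz < SIGLIST_HDR || list_sz > size || sig_sz <= GUID_LEN)
            return -1;
        if ((uint64_t)SIGLIST_HDR + hdr_sz > list_sz)
            return -1;
        size_t body = list_sz - SIGLIST_HDR - hdr_sz;
        if (body % sig_sz != 0) /* signatures must tile the list exactly */
            return -1;
        const uint8_t *p = blob + SIGLIST_HDR + hdr_sz;
        for (size_t off = 0; off < body; off += sig_sz, count++)
            if (cb)
                cb(p + off, p + off + GUID_LEN, sig_sz - GUID_LEN);
        blob += list_sz;
        size -= list_sz;
    }
    return count;
}
```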
Backported 7 patches for loading module signing keys from db, dbx and MokList (MODSIGN):
0001-modsign-Always-enforce-module-signing-in-a-Secure-Boot.patch
0002-Add-EFI-signature-data-types.patch
0003-Add-an-EFI-signature-blob-parser-and-key-loader.patch
0004-EFI-Add-in-kernel-variable-to-determine-if-Secure-Boot-is-enabled.patch
0005-MODSIGN-Add-module-certificate-blacklist-keyring.patch
0006-MODSIGN-Import-certificates-from-UEFI-Secure-Boot-v3.patch
0007-Dont-soft-lockup-on-bad-EFI-signature-lists.patch
[5]
Patch-mainline: v3.8-rc1..v3.8-rc3
Target: openSUSE 12.3
Test steps:
+ build; make modules_install; make install
+ mount -t efivarfs none /sys/firmware/efi/efivars/
or create the file /lib/systemd/system/sys-firmware-efi-efivars.mount [1]
+ ls /sys/firmware/efi/efivars will show all EFI variables
+ Try the small create[2]/delete[3] programs from Gary Lin
The create program will create an EFI variable named TestVar, then we can see it show up
in /sys/firmware/efi/efivars. And the delete program can remove it.
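An added example in the spirit of Gary Lin's create program, written here and not his code: it builds the write buffer efivarfs expects (a 4-byte little-endian attribute word followed by the data) and creates TestVar under /sys/firmware/efi/efivars. The vendor GUID and the data bytes are constructed test values.

```c
/* Added example, not Gary Lin's create.c: create a UEFI variable through
 * efivarfs. Each variable is a file named "<Name>-<VendorGUID>" whose content
 * is a 4-byte little-endian attribute word followed by the variable data. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* UEFI attribute bits NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS. */
#define EFI_VAR_NV_BS_RT 0x7u

/* Lay out the write buffer efivarfs expects: attributes (LE u32) then data.
 * Returns the total length, or 0 if buf is too small. */
size_t efivarfs_payload(uint8_t *buf, size_t buflen, uint32_t attrs,
                        const void *data, size_t datalen)
{
    if (buflen < 4 + datalen)
        return 0;
    for (int i = 0; i < 4; i++)
        buf[i] = (attrs >> (8 * i)) & 0xff;
    memcpy(buf + 4, data, datalen);
    return 4 + datalen;
}

/* Create "<name>-<guid>" under efivarfs with a single write(), which is what
 * efivarfs requires. Needs root and a mounted efivarfs. Returns 0 or -1. */
int efivarfs_create(const char *name, const char *guid, uint32_t attrs,
                    const void *data, size_t datalen)
{
    char path[256];
    uint8_t buf[4 + 1024];
    size_t len = efivarfs_payload(buf, sizeof buf, attrs, data, datalen);
    int n = snprintf(path, sizeof path, "/sys/firmware/efi/efivars/%s-%s", name, guid);
    if (len == 0 || n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, len);
    close(fd);
    return w == (ssize_t)len ? 0 : -1;
}
int main(void)
{
    /* The vendor GUID is a constructed test value, not one from the page. */
    if (efivarfs_create("TestVar", "12345678-1234-1234-1234-123456789abc",
                        EFI_VAR_NV_BS_RT, "hello", 5) < 0)
        perror("efivarfs_create");
    return 0;
}
```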
Backported 19 patches:
0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch
0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch
0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch
0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch
0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch
0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch
0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch
0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch
0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch
0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch
0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch
0012-efi-Clarify-GUID-length-calculations.patch
0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch
0014-efivarfs-Add-unique-magic-number.patch
0015-efivarfs-Make-datasize-unsigned-long.patch
0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch
0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch
0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch
0019-efivarfs-Make-efivarfs_fill_super-static.patch
[1]
/lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to
systemd mailing list for review)
[Unit]
Description=EFI Variables File System
Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs.txt
DefaultDependencies=no
ConditionPathExists=/sys/firmware/efi/efivars
Before=sysinit.target
[Mount]
What=efivarfs
Where=/sys/firmware/efi/efivars
Type=efivarfs
[2]
create.c
#include