http://bugzilla.opensuse.org/show_bug.cgi?id=1209006
http://bugzilla.opensuse.org/show_bug.cgi?id=1209006#c18

--- Comment #18 from Joey Lee <jlee@suse.com> ---
Hi Martin,

(In reply to Martin Wilck from comment #16)
> (In reply to Martin Wilck from comment #15)
> > (In reply to Joey Lee from comment #9)
> > > Based on the v6.2 kernel, keys in the .machine keyring still must be trusted (signed) by a key in the built-in/secondary keyring. It applies restrict_link_to_ima and depends on CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
> > [...]
> > So keys could be added from the machine keyring to the secondary keyring without being trusted by the secondary keyring beforehand, but such keys could never have been added to the machine keyring in the first place.
> > That looks like an upstream bug to me.
> Sorry, no. I was wrong.
> https://elixir.bootlin.com/linux/v6.2/source/security/integrity/digsig.c#L13... shows that there is no restriction at all for keys in the machine and platform key rings.
> But now I fail to see why MoK keys don't make it into the secondary keyring...
You are right! I missed the above code when tracing. I have tested the .machine keyring and confirmed that the .machine keyring is linked to the .secondary keyring and can be used to verify kernel modules.

First we need to run the "mokutil --trust-mok" command to request that shim create MokListTrustedRT for linking the .machine keyring to the .secondary keyring. Unfortunately we need shim-15.5 to support MokListTrustedRT, but we only have the Microsoft-signed shim-15.4 now. Our shim-15.6 and shim-15.7 are waiting for shim upstream review and Microsoft signing.

If anyone wants to try shim-15.7, it is in the openSUSE:Factory:secure-boot repo:
https://build.opensuse.org/package/show/openSUSE:Factory:secure-boot/shim
You will need to enroll the openSUSE CA or signkey into the UEFI db. Then you can play with shim-15.7.

After shim created MokListTrustedRT and the boot succeeded, keyctl shows:

Vigor135:~ # keyctl list %:.platform
6 keys in keyring:
1067995450: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
22887073: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: fc6de3c630f48b63df52f138903ce4d57b4912cf
261332100: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ec9a8cdfe96d577ab849ff3e58ee0d84b17d9745
174403700: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: e9454afc180d18db2c0311d43f6fe8dd65cb96e8
690509329: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: af96d2c6c40d1afc8b175658d0536fe4514e7501
351948099: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

Vigor135:~ # keyctl list %:.machine
6 keys in keyring:
531558656: ---lswrv 0 0 asymmetric: openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762
905231616: ---lswrv 0 0 asymmetric: openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e
113219: ---lswrv 0 0 asymmetric: Kernel OBS Project: 1fb41512acbc8eebdf828d877e4367bf6c719af3
772042873: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 959b5e1b135628040e10b510443790b327f6615d
529014248: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 55f24d5835fbedf68734252328b769eb29ddfe97
775007952: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: e9454afc180d18db2c0311d43f6fe8dd65cb96e8

So, all keys in MoK are unconditionally added to the .machine keyring. And the keyring is linked to the .secondary keyring:

Vigor135:~ # keyctl list %:.secondary_trusted_keys
2 keys in keyring:
236292887: ---lswrv 0 0 keyring: .builtin_trusted_keys
900602128: ---lswrv 0 0 keyring: .machine

I have booted a self-built kernel and loaded an openSUSE signkey-signed module successfully.

So, I want to fix my comment #9: the .machine keyring works to verify kernel modules. The problem is that we need Microsoft to sign back openSUSE shim-15.6 or shim-15.7. Otherwise we still need the downstream patch KEYS-Make-use-of-platform-keyring-for-module-signatu.patch.
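A small checker for the keyring state discussed in this comment, added here as an example and not part of the bug report or of any openSUSE tooling: it parses `keyctl list` output (the sample listings are copied from comment #18 above; the "unlinked" listing is constructed) and reports whether .machine is linked into .secondary_trusted_keys, which is the condition that lets MoK-enrolled signers verify kernel modules.

```python
import re

# One key per keyctl line: "<serial>: <perms> <uid> <gid> <type>: <description>"
KEY_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\w+):\s+(.+?)\s*$")

def parse_keyctl_list(text):
    """Parse 'keyctl list %:<keyring>' output; header and prompt lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        serial, perms, _uid, _gid, ktype, desc = m.groups()
        name, fingerprint = desc, None
        if ktype == "asymmetric" and ": " in desc:
            name, fingerprint = desc.rsplit(": ", 1)  # "<subject>: <cert SHA-1>"
        keys.append({"serial": int(serial), "perms": perms, "type": ktype,
                     "name": name, "fingerprint": fingerprint})
    return keys

def machine_keyring_linked(secondary_listing):
    """True when .secondary_trusted_keys contains the .machine keyring."""
    return any(k["type"] == "keyring" and k["name"] == ".machine"
               for k in parse_keyctl_list(secondary_listing))

def module_trusted_signers(secondary_listing, machine_listing):
    """MoK signers that module verification can reach: none unless .machine is linked."""
    if not machine_keyring_linked(secondary_listing):
        return []
    return [k["name"] for k in parse_keyctl_list(machine_listing)
            if k["type"] == "asymmetric"]

# Constructed samples; the first two are copied from the listings in comment #18.
SECONDARY_LINKED = """2 keys in keyring:
 236292887: ---lswrv 0 0 keyring: .builtin_trusted_keys
 900602128: ---lswrv 0 0 keyring: .machine
"""
MACHINE = """3 keys in keyring:
 531558656: ---lswrv 0 0 asymmetric: openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762
 905231616: ---lswrv 0 0 asymmetric: openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e
 113219: ---lswrv 0 0 asymmetric: Kernel OBS Project: 1fb41512acbc8eebdf828d877e4367bf6c719af3
"""
# Constructed: the secondary keyring when shim never created MokListTrustedRT.
SECONDARY_UNLINKED = "1 key in keyring:\n 236292887: ---lswrv 0 0 keyring: .builtin_trusted_keys\n"

if __name__ == "__main__":
    # To check a live system, feed the output of `keyctl list %:.secondary_trusted_keys`
    # and `keyctl list %:.machine` (run as root) to these functions instead.
    print("MoK signers usable for modules:", module_trusted_signers(SECONDARY_LINKED, MACHINE))
```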