[Bug 1083723] New: Kernels from Kernel:* are not signed by the SUSE key -- cannot be secure-booted
http://bugzilla.suse.com/show_bug.cgi?id=1083723

            Bug ID: 1083723
           Summary: Kernels from Kernel:* are not signed by the SUSE key -- cannot be secure-booted
    Classification: Internal Novell Products
           Product: openSUSE Build Service
           Version: 2.5
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: General
          Assignee: adrian@suse.com
          Reporter: jslaby@suse.com
        QA Contact: adrian@suse.com
                CC: jlee@suse.com, mls@suse.com
          Found By: ---
           Blocker: ---

Would it be possible to add the SUSE key (which is used for signing released openSUSE:* kernels) to also sign kernels in the Kernel:* space on OBS and the Devel:Kernel:* space in IBS? This would allow for enabling secure boot even when one uses kernel-of-the-day from the above repos. And there are plenty of those people (from developers like me to users, as can be seen on the opensuse lists).

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c1

Michael Schröder <mls@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jslaby@suse.com
              Flags|                            |needinfo?(jslaby@suse.com)

--- Comment #1 from Michael Schröder <mls@suse.com> ---
It's possible, of course, but we aren't allowed to do this. Please talk with the security team.

Why do you even need that? Can't you just add that Kernel: key to your list of allowed UEFI keys on your test machine?
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c2

Jiri Slaby <jslaby@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
              Flags|needinfo?(jslaby@suse.com)  |needinfo?(security-team@suse.de)

--- Comment #2 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Michael Schröder from comment #1)
> It's possible, of course, but we aren't allowed to do this. Please talk with the security team.

NEEDINFO-ed now.

> Why do you even need that? Can't you just add that Kernel: key to your list of allowed UEFI keys on your test machine?

It's mainly convenience. It might be rather easy for *me* to upload the key to the FW (BTW, could somebody write down how -- I have no idea?). But it's rather hard for users if I ask them to test KOTD on a secure-boot enabled machine. Well, it's always like: disable secure boot, check, reinstall/remove the kernel, enable secure boot, etc. It's possible, but inconvenient. In the end, KOTDs are officially provided kernels. So I would love to see them signed by SUSE keys too.
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c3

--- Comment #3 from Joey Lee <jlee@suse.com> ---
(In reply to Jiri Slaby from comment #2)
> (In reply to Michael Schröder from comment #1)
> > It's possible, of course, but we aren't allowed to do this. Please talk with the security team.
>
> NEEDINFO-ed now.
>
> > Why do you even need that? Can't you just add that Kernel: key to your list of allowed UEFI keys on your test machine?
>
> It's mainly convenience. It might be rather easy for *me* to upload the key to the FW (BTW, could somebody write down how -- I have no idea?). But it's

If you are talking about mok, then:

step 1. enroll certificate to mok
    # enroll certificate with root password
    # mokutil --root-pw --import public-256.der

step 2. reboot, follow the mok manager's interactive UI to enroll key.

step 3. boot to system
    # show the enrolled certificate in mok
    # mokutil --list-enrolled
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c4

--- Comment #4 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Joey Lee from comment #3)
> # mokutil --root-pw --import public-256.der

I am missing one more step -- how to take the cert from the BS?
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c5

--- Comment #5 from Joey Lee <jlee@suse.com> ---
(In reply to Jiri Slaby from comment #4)
> (In reply to Joey Lee from comment #3)
> > # mokutil --root-pw --import public-256.der
>
> I am missing one more step -- how to take the cert from the BS?

Try this example:

    osc signkey --sslcert Devel:Kernel:SLE12:KMP > ibs-devel-kernel.crt
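The procedure from comments #3 and #5 wrapped into one checked script, as an added example that is not part of the bug thread. It assumes osc, openssl and mokutil are installed, takes the OBS project name as its argument, and assumes `mokutil --test-key` exits 0 when the certificate is already enrolled.

```shell
#!/bin/sh
# Added example, not from the bug thread. Fetches a Build Service project's
# signing certificate, converts it to DER and queues it for MOK enrolment.
set -eu

# Return 0 if the file looks like a PEM certificate (what `osc signkey --sslcert` writes).
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Derive the DER file name mokutil expects from the PEM name (foo.crt -> foo.der).
der_name() {
    printf '%s.der\n' "${1%.*}"
}

# Fetch, convert, inspect and queue the certificate for one project (e.g. Kernel:HEAD).
enroll_project_key() {
    project="$1"
    # Project names contain ':'; use '-' in the file name instead.
    pem="$(printf '%s' "$project" | tr ':' '-').crt"
    der="$(der_name "$pem")"

    osc signkey --sslcert "$project" > "$pem"
    is_pem_cert "$pem" || { echo "no PEM certificate in $pem" >&2; return 1; }

    # mokutil imports DER, not PEM.
    openssl x509 -in "$pem" -outform DER -out "$der"
    # Print subject, issuer and fingerprint so the user sees what they are about to trust.
    openssl x509 -in "$der" -inform DER -noout -subject -issuer -fingerprint -sha256

    # Assumption: --test-key exits 0 when the key is already in the MOK list.
    if mokutil --test-key "$der" >/dev/null 2>&1; then
        echo "$der is already enrolled in MOK"
        return 0
    fi
    # Queues the request; MokManager asks for this password on the next boot.
    mokutil --root-pw --import "$der"
    echo "Reboot, confirm the enrolment in MokManager, then verify with: mokutil --list-enrolled"
}

if [ "$#" -ge 1 ]; then
    enroll_project_key "$1"
fi
```

As comment #11 below points out, enrolling the project certificate in MOK covers what shim verifies at boot; whether the kernel accepts module signatures from MOK keys is a separate question.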
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c6

--- Comment #6 from Michael Schröder <mls@suse.com> ---
The easiest way is to use the Web UI: go to some Kernel: project, e.g. Kernel:HEAD. Then click on the "GPG Key / SSL Certificate" link.
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c8

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com

--- Comment #8 from Marcus Meissner <meissner@suse.com> ---
https://build.opensuse.org/project/show/Kernel:stable , click on GPG Key/SSL Certificate as MLS writes?
http://bugzilla.suse.com/show_bug.cgi?id=1083723

Jeffrey Cheung <jcheung@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jcheung@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1083723#c9

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz@suse.com

--- Comment #9 from Johannes Segitz <jsegitz@suse.com> ---
(In reply to Jiri Slaby from comment #0)
How's access to Kernel:* and Devel:Kernel:* managed? Do we have people who are not allowed to work on our official kernels that have access there?
http://bugzilla.suse.com/show_bug.cgi?id=1083723

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                          |Added
----------------------------------------------------------------------------
              Flags|needinfo?(security-team@suse.de) |
http://bugzilla.suse.com/show_bug.cgi?id=1083723

lili zhao <llzhao@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |llzhao@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1083723#c10

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@suse.com

--- Comment #10 from Ludwig Nussel <lnussel@suse.com> ---
The magic kernel %post script already automatically calls mokutil to get the key imported on next boot if CONFIG_MODULE_SIG=y; that's how the whole discussion started. See bug 1173115. So the way to go is to improve and optimize that rather ad hoc mechanism. There is no need to sign devel projects with the official keys.
https://bugzilla.suse.com/show_bug.cgi?id=1083723#c11

--- Comment #11 from Jiri Slaby <jslaby@suse.com> ---
(In reply to Ludwig Nussel from comment #10)
> There is no need to sign devel projects with the official keys.

I'm not sure -- does it happen now? I don't think so, as KOTDs have signatures from the respective devel projects and mokutil imports them as you write. Not sure what keys are used for signing modules, but the upstream kernel (and TW) does not check modules against MOK keys, only vendor ones.
https://bugzilla.suse.com/show_bug.cgi?id=1083723#c12

--- Comment #12 from Ludwig Nussel <lnussel@suse.com> ---
So can we close this?