On Wed, Jun 14, 2023 at 06:52:03AM +0200, Jiri Slaby wrote:
On 13. 06. 23, 15:18, Takashi Iwai wrote:
Can we have a common scriptlet that can be triggered by YaST (or whatever) tool for managing that?
I think we need one. Something like {/usr,}/etc/sb-state-changed.d/. Or it can simply be a shutdown (user enabled SB in the config) _and_ startup (BIOS enabled SB) script. The startup one would trigger a reboot after rebuilding and installing the key.
The obvious question: what do other distros do?
I checked the shim signature and the kernel embedded keys in Fedora 37, CentOS 9 and Ubuntu 22.10. I have put the result on bsc#1198101. The point is: I didn't find KMPs from Fedora or Ubuntu online updates. Maybe I missed them. Or maybe they do not provide online updates of KMPs, especially the NVIDIA driver, so they do not worry about the local-built-with-one-time-signkey problem. The following is the checking result for reference.

Some things can be confirmed:
- All of their kernels are locked down in integrity mode when the BIOS secure boot option is enabled.
- All of them use different signkeys to sign the kernel and in-tree kernel modules. Especially Ubuntu uses a 'Build time autogenerated kernel key' to sign kernel modules, and the key is embedded in the kernel when building.
- I didn't find KMPs from them, so I cannot check the signature of the .ko files for out-of-tree kernel modules.

Results for reference (also on bsc#1198101):

Fedora 37:
- shim:
  Signature: Microsoft signature (only Microsoft signed)
  Embedded key: 'Fedora Secure Boot CA'
- kernel:
  Two signatures:
    'Fedora Secure Boot Signer' <-- Fedora Secure Boot CA signature, for shim to verify
    'kernel-signer' <-- Fedora kernel signing key signature, for kexec?
  Embedded key: 'Fedora kernel signing key'
- In-tree kernel module:
  Signature: 'Fedora kernel signing key'
- *.ko in KMP: I didn't find a Fedora KMP yet, only saw a user guide on how to self-sign kernel modules.

So, the key embedded in the Fedora shim can only be used to load the kernel, not to verify kernel modules.

CentOS 9:
- shim:
  Signature: Microsoft Windows UEFI Driver Publisher signature
  Embedded key: 'CentOS Secure Boot CA 2'
- kernel:
  Signature: CentOS Secure Boot Signing 201 (Issuer: CentOS Secure Boot CA 2)
  Embedded keys:
    'CentOS Stream kernel signing key'
    'Red Hat Enterprise Linux Driver Update Program (key 3)'
    'Red Hat Enterprise Linux kpatch signing key'
- In-tree kernel module:
  Signature: 'CentOS Stream kernel signing key'
- *.ko in KMP: I didn't find a CentOS KMP yet.

CentOS 9 also uses different keys to sign the kernel and in-tree kernel modules. On the other hand, CentOS and Fedora are locked down when secure boot is enabled:

[root@Vigor111 boot]# cat /sys/kernel/security/lockdown
none [integrity] confidentiality

Ubuntu 22.10:

Ubuntu is interesting: they use a "Build time autogenerated kernel key" to sign in-tree modules. I believe it's a one time key.
- shim:
  Signature: Microsoft Windows UEFI Driver Publisher signature
  Embedded key: 'Canonical Ltd. Master Certificate Authority' <-- Ubuntu CA
- kernel:
  Signature: Canonical Ltd. Secure Boot Signing (2017) (Issuer: Canonical Ltd. Master Certificate Authority)
  Embedded keys:
    'Build time autogenerated kernel key'
    'Canonical Ltd. Live Patch Signing'
    'Canonical Ltd. Kernel Module Signing'
- In-tree kernel module:
  Signature: 'Build time autogenerated kernel key'
- *.ko in KMP: I didn't find an Ubuntu KMP yet.

Ubuntu 22.10 also uses different keys to sign the kernel and in-tree kernel modules. And the key for signing in-tree kernel modules is a one time key. Like CentOS and Fedora, the Ubuntu kernel is locked down when secure boot is enabled:

root@ubuntu2210:/home/linux# cat /sys/kernel/security/lockdown
none [integrity] confidentiality

Thanks
Joey Lee
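As an added example (not code from the thread or any of the distros named in it), a small Python audit that reads the three things compared above: the lockdown mode, the names of the kernel's builtin trusted keys, and the signer of each installed module, and reports modules whose signer is not one of those keys. The sample inputs are constructed to mimic the formats of /sys/kernel/security/lockdown, `keyctl list %:.builtin_trusted_keys` (or /proc/keys) and `modinfo`; the key names echo the Fedora findings, while the KMP module names and the "Example local MOK" signer are made up.

```python
import re

def lockdown_mode(text):
    """/sys/kernel/security/lockdown lists every mode and brackets the active
    one, e.g. 'none [integrity] confidentiality' -> 'integrity'."""
    m = re.search(r"\[(\w+)\]", text)
    return m.group(1) if m else "unknown"

def trusted_key_names(keyring_text):
    """Subject names of asymmetric keys in a keyring listing.  Accepts both
    `keyctl list` lines ('asymmetric: <CN>: <id>') and /proc/keys lines
    ('asymmetric <CN>: <id>'); the trailing hex key id is dropped so the name
    can be compared with the 'signer:' field that modinfo prints."""
    return set(re.findall(r"asymmetric:?\s+(.+?):\s*[0-9a-fA-F]+\s*$",
                          keyring_text, re.M))

def module_signers(modinfo_text):
    """{module: signer or None} from concatenated `modinfo` output.  Each record
    starts with 'filename:'; a module without a 'signer:' line is unsigned."""
    signers, name = {}, None
    for line in modinfo_text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "filename":
            name = val.rsplit("/", 1)[-1].split(".ko", 1)[0]
            signers[name] = None
        elif key == "signer" and name is not None:
            signers[name] = val
    return signers

def audit(lockdown_text, keyring_text, modinfo_text):
    """Lockdown mode plus every module whose signer is not a builtin key."""
    trusted = trusted_key_names(keyring_text)
    untrusted = {m: s for m, s in module_signers(modinfo_text).items()
                 if s not in trusted}
    return {"lockdown": lockdown_mode(lockdown_text), "untrusted": untrusted}

# Constructed sample input (not captured from a real system).
LOCKDOWN = "none [integrity] confidentiality\n"
KEYRING = """2 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 0a1b2c3d
 234567890: ---lswrv     0     0 asymmetric: Fedora Secure Boot CA: 4e5f6a7b
"""
MODINFO = """filename:       /lib/modules/6.x/kernel/fs/ext4/ext4.ko.xz
name:           ext4
sig_id:         PKCS#7
signer:         Fedora kernel signing key
filename:       /lib/modules/6.x/extra/example_kmp.ko
signer:         Example local MOK
filename:       /lib/modules/6.x/extra/unsigned_kmp.ko
"""

if __name__ == "__main__":
    print(audit(LOCKDOWN, KEYRING, MODINFO))
```

On a live system, feed it `cat /sys/kernel/security/lockdown`, `keyctl list %:.builtin_trusted_keys` and `modinfo` run over the .ko files of interest; a module flagged here would only load under integrity lockdown if its signer is in the MOK-derived platform or secondary keyring instead.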