Hi Martin,

(In reply to Martin Wilck from comment #16)
> (In reply to Martin Wilck from comment #15)
> > (In reply to Joey Lee from comment #9)
> >
> > > Based on the v6.2 kernel, keys in the .machine keyring still must be trusted (signed)
> > > by a key in the built-in/secondary keyring. It applies restrict_link_to_ima and
> > > depends on CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
> >
> > [...]
> >
> > So keys could be added from the machine keyring to the secondary keyring
> > without being trusted by the secondary keyring beforehand, but such keys
> > could never have been added to the machine keyring in the first place.
> >
> > That looks like an upstream bug to me.
>
> Sorry, no. I was wrong.
>
> https://elixir.bootlin.com/linux/v6.2/source/security/integrity/digsig.c#L134
> shows that there is no restriction at all for keys in the machine and
> platform key rings.
>
> But now I fail to see why MoK keys don't make it into the secondary
> keyring...

You are right! I missed the above code when tracing.

I have tested the .machine keyring and confirmed that the .machine keyring is linked into the .secondary keyring and can be used to verify kernel modules.

First we need to run the "mokutil --trust-mok" command to request that shim create MokListTrustedRT for linking the .machine keyring to the .secondary keyring. Unfortunately we need shim-15.5 to support MokListTrustedRT, but we only have the Microsoft-signed shim-15.4 now. Our shim-15.6 and shim-15.7 are waiting for shim upstream review and Microsoft signing.

If anyone wants to try shim-15.7, it is in the openSUSE:Factory:secure-boot repo: https://build.opensuse.org/package/show/openSUSE:Factory:secure-boot/shim

You will need to enroll the openSUSE CA or signkey into the UEFI db. Then you can play with shim-15.7.
After shim has created MokListTrustedRT and the boot succeeds, keyctl shows:

Vigor135:~ # keyctl list %:.platform
6 keys in keyring:
1067995450: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
22887073: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: fc6de3c630f48b63df52f138903ce4d57b4912cf
261332100: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ec9a8cdfe96d577ab849ff3e58ee0d84b17d9745
174403700: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: e9454afc180d18db2c0311d43f6fe8dd65cb96e8
690509329: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: af96d2c6c40d1afc8b175658d0536fe4514e7501
351948099: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

Vigor135:~ # keyctl list %:.machine
6 keys in keyring:
531558656: ---lswrv 0 0 asymmetric: openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762
905231616: ---lswrv 0 0 asymmetric: openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e
113219: ---lswrv 0 0 asymmetric: Kernel OBS Project: 1fb41512acbc8eebdf828d877e4367bf6c719af3
772042873: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 959b5e1b135628040e10b510443790b327f6615d
529014248: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 55f24d5835fbedf68734252328b769eb29ddfe97
775007952: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: e9454afc180d18db2c0311d43f6fe8dd65cb96e8

So, all keys in MOK are unconditionally added to the .machine keyring. And the .machine keyring is linked into the .secondary keyring:

Vigor135:~ # keyctl list %:.secondary_trusted_keys
2 keys in keyring:
236292887: ---lswrv 0 0 keyring: .builtin_trusted_keys
900602128: ---lswrv 0 0 keyring: .machine

I have booted a self-built kernel and successfully loaded a module signed by the openSUSE signkey. So, I want to correct my comment #9: the .machine keyring works for verifying kernel modules.
The problem is that we need Microsoft to sign openSUSE shim-15.6 or shim-15.7. Otherwise we still need the downstream patch KEYS-Make-use-of-platform-keyring-for-module-signatu.patch.
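The keyring relationship discussed in this comment (keys in .machine become usable for module verification only because .secondary_trusted_keys links to .machine, while .platform is not linked at all) can be checked mechanically from pasted `keyctl list` output. The following script is an added example written for this page, not code from the bug report, the kernel or the shim project. It parses the three listings above (embedded as a constructed sample), walks the `keyring:` links from `.secondary_trusted_keys`, and reports which loaded keys would and would not be consulted when a module signature is verified. It assumes the standard output format of `keyctl list %:<name>` and that module verification consults the secondary keyring (CONFIG_SECONDARY_TRUSTED_KEYRING); the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three `keyctl list` listings pasted in the
# comment above, in the format the keyctl(1) tool prints them.
SAMPLE = """\
Vigor135:~ # keyctl list %:.platform
6 keys in keyring:
1067995450: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
22887073: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: fc6de3c630f48b63df52f138903ce4d57b4912cf
261332100: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ec9a8cdfe96d577ab849ff3e58ee0d84b17d9745
174403700: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: e9454afc180d18db2c0311d43f6fe8dd65cb96e8
690509329: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: af96d2c6c40d1afc8b175658d0536fe4514e7501
351948099: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
Vigor135:~ # keyctl list %:.machine
6 keys in keyring:
531558656: ---lswrv 0 0 asymmetric: openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762
905231616: ---lswrv 0 0 asymmetric: openSUSE Secure Boot Signkey: fd9f2c12e599d67cc7f9067541adf426b712469e
113219: ---lswrv 0 0 asymmetric: Kernel OBS Project: 1fb41512acbc8eebdf828d877e4367bf6c719af3
772042873: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 959b5e1b135628040e10b510443790b327f6615d
529014248: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 55f24d5835fbedf68734252328b769eb29ddfe97
775007952: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: e9454afc180d18db2c0311d43f6fe8dd65cb96e8
Vigor135:~ # keyctl list %:.secondary_trusted_keys
2 keys in keyring:
236292887: ---lswrv 0 0 keyring: .builtin_trusted_keys
900602128: ---lswrv 0 0 keyring: .machine
"""

# "<prompt> keyctl list %:<keyring name>" starts a new listing.
LISTING_RE = re.compile(r"keyctl list %:(\S+)\s*$")
# "<serial>: <perms> <uid> <gid> <type>: <description>[: <sha1 fingerprint>]"
ENTRY_RE = re.compile(
    r"^\s*(\d+):\s+(\S+)\s+\d+\s+\d+\s+(asymmetric|keyring):\s+(.*?)\s*$"
)


def parse_keyctl_list(text):
    """Parse pasted `keyctl list %:<name>` output into {keyring: [entries]}."""
    keyrings = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = LISTING_RE.search(line)
        if m:
            current = m.group(1)
            keyrings[current]  # register the keyring even if it turns out empty
            continue
        m = ENTRY_RE.match(line)
        if not m or current is None:
            continue  # "N keys in keyring:" lines and anything else are skipped
        serial, perms, ktype, rest = m.groups()
        entry = {"serial": int(serial), "perms": perms, "type": ktype}
        if ktype == "asymmetric":
            # keyctl prints the key's SHA-1 fingerprint after the last ": "
            desc, _, fingerprint = rest.rpartition(": ")
            entry["description"], entry["fingerprint"] = desc, fingerprint
        else:
            entry["description"] = rest  # name of the linked keyring
        keyrings[current].append(entry)
    return dict(keyrings)


def reachable_keyrings(keyrings, root=".secondary_trusted_keys"):
    """Keyrings reachable from `root` by following 'keyring:' link entries.

    Module verification consults the secondary keyring, which links
    .builtin_trusted_keys and, once shim provides MokListTrustedRT, .machine.
    """
    seen, stack = [], [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.append(name)
        for entry in keyrings.get(name, []):
            if entry["type"] == "keyring":
                stack.append(entry["description"])
    return seen


def module_trusted_fingerprints(keyrings):
    """Fingerprints of asymmetric keys that module verification would accept."""
    return {
        entry["fingerprint"]
        for name in reachable_keyrings(keyrings)
        for entry in keyrings.get(name, [])
        if entry["type"] == "asymmetric"
    }


def machine_keyring_linked(keyrings):
    """True when .machine is reachable from the secondary keyring."""
    return ".machine" in reachable_keyrings(keyrings)


def unreachable_keys(keyrings):
    """Loaded keys that module verification would NOT consult.

    With the sample listing these are the .platform (UEFI db) keys, which is
    why a db-key-signed module still needs the downstream platform-keyring patch.
    """
    reachable = set(reachable_keyrings(keyrings))
    trusted = module_trusted_fingerprints(keyrings)
    return [
        (name, entry["description"], entry["fingerprint"])
        for name, entries in keyrings.items()
        if name not in reachable
        for entry in entries
        if entry["type"] == "asymmetric" and entry["fingerprint"] not in trusted
    ]


if __name__ == "__main__":
    kr = parse_keyctl_list(SAMPLE)
    print("machine keyring linked into secondary:", machine_keyring_linked(kr))
    for name, desc, fp in unreachable_keys(kr):
        print(f"not usable for module verification: {name} {desc} ({fp})")
```

On a live system, replace SAMPLE with the pasted output of the same `keyctl list %:<name>` command for .secondary_trusted_keys, .machine, .platform and .builtin_trusted_keys; if `machine_keyring_linked` is false, shim did not create MokListTrustedRT (for example because it is older than 15.5), and the MOK keys sit only in .platform, where module verification does not look without the downstream patch.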