[Bug 1209006] Document how to secureboot-sign manually-built kernel modules on TW kernel >= 6.2.1
https://bugzilla.suse.com/show_bug.cgi?id=1209006
https://bugzilla.suse.com/show_bug.cgi?id=1209006#c19
--- Comment #19 from Michal Suchanek
Hi Martin,
(In reply to Martin Wilck from comment #16)
(In reply to Martin Wilck from comment #15)
(In reply to Joey Lee from comment #9)
Based on the v6.2 kernel, keys in the .machine keyring still must be trusted (signed) by a key in the built-in/secondary keyring. It applies restrict_link_to_ima and depends on CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.
[...]
So keys could be added from the machine keyring to the secondary keyring without being trusted by the secondary keyring beforehand, but such keys could never have been added to the machine keyring in the first place.
That looks like an upstream bug to me.
Sorry, no. I was wrong.
https://elixir.bootlin.com/linux/v6.2/source/security/integrity/digsig.c#L13... shows that there is no restriction at all for keys in the machine and platform key rings.
But now I fail to see why MoK keys don't make it into the secondary keyring...
You are right! I missed the above code when tracing. I have tested the .machine keyring and confirmed that the .machine keyring is linked to the .secondary keyring and can be used to verify kernel modules.
First we need to run the "mokutil --trust-mok" command to request shim to create MokListTrustedRT for linking the .machine keyring to the .secondary keyring.
Unfortunately we need shim-15.5 to support MokListTrustedRT, but we only have the Microsoft-signed shim-15.4 now. Our shim-15.6 and shim-15.7 are waiting for shim upstream review and Microsoft signing.
Or patch this requirement out of the kernel. What's the point anyway? Or just verify everything with the platform keyring. It's trusted for kernel verification, anyway. Why that distinction?
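The thread is about which keyring a module signature ends up being checked against. What happens before any keyring is consulted is that the kernel strips a fixed trailer off the .ko file; the following Python is an added example (not code from the bug report, from SUSE or from the kernel tree) that parses that trailer with the same sanity checks the kernel applies, so that an administrator can tell whether a manually built module is signed at all and how long the embedded PKCS#7 blob is before asking why it fails to verify. The struct layout and magic string are the kernel's; the sample module and signature bytes are constructed stand-ins, not a real ELF image or a real signature.

```python
"""Parse the signature trailer that module signing appends to a .ko file.

Layout from include/linux/module_signature.h; the checks mirror
mod_check_sig() in kernel/module_signature.c:

    [ELF module][PKCS#7 signature][struct module_signature][magic string]
"""
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len;
# u8 __pad[3]; __be32 sig_len  (12 bytes, length in big-endian)
SIG_HDR = struct.Struct(">BBBBB3sI")


def parse_module_signature(blob: bytes) -> dict:
    """Describe the appended signature of a module image.

    Returns {"signed": False} when the magic trailer is absent (the kernel
    then treats the module as unsigned and module.sig_enforce / lockdown
    decide whether it may load).  Raises ValueError for a malformed
    trailer, the cases where mod_check_sig() returns -EBADMSG or -ENOPKG.
    """
    if not blob.endswith(MODULE_SIG_STRING):
        return {"signed": False}
    rest = blob[: -len(MODULE_SIG_STRING)]
    if len(rest) < SIG_HDR.size:
        raise ValueError("module too short to hold struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_HDR.unpack(
        rest[-SIG_HDR.size:]
    )
    rest = rest[: -SIG_HDR.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"id_type {id_type}: only PKCS#7 (2) is supported")
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("reserved module_signature fields must be zero for PKCS#7")
    if sig_len >= len(rest):
        raise ValueError("sig_len larger than the module image")
    return {
        "signed": True,
        "sig_len": sig_len,
        "module_len": len(rest) - sig_len,
        # DER blob; the kernel verifies it against the trusted keyrings
        "pkcs7": rest[-sig_len:],
    }


def append_module_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Lay out the trailer the way scripts/sign-file does.  Test data only:
    pkcs7 is whatever DER blob a signer produced; nothing is signed here."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7))
    return module + pkcs7 + hdr + MODULE_SIG_STRING


# Constructed sample data: a stand-in for an ELF image (64 bytes) and a
# stand-in for a PKCS#7 detached signature (256 bytes, not a real signature).
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 252

if __name__ == "__main__":
    signed = append_module_signature(SAMPLE_MODULE, SAMPLE_PKCS7)
    print(parse_module_signature(signed)["sig_len"])        # 256
    print(parse_module_signature(SAMPLE_MODULE)["signed"])  # False
```

Run it against a real module with `parse_module_signature(open("foo.ko", "rb").read())`; a result of `{"signed": False}` means the file was never signed, while a successful parse that still fails to load points at the keyring question discussed above rather than at the file.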