On Tuesday, March 05, 2013 03:43:21 PM joeyli wrote:
> Hi Thomas,
> ...
> Currently there is no openSUSE wiki page or document explaining kernel module signing. As far as I know we didn't enable kernel module signing (CONFIG_MODULE_SIG) on openSUSE 12.3. I am not sure we still need a document if openSUSE doesn't enable it.
>
> About the kernel module signing subsystem, the big differences between the openSUSE 12.3 kernel and the SLES-11 SP3 kernel:
>
> + Firmware signing: We merged Takashi's firmware signing patches into the SP3 kernel but not into openSUSE 12.3.
> + Enrolling keys from db and MOK under UEFI BIOS: the SP3 kernel will load keys from db and MOK into modsign_keyring to check third-party-signed or self-signed kernel modules. This feature isn't in the openSUSE 12.3 kernel. And, of course, the openSUSE kernel will not revoke a key through dbx in UEFI. The patches supporting this function were sent to kernel upstream by Matthew Garrett for review; unfortunately I didn't see them in v3.9-rc1. I can enroll keys via BIOS or via mokmanager. The latter works by booting into the efi shell and calling: fs0:\efi\SUSE\shim.efi MokManager.efi
>
> The following is a simple note on how to try kernel module signing manually. This procedure works with mainline and SLES kernels; I think it should also work with the openSUSE 12.3 kernel:
> ...

Thanks, module signing seems to work. What seems to be missing is that the kernel needs to be signed manually?

There are quite a few different tools out there: certutil, efitools, pesign, sbsign, openssl, ... I played a bit with these, found efitools in Michael's obs project, etc. Our build service seems to use pesign, but the .spec file only marks which files to sign, and the key/certificate comes from the build service. I couldn't find out how to feed my own local pesign key database. certutil I only found packaged in mozilla-nss-tools, and installed it. It looks like pesign makes use of certutil or similar; both exit with the same error for me:

certutil error: certutil: function failed: The certificate/key database is in an old, unsupported format.
pesign error: Could not initialize nss: The certificate/key database is in an old, unsupported format.

While I want to sign a SLE11 SP3 kernel, I mainly worked with 12.3 on another machine. So I guess the last remaining bit is: How do I sign my kernel?

Thanks,
Thomas

--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
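A defender-side check that goes with the module-signing discussion in the thread above, added here as an example; it is not part of the thread, nor SUSE or kernel tooling. It inspects whether a .ko carries the appended signature trailer that a CONFIG_MODULE_SIG kernel verifies at load time. The trailer layout (a 12-byte struct module_signature followed by the 28-byte magic string "~Module signature appended~\n") is the upstream kernel format; the sample module the script builds is constructed, with 64 filler bytes standing in for a real PKCS#7 signature blob.

```shell
#!/bin/sh
# Added example, not part of the thread: inspect the module-signature trailer
# that a CONFIG_MODULE_SIG kernel verifies when a .ko is loaded.
#
# Trailer layout (upstream kernel format, appended to the ELF file):
#   <signature bytes>
#   struct module_signature (12 bytes): algo, hash, id_type, signer_len,
#       key_id_len, pad[3], sig_len (32-bit big-endian)
#   "~Module signature appended~\n" (28 bytes)
MODSIG_MAGIC='~Module signature appended~'

# has_module_sig FILE: succeed if FILE ends with the module-signature magic.
has_module_sig() {
    # command substitution drops the trailing newline of the 28-byte magic
    trailer=$(tail -c 28 "$1")
    [ "$trailer" = "$MODSIG_MAGIC" ]
}

# modsig_len FILE: print the sig_len field (declared signature size in bytes).
# sig_len is the last 4 bytes of the struct, i.e. bytes -32..-29 of the file.
modsig_len() {
    tail -c 32 "$1" | head -c 4 | od -An -tu1 |
        awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# modsig_id_type FILE: print the id_type byte (2 = PKCS#7, what sign-file emits).
# The struct starts 40 bytes from the end; id_type is its third byte.
modsig_id_type() {
    tail -c 40 "$1" | head -c 3 | od -An -tu1 | awk '{ print $3 }'
}

# make_sample_module OUT: write a constructed stand-in for a signed .ko.
# The "signature" is 64 filler bytes, not a real PKCS#7 blob.
make_sample_module() {
    out=$1
    printf 'constructed stand-in for ELF module contents' > "$out"
    i=0
    while [ "$i" -lt 64 ]; do printf 'S'; i=$((i + 1)); done >> "$out"
    # struct module_signature: algo=0 hash=0 id_type=2 signer_len=0
    # key_id_len=0 pad=0,0,0 sig_len=0x00000040 (64, big-endian)
    printf '\000\000\002\000\000\000\000\000\000\000\000\100' >> "$out"
    printf '%s\n' "$MODSIG_MAGIC" >> "$out"
}

# report FILE: one-line summary, usable over a directory of modules.
report() {
    if has_module_sig "$1"; then
        echo "$1: signature trailer present, id_type=$(modsig_id_type "$1"), sig_len=$(modsig_len "$1")"
    else
        echo "$1: no signature trailer (a CONFIG_MODULE_SIG_FORCE kernel would refuse it)"
    fi
}
```

Run `report` over real modules (for example the files under `/lib/modules/$(uname -r)`) to find unsigned ones; `modinfo` prints the `signer:`, `sig_key:` and `sig_hashalgo:` fields for a signed module and is the quicker tool on a live system. Note that the presence of a trailer says nothing about whether the signature verifies: that depends on the signer's key being in the kernel's keyring (built in, or enrolled from db/MOK as joeyli describes for the SP3 kernel).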