
Hi Thomas,

On Mon, 2013-03-04 at 16:54 +0100, Thomas Renninger wrote:
> Hi,
>
> I've seen the various module signing and other patches to make secure boot work.
> But I could not find some kind of quick guide on how to sign a kernel and modules myself, install my own key, or whatever is needed.
> If I have missed an already existing documentation, it would be great if someone can point me to it.

Here is a kernel document for kernel module signing in David Howells's linux-modsign tree: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-modsign.git/plain...

> Otherwise it would be nice to have a tiny thread explaining what tools are needed, etc. Differences to SLES would be nice to know as well.
>
> Thanks,
> Thomas
Currently there is no openSUSE wiki or document explaining kernel module signing. As far as I know we didn't enable kernel module signing (CONFIG_MODULE_SIG) on openSUSE 12.3. I am not sure we still need a document if openSUSE doesn't enable it.

About the kernel module sign subsystem, the big differences between the openSUSE 12.3 kernel and the SLES-11 SP3 kernel:

 + Firmware sign: We merged Takashi's firmware sign patches into the SP3 kernel but not into openSUSE 12.3.

 + Enroll keys from db and MOK on UEFI BIOS: the SP3 kernel will load keys from db and MOK into modsign_keyring to check 3rd-party-signed or self-signed kernel modules. This feature isn't in the openSUSE 12.3 kernel. And, of course, the openSUSE kernel will not revoke a key through dbx in UEFI. The patches supporting this function were sent to kernel upstream by Matthew Garrett for review; unfortunately I didn't see them in v3.9-rc1.

The following is a simple note on how to try kernel module signing manually. This procedure works with the mainline and SLES kernels; I think it should also work with the openSUSE 12.3 kernel:

 + Select the following kernel config:

     Enable loadable module support --->
         Module signature verification
           Require modules to be validly signed
           Which hash algorithm should modules be signed with? ---> SHA256 (default)

 + When doing the kernel build, it will auto-generate a key pair in the kernel source folder for testing:

     signing_key.priv: private key
     signing_key.x509: public key

 + make modules_install; make install

   When we do make modules_install, the script will sign the kernel modules.

 + After make install, the kernel module (*.ko) files will be installed to /lib/modules/3.0.46-default. Please check any ko file; there should be a signature appended to the end of it, e.g.

     vi /lib/modules/3.0.46-default/kernel/drivers/platform/x86/acer-wmi.ko

   You can see a 'Magrathea: Glacier signing key' header and the signature attached at the end of the ko file, like the following:

     ...
     @ec_read^@Magrathea: Glacier signing keyèÈ5<8c>s¥y;M<87>u^F¾ÖzÛ&^Rë_^B^@q<87.........A^B^A^^^T^@^@^@^@^@^B^B~Module signature appended~

 + Verify: To verify the kernel module signature, you can try to insmod a non-signed ko file. You can find the non-signed ko file in the original kernel source folder. Then you can see:

     linux-kyk7:~/kernel-source.nfs/drivers/platform/x86 # insmod acer-wmi.ko
     insmod: error inserting 'acer-wmi.ko': -1 Required key not available

   For the signed kernel module, everything works as normal when using modprobe.

 + Strip the signature from a signed kernel module:

     # strip -x acer-wmi.ko

   Then you can use insmod on the stripped ko file; it will also show 'Required key not available'.

 + Generate your own gpg key for testing: The kernel build script will detect whether signing_key.priv and signing_key.x509 exist; if not, it will auto-generate a key pair for testing. So, if we want to use our own key for kernel module signing, we need to generate a gpg key and rename it to signing_key.priv/signing_key.x509. Follow the kernel module sign document: http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=blob_...

     # cat >genkey <<EOF
     %pubring signing_key.x509
     %secring signing_key.priv
     Key-Type: RSA
     Key-Length: 4096
     Name-Real: A. N. Other
     Name-Comment: Kernel Module GPG key
     %commit
     EOF
     # gpg --homedir . --batch --gen-key genkey

   Then we can edit the x509.genkey file to modify the attributes for the kernel build, e.g.
     linux-kyk7:~/kernel-source.nfs # cat x509.genkey
     [ req ]
     default_bits = 4096
     distinguished_name = req_distinguished_name
     prompt = no
     string_mask = utf8only
     x509_extensions = myexts

     [ req_distinguished_name ]
     O = SUSE Lab
     CN = Taipei team signing key
     emailAddress = jlee@suse.com

     [ myexts ]
     basicConstraints=critical,CA:FALSE
     keyUsage=digitalSignature
     subjectKeyIdentifier=hash
     authorityKeyIdentifier=keyid

   Manually generate the key pair for kernel module signing:

     openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
         -x509 -config x509.genkey \
         -outform DER -out signing_key.x509 \
         -keyout signing_key.priv

Thanks a lot!
Joey Lee
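As an added example (not part of Joey's mail or the SUSE kernel tree), the check from the "look at the end of the ko file" step done programmatically: a Python script that recognises the "~Module signature appended~" marker, decodes the struct module_signature that precedes it, and reports the signer name, key id and signature length. The struct layout is the one used by the kernel's module signing code; it also covers the later PKCS#7 trailer (id_type 2) beyond the X.509 style shown in the mail, and the sample module bytes are constructed for the demonstration.

```python
import struct
import sys

# Marker the kernel appends after the signature block (MODULE_SIG_STRING).
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature, which sits directly before the marker:
#   u8 algo, hash, id_type, signer_len, key_id_len; u8 __pad[3]; __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
# enum pkey_id_type: with X509 the signer name and key id precede the signature,
# with PKCS7 both lengths are 0 because the PKCS#7 blob carries them itself.
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}


def parse_module_signature(data: bytes):
    """Decode the trailer of a signed module; None if it carries no valid trailer."""
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    if signer_len + key_id_len + sig_len > len(body):
        return None  # lengths point outside the file; the kernel rejects this as -EBADMSG
    sig_start = len(body) - sig_len
    key_start = sig_start - key_id_len
    signer_start = key_start - signer_len
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "algo": algo,        # raw enum values; their meaning depends on the kernel version
        "hash": hash_id,
        "signer": body[signer_start:key_start].decode("ascii", "replace"),
        "key_id": body[key_start:sig_start].hex(),
        "sig_len": sig_len,
        "payload_len": signer_start,  # size of the original, unsigned ELF object
    }


def build_sample_module(signer=b"Magrathea: Glacier signing key", key_id=bytes(range(20)), sig=b"\xaa" * 512):
    """Constructed sample (not a real module): 64 bytes of fake ELF plus an X509-style trailer."""
    payload = b"\x7fELF" + bytes(60)
    # algo 1 (RSA), hash 2 (SHA1), id_type 1 (X509) as in the 3.x-era enums
    info = SIG_INFO.pack(1, 2, 1, len(signer), len(key_id), len(sig))
    return payload + signer + key_id + sig + info + MODULE_SIG_STRING


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_module()
    info = parse_module_signature(blob)
    print("unsigned module" if info is None else info)
```

Run it with a path to a .ko from /lib/modules to inspect a real trailer; without arguments it decodes the constructed sample.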