[opensuse-kernel] kernel lockdown and signed modules
Hi,

I recently needed to rebuild one kmp package to add some changes. I did that and I have been using it without trouble.

However, when I try to load such a module on a UEFI system with secure boot enabled I get:

modprobe: ERROR: could not insert '<module>': Operation not permitted

and dmesg shows:

Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

After some googling I found that I need to sign the module I build myself in order to make it load on a kernel with lockdown. I followed the instructions in:
https://documentation.suse.com/sbp/all/html/SBP-KMP-Manual/index.html
8.2 Signing Module Object Files (UEFI Secure Boot)

I created a key and certificate (8.2.1)
I signed my KMP rpm (8.2.2) using modsign-repackage
I installed the rpm <name>-kmp-<flavor> together with <name>-ueficert
then I imported the certificate installed by <name>-ueficert using mokutil:
mokutil --import /etc/uefi/certs/<file>.crt

After reboot I enrolled the new certificate. Now the command
mokutil --list-enrolled
shows two certificates: the 'openSUSE Secure Boot CA' and the one I have enrolled.

However, when I try to load my (now signed) kernel module I still get:
Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7
(but the command modsign-verify <module> gives: good signature)

Am I doing something wrong? Is the documentation I'm following outdated? Is there a bug somewhere? I don't think the problem is with the UEFI BIOS, as I get the same results on real hardware and in qemu. Any help is appreciated.

Thanks.
Giacomo
On Fri, 27 Nov 2020 15:18:16 +0100, Giacomo Comes wrote:
Which kernel are you trying? Is it with the latest Leap 15.2 or SLE15-SP2? If yes, it might be due to the recently added codesign check. In short, the key has to be generated with the openssl option
-addext "extendedKeyUsage=codeSigning"

You can look at a bugzilla entry below, for example:
https://bugzilla.suse.com/show_bug.cgi?id=1178793

HTH,
Takashi
On Fri, Nov 27, 2020 at 03:41:58PM +0100, Takashi Iwai wrote:
Which kernel are you trying? Is it with the latest Leap 15.2 or SLE15-SP2? If yes, it might be due to the recently added codesign check. In short, the key has to be generated with the openssl option -addext "extendedKeyUsage=codeSigning"
You can look at a bugzilla entry below, for example: https://bugzilla.suse.com/show_bug.cgi?id=1178793
Thanks, that helped. In the end the recent change in the openSUSE kernel made the documentation I was following inaccurate. When creating the key and certificate (step 8.2.1) it is now necessary to add the option '-addext "extendedKeyUsage=codeSigning"' to the openssl command.

I did that and now my signed module is loading.

Regards.
Giacomo
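As an added example (not code from the thread, the SUSE manual or the openSUSE kernel project), the following script does the key-generation step 8.2.1 the way the thread concludes it must now be done, with the extendedKeyUsage=codeSigning extension, and provides the check a practitioner wants before going through modsign-repackage and mokutil: does a given certificate actually carry that extension? It also generates a certificate without the extension, so the two can be compared. Function names, file names and the subject CN are assumptions; `openssl req -addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: generate a kernel module signing certificate with the
# codeSigning EKU that the lockdown module signature check requires, and
# check any certificate (PEM or DER) for that EKU. Names are assumptions.
# Requires OpenSSL >= 1.1.1 for `req -addext`.
set -e

# Self-signed key/cert with extendedKeyUsage=codeSigning.
# $1 = output basename (writes $1.key and $1.crt), $2 = subject CN.
gen_modsign_cert() {
    base=$1
    cn=$2
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -keyout "$base.key" -out "$base.crt" \
        -subj "/CN=$cn/" \
        -addext "extendedKeyUsage=codeSigning" >/dev/null 2>&1
}

# Same command without -addext: what a key made from the old manual text
# looks like. Signatures made with it verify with modsign-verify but the
# kernel still reports "unsigned module loading is restricted".
gen_plain_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2/" >/dev/null 2>&1
}

# Return 0 if the certificate carries the Code Signing EKU, 1 otherwise.
# $1 = certificate file, $2 = PEM (default) or DER.
has_codesigning_eku() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'Code Signing'
}

# Convert the PEM certificate to DER, the encoding mokutil --import reads.
# $1 = PEM input, $2 = DER output.
pem_to_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}
```

Usage: `gen_modsign_cert kmp-signing "My KMP signing key"` produces `kmp-signing.key` and `kmp-signing.crt`; `has_codesigning_eku kmp-signing.crt && echo ok` confirms the extension is present before the certificate is packaged into the -ueficert rpm. The same check works on certificates that are already enrolled: `mokutil --export` writes each enrolled MOK entry as a DER file named `MOK-000N.der`, and `has_codesigning_eku MOK-0001.der DER` tells you whether the key you enrolled earlier is one the kernel will accept for modules, without rebuilding anything first.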
On Fri, 27 Nov 2020 21:06:44 +0100, Giacomo Comes wrote:
Thanks, that helped. In the end the recent change in the opensuse kernel made the documentation I was following inaccurete. When creating key and certificate (step 8.2.1) it is necessary now to add the option '-addext "extendedKeyUsage=codeSigning"' to the openssl command.
I did that and now my signed module is loading.
Good to hear.

Joey, we need to update the documentation above, too. Could you contact our documentation team and update the description?

thanks,
Takashi
Hi Takashi, On Sat, Nov 28, 2020 at 09:32:27AM +0100, Takashi Iwai wrote:
Joey, we need to update the documentation above, too. Could you contact with our documentation team and update the description?
Thanks for your reminder. I created a bug for documentation:
https://bugzilla.suse.com/show_bug.cgi?id=1181033

Sorry for my delay!

Joey Lee
18.01.2021 06:14, joeyli wrote:
Thanks for your reminder. I created a bug for documentation: https://bugzilla.suse.com/show_bug.cgi?id=1181033
Is it secret documentation? You are not authorized to access bug #1181033.
Hi Andrei, On Mon, Jan 18, 2021 at 08:17:05AM +0300, Andrei Borzenkov wrote:
Is it secret documentation?
You are not authorized to access bug #1181033.
Thanks for your reminder. I am not sure whether the documentation is maintained by the same team. So I just created another bug for openSUSE Leap 15.2:
https://bugzilla.suse.com/show_bug.cgi?id=1181036

Thanks
Joey Lee
Hi all, On Mon, Jan 18, 2021 at 11:14:40AM +0800, Joey Lee wrote:
Thanks for your reminder. I created a bug for documentation: https://bugzilla.suse.com/show_bug.cgi?id=1181033
The above bug is for SLE15-SP2. I am not sure whether the documentation is maintained by the same team. So I just created another bug for openSUSE Leap 15.2:
https://bugzilla.suse.com/show_bug.cgi?id=1181036

Regards
Joey Lee
participants (4)
- Andrei Borzenkov
- Giacomo Comes
- joeyli
- Takashi Iwai