[opensuse-kernel] Secure boot with self built kernel on openSUSE or SLES
Hi,

I've seen the various module signing and other patches to make secure boot work. But I could not find some kind of quick guide on how to sign a kernel and modules myself, install my own key or whatever is needed. If I have missed already existing documentation, it would be great if someone could point me to it. Otherwise it would be nice to have a tiny thread explaining what tools are needed, etc. Differences to SLES would be nice to know as well.

Thanks,
Thomas
-- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org

Hi Thomas,

On Mon, 2013-03-04 at 16:54 +0100, Thomas Renninger wrote:
Hi,
I've seen the various module signing and other patches to make secure boot work.
But I could not find some kind of quick guide on how to sign a kernel and modules myself, install my own key or whatever is needed.
If I have missed already existing documentation, it would be great if someone could point me to it.
Here is the kernel document on kernel module signing in David Howells's linux-modsign tree: http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-modsign.git/plain...
Otherwise it would be nice to have a tiny thread explaining what tools are needed, etc. Differences to SLES would be nice to know as well.
Thanks,
Thomas
Currently there is no openSUSE wiki or document explaining kernel module signing. As far as I know we didn't enable kernel module signing (CONFIG_MODULE_SIG) on openSUSE 12.3. I am not sure we still need a document if openSUSE doesn't enable it.

About the kernel module signing subsystem, the big differences between the openSUSE 12.3 kernel and the SLES-11 SP3 kernel:

+ Firmware signing: We merged Takashi's firmware signing patches into the SP3 kernel but not into openSUSE 12.3.

+ Enrolling keys from db and MOK on UEFI BIOS: the SP3 kernel will load keys from db and MOK into modsign_keyring to check 3rd-party-signed or self-signed kernel modules. This feature is not in the openSUSE 12.3 kernel. And, of course, the openSUSE kernel will not revoke a key through dbx in UEFI. The patches supporting this function were sent to kernel upstream by Matthew Garrett for review; unfortunately they didn't show up in v3.9-rc1.

The following is a simple note on how to try kernel module signing manually. This procedure works with mainline and SLES kernels; I think it should also work with the openSUSE 12.3 kernel:

+ Select the following kernel config:
  Enable loadable module support -> Module signature verification
    Require modules to be validly signed
    Which hash algorithm should modules be signed with? ---> SHA256 (default)

+ When doing the kernel build, it will auto-generate a key pair in the kernel source folder for testing:
  signing_key.priv: private key
  signing_key.x509: public key

+ make modules_install; make install
  When we do make modules_install, the script will sign the kernel modules.

+ After make install, the kernel module (*.ko) files will be installed to /lib/modules/3.0.46-default
  Please check any ko file; there should be a signature appended at the end of it. e.g.
  vi /lib/modules/3.0.46-default/kernel/drivers/platform/x86/acer-wmi.ko
  You can see a 'Magrathea: Glacier signing key' header and the signature attached to the end of the ko file, like the following:
  ...
  @ec_read^@Magrathea: Glacier signing keyèÈ5<8c>s¥y;M<87>u^F¾ÖzÛ&^Rë_^B^@q<87.........A^B^A^^^T^@^@^@^@^@^B^B~Module signature appended~

+ Verify: To verify the kernel module signature, you can try to insmod a non-signed ko file. You can find the non-signed ko files in the original kernel source folder. Then you can see:
  linux-kyk7:~/kernel-source.nfs/drivers/platform/x86 # insmod acer-wmi.ko
  insmod: error inserting 'acer-wmi.ko': -1 Required key not available
  For signed kernel modules, everything works as normal when using modprobe.

+ Strip the signature from a signed kernel module:
  # strip -x acer-wmi.ko
  Then if you use insmod on the stripped ko file, it will also show 'Required key not available'.

+ Generate your own gpg key for testing: The kernel build script will detect whether signing_key.priv and signing_key.x509 exist; if not, it will auto-generate a key pair for testing. So, if we want to use our own key for kernel module signing, we need to generate a gpg key and rename it to signing_key.priv/signing_key.x509. Follow the kernel module signing document: http://git.kernel.org/?p=linux/kernel/git/dhowells/linux-modsign.git;a=blob_...

  # cat >genkey <<EOF
  %pubring signing_key.x509
  %secring signing_key.priv
  Key-Type: RSA
  Key-Length: 4096
  Name-Real: A. N. Other
  Name-Comment: Kernel Module GPG key
  %commit
  EOF
  # gpg --homedir . --batch --gen-key genkey

  Then we can edit the x509.genkey file to modify the attributes for the kernel build, e.g.

  linux-kyk7:~/kernel-source.nfs # cat x509.genkey
  [ req ]
  default_bits = 4096
  distinguished_name = req_distinguished_name
  prompt = no
  string_mask = utf8only
  x509_extensions = myexts

  [ req_distinguished_name ]
  O = SUSE Lab
  CN = Taipei team signing key
  emailAddress = jlee@suse.com

  [ myexts ]
  basicConstraints=critical,CA:FALSE
  keyUsage=digitalSignature
  subjectKeyIdentifier=hash
  authorityKeyIdentifier=keyid

  Manually generate a key pair for kernel module signing:
  openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
      -x509 -config x509.genkey \
      -outform DER -out signing_key.x509 \
      -keyout signing_key.priv

Thanks a lot!
Joey Lee
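To make the trailer in that ko dump concrete, here is an added example (my own, not code from the thread or the kernel tree) that parses the v3.7-era `struct module_signature` trailer the kernel appends after a module (signer name, key id, signature, 12-byte info struct, then the "~Module signature appended~" magic) and shows why a stripped module reads as unsigned. The sample module it checks is constructed: the ELF body and signature bytes are made up, only the signer name and key id are the ones quoted in this thread.

```python
import struct

# Magic the kernel appends after a signed .ko (the tail of the dump above).
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
MODSIG = struct.Struct(">BBBBB3xI")
ALGO = {0: "DSA", 1: "RSA"}
HASH = {2: "SHA1", 4: "SHA256"}   # enum pkey_hash_algo values in the v3.7-era modsign code
ID_TYPE = {0: "PGP", 1: "X509", 2: "PKCS7"}


def parse_module_signature(ko: bytes):
    """Describe the signature trailer of a module image, or return None if it is unsigned."""
    if not ko.endswith(MAGIC):
        return None   # with signature enforcement insmod reports 'Required key not available'
    end = len(ko) - len(MAGIC) - MODSIG.size
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODSIG.unpack(ko[end:end + MODSIG.size])
    start = end - signer_len - key_id_len - sig_len   # layout: [module][signer][key id][sig][info][magic]
    if start < 0:
        raise ValueError("signature trailer claims more bytes than the file holds")
    signer = ko[start:start + signer_len]
    key_id = ko[start + signer_len:start + signer_len + key_id_len]
    return {
        "algo": ALGO.get(algo, algo), "hash": HASH.get(hash_, hash_),
        "id_type": ID_TYPE.get(id_type, id_type),
        "signer": signer.decode("utf-8", "replace"), "key_id": key_id.hex(),
        "sig_len": sig_len, "payload_len": start,
    }


def build_sample_module() -> bytes:
    """Constructed stand-in for a signed acer-wmi.ko: fake ELF body plus a v3.7-style trailer."""
    body = b"\x7fELF" + b"\0" * 60 + b"ec_read\0"              # constructed, not a real module
    signer = b"Magrathea: Glacier signing key"                  # 30 bytes, the 0x1e seen in the dump
    key_id = bytes.fromhex("444fad680dbea252b64ab87008d596fa9a67081c")  # 20-byte id from the dmesg line
    sig = (4096).to_bytes(2, "big") + b"\xaa" * 512             # fake RSA-4096 MPI: bit count + 512 bytes
    info = MODSIG.pack(1, 2, 1, len(signer), len(key_id), len(sig))   # RSA, SHA1, X509, 514-byte sig
    return body + signer + key_id + sig + info + MAGIC


def strip_trailer(ko: bytes) -> bytes:
    """Drop the appended trailer, the effect that `strip -x` has on a signed module in the thread."""
    info = parse_module_signature(ko)
    return ko if info is None else ko[:info["payload_len"]]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_module()
    print(parse_module_signature(data) or "unsigned module")
```

Run it with a path to a real .ko from /lib/modules to see whether the build actually signed it and with which key; modules from kernels newer than this thread carry a PKCS#7 blob instead (id_type 2, signer_len and key_id_len 0).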
On Tuesday, March 05, 2013 03:43:21 PM joeyli wrote:
Hi Thomas,
...
Currently there is no openSUSE wiki or document explaining kernel module signing. As far as I know we didn't enable kernel module signing (CONFIG_MODULE_SIG) on openSUSE 12.3. I am not sure we still need a document if openSUSE doesn't enable it.
About the kernel module signing subsystem, the big differences between the openSUSE 12.3 kernel and the SLES-11 SP3 kernel:
+ Firmware signing: We merged Takashi's firmware signing patches into the SP3 kernel but not into openSUSE 12.3.
+ Enrolling keys from db and MOK on UEFI BIOS: the SP3 kernel will load keys from db and MOK into modsign_keyring to check 3rd-party-signed or self-signed kernel modules. This feature is not in the openSUSE 12.3 kernel. And, of course, the openSUSE kernel will not revoke a key through dbx in UEFI. The patches supporting this function were sent to kernel upstream by Matthew Garrett for review; unfortunately they didn't show up in v3.9-rc1.

I can enroll keys via BIOS or via mokmanager. The latter works by booting into the efi shell and calling:
fs0:\efi\SUSE\shim.efi MokManager.efi

The following is a simple note on how to try kernel module signing manually. This procedure works with mainline and SLES kernels; I think it should also work with the openSUSE 12.3 kernel:
...

Thanks, module signing seems to work. What seems to be missing is that the kernel needs to be signed manually?

There are quite some different tools out there: certutils, efitools, pesign, sbsign, openssl, ...
I played a bit with these, found efitools in Michael's obs project, etc. Our build service seems to use pesign, but the .spec file only marks which files to sign, and the key/certificate comes from the build service.
I couldn't find out how to feed my own local pesign key database. certutils I only found packaged in mozilla-nss-tools and installed it. Looks like pesign makes use of certutils or similar; both exit with the same error for me:
certutil error: certutil: function failed: The certificate/key database is in an old, unsupported format.
pesign error: Could not initialize nss: The certificate/key database is in an old, unsupported format.
While I want to sign a SLE11 SP3 kernel, I mainly worked with 12.3 on another machine.
So I guess the last remaining bit is: How do I sign my kernel?

Thanks,
Thomas
On Tue, 2013-03-05 at 18:29 +0100, Thomas Renninger wrote:
On Tuesday, March 05, 2013 03:43:21 PM joeyli wrote:
Hi Thomas,
...
Currently there is no openSUSE wiki or document explaining kernel module signing. As far as I know we didn't enable kernel module signing (CONFIG_MODULE_SIG) on openSUSE 12.3. I am not sure we still need a document if openSUSE doesn't enable it.
About the kernel module signing subsystem, the big differences between the openSUSE 12.3 kernel and the SLES-11 SP3 kernel:
+ Firmware signing: We merged Takashi's firmware signing patches into the SP3 kernel but not into openSUSE 12.3.
+ Enrolling keys from db and MOK on UEFI BIOS: the SP3 kernel will load keys from db and MOK into modsign_keyring to check 3rd-party-signed or self-signed kernel modules. This feature is not in the openSUSE 12.3 kernel. And, of course, the openSUSE kernel will not revoke a key through dbx in UEFI. The patches supporting this function were sent to kernel upstream by Matthew Garrett for review; unfortunately they didn't show up in v3.9-rc1.

I can enroll keys via BIOS or via mokmanager. The latter works by booting into the efi shell and calling:
fs0:\efi\SUSE\shim.efi MokManager.efi

Sorry, my description of 'Enroll' is not clear. Yes, your operation is right for enrolling the certificate into MOK, but the openSUSE 12.3 kernel doesn't have the ability to load the public key from db or MOK. When the kernel loads a key into the keyring, you should see the following in dmesg:
[ 2.272837] MODSIGN: Loaded cert 'Magrathea: Glacier signing key: 444fad680dbea252b64ab87008d596fa9a67081c'
By default a public key is embedded when the kernel is built with kernel module signing enabled. The kernel will load more public keys from db/MOK, but this patchset needs to be applied: http://lists.opensuse.org/opensuse-kernel/2013-01/msg00056.html

The following is a simple note on how to try kernel module signing manually. This procedure works with mainline and SLES kernels; I think it should also work with the openSUSE 12.3 kernel:
...

Thanks, module signing seems to work. What seems to be missing is that the kernel needs to be signed manually?
There are quite some different tools out there: certutils, efitools, pesign, sbsign, openssl, ...
I played a bit with these, found efitools in Michael's obs project, etc. Our build service seems to use pesign, but the .spec file only marks which files to sign, and the key/certificate comes from the build service.
I couldn't find out how to feed my own local pesign key database. certutils I only found packaged in mozilla-nss-tools and installed it. Looks like pesign makes use of certutils or similar; both exit with the same error for me:
certutil error: certutil: function failed: The certificate/key database is in an old, unsupported format.
pesign error: Could not initialize nss: The certificate/key database is in an old, unsupported format.
While I want to sign a SLE11 SP3 kernel, I mainly worked with 12.3 on another machine.
So I guess the last remaining bit is: How do I sign my kernel?
Thanks,
Thomas
For how to use the pesign NSS database, you can reference this wiki page written by Gary Lin: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools

About signing the kernel binary on the IBS server, the mechanism was built by Michal Marek, Michael Schroeder and Gary Lin. They will know more details.

Thanks a lot!
Joey Lee
On Wednesday, March 06, 2013 11:13:46 AM joeyli wrote: ...
For how to use the pesign NSS database, you can reference this wiki page written by Gary Lin: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools

This looks like the missing piece(s). I will not be able to try this out before next week, but I will share how it worked out then.

Thanks a lot!
Thomas
On 6.3.2013 04:13, joeyli wrote:
Sorry, my description of 'Enroll' is not clear. Yes, your operation is right for enrolling the certificate into MOK, but the openSUSE 12.3 kernel doesn't have the ability to load the public key from db or MOK.

It also does not enforce signature checking on the modules.

Michal
participants (3): joeyli, Michal Marek, Thomas Renninger