[opensuse-kernel] openSUSE kernel of UEFI secure boot for testing
Hi all,

In the past 2 weeks, I backported 5 patches to support UEFI secure boot and also sent them to opensuse-kernel for every expert's review:

[PATCH 0/11] Backported patches to lock down functions in secure boot [1]
[PATCH 0/2] Backported patches for prepare KMP kernel module sign [2]
[PATCH 0/4] Backported patches for support driver firmware sign [3]
[PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN) [4]
[PATCH 0/19] Backported patches for support UEFI variable filesystem [5]

Now, I cloned a kernel-source of openSUSE 12.3 and pushed those backported patches to this branch:
https://gitorious.org/~joeyli/opensuse/joeylis-kernel-source/commits/openSUS...

And, I also pushed the kernel source to OBS to build out kernel RPMs:
https://build.opensuse.org/project/show?project=home%3Ajoeyli%3Abranches%3Ao...

Those kernel RPMs are for anyone who wants to try the backported patches on openSUSE. e.g. we can set the 'secureboot_enable=1' kernel parameter to lock down some functions on a non-UEFI machine, then monitor the openSUSE behavior. Or we can test the kernel module sign.

Thanks a lot!
Joey Lee

[1] [PATCH 0/11] Backported patches to lock down functions in secure boot

Patch-mainline: Not yet, reviewing
References: none
Target: openSUSE 12.3

Test steps:
+ build; make modules_install; make install
+ add 'secureboot_enable=1' kernel parameter

Known issues on SLE (fixed):
+ xorg-x11-server needs the d01921ec18c21f21d377b606 patch to avoid 'xf86EnableIOPorts: failed to set IOPL for I/O (Operation not permitted)'

Backported 11 patches to lock down functions in secure boot:
0001_Secure_boot:_Add_new_capability_v2.patch
0002_PCI:_Lock_down_BAR_access_in_secure_boot_environments_v2.patch
0003_x86:_Lock_down_IO_port_access_in_secure_boot_environments_v2.patch
0004_ACPI:_Limit_access_to_custom_method_v2.patch
0005_asus-wmi:_Restrict_debugfs_interface_v2.patch
0006_Restrict__dev_mem_and__dev_kmem_in_secure_boot_setups_v2.patch
0007_Secure_boot:_Add_a_dummy_kernel_parameter_that_will_switch_on_Secure_Boot_mode_v2.patch
0008_efi:_Enable_secure_boot_lockdown_automatically_when_enabled_in_firmware_v2.patch
0009_acpi:_Ignore_acpi_rsdp_kernel_parameter_in_a_secure_boot_environment_v2.patch
0010_SELinux:_define_mapping_for_new_Secure_Boot_capability_v2.patch
0011-hibernate-Disable-in-a-Secure-Boot-environment.patch

[2] [PATCH 0/2] Backported patches for prepare KMP kernel module sign

Patch-mainline: v3.8-rc?
References: none
Target: openSUSE 12.3

Backported 2 patches for preparing KMP kernel module sign:
0001-MODSIGN-Avoid-using-.incbin-in-C-source.patch
0002-MODSIGN-Drop-ccache-hack.patch

[3] [PATCH 0/4] Backported patches for support driver firmware sign

Patch-mainline: Not yet, reviewing (contributed by Takashi)
Target: openSUSE 12.3

Test steps:
+ select the following kernel config:
    Enable loadable module support -> Module signature verification
        Require modules to be validly signed
        Which hash algorithm should modules be signed with?
    Device Drivers ---> Generic Driver Options ---> Firmware signature verification (NEW)
+ mkinitrd needs this patch [1]
+ build; make modules_install; make firmware_install; make install
+ check the /lib/modules/3.0.51-default/, it should have *.sig files
+ We can also test manually signing a firmware file:
  # ./scripts/sign-file -f -v signing_key.priv signing_key.x509 /lib/firmware/rtl_nic/rtl8105e-1.fw

Takashi's patch set for driver firmware sign is being reviewed upstream; I backported it to openSUSE 12.3 for more testing.

Backported 4 patches for support driver firmware sign
Driver firmware sign (from Takashi, reviewing on upstream): Not yet:
0001-firmware:_Add_the_firmware_signing_support_to_scripts_sign-file.patch
0002-firmware:_Add_-a_option_to_scripts_sign-file.patch
0003-firmware:_Add_support_for_signature_checks.patch
0004-firmware:_Install_firmware_signature_files_automatically.patch

[1]
Index: mkinitrd-2.4.2/scripts/setup-modules.sh
===================================================================
--- mkinitrd-2.4.2.orig/scripts/setup-modules.sh
+++ mkinitrd-2.4.2/scripts/setup-modules.sh
@@ -375,6 +375,10 @@ for module in $resolved_modules; do
                 has_firmware=true
             fi
             echo -n "$fw "
+            if test -e "$dir/$subdir/$fw.sig"; then
+                cp -p --parents "$_" "$tmp_mnt"
+                echo -n "$fw.sig "
+            fi
         fi
     done
 done

[4] [PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN)

Patch-mainline: Not yet, from Fedora 18 kernel
References: fate#314574
Target: SLE-11 SP3
Tested-on: qemu-kvm with OVMF UEFI BIOS

Test steps:
+ enable the following kernel configs:
    CONFIG_MODULE_SIG_FORCE=y
    CONFIG_MODULE_SIG_BLACKLIST=y
    CONFIG_MODULE_SIG_UEFI=y
+ build
+ make modules_install; make install
  When we do make modules_install, the script will sign the kernel modules.
+ copy the vmlinuz binary to the efi folder:
  # mv /boot/vmlinuz-3.0.53-default /boot/efi/vmlinuz-3.0.53-default.efi
+ boot the kvm image with the UEFI BIOS, enroll the key to db, dbx
+ boot the kvm image to SUSE, enroll the key to MokList by mokutil
+ reboot the system, go to the UEFI shell
+ run the vmlinuz-3.0.53-default.efi STUB kernel, the boot message should show:
  [ 0.157219] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.module_sign'
  [ 0.159674] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.modsign_blacklist'

Backported 7 patches for load key of module sign from db, dbx and MokList (MODSIGN):
0001-modsign-Always-enforce-module-signing-in-a-Secure-Boot.patch
0002-Add-EFI-signature-data-types.patch
0003-Add-an-EFI-signature-blob-parser-and-key-loader.patch
0004-EFI-Add-in-kernel-variable-to-determine-if-Secure-Boot-is-enabled.patch
0005-MODSIGN-Add-module-certificate-blacklist-keyring.patch
0006-MODSIGN-Import-certificates-from-UEFI-Secure-Boot-v3.patch
0007-Dont-soft-lockup-on-bad-EFI-signature-lists.patch

[5] [PATCH 0/19] Backported patches for support UEFI variable filesystem

Patch-mainline: v3.8-rc1..v3.8-rc3
Target: openSUSE 12.3

Test steps:
+ build; make modules_install; make install
+ mount -t efivarfs none /sys/firmware/efi/efivars/ or create file
  /lib/systemd/system/sys-firmware-efi-efivars.mount [1]
+ ls /sys/firmware/efi/efivars will show up all EFI variables
+ Try the small create[2]/delete[3] programs from Gary Lin
  The create program will create an EFI variable named TestVar, then we can see it show up in /sys/firmware/efi/efivars. And the delete program can remove it.

Backported 19 patches:
0001-efi-Add-support-for-a-UEFI-variable-filesystem.patch
0002-efi-Handle-deletions-and-size-changes-in-efivarfs_w.patch
0003-efi-add-efivars-kobject-to-efi-sysfs-folder.patch
0004-efivarfs-Add-documentation-for-the-EFI-variable-fil.patch
0005-efivarfs-efivarfs_file_read-ensure-we-free-data-in.patch
0006-efivarfs-efivarfs_create-ensure-we-drop-our-refer.patch
0007-efivarfs-efivarfs_fill_super-fix-inode-reference.patch
0008-efivarfs-efivarfs_fill_super-ensure-we-free-our-t.patch
0009-efivarfs-efivarfs_fill_super-ensure-we-clean-up-c.patch
0010-efivarfs-Implement-exclusive-access-for-get-set-_v.patch
0011-efivarfs-Return-an-error-if-we-fail-to-read-a-variab.patch
0012-efi-Clarify-GUID-length-calculations.patch
0013-efivarfs-Replace-magic-number-with-sizeof-attributes.patch
0014-efivarfs-Add-unique-magic-number.patch
0015-efivarfs-Make-datasize-unsigned-long.patch
0016-efivarfs-Return-a-consistent-error-when-efivarfs_get.patch
0017-efivarfs-Fix-return-value-of-efivarfs_file_write.patch
0018-efivarfs-Use-query_variable_info-to-limit-kmalloc.patch
0019-efivarfs-Make-efivarfs_fill_super-static.patch

[1] /lib/systemd/system/sys-firmware-efi-efivars.mount (already sent to systemd mailing list for review)

[Unit]
Description=EFI Variables File System
Documentation=https://www.kernel.org/doc/Documentation/filesystems/efivarfs.txt
DefaultDependencies=no
ConditionPathExists=/sys/firmware/efi/efivars
Before=sysinit.target

[Mount]
What=efivarfs
Where=/sys/firmware/efi/efivars
Type=efivarfs

[2] create.c

/* create.c: create the EFI variable TestVar through efivarfs.
 * def.h is not included in this mail; it is expected to define EFIVARS_FS
 * (the efivarfs mount point, "/sys/firmware/efi/efivars/"), MY_GUID (the
 * vendor GUID string for the variable) and the EFI_VARIABLE_* attribute bits. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <linux/limits.h>
#include "def.h"

int main ()
{
    const char *variable_name = "TestVar";
    char file_path[PATH_MAX];
    int fd, flags;
    mode_t mode;
    uint32_t attribute;
    char buffer[1024 + 4];    /* 4-byte attribute word followed by 1024 bytes of data */
    int i;

    /* efivarfs names each variable <VariableName>-<VendorGUID> */
    snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID);

    flags = O_CREAT | O_WRONLY;
    mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH;
    fd = open (file_path, flags, mode);
    if (fd < 0) {
        fprintf (stderr, "Failed to open %s\n", file_path);
        return -1;
    }

    /* The first 4 bytes of the write are the variable attributes, the rest is the data */
    attribute = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS;
    memcpy (buffer, &attribute, sizeof(uint32_t));
    for (i = 0; i < 1024; i++)
        buffer[i+4] = 'a';

    /* efivarfs expects attributes and data together in a single write() */
    if (write (fd, buffer, 1024 + 4) != (1024 + 4)) {
        fprintf (stderr, "Failed to write\n");
    }
    close (fd);

    return 0;
}

[3] delete.c

/* delete.c: remove the TestVar variable created above.
 * Deleting a variable is done by unlinking its efivarfs file; def.h (not
 * included in this mail) provides EFIVARS_FS and MY_GUID as for create.c. */
#include <stdio.h>
#include <unistd.h>
#include <linux/limits.h>
#include "def.h"

int main ()
{
    const char *variable_name = "TestVar";
    char file_path[PATH_MAX];

    snprintf (file_path, PATH_MAX, "%s%s-%s", EFIVARS_FS, variable_name, MY_GUID);
    unlink (file_path);

    return 0;
}
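Review bot: on the mkinitrd setup-modules.sh hunk in [3], the added line `cp -p --parents "$_" "$tmp_mnt"` relies on `$_` still holding the last argument of the preceding `test -e "$dir/$subdir/$fw.sig"`; that works in bash today but silently copies the wrong file if any command is ever inserted between the two lines, so name the path explicitly: `cp -p --parents "$dir/$subdir/$fw.sig" "$tmp_mnt"`. The hunk also passes quietly when no .sig exists (the firmware itself was already echoed and copied above it), so a one-line comment saying that unsigned firmware is intentionally still included would save the next reader a question.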
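The key loader in [4] reads the db, dbx and MokList variables, whose contents are a sequence of EFI_SIGNATURE_LIST records, each holding one or more EFI_SIGNATURE_DATA entries (a 16-byte owner GUID followed by the certificate or hash). The walker below is an added example, not code from the backported patches or from this mail: the record layout and the two type GUIDs are from the UEFI specification, and the sample database is constructed inline. Every size field is checked before it is trusted, so a malformed list (here a zero SignatureListSize) is rejected instead of stalling the loop, which is the class of input the "Dont-soft-lockup-on-bad-EFI-signature-lists" patch in that series guards against.

```c
/* EFI signature database walker (added example; layout from the UEFI spec).
 * Blob = EFI_SIGNATURE_LIST*, each = 28-byte header + optional signature
 * header + N entries of SignatureSize bytes (16-byte owner GUID + payload). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ESL_HDR_LEN   28   /* SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4) */
#define ESD_OWNER_LEN 16   /* SignatureOwner GUID in front of every entry */

/* little-endian byte forms of EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID */
static const uint8_t EFI_CERT_X509_GUID[16]   = {0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};
static const uint8_t EFI_CERT_SHA256_GUID[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};

struct esl_stats { unsigned lists, x509, sha256, unknown; };

static uint32_t rd32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff; }

/* Returns the number of lists found, or -1 on a malformed blob. Every size is
 * validated before use: a zero or oversized SignatureListSize would otherwise
 * stall the loop or read past the end of the blob. */
int walk_signature_db(const uint8_t *blob, size_t len, struct esl_stats *st)
{
    size_t off = 0;
    memset(st, 0, sizeof *st);
    while (off < len) {
        if (len - off < ESL_HDR_LEN) return -1;          /* truncated list header */
        const uint8_t *esl = blob + off;
        uint32_t list_size = rd32(esl + 16);
        uint32_t hdr_size  = rd32(esl + 20);
        uint32_t sig_size  = rd32(esl + 24);
        if (list_size < ESL_HDR_LEN || list_size > len - off) return -1;
        if (hdr_size > list_size - ESL_HDR_LEN) return -1;
        size_t sigs_len = list_size - ESL_HDR_LEN - hdr_size;
        /* entries carry an owner GUID plus payload and must tile the list exactly */
        if (sig_size <= ESD_OWNER_LEN || sigs_len == 0 || sigs_len % sig_size) return -1;
        unsigned n = (unsigned)(sigs_len / sig_size);
        if (!memcmp(esl, EFI_CERT_X509_GUID, 16)) {
            st->x509 += n;
        } else if (!memcmp(esl, EFI_CERT_SHA256_GUID, 16)) {
            if (sig_size != ESD_OWNER_LEN + 32) return -1;  /* SHA-256 entries are fixed size */
            st->sha256 += n;
        } else {
            st->unknown += n;                             /* unknown type: skipped, not fatal */
        }
        st->lists++;
        off += list_size;                                 /* always advances: list_size >= 28 */
    }
    return (int)st->lists;
}

/* Append one list of `count` entries whose payload is `data_len` bytes of `fill`.
 * Returns the bytes written, or 0 if the list does not fit. */
static size_t append_list(uint8_t *out, size_t cap, const uint8_t type[16], unsigned count, uint32_t data_len, uint8_t fill)
{
    uint32_t sig_size = ESD_OWNER_LEN + data_len, list_size = ESL_HDR_LEN + count * sig_size;
    if (list_size > cap) return 0;
    memcpy(out, type, 16);
    wr32(out + 16, list_size); wr32(out + 20, 0); wr32(out + 24, sig_size);
    for (unsigned i = 0; i < count; i++) {
        uint8_t *sig = out + ESL_HDR_LEN + i * sig_size;
        memset(sig, 0x11, ESD_OWNER_LEN);                 /* constructed owner GUID */
        memset(sig + ESD_OWNER_LEN, fill, data_len);      /* stand-in for a DER cert or hash */
    }
    return list_size;
}

/* Constructed sample db: one X.509 list with a single 300-byte "certificate",
 * then one SHA-256 list with two hashes. Returns the total length (468). */
size_t build_sample_db(uint8_t *buf, size_t cap)
{
    size_t n = append_list(buf, cap, EFI_CERT_X509_GUID, 1, 300, 0x30);
    if (!n) return 0;
    size_t m = append_list(buf + n, cap - n, EFI_CERT_SHA256_GUID, 2, 32, 0xab);
    return m ? n + m : 0;
}

/* The same sample with the first SignatureListSize zeroed; returns the walker's verdict. */
int corrupt_db_verdict(void)
{
    uint8_t buf[512]; struct esl_stats st;
    size_t n = build_sample_db(buf, sizeof buf);
    wr32(buf + 16, 0);
    return walk_signature_db(buf, n, &st);
}

int main(void)
{
    uint8_t buf[512]; struct esl_stats st;
    size_t n = build_sample_db(buf, sizeof buf);
    int lists = walk_signature_db(buf, n, &st);
    printf("%zu bytes: %d lists, %u x509 certs, %u sha256 hashes, %u unknown\n", n, lists, st.x509, st.sha256, st.unknown);
    printf("corrupt blob verdict: %d\n", corrupt_db_verdict());
    return 0;
}
```

Unknown signature types are counted and skipped rather than treated as errors, since a real db routinely carries types a module-signing key loader does not care about; only structurally inconsistent sizes abort the walk.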
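The create.c and delete.c programs in [5] depend on two efivarfs conventions: a variable is a file named <VariableName>-<VendorGUID>, and its contents are a 4-byte little-endian attribute word followed by the variable data, written in one write(). The helpers below are an added example, not Gary Lin's or the kernel's code: they parse and build that record, split an efivarfs file name into its parts, and interpret the one-byte SecureBoot variable that firmware uses to report whether secure boot is on. Attribute bit values are from the UEFI specification; the SecureBoot record is constructed, with the well-known EFI global variable GUID used in the sample name.

```c
/* efivarfs record helpers (added example; attribute bits from the UEFI spec). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>

#define EFI_VARIABLE_NON_VOLATILE       0x00000001
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002
#define EFI_VARIABLE_RUNTIME_ACCESS     0x00000004

struct efivar_rec { uint32_t attrs; const uint8_t *data; size_t data_len; };

/* Parse bytes read from an efivarfs file; -1 if too short for the attribute word. */
int efivar_parse(const uint8_t *buf, size_t len, struct efivar_rec *rec)
{
    if (len < 4) return -1;
    rec->attrs = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 | (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    rec->data = buf + 4;
    rec->data_len = len - 4;
    return 0;
}

/* Build the record create.c writes in a single write(): attrs || data.
 * Returns the total length, or 0 if it does not fit in out. */
size_t efivar_build(uint8_t *out, size_t cap, uint32_t attrs, const uint8_t *data, size_t len)
{
    if (cap < 4 + len) return 0;
    out[0] = attrs & 0xff; out[1] = (attrs >> 8) & 0xff;
    out[2] = (attrs >> 16) & 0xff; out[3] = (attrs >> 24) & 0xff;
    memcpy(out + 4, data, len);
    return 4 + len;
}

/* Render the access attributes as e.g. "NV|BS|RT"; returns how many are set, -1 if out is too small. */
int efivar_attr_names(uint32_t attrs, char *out, size_t cap)
{
    static const struct { uint32_t bit; const char *name; } tab[] = {
        { EFI_VARIABLE_NON_VOLATILE, "NV" },
        { EFI_VARIABLE_BOOTSERVICE_ACCESS, "BS" },
        { EFI_VARIABLE_RUNTIME_ACCESS, "RT" },
    };
    int n = 0; size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++) {
        if (!(attrs & tab[i].bit)) continue;
        int w = snprintf(out + used, cap - used, "%s%s", n ? "|" : "", tab[i].name);
        if (w < 0 || (size_t)w >= cap - used) return -1;
        used += (size_t)w; n++;
    }
    return n;
}

/* True if s is a GUID in 8-4-4-4-12 hex form followed by NUL, as efivarfs names use. */
static int is_guid(const char *s)
{
    static const char pat[] = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
    for (size_t i = 0; i < sizeof pat - 1; i++) {
        if (pat[i] == '-') { if (s[i] != '-') return 0; }
        else if (!isxdigit((unsigned char)s[i])) return 0;
    }
    return s[sizeof pat - 1] == '\0';
}

/* Split "<Name>-<GUID>" into its parts; -1 if fname does not end in a GUID or the buffers are too small.
 * The name itself may contain '-', so the split point is fixed 37 bytes from the end. */
int efivar_split_name(const char *fname, char *name, size_t name_cap, char *guid, size_t guid_cap)
{
    size_t len = strlen(fname);
    if (len < 38 || fname[len - 37] != '-' || !is_guid(fname + len - 36)) return -1;
    if (len - 37 >= name_cap || guid_cap < 37) return -1;
    memcpy(name, fname, len - 37); name[len - 37] = '\0';
    memcpy(guid, fname + len - 36, 37);
    return 0;
}

/* Interpret the SecureBoot variable (exactly 1 data byte): 1 enabled, 0 disabled, -1 malformed. */
int efivar_secureboot_enabled(const uint8_t *buf, size_t len)
{
    struct efivar_rec rec;
    if (efivar_parse(buf, len, &rec) < 0 || rec.data_len != 1) return -1;
    return rec.data[0] == 1 ? 1 : 0;
}

int main(void)
{
    /* constructed: the record typically read from SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c */
    uint8_t buf[8], one = 1; char names[16]; struct efivar_rec rec;
    size_t n = efivar_build(buf, sizeof buf, EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, &one, 1);
    efivar_parse(buf, n, &rec);
    efivar_attr_names(rec.attrs, names, sizeof names);
    printf("SecureBoot: attrs=%s data_len=%zu enabled=%d\n", names, rec.data_len, efivar_secureboot_enabled(buf, n));
    return 0;
}
```

Note that SecureBoot is a BS|RT variable without NV, unlike the NV|BS|RT TestVar that create.c writes: it is recreated by firmware at every boot and cannot be set from the OS, which is what makes its value usable as the in-kernel secure-boot indicator.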