On Tue, 2013-03-05 at 18:29 +0100, Thomas Renninger wrote:
On Tuesday, March 05, 2013 03:43:21 PM joeyli wrote:
Hi Thomas,
...
Currently there is no openSUSE wiki or document explaining kernel module signing. As far as I know, we didn't enable kernel module signing (CONFIG_MODULE_SIG) on openSUSE 12.3. I am not sure we still need a document if openSUSE doesn't enable it.
About the kernel module signing subsystem, the big differences between the openSUSE 12.3 kernel and the SLES-11 SP3 kernel:
+ Firmware signing: We merged Takashi's firmware signing patches into the SP3 kernel but not into openSUSE 12.3.
+ Enrolling keys from db and MOK under UEFI BIOS: The SP3 kernel will load keys from db and MOK into modsign_keyring to check 3rd-party-signed or self-signed kernel modules. This feature isn't in the openSUSE 12.3 kernel. And, of course, the openSUSE kernel will not revoke a key through dbx in UEFI. The patches supporting this function were sent to kernel upstream by Matthew Garrett for review; unfortunately I didn't see them in v3.9-rc1.

I can enroll keys via BIOS or via mokmanager. The latter works by booting into the efi shell and calling:
fs0:\efi\SUSE\shim.efi MokManager.efi

Sorry, my description of 'Enroll' was not clear. Yes, your operation is right for enrolling the certificate into MOK, but the openSUSE 12.3 kernel doesn't have the ability to load the public key from db or MOK. When the kernel loads a key into the keyring, you should see the following in dmesg:
[ 2.272837] MODSIGN: Loaded cert 'Magrathea: Glacier signing key: 444fad680dbea252b64ab87008d596fa9a67081c'
By default there should be a public key embedded when the kernel is built with kernel module signing enabled. The kernel will load more public keys from db/MOK, but this patchset needs to be applied: http://lists.opensuse.org/opensuse-kernel/2013-01/msg00056.html

The following is a simple note on how to try kernel module signing manually. This procedure works with mainline and SLES kernels; I think it should also work with the openSUSE 12.3 kernel: ...

Thanks, module signing seems to work. What seems to be missing is that the kernel needs to be signed manually?
There are quite a few different tools out there: certutils, efitools, pesign, sbsign, openssl, ...
I played a bit with these, found efitools in Michael's obs project, etc. Our build service seems to use pesign, but the .spec file only marks which files to sign, and the key/certificate comes from the build service.
I couldn't find out how to feed my own local pesign key database. certutils I only found packaged in mozilla-nss-tools, and installed it. Looks like pesign makes use of certutils or similar; both exit with the same error for me:
certutil error: certutil: function failed: The certificate/key database is in an old, unsupported format.
pesign error: Could not initialize nss: The certificate/key database is in an old, unsupported format.
While I want to sign a SLE11 SP3 kernel, I mainly worked with 12.3 on another machine.
So I guess the last remaining bit is: how do I sign my kernel?
Thanks,
Thomas
For how to use the pesign NSS database, you can refer to this wiki page written by Gary Lin: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
About signing the kernel binary on the IBS server, the mechanism was built by Michal Marek, Michael Schroeder and Gary Lin. They will know more details.
Thanks a lot!
Joey Lee
--
To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
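As an added example (not code from this thread or from the openSUSE/SLES kernel), a small check for the appended module signature that the manual signing procedure discussed above produces: it parses the trailer (struct module_signature plus the "~Module signature appended~" magic) that the kernel's sign-file appends to a .ko, so an administrator can tell whether a module on disk is signed and by which signer before the kernel with CONFIG_MODULE_SIG decides whether to load it. It assumes the 3.7-era trailer layout with an X.509 id_type (signer name and key id stored in the trailer); later PKCS#7 trailers carry zero-length signer/key-id fields and parse the same way. The sample module bytes, signer name and key id are constructed test data; the fake signature is not verified, only located.

```python
import struct
import sys

# Trailer layout written by the kernel's scripts/sign-file (3.7-era, X.509 id_type):
#   [module data][signer name][key id][signature][struct module_signature][magic]
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (be32)
MODULE_SIG_STRING = b"~Module signature appended~\n"
SIG_INFO_FMT = ">BBBBB3xI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)  # 12 bytes
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}

def parse_module_signature(data):
    """Return None for an unsigned module, else a dict describing the appended trailer.
    Only the trailer is parsed; cryptographic verification stays with the kernel."""
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO_LEN:
        raise ValueError("signature info block truncated")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        SIG_INFO_FMT, body[-SIG_INFO_LEN:])
    body = body[:-SIG_INFO_LEN]
    if signer_len + key_id_len + sig_len > len(body):
        raise ValueError("declared lengths exceed file size")
    module_len = len(body) - signer_len - key_id_len - sig_len
    signer = body[module_len:module_len + signer_len]
    key_id = body[module_len + signer_len:module_len + signer_len + key_id_len]
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "signer": signer.decode("utf-8", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "module_len": module_len,
    }

def build_sample(module_bytes, signer, key_id, sig):
    """Append a trailer in the layout above (constructed test data, not a real signature)."""
    info = struct.pack(SIG_INFO_FMT, 0, 0, 1, len(signer), len(key_id), len(sig))
    return module_bytes + signer + key_id + sig + info + MODULE_SIG_STRING

# Constructed sample inputs: a fake 64-byte "module" with and without a trailer.
SAMPLE_UNSIGNED = b"\x7fELF" + b"\x00" * 60
SAMPLE_SIGNED = build_sample(SAMPLE_UNSIGNED, b"Magrathea: Glacier signing key",
                             b"\xaa\xbb\xcc\xdd", b"\x30" * 128)

if __name__ == "__main__":
    # Usage: python3 modsig_check.py foo.ko  (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SIGNED
    print(parse_module_signature(data))
```

On a real module the signer string should match the certificate name the kernel reports in its "MODSIGN: Loaded cert" dmesg line; a mismatch or a missing trailer is what the kernel rejects when module signature enforcement is on.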