-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support linux keyring for kernel module signing #52
Comments
Isn't this important for |
I don't think I displaced the documentation I had up yesterday :D But I should build a kernel and try this out :) |
I believe it does: lkrg-org/lkrg#27 Is there anything that would benefit from an additional testing? Happy to help. |
There is nothing to test yet I believe. I'll try write a separate go library for kernel module signing and see if that works first. Then I'll work on some integration with sbctl. If you have any ideas, requirements or wants for the command line design please do tell me. I'll poke you once I have some code available :) Thanks! (Hit the close button by accident :)) |
I was wrong :/ Turns out this was possible, but the kernel seperated the UEFI keys into the Fedora/RedHat carries patches that adds the platform keyring for kernel module signing, but this as been rejected upstream. https://lore.kernel.org/lkml/20190425182134.GA7823@laptop.jcline.org/T/ Regardless I have patched the x509 cert code to create certificates the kernel accepts. a6445c4 This was fairly disappointing |
Seems like there is some movement upstream to have |
That'd be a great feature to have; missing signatures for the virtualbox modules are the one reason I have to disable |
After reading up on the patches I think we can get this to work using
And then we can implement kernel module signing with |
The patches you mentioned above found the way to the kernel meanwhile. Do you now plan to add the feature to save the keys to MokListRT? |
"Yes", but the issue is that the MOK variables are read from the EFI configuration table setup by |
You're right - I ignored the MOK / shim issue. This is knocking out systemd-boot which operates w/o shim - what a pity. Maybe it's even better to have different keys for module signing and UEFI secure boot. |
The issue is that there is only two ways to load a trusted key into the Linux keyring. Include one at build-time or use the patch series above. There is no other way currently. |
Well, this is silly. Considering systemd/systemd#20255 has landed now, it could be extended to also enroll a MOK for these kind of cases… |
You would still need to have the shim there, unless you have I wanted to mention it at some point, but it's a bit hard to know when it was relevant information. |
The idea would be that for this pseudo-shim support, you'd rely on the custom keys (and MOK) to be in the secure boot db and additionally add the MOK-related vars. Then you'd not have to implement any of the hackery that shim does, as afaik it does not provide any UEFI runtime APIs to the kernel (and the kernel stub afaik doesn't need any of the shim boot services either). |
Mm, the kernel refuses to read the |
I see. But installing the MOK key store should be a simple operation that doesn't need hackery (as the UEFI API provides this for us). |
Sure, that would be fine I believe. But be aware that it doesn't really do anything on it's own without the shim. |
But that's the idea, no? Provide a MOK store so that the user can give the kernel a trusted key for kernel module signing, while relying on the regular UEFI secure boot key store (probably without the MOK in it) with custom keys managed by sbctl for boot security. (If you haven't noticed, I hate shim. It's such an incredibly ugly and hacky solution and should be avoided as much as possible.) |
I'm fumbling a bit because it's hard to go from implementation details to see the big-picture :)
Which is fine and I somewhat agree, but it's important to realize that the current assumptions from people writing the kernel code, and people working on Secure Boot in Linux distros, regard the shim as the main component in all of this. Moving away from it is hard :/ |
Is there an update or workaround for this issue? I'm not able to load v4l2loopback without disabling secure boot on my device. |
You need to use the shim and load the This isn't something |
Sorry but I don't know what that means. For my setup I generated bundles for each boot entry and put them in |
Heftig is probably adding support for loading UEFI keys into the Linux keyring when secure boot is enabled. This allows us to use the db key for kernel module signing which is handy if you are using
lockdown=confidentialy
and dkms modules needs to be signed by a trusted key.https://bbs.archlinux.org/viewtopic.php?pid=1861193#p1861193
I think
sbctl
should have some support to sign kernel modules by path, or by name. And also verify that the keyring has the UEFI certificate loaded.The text was updated successfully, but these errors were encountered: