sbctl icon indicating copy to clipboard operation
sbctl copied to clipboard

Published 20 hours ago verified publisher icon Foxboron

Support linux keyring for kernel module signing

Open Foxboron opened this issue 3 years ago • 23 comments

Heftig is probably adding support for loading UEFI keys into the Linux keyring when secure boot is enabled. This allows us to use the db key for kernel module signing which is handy if you are using lockdown=confidentialy and dkms modules needs to be signed by a trusted key.

https://bbs.archlinux.org/viewtopic.php?pid=1861193#p1861193

I think sbctl should have some support to sign kernel modules by path, or by name. And also verify that the keyring has the UEFI certificate loaded.

Foxboron avatar Apr 14 '21 19:04 Foxboron

Isn't this important for lockdown=integrity in the equal measure?.. Which is the default when SB is enabled.

savchenko avatar Apr 15 '21 13:04 savchenko

I don't think integrity disallows loading of unsigned modules, so not as important I reckon. I'm unsure if the UEFI keys gets loaded into the keyring with ìntegrity and confidentiality. But I'd guess so.

I displaced the documentation I had up yesterday :D But I should build a kernel and try this out :)

Foxboron avatar Apr 15 '21 13:04 Foxboron

I believe it does: https://github.com/openwall/lkrg/issues/27

Is there anything that would benefit from an additional testing? Happy to help.

savchenko avatar Apr 16 '21 01:04 savchenko

There is nothing to test yet I believe. I'll try write a separate go library for kernel module signing and see if that works first. Then I'll work on some integration with sbctl.

If you have any ideas, requirements or wants for the command line design please do tell me. I'll poke you once I have some code available :) Thanks!

(Hit the close button by accident :))

Foxboron avatar Apr 16 '21 07:04 Foxboron

I was wrong :/

Turns out this was possible, but the kernel seperated the UEFI keys into the .platform keyring which the modules does not verify against.

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.0.y&id=9dc92c45177ab70e20ae94baa2f2e558da63a9c7

Fedora/RedHat carries patches that adds the platform keyring for kernel module signing, but this as been rejected upstream.

https://lore.kernel.org/lkml/[email protected]/T/

Regardless I have patched the x509 cert code to create certificates the kernel accepts. a6445c4a2bc3f03779d18a034ed171857883c361

This was fairly disappointing

Foxboron avatar Apr 16 '21 20:04 Foxboron

Seems like there is some movement upstream to have MokTrustPlatform tell the kernel if the secure boot keys should be trusted or not. I'm annoyed that a lot of this functionality is gated behind the shim.

https://patchwork.kernel.org/project/keyrings/patch/[email protected]/

Foxboron avatar Jun 21 '21 09:06 Foxboron

That'd be a great feature to have; missing signatures for the virtualbox modules are the one reason I have to disable lockdown=integrty on some of my systems :slightly_smiling_face:

swsnr avatar Jan 03 '22 18:01 swsnr

After reading up on the patches I think we can get this to work using sbctl with this workflow.

  • Create and set MokListTrustedRT to 1
  • Write our keys to MokListRT

And then we can implement kernel module signing with sbctl with kernel 5.18. If the patches do get accepted.

Foxboron avatar Jan 16 '22 22:01 Foxboron

The patches you mentioned above found the way to the kernel meanwhile. Do you now plan to add the feature to save the keys to MokListRT?

Klaus327 avatar Jul 17 '22 18:07 Klaus327

"Yes", but the issue is that the MOK variables are read from the EFI configuration table setup by shim. So without the shim software in your bootchain the kernel is going to ignore the values regardless.

Foxboron avatar Jul 17 '22 20:07 Foxboron

You're right - I ignored the MOK / shim issue. This is knocking out systemd-boot which operates w/o shim - what a pity. Maybe it's even better to have different keys for module signing and UEFI secure boot. Thanks for your work!

Klaus327 avatar Jul 18 '22 19:07 Klaus327

The issue is that there is only two ways to load a trusted key into the Linux keyring. Include one at build-time or use the patch series above. There is no other way currently.

Foxboron avatar Jul 18 '22 19:07 Foxboron

Well, this is silly. Considering https://github.com/systemd/systemd/pull/20255 has landed now, it could be extended to also enroll a MOK for these kind of cases…

medhefgo avatar Aug 04 '22 09:08 medhefgo

You would still need to have the shim there, unless you have sd-boot setup the EFI configuration table :)

I wanted to mention it at some point, but it's a bit hard to know when it was relevant information.

Foxboron avatar Aug 04 '22 09:08 Foxboron

You would still need to have the shim there, unless you have sd-boot setup the EFI configuration table :)

The idea would be that for this pseudo-shim support, you'd rely on the custom keys (and MOK) to be in the secure boot db and additionally add the MOK-related vars. Then you'd not have to implement any of the hackery that shim does, as afaik it does not provide any UEFI runtime APIs to the kernel (and the kernel stub afaik doesn't need any of the shim boot services either).

medhefgo avatar Aug 04 '22 10:08 medhefgo

Mm, the kernel refuses to read the MOK variables unless they are present in the EFI configuration table. So you would need some shim hackery? Am I misunderstanding something? Simply adding the MOK variables is not enough as stated earlier in this issue.

Foxboron avatar Aug 04 '22 10:08 Foxboron

Mm, the kernel refuses to read the MOK variables unless they are present in the EFI configuration table.

I see. But installing the MOK key store should be a simple operation that doesn't need hackery (as the UEFI API provides this for us).

medhefgo avatar Aug 04 '22 10:08 medhefgo

Sure, that would be fine I believe. But be aware that it doesn't really do anything on it's own without the shim.

Foxboron avatar Aug 04 '22 10:08 Foxboron

But that's the idea, no? Provide a MOK store so that the user can give the kernel a trusted key for kernel module signing, while relying on the regular UEFI secure boot key store (probably without the MOK in it) with custom keys managed by sbctl for boot security.

(If you haven't noticed, I hate shim. It's such an incredibly ugly and hacky solution and should be avoided as much as possible.)

medhefgo avatar Aug 04 '22 10:08 medhefgo

But that's the idea, no? Provide a MOK store so that the user can give the kernel a trusted key for kernel module signing, while relying on the regular UEFI secure boot key store (probably without the MOK in it) with custom keys managed by sbctl for boot security.

I'm fumbling a bit because it's hard to go from implementation details to see the big-picture :)

(If you haven't noticed, I hate shim. It's such an incredibly ugly and hacky solution and should be avoided as much as possible.)

Which is fine and I somewhat agree, but it's important to realize that the current assumptions from people writing the kernel code, and people working on Secure Boot in Linux distros, regard the shim as the main component in all of this. Moving away from it is hard :/

Foxboron avatar Aug 04 '22 10:08 Foxboron

Is there an update or workaround for this issue? I'm not able to load v4l2loopback without disabling secure boot on my device.

Grafcube avatar Jul 31 '23 14:07 Grafcube

You need to use the shim and load the db key into the MOKList.

This isn't something sbctl is going to support without a shim/MOK mode or setup awareness.

Foxboron avatar Jul 31 '23 14:07 Foxboron

You need to use the shim and load the db key into the MOKList.

Sorry but I don't know what that means. For my setup I generated bundles for each boot entry and put them in /boot/EFI/Linux.

Grafcube avatar Jul 31 '23 15:07 Grafcube