linux-secureboot-kit icon indicating copy to clipboard operation
linux-secureboot-kit copied to clipboard

Published 20 hours ago verified publisher icon Snawoot

Boot failure on Debian 10

Open Snawoot opened this issue 4 years ago • 10 comments

GRUB fails to validate kernel signature due to Debian bug introduced by Debian patches to grub. I'm seeking for a way to workaround it.

Snawoot avatar Jul 08 '19 12:07 Snawoot

Patch submitted to Debian maintainer of grub package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906124#55

Snawoot avatar Jul 08 '19 20:07 Snawoot

Still no updates it looks like? Would it be possible for us to use the package from Debian 9 in the meantime?

noahbliss avatar Dec 20 '19 16:12 noahbliss

Hello,

Debian grub2 package developers stopped responding any attempts to fix that.

I think it's much easier to apply patch from this thread to Debian 10 package source. Even if package will be overwritten by upcoming grub package updates, grub binary installed by linux-secureboot-kit will be unaffected.

Process should look like this:

  1. Enable deb-src repos in /etc/apt/sources.list
  2. apt-get install -y devscripts quilt
  3. apt-get build-dep grub2
  4. apt-get source grub2
  5. Enter into grub2 source directory under current directory and push new patch: https://wiki.debian.org/UsingQuilt#Making_a_new_patch
  6. Update version and add log message with a dch -i
  7. Run debuild -us -uc

Snawoot avatar Dec 20 '19 19:12 Snawoot

Thanks for the info. Perhaps it wouldn't be a bad idea on Debian to forego trying to fix grub and just bypass it entirely using a single signed EFI that combines kernel and initramfs. I believe this is one such example: https://gist.github.com/zaxebo1/a17577390512bdea35a00d111dac8aa2

noahbliss avatar Dec 20 '19 19:12 noahbliss

Made a thing to get around this limitation if you (or anyone else) were interested: https://github.com/noahbliss/mortar Skirts the whole "broken grub" issue by just not using grub. :+1:

noahbliss avatar Mar 04 '20 23:03 noahbliss

@noahbliss Thanks! That looks like a step up solution since it uses metered boot and TPM.

Snawoot avatar Mar 04 '20 23:03 Snawoot

Hey @Snawoot I'm back. Any chance you could give me a hand with using the db cert/key to sign modules with DKMS/other method in mortar? With many distros starting to enforce lockdown mode with kernel 5.4+ this is becoming more of a priority for me to implement. Otherwise I may browse your code for inspiration if that's cool.

noahbliss avatar Jun 22 '20 17:06 noahbliss

@noahbliss

Hi! Sure!

It's possible to add signing hook into DKMS with POST_BUILD option in dkms.conf for module. And DKMS config can be overriden via config file in /etc/dkms/MODULE.conf. However, it's tricky, there are few difficulties to overcome:

  • Problem: Module config may have some POST_BUILD script already.
    • Solution: introduce script chaining. Dynamically create post-build script which performs signing actions as needed and invokes original POST_BUILD. This action can be performed in overriden DKMS config for module because it's last sourced file by DKMS and all necessary variables already defined. Snoop to old value and export new value with chained script.
  • Problem: Path to post-build script must be specified relative to build dir.
    • Solution: calculate relative suffix for root and concatenate it with path to temporary chained script.
  • Problem: Ubuntu and others may have patched DKMS with own signing functions which are running after build stage.
    • Solution: unset sign_build function from local DKMS config for module.
      • Problem: DKMS sources config file in a safe fashion (like subprocess with sandboxed script which exports only defined variable values). So, function override won't work.
        • Solution: detect it, and dump function override code straight into intermediate file with safe-sourcing results, which is sourced by DKMS directly.

Here is DKMS config override which is installed for each DKMS module into /etc/dkms/. Here is what it does:

  1. Calculates root path relative to build directory.
  2. Copies all required variables which already defined by module DKMS config (or other local overrides).
  3. Enforces stripping of built module.
  4. Composes new POST_BUILD script which does signatures and chains to original POST_BUILD script.
  5. Makes sign_build function of Ubuntu-patched DKMS a no-op function.

This "config" file contains nothing specific to linux-secureboot-kit project except path to db cert/key. It's in lines 81, 87, 92. You may use this hook right away in your project.

And there is another script which is responsible for installation of DKMS hooks. It just enumerates all modules installed via DKMS and symlinks DKMS config override with hook into /etc/dkms. I think only constant you need to modify in it is location of installed DKMS hook file (which was discussed above).

So, I think everything is ready and you may just add these files into your project with minor modifications.

If you'll have questions or need further assistance you may reach me directly:

  • Telegram: @Snawoot
  • Twitter: @Snawoot
  • Email: specified here along with PGP key.

Snawoot avatar Jun 22 '20 22:06 Snawoot

Dang! Solid info. I'll give it some cycles and see where I land, thanks a ton!

noahbliss avatar Jun 22 '20 23:06 noahbliss

Centos 8 backported ugly linux-efi bugs from debian as well, so lsbk is unusable on it too.

Snawoot avatar Oct 03 '20 17:10 Snawoot