Snawoot opened this issue 5 years ago (status: Open)
Patch submitted to the Debian maintainer of the grub package: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906124#55
Still no updates it looks like? Would it be possible for us to use the package from Debian 9 in the meantime?
Hello,
Debian grub2 package developers stopped responding to any attempts to fix that.
I think it's much easier to apply the patch from this thread to the Debian 10 package source. Even if the package is overwritten by upcoming grub package updates, the grub binary installed by linux-secureboot-kit will be unaffected.
The process should look like this:

```shell
apt-get install -y devscripts quilt
apt-get build-dep grub2
apt-get source grub2
dch -i
debuild -us -uc
```
Thanks for the info. Perhaps it wouldn't be a bad idea on Debian to forgo trying to fix grub and just bypass it entirely using a single signed EFI that combines kernel and initramfs. I believe this is one such example: https://gist.github.com/zaxebo1/a17577390512bdea35a00d111dac8aa2
Made a thing to get around this limitation if you (or anyone else) were interested: https://github.com/noahbliss/mortar Skirts the whole "broken grub" issue by just not using grub. :+1:
@noahbliss Thanks! That looks like a step-up solution since it uses measured boot and TPM.
Hey @Snawoot, I'm back. Any chance you could give me a hand with using the db cert/key to sign modules with DKMS/other method in mortar? With many distros starting to enforce lockdown mode with kernel 5.4+, this is becoming more of a priority for me to implement. Otherwise I may browse your code for inspiration if that's cool.
@noahbliss
Hi! Sure!
It's possible to add a signing hook into DKMS with the `POST_BUILD` option in dkms.conf for a module, and the DKMS config can be overridden via a config file in /etc/dkms/MODULE.conf. However, it's tricky; there are a few difficulties to overcome:

- … `POST_BUILD` script already.
- … `POST_BUILD`. This action can be performed in the overridden DKMS config for the module because it's the last file sourced by DKMS and all necessary variables are already defined. Snoop the old value and export the new value with a chained script.
- … `sign_build` function from local DKMS config for the module.

Here is the DKMS config override which is installed for each DKMS module into /etc/dkms/. Here is what it does:

- … `sign_build` function of Ubuntu-patched DKMS a no-op function.

This "config" file contains nothing specific to the linux-secureboot-kit project except the path to the db cert/key. It's in lines 81, 87, 92. You may use this hook right away in your project.
And there is another script which is responsible for installation of the DKMS hooks. It just enumerates all modules installed via DKMS and symlinks the DKMS config override with the hook into /etc/dkms. I think the only constant you need to modify in it is the location of the installed DKMS hook file (which was discussed above).
So, I think everything is ready and you may just add these files into your project with minor modifications.
If you have questions or need further assistance, you may reach me directly:
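The mechanism described in the comment above (a `POST_BUILD` signing hook chained behind the module's own one, plus an `/etc/dkms/<module>.conf` override that disables Ubuntu's `sign_build()`), as an added example. This is not code from linux-secureboot-kit or mortar. Everything below that is not in the thread is an assumption: the key and certificate paths, the hook's install path `/etc/dkms/sign-modules.sh`, that DKMS sources the override with `$kernelver`, `$module` and `$module_version` already set, that it accepts an absolute path in `POST_BUILD`, and that the freshly built `.ko` files sit under `$dkms_tree/<module>/<version>/build`. The `demo` entry point runs against a constructed fake build tree with a stub in place of `sign-file`, so it works offline.

```shell
#!/bin/sh
# Added example (not code from linux-secureboot-kit or mortar): a DKMS
# POST_BUILD hook that signs freshly built modules with the Secure Boot db
# key/cert, plus the per-module override (/etc/dkms/<module>.conf) that
# chains it behind whatever POST_BUILD the module already had and turns the
# sign_build() of Ubuntu-patched DKMS into a no-op.
#
# Assumed, not taken from the thread: key/cert locations, the hook's install
# path, that dkms sources /etc/dkms/<module>.conf with $kernelver, $module and
# $module_version already set, that an absolute path works in POST_BUILD, and
# that the built .ko files sit under $dkms_tree/<module>/<version>/build.
set -u

: "${DB_KEY:=/etc/secureboot/db.key}"      # assumed location of the db private key
: "${DB_CERT:=/etc/secureboot/db.crt}"     # assumed location of the db certificate
: "${dkms_tree:=/var/lib/dkms}"
HOOK_PATH=/etc/dkms/sign-modules.sh        # assumed install path of this script

# sign-file from the headers of the kernel the module was built for.
# SIGN_FILE, if set, wins (the demo below points it at a stub).
find_sign_file() {
    [ -n "${SIGN_FILE:-}" ] && { printf '%s\n' "$SIGN_FILE"; return 0; }
    for c in "/lib/modules/$1/build/scripts/sign-file" \
             "/usr/src/linux-headers-$1/scripts/sign-file"; do
        [ -x "$c" ] && { printf '%s\n' "$c"; return 0; }
    done
    return 1
}

# sign-file appends "~Module signature appended~\n" (28 bytes) after the PKCS#7
# blob; its absence means the module is unsigned or was stripped after signing.
module_is_signed() {
    tail -c 28 "$1" | grep -q 'Module signature appended'
}

# Sign every *.ko below $1 for kernel $2; fail if any module stays unsigned.
sign_modules_in() {
    dir=$1; kver=$2
    signer=$(find_sign_file "$kver") || { echo "no sign-file for $kver" >&2; return 1; }
    failed=$(find "$dir" -name '*.ko' | while read -r ko; do
        "$signer" sha256 "$DB_KEY" "$DB_CERT" "$ko" >/dev/null 2>&1 \
            && module_is_signed "$ko" || printf '%s\n' "$ko"
    done)
    [ -z "$failed" ] || { echo "failed to sign: $failed" >&2; return 1; }
}

# Entry point referenced from POST_BUILD: run the module's original hook (if
# any) from the build tree, then sign what it produced.
hook_main() {
    kver=$1; mod=$2; ver=$3; shift 3
    [ "${1:-}" = "--" ] && shift
    build_dir="$dkms_tree/$mod/$ver/build"
    if [ $# -gt 0 ]; then
        ( cd "$build_dir" && "$@" ) || { echo "original POST_BUILD failed" >&2; return 1; }
    fi
    sign_modules_in "$build_dir" "$kver"
}

# Contents of /etc/dkms/<module>.conf. dkms sources it after the module's own
# dkms.conf, so $POST_BUILD is whatever the module set and $kernelver is known;
# both get baked into the new POST_BUILD when the file is sourced.
write_override_conf() {
    cat <<EOF
# override for $1: chain the db signing hook after the module's own POST_BUILD
_orig_post_build="\${POST_BUILD:-}"
POST_BUILD="$HOOK_PATH run \$kernelver \$module \$module_version -- \$_orig_post_build"
# Ubuntu-patched DKMS would otherwise re-sign with its own key in sign_build()
sign_build() { :; }
EOF
}

# Offline demo on a constructed fake build tree. A stub stands in for sign-file
# and reproduces only its visible effect (the appended trailer); on a real host
# leave SIGN_FILE unset and the kernel's own sign-file is used.
demo() {
    tmp=$(mktemp -d)
    build="$tmp/dkms/demo-mod/1.0/build"
    mkdir -p "$build/lib"
    printf 'constructed, not a real module' > "$build/demo.ko"
    printf 'constructed, not a real module' > "$build/lib/helper.ko"
    printf '#!/bin/sh\nprintf "\\n~Module signature appended~\\n" >> "$4"\n' > "$tmp/sign-file"
    chmod +x "$tmp/sign-file"
    if ( dkms_tree="$tmp/dkms"; SIGN_FILE="$tmp/sign-file"; DB_KEY=/dev/null; DB_CERT=/dev/null
         hook_main 9.9.9-demo demo-mod 1.0 -- true ) \
       && module_is_signed "$build/demo.ko" && module_is_signed "$build/lib/helper.ko"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

case "${1:-}" in
    run)      shift; hook_main "$@" ;;
    override) write_override_conf "${2:?module name}" ;;
    demo)     demo && echo "demo: all modules signed" ;;
esac
```

On a real host, install the script at the assumed `HOOK_PATH`, generate the override for each module with `sign-modules.sh override <module> > /etc/dkms/<module>.conf`, rebuild with `dkms build`/`dkms install`, and confirm with `modinfo -F signer <module>.ko`, which prints the subject of the signing certificate. If `sign-file` succeeds but the trailer check still fails, your DKMS strips modules after `POST_BUILD` has run; the module's `dkms.conf` `STRIP[0]="no"` setting (or the same line in the override) keeps the signature intact.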
Dang! Solid info. I'll give it some cycles and see where I land, thanks a ton!
CentOS 8 backported the ugly linux-efi bugs from Debian as well, so lsbk is unusable on it too.
GRUB fails to validate the kernel signature due to a Debian bug introduced by Debian patches to grub. I'm seeking a way to work around it.