julian-klode / sicherboot

Unmaintained systemd-boot integration with secure boot support; consider https://github.com/Foxboron/sbctl instead.

Signing DKMS modules #11

Open jkufner opened 3 years ago

jkufner commented 3 years ago

Since version 5.4, the Linux kernel has lockdown enabled by default when Secure Boot is enabled. Therefore, we have to sign all modules to successfully boot the system. There are plenty of tutorials on how to do it with MOK keys and mokutil; however, virtually none of the blog posts and tutorials mention the need to use Shim to provide a MOK key validation wrapper in EFI.

When using Secure Boot in user mode, we do not need MOK; we just need to sign the modules using the DB keys that sicherboot generates. Therefore, there should be a hook to do this automatically for the modules of the installed kernels.

I tried this for VirtualBox modules built by DKMS on Debian, and it seems to work just fine. I used the following script:

#!/bin/sh -e
# /etc/kernel/postinst.d/dkms-sign-modules
#
# Kernel postinst hook: sign every DKMS-built module of the kernel version
# passed as $1 with the sicherboot DB key, so that a lockdown kernel booted
# directly under Secure Boot (no Shim, no MOK) will load them.

version="$1"

# DKMS installs its modules under updates/dkms; sign-file is shipped with
# the kernel headers (linux-headers-*) of the same version.
module_dir="/lib/modules/$version/updates/dkms"
sign_file="/lib/modules/$version/build/scripts/sign-file"

if [ -z "$version" ]
then
        echo "Usage: $0 version" >&2
        exit 1
fi

# Nothing to sign for a kernel without DKMS modules; do not fail the postinst.
if ! [ -d "$module_dir" ]
then
        exit 0
fi

if ! [ -x "$sign_file" ]
then
        echo "Missing sign_file binary: $sign_file" >&2
        exit 1
fi

echo "" >&2
echo "Signing DKMS kernel modules ..." >&2
echo "Using $sign_file" >&2

# Print each module path to stderr, then append a SHA-256 signature made with
# the DB private key and certificate to it in place (sign-file signs in place).
find "$module_dir" -type f -name "*.ko" \
        -fprint /dev/stderr \
        -exec "$sign_file" sha256 /etc/sicherboot/keys/db.key /etc/sicherboot/keys/db.cer '{}' \;

echo "Signing DKMS kernel modules ... done." >&2
echo "" >&2

This script is wrong, untested, and probably does the signing in the wrong place. But it does the trick.
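
A pre-reboot check, added here as an example and not part of the issue or of the sicherboot project, that lists DKMS modules lacking the kernel's appended-signature trailer, so a hook that did not run is caught before a lockdown kernel refuses to load the modules. It assumes uncompressed .ko files in the same updates/dkms layout the script above signs; the directory argument and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the issue or sicherboot): find modules that carry
# no appended signature. Assumes uncompressed .ko files; compressed modules
# (.ko.xz, .ko.zst) would have to be decompressed before the check.

# A signed module ends with this 28-byte trailer (MODULE_SIG_STRING in the
# kernel's include/linux/module_signature.h), placed after the signature blob.
SIG_MAGIC='~Module signature appended~'

# is_signed FILE: succeed when FILE ends with the signature trailer.
is_signed() {
    # tail -c 28 returns the trailer; $(...) strips its trailing newline,
    # so the comparison is against the 27 visible characters.
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$SIG_MAGIC" ]
}

# unsigned_modules DIR: print every *.ko below DIR without the trailer.
unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r f; do
        is_signed "$f" || echo "$f"
    done
}

# check_modules DIR: report on stderr; return 1 if any module is unsigned.
check_modules() {
    missing=$(unsigned_modules "$1")
    if [ -n "$missing" ]; then
        echo "Unsigned modules under $1:" >&2
        echo "$missing" >&2
        return 1
    fi
    echo "All modules under $1 carry a signature trailer." >&2
    return 0
}

# Stand-alone use: check_modules.sh /lib/modules/$(uname -r)/updates/dkms
if [ $# -eq 1 ]; then
    check_modules "$1"
fi
```

The trailer only proves that some signature is present; `modinfo -F signer module.ko` shows which certificate signed it, so a module signed with the wrong key is still visible to the kernel's check even though it passes this one.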

julian-klode commented 3 years ago

Kernel modules should be signed by a different key than the bootloader and kernel. Does Debian not do automatic DKMS signing yet? We do in Ubuntu.

jkufner commented 3 years ago

Honestly, I have no idea. I could not find anything useful on this matter. So, I guess the support is well hidden or missing.

I'm a little bit confused about the module signing. As far as I understand, the kernel validates modules using some EFI service and thus using the db.key, but it also uses some other mechanism to validate upstream modules from the linux-image package, because the linux-image-*-unsigned package does not boot due to missing module signatures (but the kernel itself loads, because it is signed by sicherboot).

When not using Shim and Grub, I do not know where the kernel could receive other keys usable for module verification, unless such a key would be compiled into the kernel (I guess that is the case with the distribution key).

vincentbernat commented 2 years ago

Do you have some pointers on how this is done on Ubuntu?