sign kernel modules about linux-secureboot-kit HOT 12 CLOSED

@Snawoot done! Via:
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /home/user/linux-secureboot-kit/db.key /home/user/linux-secureboot-kit/db.crt /lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko
Thank you!

from linux-secureboot-kit.

Hello!

Here is article on this topic: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/

In short, module signature required when Secure Boot is enabled. At this moment linux-secureboot-kit doesn't sign DKMS modules, but I think it is also possible to add signing hook into DKMS post-install scripts or existing kernel post-install hooks.

Recipe above uses machine owner keys (MOK) to sign modules, which enrolment requires additional reboot. Probably we don't need MOK keys and we are already good to go with our db.key and db.crt. I'll try it soon and we'll see if automation in linux-secureboot-kit can be extended to cover DKMS modules along with the rest of protected code.

from linux-secureboot-kit.

@Snawoot thanks a lot for a fast answer!
That's good, firstly I will try sign modules with MOK, and after I will wait for signing DKMS modules by linux-secureboot-kit ;)

from linux-secureboot-kit.

@Snawoot btw, I can't enroll MOK keys in UEFI - tool simply don't starting up on boot. I tried reset to setup mode and clean UEFI keys, but UEFI print me that: Secure Variable Update is locked down!
Also, efi-readvar print me: Variable MokList has no entries

from linux-secureboot-kit.

@mrsmith0x00 Then try to sign with db.key and db.crt instead of MOK keys. I think it has to work. Please tell your results.

from linux-secureboot-kit.

Some docs on this subject suggest my guess is correct: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Kernel_Administration_Guide/sect-signing-kernel-modules-for-secure-boot.html#sect-sources-for-public-keys-used-to-authenticate-kernel-modules

db keys are usable instead of MOK keys

from linux-secureboot-kit.

And since they are already installed in UEFI, you don't have to add them; you may sign modules with it right away.

from linux-secureboot-kit.

@mrsmith0x00 yeah, I think that this will work. But... I deleted my old linux-secure-boot folder with db.key and db.crt (sorry for that). Then I exported db file via efi-readvar -v db -o db.file. How can I solve this problem? Or I should reinstall all with zero?

from linux-secureboot-kit.

No problem. Variables contain only certificates, so private key is lost and you have to reinstall from scratch: remove all keys from UEFI, remove SignedBoot menu entry from UEFI and run install again.

from linux-secureboot-kit.

Thanks a lot for help! Now closed.

from linux-secureboot-kit.

Nice! Now I have shallow understanding how it should be automated and probably soon it'll be included into linux-secure-boot recipes.

from linux-secureboot-kit.

Short notice: automated signature for DKMS modules has been merged into master along with improved initramfs signature hooks.

from linux-secureboot-kit.