FS#75102 - [linux][config] enable MOK module signing

Attached to Project: Arch Linux
Opened by Tobias Powalowski (tpowa) - Friday, 17 June 2022, 18:57 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 20 June 2022, 05:02 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Jan Alexander Steffens (heftig)
David Runge (dvzrv)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Patch for enabling MOK user module signing in secure boot.

Closed by Tobias Powalowski (tpowa)
Monday, 20 June 2022, 05:02 GMT
Reason for closing: Won't implement
Comment by Jan Alexander Steffens (heftig) - Saturday, 18 June 2022, 02:26 GMT
> CONFIG_KEXEC_SIG:
>
> This option makes the kexec_file_load() syscall check for a valid
> signature of the kernel image. The image can still be loaded without
> a valid signature unless you also enable KEXEC_SIG_FORCE, though if
> there's a signature that we can check, then it must be valid.

I have a feeling this will break kexec because we don't have a stable signing key.

Also, the patch does not apply.
Comment by Tobias Powalowski (tpowa) - Saturday, 18 June 2022, 05:18 GMT
I will test it today. I don't think it will break kexec because we don't enable the second option, which would force this.
+# CONFIG_KEXEC_SIG_FORCE is not set
+# CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not set
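Review bot: this fragment shows only that CONFIG_KEXEC_SIG_FORCE and CONFIG_KEXEC_BZIMAGE_VERIFY_SIG are unset, not the state of CONFIG_KEXEC_SIG itself, so it does not settle the kexec question raised above. Per the Kconfig help quoted in the first comment, with KEXEC_SIG enabled and FORCE unset an unsigned image still loads, but an image that does carry a signature must verify, which is exactly the case of a kexec kernel signed with a different per-build key. Include the CONFIG_KEXEC_SIG line in the fragment and say how a kernel signed with another key was tested.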
Comment by Tobias Powalowski (tpowa) - Saturday, 18 June 2022, 11:33 GMT
Test results with provided kernel and iso image here:
https://pkgbuild.com/~tpowa/5.18.5-MOK-enabled/

Kexec only needs to be changed on secure-boot-enabled machines: lsm=integrity as a kernel command-line parameter.
It's clearly stated in the kernel panic that happens if you don't add this to the kernel command line.
The kexec kernel needn't be signed; it also works without signing the kernel.

So I think it is safe to add those config options to support this security model.
Comment by Jan Alexander Steffens (heftig) - Saturday, 18 June 2022, 11:51 GMT
The question is what if the kexec kernel is signed with a different key? All our kernels have unique keys.
Comment by Jan Alexander Steffens (heftig) - Saturday, 18 June 2022, 11:53 GMT
The configs say that FORCE only configures whether a signature must be present. But even without FORCE all signatures are checked, which suggests to me that we cannot kexec a kernel signed by a different key.
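As an added example (not code from this report or from the kernel), the three-way rule heftig describes, applied to config lines in the `+`-prefixed diff form posted above. The kexec rule follows the Kconfig help quoted in the first comment; the CONFIG_MODULE_SIG rule follows the kernel's equivalent module option. The sample config is constructed, and the evaluator models the build-time config only, not a runtime lockdown mode.

```python
import re

# Accepts plain .config lines and the "+"-prefixed form used in a diff.
_SET = re.compile(r"^\+?(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^\+?# (CONFIG_[A-Z0-9_]+) is not set$")

def parse_config(text):
    """Return {symbol: value}; symbols marked 'is not set' map to None."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-"):  # line removed by a diff: ignore it
            continue
        m = _SET.match(line) or _UNSET.match(line)
        if m:  # _SET has two groups, _UNSET only one
            symbols[m.group(1)] = m.group(2).strip('"') if m.lastindex == 2 else None
    return symbols

def enabled(symbols, name):
    return symbols.get(name) in ("y", "m")

def kexec_policy(symbols):
    """How kexec_file_load() treats image signatures (build-time config only)."""
    if not enabled(symbols, "CONFIG_KEXEC_SIG"):
        return "not-checked"  # signatures are never examined
    if enabled(symbols, "CONFIG_KEXEC_SIG_FORCE"):
        return "required"  # the image must carry a valid signature
    # Without FORCE an unsigned image loads, but a signature that is present
    # must still verify against a key the kernel trusts.
    return "checked-if-present"

def module_policy(symbols):
    """How module loading treats signatures, by the same three-way rule."""
    if not enabled(symbols, "CONFIG_MODULE_SIG"):
        return "not-checked"
    if enabled(symbols, "CONFIG_MODULE_SIG_FORCE"):
        return "required"
    return "checked-if-present"  # unsigned modules load but taint the kernel

# Constructed sample: the diff lines from the thread plus a MODULE_SIG setting.
SAMPLE_CONFIG = """\
+CONFIG_KEXEC_SIG=y
+# CONFIG_KEXEC_SIG_FORCE is not set
+# CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not set
CONFIG_MODULE_SIG=y
"""
```

Running `kexec_policy(parse_config(SAMPLE_CONFIG))` yields "checked-if-present", the case in which a kexec image signed with a key the running kernel does not trust is rejected while an unsigned one is accepted.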
Comment by Tobias Powalowski (tpowa) - Saturday, 18 June 2022, 21:15 GMT
It works. I tested it on my machines and on my archboot VM. It does not matter. If you define lockdown=integrity then I think it will check whether the signature is correct; otherwise it ignores it.
Comment by Jan Alexander Steffens (heftig) - Sunday, 19 June 2022, 20:13 GMT
Unfortunately, enabling IMA makes it impossible to load unsigned kernel modules when secure boot is in use, and without shim in the boot you can't get the kernel to trust a local key for module signing.
Comment by Tobias Powalowski (tpowa) - Monday, 20 June 2022, 04:48 GMT
FWIW, those are the options for having a fully MOK-signed secure boot process.
It's not possible to merge it into the default linux package. You have to decide which security model should be preferred, and as long as we don't have an official Arch Linux signed shim, it's not worth following this path right now with an extra kernel.
