Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

key enrollment on non-EFI systems for module.sig_enforce=1 kernel parameter #359

Closed
adrelanos opened this issue Nov 3, 2023 · 3 comments
Closed

key enrollment on non-EFI systems for module.sig_enforce=1 kernel parameter #359

adrelanos opened this issue Nov 3, 2023 · 3 comments

Comments

@adrelanos
Copy link
Contributor

Kernel module signature verification can be enabled using the module.sig_enforce=1 kernel parameter on non-EFI systems.

On non-EFI systems, mokutil won't work. But then how could one enroll the key without needing to recompile grub or the kernel?

Can /var/lib/dkms/mok.pub be enrolled using keyctl?

Is this something that DKMS could automate?
adrelanos added a commit to adrelanos/security-misc that referenced this issue Nov 3, 2023
@adrelanos
revert enabling kernel module signature enforcement
97054b2 
due to issues

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63

dell/dkms#359
@evelikov
Copy link
Collaborator

evelikov commented Nov 3, 2023

From my casual reading at the kernel documentation, you should be able to add any x509 as builtin_trusted_keys via keyctl. That said I haven't tried it and I'm not sure if it makes sense to automate in dkms.

If anything, I'm more inclined to remove all the ad-hoc module install/signing and use the upstream Kbuild to do that for us. Although this is more of a pie in the sky idea currently.

If you have a compelling reason why it has to be done by dkms, I won't mind reviewing a PR.

@evelikov
Copy link
Collaborator

evelikov commented Nov 3, 2023
edited
Loading

Actually on second read, I noticed this:

Note, however, that the kernel will only permit keys to be added to .builtin_trusted_keys if the new key's X.509 wrapper is validly signed by a key that is already resident in the .builtin_trusted_keys at the time the key was added.

So I guess, it might not be possible since we don't sign the key we generate as required.

@evelikov
Copy link
Collaborator

evelikov commented Nov 5, 2023

Reading through the docs, a few days later, it seem that you can either reuse the key used during the initial build to sign the dkms build modules. Or the original key must be used to sign the dkms generated key - in that case the new key must be added to the kernel via keyctl.

Distributions don't ship the key - understandably - so the only way for things to work is to rebuild the kernel. At this point, you can proceed with reusing it or creating/signing another key for dkms modules. Don't think such functionality belongs in dkms.

If my understanding is off, please correct me. Similarly if there is some reason why this should belong in dkms.

@evelikov evelikov closed this as completed Nov 5, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@evelikov @adrelanos