Tuesday, June 21, 2016

Module signing in Linux

Got xUbuntu 16.04 installed alongside Windows 10 on UEFI with Secure Boot enabled and had to get 3rd-party GPU drivers running, so I found this nice answer here.

Since kernel version 4.4.0-20, it was enforced that unsigned kernel modules will not be allowed to run with Secure Boot enabled. If you'd want to keep Secure Boot and also run these modules, then the next logical step is to sign those modules.

So let's try it.
  1. Create signing keys
    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=descriptive name/"
  2. Sign the module
    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /path/to/module
  3. Register the keys to Secure Boot
    sudo mokutil --import MOK.der
    Supply a password for later use after reboot.
  4. Reboot and follow instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
Please let me know if your modules would run this way on Ubuntu 16.04 (on kernel 4.4.0-21, I believe).

Resources: Detailed website article for Fedora and Ubuntu implementation of module signing.

One addition for the security-conscious: the private key MOK.priv generated by openssl -nodes as above is not protected by a password. Thus in principle, a rogue program could use it to sign a compromised module or even taint the bootloader, as your signing key now sits in hardware storage as a trusted key. A more secure solution is to omit the -nodes option. In step 1 openssl will then ask for a password to protect the private key. Before step 2, when signing, set the KBUILD_SIGN_PIN environment variable to the password you specified in step 1.
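As an added example (not part of the quoted answer), here is a small Python check for what step 2 actually produces: sign-file appends a PKCS#7 signature, a 12-byte struct module_signature and the magic string "~Module signature appended~\n" to the end of the .ko file, which is also how you can tell from the file alone whether a module was signed before you reboot with Secure Boot on. The module and PKCS#7 blob below are constructed dummies, not real signed data.

```python
import struct

# Trailer written by the kernel's scripts/sign-file (see include/linux/module_signature.h):
#   <module bytes><PKCS#7 signature><struct module_signature (12 bytes)><magic (28 bytes)>
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian u32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type sign-file uses for the appended PKCS#7 blob


def parse_module_signature(data):
    """Return signature metadata for a .ko image, or None if no signature is appended."""
    if not data.endswith(MAGIC):
        return None  # unsigned module: this is what Secure Boot will refuse to load
    body = data[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    payload = body[:-SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7 or signer_len or key_id_len:
        raise ValueError("unexpected trailer fields; not a sign-file PKCS#7 signature")
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds module size")
    return {
        "module_len": len(payload) - sig_len,  # size of the original, unsigned .ko
        "sig_len": sig_len,
        "pkcs7": payload[-sig_len:],           # DER PKCS#7 blob, verifiable against MOK.der
    }


def append_signature(module, pkcs7):
    """Build the exact trailer layout sign-file appends (used here only to construct test input)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + info + MAGIC


# Constructed sample input: a fake module image and a fake PKCS#7 blob, not a real signature.
FAKE_MODULE = b"\x7fELF" + b"\x00" * 60 + b"fake .ko contents"
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 256

if __name__ == "__main__":
    signed = append_signature(FAKE_MODULE, FAKE_PKCS7)
    print("unsigned module:", parse_module_signature(FAKE_MODULE))
    print("signed module, sig_len:", parse_module_signature(signed)["sig_len"])
```

To inspect a real module, read the file in binary mode and pass its bytes to parse_module_signature; a None result means sign-file was never run on that file.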
