#!/bin/sh
# Kernel postinst.d hook: re-sign every DKMS-built module for the kernel
# version passed as $1, using the MOK key pair stored in /opt/sign.
DKMS_DIR=/lib/modules/$1/updates/dkms
KEYS_DIR=/opt/sign
SIGN_CMD=/usr/src/linux-headers-$1/scripts/sign-file
for file in "$DKMS_DIR"/*.ko
do
    # When no .ko files exist for this kernel the glob stays literal; skip it
    [ -f "$file" ] || continue
    "$SIGN_CMD" sha256 "$KEYS_DIR/MOK.priv" "$KEYS_DIR/MOK.der" "$file" > /dev/null 2>&1
done
exit 0
Not quite sure, but it looks like it will also get executed on kernel uninstall :)
Now I need to address Nvidia package updates.
Tuesday, January 31, 2017
Automate DKMS modules signing in Linux
Some time ago I managed to sign the DKMS Nvidia modules with generated keys and upload those to UEFI. Of course, I had to re-sign the modules every time they were rebuilt, i.e. whenever the kernel or the Nvidia driver got updated. So after a few kernel updates I decided to automate the task via a postinst.d hook.
Tuesday, June 21, 2016
Module signing in Linux
I got xUbuntu 16.04 installed alongside Windows 10 on UEFI with Secure Boot enabled and had to get 3rd-party GPU drivers running, so I found this nice answer here.
Since kernel version 4.4.0-20, unsigned kernel modules are not allowed to load while Secure Boot is enabled. If you want to keep Secure Boot and still run these modules, the next logical step is to sign them.
So let's try it.
1. Create signing keys
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=descriptive name/"
2. Sign the module
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /path/to/module
3. Register the keys to Secure Boot
sudo mokutil --import MOK.der
Supply a password for later use after reboot.
4. Reboot and follow the instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
Resources: Detailed website article for Fedora and Ubuntu implementation of module signing.
One addition for the security-conscious: the private key MOK.priv generated by openssl -nodes as above is not protected by a password. Thus in principle, a rogue program could use it to sign a compromised module or even taint the bootloader, as your signing key now sits in hardware storage as a trusted key. A more secure solution is to omit the -nodes option. In step 1 openssl will then ask for a password to protect the private key. Before step 2, when signing, set the KBUILD_SIGN_PIN environment variable to the password you specified in step 1.
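Putting the two posts together, here is a hardened variant of the postinst.d hook from the top of the page, added as an example and not the post's own script: it recognises the kernel's "~Module signature appended~" trailer so already-signed modules are skipped, verifies each module after signing instead of discarding sign-file's output, and supports a password-protected MOK.priv by passing the passphrase through KBUILD_SIGN_PIN as described in the note above. The /opt/sign/pin file (root-only) and the DKMS_DIR override are assumptions for this example.

```sh
#!/bin/sh
# Added example, not the post's own hook. Signs DKMS modules for kernel
# version $1, skipping modules that already carry the kernel's signature
# trailer and verifying each result. Assumed layout: keys in /opt/sign; an
# optional root-only /opt/sign/pin holds the passphrase of MOK.priv.
KEYS_DIR=${KEYS_DIR:-/opt/sign}
SIG_MAGIC='~Module signature appended~'   # 28-byte trailer incl. newline

# is_signed FILE: succeed if FILE ends with the module signature trailer.
is_signed() {
    tail -c 28 "$1" | grep -qxF "$SIG_MAGIC"
}

# sign_module KVER FILE: sign one module with the headers' sign-file.
sign_module() {
    sign_cmd=/usr/src/linux-headers-$1/scripts/sign-file
    [ -x "$sign_cmd" ] || { echo "no sign-file for kernel $1" >&2; return 1; }
    if [ -r "$KEYS_DIR/pin" ]; then        # passphrase-protected key
        KBUILD_SIGN_PIN=$(cat "$KEYS_DIR/pin")
        export KBUILD_SIGN_PIN
    fi
    "$sign_cmd" sha256 "$KEYS_DIR/MOK.priv" "$KEYS_DIR/MOK.der" "$2" \
        && is_signed "$2"
}

# sign_dkms_modules KVER: sign every unsigned .ko in the DKMS dir for KVER
# (override with DKMS_DIR for testing). Prints a summary line and fails if
# any module could not be signed, so the hook's log shows the problem.
sign_dkms_modules() {
    dkms_dir=${DKMS_DIR:-/lib/modules/$1/updates/dkms}
    signed=0; skipped=0; failed=0
    for file in "$dkms_dir"/*.ko; do
        [ -f "$file" ] || continue       # glob matched nothing
        if is_signed "$file"; then
            skipped=$((skipped + 1))
        elif sign_module "$1" "$file"; then
            signed=$((signed + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "signed $signed skipped $skipped failed $failed"
    [ "$failed" -eq 0 ]
}

# Run as a postinst.d hook with the kernel version in $1; without one, only define the functions.
if [ -n "${1:-}" ]; then
    sign_dkms_modules "$1"
fi
```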