Module signing and secure boot
sunox
Tux's lil' helper
Joined: 26 Jan 2022
Posts: 136

PostPosted: Mon Dec 25, 2023 11:22 pm    Post subject: Module signing and secure boot

I have secure boot set up and working with a signed kernel, and I'm just wondering what is the standard way of signing kernel modules in a secure boot environment. I'm reading various things and getting various answers and it's a bit confusing.

On the Gentoo Secure Boot page (https://wiki.gentoo.org/wiki/Secure_Boot#USE_flags) it says this:

Code:
In addition to the kernel itself, the kernel modules must also be signed to boot successfully with Secure Boot enabled. For this purpose the modules-sign global use flag can be used in addition to the MODULES_SIGN_KEY and MODULES_SIGN_HASH environment variables.


I sign my kernel using a key and cert from the db.

Code:
sbsign --key db.key --cert db.crt --output /boot/EFI/gentoo-efi-3/vmlinuz.efi /boot/EFI//gentoo-efi-1/vmlinuz.efi


Can I just use db/key for MODULES_SIGN_KEY? What about the cert? What hash should I specify?

Interestingly, neither of these environment variables is mentioned on this page: https://wiki.gentoo.org/wiki/Signed_kernel_module_support. And on that page secure boot is only mentioned once in passing.

The kernel seems to have module signing support, and you achieve this by setting kernel options and optionally putting keys in the source directory. It seems like this might break the secure boot chain though, but maybe this isn't so important.

Any guidance is appreciated.

Oh and Merry Christmas / Happy Holidays :)
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria

PostPosted: Tue Dec 26, 2023 1:19 am    Post subject: Re: Module signing and secure boot

sunox wrote:
Can I just use db/key for MODULES_SIGN_KEY? What about the cert? What hash should I specify?

You can ... and I suggest to do so. The hash depends on how you built your ...
sunox wrote:
I sign my kernel using a key and cert from the db.


I am a lazy guy and used this script for creating my keys:
http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
(I changed only the period of validity of the keys from 3650 days to 9999 days)

So I have used:
Quote:
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
-out DB.crt -days 9999 -nodes -sha256

=> sha256 ... ;-)

Just check your creation of your keys.

sunox wrote:
Oh and Merry Christmas / Happy Holidays :)

Thanks. Same wishes back to you
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria

PostPosted: Tue Dec 26, 2023 1:31 am    Post subject: Re: Module signing and secure boot

Sorry ... I forgot this:
sunox wrote:
The kernel seems to have module signing support, and you achieve this by setting kernel options and optionally putting keys in the source directory. It seems like this might break the secure boot chain though, but maybe this isn't so important.

No, it is important.

Your keys should be on one (of two) USB sticks (I mount it to /mnt/stick) ... you can configure the directory of the keys:
Code:
-*- Cryptographic API  --->
    Certificates for signature checking  --->
        (certs/signing_key.pem) File name or PKCS#11 URI of module signing key


See more: /usr/src/linux/Documentation/admin-guide/module-signing.rst

I am using SecureBoot too, but no module signing ... because I have no module support in my kernel :lol:
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
sunox
Tux's lil' helper
Joined: 26 Jan 2022
Posts: 136

PostPosted: Tue Dec 26, 2023 2:55 am    Post subject:

Thanks! I'll give this a try tomorrow.

I'm just wondering how exactly MODULES_SIGN_KEY is different from the "signing key" asked for in the kernel. Is it fair to say that MODULES_SIGN_KEY is where you put the private key (which does the signing) and "File name of the module signing key" where you put the certificate containing the public key (which does the verifying)? The confusing thing is that it asks for a "signing" key under the subheader "Certificates for signature checking".

Also confusing is that the kernel lets you specify the hash you want to use (e.g. CONFIG_MODULE_SIG_SHA256). Is this redundant with MODULES_SIGN_HASH?

And these two are just used for signing (and verifying?) packages (not including the kernel)?

Code:

SECUREBOOT_SIGN_KEY="..."
SECUREBOOT_SIGN_CERT="..."
sunox
Tux's lil' helper
Joined: 26 Jan 2022
Posts: 136

PostPosted: Tue Dec 26, 2023 3:39 am    Post subject:

According to the reference below the MODULES_SIGN* variables all work with the modules-sign USE flag. This USE flag seems to only pertain to distribution kernels, and maybe external modules? So maybe not relevant in my case? (I build from gentoo-sources and I don't think I have any "external" kernels. None of my packages have the modules-sign USE flag)

https://devmanual.gentoo.org/eclass-reference/kernel-build.eclass/index.html

According to the next reference the SECUREBOOT_SIGN* variables work with any packages that have the "secureboot" USE flag. For me this is only "systemd-utils".

https://wiki.gentoo.org/wiki/Secure_Boot

Then I guess the kernel options mentioned above are what do the signing and verifying of the (non-external?) modules.

I'm just seeing your reference to the module-signing.rst doc which looks good. I'll check that tomorrow. Thanks.
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria

PostPosted: Tue Dec 26, 2023 2:52 pm    Post subject:

Maybe I am wrong here ... then I would like to hear a protest ... but AFAIK all the automatic stuff Gentoo provides for signing/SecureBoot is only for our dist-kernel (and genkernel?) but not for a manual kernel configuration approach. So, just look into all kernel documentation and forget the settings in make.conf ... ;-)

As said before I don't sign my external kernel modules because I don't have module support in my kernel (monolithic kernel). For SecureBoot I did this (English post):
https://forums.gentoo.org/viewtopic-p-8492354.html#8492354

And yes, I have used these keys also for another solution: IMA
(It is described in this German post: https://forums.gentoo.org/viewtopic-t-1158503.html)
_________________
https://wiki.gentoo.org/wiki/User:Pietinger


Last edited by pietinger on Tue Dec 26, 2023 3:23 pm; edited 1 time in total
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria

PostPosted: Tue Dec 26, 2023 3:15 pm    Post subject:

Maybe another word on asymmetric encryption, which is used for signing ... maybe you already know, but maybe interesting for other readers ...

For asymmetric encryption you will need a key pair: two keys which are connected; with one of them you can encrypt something, with the other you can decrypt. You can use this for encryption ... and signing ... it is the same ... only with a changed use of the keys. So I explain asymmetric encryption shortly:

You want to send an encrypted mail to a friend. Then you need one key of your friend (called "open key"). You encrypt with this "open key" and only your friend can decrypt it with his second key == the "private key" or "secret key".

Signing is the same the other way round:

You want to sign the mail you sent to your friend so it shows that it is really from you:

You encrypt it with YOUR private key (only you have it) and your friend can decrypt it with the open key from you (everybody has it). Because only you were able to encrypt it with your private key, everybody can check with the well-known open key from you that really you have encrypted it. When we talk about signing then almost everywhere this "open key" is called "certificate". Now what I told is not really true. Not the whole mail was decrypted for signing it. ONLY a HASH was built from your mail ... and ONLY this HASH was encrypted ... So, your friend decrypts the hash of your mail and checks if it is the same hash he builds from your mail.

So, for signing you need a secret private key (here in PEM format == Base64) and a "certificate" (here in DER format == ASN.1). The certificate - everybody knows it (compiled into the kernel) - is used for verifying if your kernel modules (*) are really encrypted with your secret private key (on your USB stick).

(*) As said before: not the kernel module itself is encrypted - only the hash of this kernel module is encrypted == signed.
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
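As an added example (not code from this thread, from Gentoo or from the kernel tree), here is a small Python script that reads the trailer sign-file appends to a module, as laid out in the module-signing.rst document pietinger points to. It lets you check from user space whether a .ko carries an appended PKCS#7 signature and how large the signed blob is, and it rejects the same malformed trailers the kernel rejects. The struct layout and magic string are the kernel's; the sample module body and PKCS#7 blob are constructed placeholders, and no cryptographic verification of the hash happens here (that is what the certificate compiled into the kernel is for):

```python
"""Added example, not from the thread: parse the signature trailer that the
kernel's scripts/sign-file appends to a .ko (Documentation/admin-guide/module-signing.rst).

Layout of a signed module:
    [module ELF data][PKCS#7 signature][struct module_signature][magic string]
struct module_signature (12 bytes, sig_len big-endian):
    u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len; u8 pad[3]; __be32 sig_len;
Current kernels use id_type PKEY_ID_PKCS7 (2) and require every other byte in the
struct to be zero; the digest algorithm and key identity live inside the PKCS#7 blob.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Optional

MAGIC = b"~Module signature appended~\n"
SIG_HDR = struct.Struct(">BBBBB3sI")   # 5 flag bytes, 3 pad bytes, be32 sig_len
PKEY_ID_PKCS7 = 2


@dataclass
class ModuleSignature:
    id_type: int
    sig_len: int
    pkcs7: bytes   # the detached PKCS#7 signature blob
    body: bytes    # the bytes that were hashed and signed (the module proper)


def parse_signed_module(data: bytes) -> Optional[ModuleSignature]:
    """Return the appended signature, or None when the module is unsigned.

    Raises ValueError for a trailer the kernel would also reject (-EBADMSG)."""
    if not data.endswith(MAGIC):
        return None
    hdr_end = len(data) - len(MAGIC)
    hdr_start = hdr_end - SIG_HDR.size
    if hdr_start < 0:
        raise ValueError("trailer shorter than struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_HDR.unpack(
        data[hdr_start:hdr_end])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len or pad != bytes(3):
        raise ValueError("legacy fields must be zero for PKCS#7 signatures")
    sig_start = hdr_start - sig_len
    if sig_start < 0:
        raise ValueError("sig_len larger than the module itself")
    return ModuleSignature(id_type, sig_len, data[sig_start:hdr_start], data[:sig_start])


def append_signature(body: bytes, pkcs7: bytes) -> bytes:
    """Build the same trailer layout sign-file writes. The PKCS#7 blob is supplied
    by the caller; in this example it is only a constructed placeholder."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, bytes(3), len(pkcs7))
    return body + pkcs7 + hdr + MAGIC


def strip_signature(data: bytes) -> bytes:
    """Return the module without its trailer (what a re-signing step starts from)."""
    ms = parse_signed_module(data)
    return data if ms is None else ms.body


# Constructed sample: a fake ELF body and a fake PKCS#7 blob, no real crypto.
SAMPLE_BODY = b"\x7fELF" + bytes(60)
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else append_signature(SAMPLE_BODY, SAMPLE_PKCS7)
    ms = parse_signed_module(blob)
    print("unsigned" if ms is None else f"signed: PKCS#7 blob of {ms.sig_len} bytes")
```

Run it with the path of an uncompressed .ko to see whether a signature is appended; a .ko.xz or .ko.zst has to be decompressed first, because modules are signed before compression. modinfo reports the same trailer in its sig_id, signer, sig_key and sig_hashalgo fields.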
sunox
Tux's lil' helper
Joined: 26 Jan 2022
Posts: 136

PostPosted: Tue Dec 26, 2023 4:03 pm    Post subject:

Nice explanation, thanks.

The kernel's MODULE_SIG_KEY wants the signing key and the corresponding certificate in the same file - both in PEM form. I just concatenated my key and cert together so it looked like this:

Code:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


and everything went well.
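Added example (not from the thread, and not kernel or Gentoo tooling): a Python check for the combined file sunox describes. scripts/sign-file reads both the private key and the certificate from the file CONFIG_MODULE_SIG_KEY names, which is why one PEM file holding both blocks works. The script splits the PEM blocks, checks that there is exactly one private key and one certificate, that each decodes to a DER SEQUENCE, and that the file is not readable by other users; it can also write the certificate out as DER, the form pietinger mentions and the form needed when the certificate has to be enrolled separately. It checks structure only and does not prove the key and certificate belong together. The key and certificate bytes in the sample are constructed stand-ins, not real key material:

```python
"""Added example, not from the thread: sanity-check a MODULE_SIG_KEY PEM file that
holds a private key followed by its certificate, and extract the certificate as DER.
Function names are this example's own. Structural checks only, no crypto."""
import base64
import os
import re
import stat
from typing import Dict, List, Tuple

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def split_pem(text: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, DER bytes) for every PEM block in the file."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1).decode()
        der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        # Both a PKCS#8 key and an X.509 certificate start with an ASN.1 SEQUENCE (0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_module_sig_key(text: bytes) -> Dict[str, bytes]:
    """Require exactly one private key and one certificate; return both as DER."""
    blocks = split_pem(text)
    keys = [d for label, d in blocks if label.endswith("PRIVATE KEY")]
    certs = [d for label, d in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected 1 private key block, found {len(keys)}")
    if len(certs) != 1:
        raise ValueError(f"expected 1 certificate block, found {len(certs)}")
    return {"key": keys[0], "cert": certs[0]}


def key_file_problems(path: str) -> List[str]:
    """List what is wrong with a key file on disk; an empty list means it is usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o}: private key readable by group/others, use 0600")
    with open(path, "rb") as f:
        text = f.read()
    try:
        check_module_sig_key(text)
    except ValueError as e:
        problems.append(str(e))
    return problems


def write_der_cert(text: bytes, out_path: str) -> int:
    """Write only the certificate, as DER, and return the number of bytes written."""
    der = check_module_sig_key(text)["cert"]
    with open(out_path, "wb") as f:
        f.write(der)
    return len(der)


def make_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes as a PEM block with 64-character lines (used to build sample input)."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n".encode() + b"\n".join(lines)
            + f"\n-----END {label}-----\n".encode())


# Constructed sample: minimal ASN.1 SEQUENCEs standing in for a real key and certificate.
SAMPLE_KEY_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_CERT_DER = b"\x30\x05\x04\x03abc"
SAMPLE_FILE = make_pem("PRIVATE KEY", SAMPLE_KEY_DER) + make_pem("CERTIFICATE", SAMPLE_CERT_DER)
```

With a real file, `key_file_problems("/mnt/stick/signing_key.pem")` returning an empty list means the file has the shape the kernel build expects and is not exposed to other local users; the DER output from `write_der_cert` is what you would hand to a separate enrollment step, while the kernel build itself takes the PEM.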
sunox
Tux's lil' helper
Joined: 26 Jan 2022
Posts: 136

PostPosted: Tue Dec 26, 2023 4:07 pm    Post subject:

This is off-topic, but I would like to shed some of my installed modules if possible. Is there a good way of telling if a module is ever used or not? Maybe checking loaded modules (via lsmod) against the contents of /lib/modules?
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4169
Location: Bavaria

PostPosted: Tue Dec 26, 2023 4:11 pm    Post subject:

sunox wrote:
[...] Maybe checking loaded modules (via lsmod) against the contents of /lib/modules?

Yes. 8)

(Use your CD-Rom device before ... :lol: )
_________________
https://wiki.gentoo.org/wiki/User:Pietinger
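Following up on the lsmod idea above, an added Python example (not from the thread): it maps the module files under a /lib/modules tree to the names lsmod prints (file names may use dashes and a compression suffix, lsmod shows underscores) and reports the modules that appear in none of several lsmod snapshots. Merging snapshots taken at different moments (right after boot, after mounting the EFI partition, after plugging in the CD-ROM drive) matters because lsmod is a point-in-time view; a module absent from every snapshot is still only a candidate for removal. The module list and lsmod output below are constructed sample data:

```python
"""Added example, not from the thread: find installed modules that no lsmod
snapshot has ever shown. Names are this example's own; the sample data is constructed."""
import os
from typing import Dict, Iterable, List, Set

MODULE_SUFFIXES = (".ko", ".ko.xz", ".ko.zst", ".ko.gz")


def parse_lsmod(output: str) -> Set[str]:
    """Module names from lsmod output (the header line is skipped)."""
    names = set()
    for line in output.splitlines()[1:]:
        parts = line.split()
        if parts:
            names.add(parts[0])
    return names


def module_name(filename: str) -> str:
    """nls_cp437.ko.xz -> nls_cp437; snd-hda-intel.ko -> snd_hda_intel (lsmod uses '_')."""
    base = os.path.basename(filename)
    for suf in MODULE_SUFFIXES:
        if base.endswith(suf):
            base = base[:-len(suf)]
            break
    return base.replace("-", "_")


def installed_modules(paths: Iterable[str]) -> Dict[str, str]:
    """Map module name -> file path for every module file in the given paths."""
    return {module_name(p): p for p in paths if p.endswith(MODULE_SUFFIXES)}


def scan_modules_dir(root: str) -> Dict[str, str]:
    """Walk a real /lib/modules/<release> tree; the demo below uses the constructed list instead."""
    found = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return installed_modules(found)


def never_loaded(snapshots: Iterable[str], installed: Dict[str, str]) -> List[str]:
    """Paths of installed modules that appear in none of the lsmod snapshots."""
    seen: Set[str] = set()
    for snap in snapshots:
        seen |= parse_lsmod(snap)
    return sorted(path for name, path in installed.items() if name not in seen)


# Constructed sample data: two lsmod snapshots and a short module list.
LSMOD_AT_BOOT = """Module                  Size  Used by
snd_hda_intel          57344  0
nvme                   53248  2
"""
LSMOD_AFTER_MOUNT_BOOT = """Module                  Size  Used by
vfat                   24576  1
fat                    86016  1 vfat
nls_cp437              16384  1
nvme                   53248  2
"""
INSTALLED = [
    "/lib/modules/6.6.0-sample/kernel/sound/pci/hda/snd-hda-intel.ko.xz",
    "/lib/modules/6.6.0-sample/kernel/drivers/nvme/host/nvme.ko.xz",
    "/lib/modules/6.6.0-sample/kernel/fs/fat/vfat.ko.xz",
    "/lib/modules/6.6.0-sample/kernel/fs/fat/fat.ko.xz",
    "/lib/modules/6.6.0-sample/kernel/fs/nls/nls_cp437.ko.xz",
    "/lib/modules/6.6.0-sample/kernel/drivers/cdrom/cdrom.ko.xz",
    "/lib/modules/6.6.0-sample/kernel/drivers/net/wireless/ath/ath9k/ath9k.ko.xz",
    "/lib/modules/6.6.0-sample/modules.dep",   # not a module file, must be ignored
]

if __name__ == "__main__":
    inst = installed_modules(INSTALLED)
    for path in never_loaded([LSMOD_AT_BOOT, LSMOD_AFTER_MOUNT_BOOT], inst):
        print("never loaded:", path)
```

Against the constructed data, only the boot snapshot would flag the FAT and codepage modules; adding the snapshot taken after mounting the boot partition leaves just cdrom and ath9k as candidates, which is the point of collecting several snapshots before cutting modules from the config.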
sunox
Tux's lil' helper
Joined: 26 Jan 2022
Posts: 136

PostPosted: Tue Dec 26, 2023 5:34 pm    Post subject:

Thanks. First thing I did was somehow exclude a codepage FAT needed to mount, which is what my boot partition is formatted as. Fun stuff.

Feels good to be secure booted. I guess the last thing I should do is find a better way of storing my keys.
pwnenuser
n00b
Joined: 26 Mar 2024
Posts: 4

PostPosted: Tue Apr 02, 2024 5:41 pm    Post subject:

I have a similar kind of situation: I am using a Secure Boot setup with gentoo-kernel-bin and have NVIDIA graphics, and without signing modules I can't use the nvidia drivers.

https://wiki.gentoo.org/wiki/NVIDIA/nvidia-drivers#Kernel_module_signing

According to the wiki, but dist-kernel does not provide "signing_key.pem" keys.

And if I am using my own created keys in MODULES_SIGN_KEY with my own created MODULES_SIGN_CERT it has no effect; even when I tried to sign manually it didn't work.
While reading the wiki
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
Code:
Warning
When using the pre-built distribution kernels (e.g. sys-kernel/gentoo-kernel-bin) the key that was used to sign the in-tree modules will not be available for signing out-of-tree modules. If module signatures are enforced on these kernels, any out-of-tree modules must be signed with a different key. The public certificate for these out-of-tree modules must be loaded into the kernel key-chain, keyctl may be used for this purpose but is not persistent across reboots. To persistently add additional certificates to the keychain Shim must be used.


So I used shim with my own created keys but it didn't work.
BTW I am using a UKI with systemd-boot.

What should I do? I don't know which part I am doing wrong.
AndrewAmmerlaan
Developer
Joined: 25 Jun 2014
Posts: 266
Location: Nijmegen

PostPosted: Fri Apr 19, 2024 9:29 pm    Post subject:

> so i used shim with my own created keys but it didnt worked

What about shim did not work? Note you'll have to adjust your firmware to load shim instead of sd-boot, and then have shim load sd-boot by naming it grubx64.efi and putting it in the same folder as shim (yes sd-boot has to be named as if it is grub).
_________________
OS: Gentoo 6.7.3-gentoo-dist, ~amd64, 17.1/desktop/plasma/systemd/merged-usr
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400