Gentoo Forums
Secure Boot: Stuck at "signing boot files"
ermor
n00b
Joined: 05 Jan 2025
Posts: 4
PostPosted: Sun Jan 05, 2025 7:14 pm    Post subject: Secure Boot: Stuck at "signing boot files"

Hello everyone,

I've recently installed Gentoo and I'm currently trying to enable Secure Boot (https://wiki.gentoo.org/wiki/Secure_Boot). Everything seems to have gone well so far, but now I'm trying to sign my boot files and the link doesn't really seem to account for my situation. It expects me to be using a Unified Kernel Image and GPG encrypted keys, but I'm using the distribution kernel with GRUB and symmetrically protected keyfiles, and it's a bit unclear to me what I should be signing, and the exact commands I should use.

I remembered there being a step to sign the distribution kernel in the handbook (https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel#Distribution_kernels) and I tried to follow it by giving the paths to my db.key and db.cer, but the subsequent emerge apparently really wants these to be PEM, and there was no step to create these specific file formats, so I'm not too sure what it's about.

I've also found this link (https://www.reddit.com/r/Gentoo/comments/15w78vw/confusion_with_secure_booting_signing_boot_files/) that seems to indicate I should sign the distribution kernel and GRUB, but it doesn't say how and the emerge I got seemed to imply my Nvidia drivers would also need to be signed, so it doesn't seem to be complete either.

Does anyone have any insight on what I should do?
zen_desu
Tux's lil' helper
Joined: 25 Oct 2024
Posts: 107
PostPosted: Sun Jan 05, 2025 7:41 pm

Most sections on the secure boot wiki page should include steps for plain/openssl protected keys as well as GPG ones.

The file extension can be changed, just be sure you're using the cert and key accordingly. The guide uses .key for the key, and .crt for the cert. Portage needs the 'db' key.
_________________
µgRD dev
Wiki writer
ermor
n00b
Joined: 05 Jan 2025
Posts: 4
PostPosted: Mon Jan 06, 2025 8:51 pm

Thanks for your help! I've gone a bit farther in the process, but for some reason the proprietary Nvidia drivers refuse signing, and I can't emerge them.

According to the log:

Code:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password: ../openssl-3.3.2/pem/pem_pkey.c:159

I didn't say earlier, sorry, but I have the "modules-sign" and "secureboot" USE flags and the MODULES_SIGN_KEY, MODULES_SIGN_CERT, SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT paths filled in with my db.key and db.crt (turned into .pem), and MODULES_SIGN_HASH="sha256".

Interestingly enough, the log mentions my key and cert files so it reads the paths given in my make.conf, but I'm not asked for my PEM password, which I assume is the problem. Am I supposed to give it to the install process in some other way?

EDIT: I thought of signing the drivers manually, and I found this topic (https://forums.gentoo.org/viewtopic-p-8844330.html) which suggests a possible solution to my problem, but I'm not sure which modules NeddySeagoon is talking about. Sorry if this is a dumb question, I'm just starting, but would anyone know precisely where these modules would be? Hopefully I can still sign them even though the emerge fails.
beeburrt
n00b
Joined: 11 Dec 2024
Posts: 1
Location: PNW
PostPosted: Wed Jan 08, 2025 10:53 am

Quote:
would anyone know precisely where these modules would be?

I don’t know the answer to that (/sys/module?) but here’s this:

The Linux Kernel Module Programming Guide

https://sysprog21.github.io/lkmpg/
ermor
n00b
Joined: 05 Jan 2025
Posts: 4
PostPosted: Wed Jan 08, 2025 7:02 pm

beeburrt wrote:
Quote:
would anyone know precisely where these modules would be?

I don’t know the answer to that (/sys/module?) but here’s this:

The Linux Kernel Module Programming Guide

https://sysprog21.github.io/lkmpg/

Thanks a lot, I'll give it a look!

I also found this link, might be of interest: https://forums.gentoo.org/viewtopic-p-8725256.html

I'll try and see if signing these modules manually helps.

Last edited by ermor on Sun Jan 12, 2025 4:23 pm; edited 1 time in total
ermor
n00b
Joined: 05 Jan 2025
Posts: 4
PostPosted: Sun Jan 12, 2025 4:23 pm

ermor wrote:
beeburrt wrote:
Quote:
would anyone know precisely where these modules would be?

I don’t know the answer to that (/sys/module?) but here’s this:

The Linux Kernel Module Programming Guide

https://sysprog21.github.io/lkmpg/

Thanks a lot, I'll give it a look!

I also found this link, might be of interest: https://forums.gentoo.org/viewtopic-p-8725256.html

I'll try and see if signing these modules manually helps.

So I tried signing the modules myself, but it fails with the same message I already posted, without asking me for my PEM code. Can't help but notice that the command that fails in the install process (and that I tried to perform manually) is very similar to the one used in my link (the kernel-provided perl script in the Kernel module signing optional step), except that the x509 key file is replaced with my cert:
Code:
/usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 /lib/modules/Kernel-Version-modules-path/video/nvidia-uvm.ko

I wonder if the script expects a public key, but I don't use one, I have symmetrically protected keyfiles.

Going back to the Secure Boot article, it says:
Quote:
Basic usage with an unencrypted db private key:
sudo sbsign --key custom_config/db.key --cert custom_config/db.crt --output /efi/signed-vmlinuz /boot/vmlinuz

Presumably, if I use the command, replacing the last bit with my module and the output bit with whatever name I want to give it, I suppose I'd be asked my PEM code.

That said, how would I go about manually installing the drivers once they're signed? Sorry if this is a dumb question, I'm not used to this sort of thing yet. Or even better, assuming I guessed the issue right, how could I alter the emerge process so that it signs the modules that way instead of the usual way?
zen_desu
Tux's lil' helper
Joined: 25 Oct 2024
Posts: 107
PostPosted: Sun Jan 12, 2025 6:55 pm

Kernel module signing and secure boot signing are two separate procedures, try not to get them confused. Both processes use public cryptography but use different keys for different purposes. Private keys can be protected with another layer of encryption but this should be considered separately from how the underlying key is used.

The kernel, the bootloader, and any code that is executed by the firmware directly must be signed with the DB key.
Kernel modules must be signed with the kernel's module signing key.

I believe the modules-sign use flag for nvidia-drivers should use your kernel's module signing key automatically to sign the kmods when they are installed.
_________________
µgRD dev
Wiki writer
Nowa
Developer
Joined: 25 Jun 2014
Posts: 470
Location: Nijmegen
PostPosted: Thu Jan 16, 2025 10:48 am

ermor wrote:
Thanks for your help! I've gone a bit farther in the process, but for some reason the proprietary Nvidia drivers refuse signing, and I can't emerge them.

According to the log:

Code:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
- SSL error:04800068:PEM routines::bad password: ../openssl-3.3.2/pem/pem_pkey.c:159

This sounds a lot like: https://bugs.gentoo.org/935733

Try disabling FEATURES=pid-sandbox.

Quote:
Presumably, if I use the command, replacing the last bit with my module and the output bit with whatever name I want to give it, I suppose I'd be asked my PEM code.


You cannot, the kernel is a PE/COFF type executable and sbsign can add a signature to that according to the specifications of that format. The kernel modules are ELF type executables and must be signed using the kernel's sign-file according to the specifications of this other format. You can use the same key for both (provided the key is compatible with both use cases), but you cannot use one signing tool to sign executable files in a different format than it expects.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
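As an added example (not code from this thread, the Gentoo wiki, or any of the posters), a small POSIX shell helper that makes the distinction in the last two replies concrete: it classifies a file by its magic bytes as a PE/COFF image (the sbsign and db key case) or an ELF module (the scripts/sign-file and module signing key case), checks whether a module already carries the marker sign-file appends, and prints the matching command line. The sample files are constructed for the demonstration; the key file names are the ones used in the thread, and the KBUILD_SIGN_PIN variable is sign-file's own way of taking an encrypted key's passphrase non-interactively, which the thread does not mention.

```shell
#!/bin/sh
# Added example, not from the thread: decide which of the two signing
# procedures applies to a file from its on-disk format, and check for an
# existing module signature.

# Marker the kernel's scripts/sign-file appends after the signature block
# (MODULE_SIG_STRING in the kernel source; 28 bytes including the newline).
MODULE_SIG_STRING='~Module signature appended~'

# Classify by magic bytes: "MZ" -> PE/COFF (EFI binaries, vmlinuz with an
# EFI stub), "\x7fELF" -> ELF (kernel modules), anything else -> unknown.
file_kind() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo pe ;;
        7f454c46) echo elf ;;
        *)        echo unknown ;;
    esac
}

# Map the format to the tool that understands it: sbsign for PE/COFF,
# sign-file for ELF. Neither tool can sign the other's format.
signing_tool_for() {
    case "$(file_kind "$1")" in
        pe)  echo sbsign ;;
        elf) echo sign-file ;;
        *)   echo none ;;
    esac
}

# Succeeds if the module ends with the marker sign-file appends.
# $(...) drops the trailing newline, so compare against the 27-byte string.
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "$MODULE_SIG_STRING" ]
}

# Print the command line that signs FILE with the key pair for its format.
# Key paths are placeholders; sign-file reads the passphrase of an encrypted
# key from KBUILD_SIGN_PIN instead of prompting on a terminal.
sign_command_for() {
    case "$(signing_tool_for "$1")" in
        sbsign)    echo "sbsign --key db.key --cert db.crt --output $1.signed $1" ;;
        sign-file) echo "KBUILD_SIGN_PIN=<passphrase> /usr/src/linux/scripts/sign-file sha256 signing_key.pem signing_key.x509 $1" ;;
        *)         echo "no signing tool for $1"; return 1 ;;
    esac
}
```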