ermor (n00b)
Joined: 05 Jan 2025, Posts: 4
Posted: Sun Jan 05, 2025 7:14 pm, Post subject: Secure Boot: Stuck at "signing boot files"

Hello everyone,
I've recently installed Gentoo and I'm currently trying to enable Secure Boot (https://wiki.gentoo.org/wiki/Secure_Boot). Everything seems to have gone well so far, but now I'm trying to sign my boot files and the link doesn't really seem to account for my situation. It expects me to be using a Unified Kernel Image and GPG encrypted keys, but I'm using the distribution kernel with GRUB and symmetrically protected keyfiles, and it's a bit unclear to me what I should be signing, and the exact commands I should use.
I remembered there being a step to sign the distribution kernel in the handbook (https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel#Distribution_kernels) and I tried to follow it by giving the paths to my db.key and db.cer, but the subsequent emerge apparently really wants these to be PEM, and there was no step to create these specific file formats, so I'm not too sure what it's about.
I've also found this link (https://www.reddit.com/r/Gentoo/comments/15w78vw/confusion_with_secure_booting_signing_boot_files/) that seems to indicate I should sign the distribution kernel and GRUB, but it doesn't say how and the emerge I got seemed to imply my Nvidia drivers would also need to be signed, so it doesn't seem to be complete either.
Does anyone have any insight on what I should do?
zen_desu (Tux's lil' helper)
Joined: 25 Oct 2024, Posts: 109
Posted: Sun Jan 05, 2025 7:41 pm

Most sections on the secure boot wiki page should include steps for plain/openssl protected keys as well as GPG ones.
The file extension can be changed, just be sure you're using the cert and key accordingly. The guide uses .key for the key, and .crt for the cert. Portage needs the 'db' key.
_________________
µgRD dev
Wiki writer
ermor (n00b)
Joined: 05 Jan 2025, Posts: 4
Posted: Mon Jan 06, 2025 8:51 pm

Thanks for your help! I've gone a bit farther in the process, but for some reason the proprietary Nvidia drivers refuse signing, and I can't emerge them.
According to the log:
Code:
    - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
    - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
    - SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
    - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
    - SSL error:04800068:PEM routines::bad password: ../openssl-3.3.2/pem/pem_pkey.c:159
I didn't say earlier, sorry, but I have the "modules-sign" and "secureboot" USE flags and the MODULES_SIGN_KEY, MODULES_SIGN_CERT, SECUREBOOT_SIGN_KEY and SECUREBOOT_SIGN_CERT paths filled in with my db.key and db.crt (turned into .pem), and MODULES_SIGN_HASH="sha256".
Interestingly enough, the log mentions my key and cert files so it reads the paths given in my make.conf, but I'm not asked for my PEM password, which I assume is the problem. Am I supposed to give it to the install process in some other way?
EDIT: I thought of signing the drivers manually, and I found this topic (https://forums.gentoo.org/viewtopic-p-8844330.html) which suggests a possible solution to my problem, but I'm not sure which modules NeddySeagoon is talking about. Sorry if this is a dumb question, I'm just starting, but would anyone know precisely where these modules would be? Hopefully I can still sign them even though the emerge fails.
beeburrt (n00b)
Joined: 11 Dec 2024, Posts: 1, Location: PNW
Posted: Wed Jan 08, 2025 10:53 am

Quote:
    would anyone know precisely where these modules would be?

I don’t know the answer to that (/sys/module?) but here’s this:
The Linux Kernel Module Programming Guide
https://sysprog21.github.io/lkmpg/
ermor (n00b)
Joined: 05 Jan 2025, Posts: 4
Posted: Wed Jan 08, 2025 7:02 pm

beeburrt wrote:
    Quote:
        would anyone know precisely where these modules would be?

    I don’t know the answer to that (/sys/module?) but here’s this:
    The Linux Kernel Module Programming Guide
    https://sysprog21.github.io/lkmpg/

Thanks a lot, I'll give it a look!
I also found this link, might be of interest: https://forums.gentoo.org/viewtopic-p-8725256.html
I'll try and see if signing these modules manually helps.

Last edited by ermor on Sun Jan 12, 2025 4:23 pm; edited 1 time in total
ermor (n00b)
Joined: 05 Jan 2025, Posts: 4
Posted: Sun Jan 12, 2025 4:23 pm

ermor wrote:
    beeburrt wrote:
        Quote:
            would anyone know precisely where these modules would be?

        I don’t know the answer to that (/sys/module?) but here’s this:
        The Linux Kernel Module Programming Guide
        https://sysprog21.github.io/lkmpg/

    Thanks a lot, I'll give it a look!
    I also found this link, might be of interest: https://forums.gentoo.org/viewtopic-p-8725256.html
    I'll try and see if signing these modules manually helps.

So I tried signing the modules myself, but it fails with the same message I already posted, without asking me for my PEM code. Can't help but notice that the command that fails in the install process (and that I tried to perform manually) is very similar to the one used in my link (the kernel-provided perl script in the Kernel module signing optional step), except that the x509 key file is replaced with my cert:
Code:
    /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 /lib/modules/Kernel-Version-modules-path/video/nvidia-uvm.ko
I wonder if the script expects a public key, but I don't use one, I have symmetrically protected keyfiles.
Going back to the Secure Boot article, it says:
Quote:
    Basic usage with an unencrypted db private key:
    sudo sbsign --key custom_config/db.key --cert custom_config/db.crt --output /efi/signed-vmlinuz /boot/vmlinuz
Presumably, if I use the command, replacing the last bit with my module and the output bit with whatever name I want to give it, I suppose I'd be asked my PEM code.
That said, how would I go about manually installing the drivers once they're signed? Sorry if this is a dumb question, I'm not used to this sort of thing yet. Or even better, assuming I guessed the issue right, how could I alter the emerge process so that it signs the modules that way instead of the usual way?
zen_desu (Tux's lil' helper)
Joined: 25 Oct 2024, Posts: 109
Posted: Sun Jan 12, 2025 6:55 pm

Kernel module signing and secure boot signing are two separate procedures, try not to get them confused. Both processes use public cryptography but use different keys for different purposes. Private keys can be protected with another layer of encryption but this should be considered separately from how the underlying key is used.
The kernel, bootloader, any code which is executed by the firmware directly, must be signed with the DB key.
Kernel modules must be signed with the kernel's module signing key.
I believe the modules-sign use flag for nvidia-drivers should use your kernel's module signing key automatically to sign the kmods when they are installed.
_________________
µgRD dev
Wiki writer
Nowa (Developer)
Joined: 25 Jun 2014, Posts: 473, Location: Nijmegen
Posted: Thu Jan 16, 2025 10:48 am

ermor wrote:
    Thanks for your help! I've gone a bit farther in the process, but for some reason the proprietary Nvidia drivers refuse signing, and I can't emerge them.
    According to the log:
    Code:
        - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
        - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
        - SSL error:1C80009F:Provider routines::unable to get passphrase: ../openssl-3.3.2/providers/implementations/encode_decode/decode_epki2pki.c:121
        - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../openssl-3.3.2/crypto/passphrase.c:178
        - SSL error:04800068:PEM routines::bad password: ../openssl-3.3.2/pem/pem_pkey.c:159

This sounds a lot like: https://bugs.gentoo.org/935733
Try disabling FEATURES=pid-sandbox.
Quote:
    Presumably, if I use the command, replacing the last bit with my module and the output bit with whatever name I want to give it, I suppose I'd be asked my PEM code.

You cannot, the kernel is a PE/COFF type executable and sbsign can add a signature to that according to the specifications of that format. The kernel modules are ELF type executables and must be signed using the kernel's sign-file according to the specifications of this other format. You can use the same key for both (provided the key is compatible with both use cases), but you cannot use one signing tool to sign executable files in a different format than it expects.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400
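As an added illustration of the format distinction zen_desu and Nowa draw above (this is not code from the thread or from the Gentoo wiki), the script below classifies a file by its magic bytes, names the signing tool that fits that format, and for ELF modules checks for the fixed trailer the kernel's sign-file appends; the sample files are constructed dummies with only the magic bytes and trailer of real binaries.

```shell
#!/bin/sh
# Added example, not code from the thread or the Gentoo wiki: tell a PE/COFF
# image (kernel or GRUB EFI binary, signed with sbsign against the db key) apart
# from an ELF kernel module (signed with the kernel's scripts/sign-file), and
# report whether a module already carries the trailer that sign-file appends.

# Print "pe", "elf" or "unknown" from the first four bytes of a file.
boot_file_format() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo pe ;;      # "MZ": PE/COFF, e.g. vmlinuz or grubx64.efi
        7f454c46) echo elf ;;     # "\x7fELF": a .ko module
        *)        echo unknown ;;
    esac
}

# Succeed when the file ends with the 28-byte marker sign-file appends
# ("~Module signature appended~" plus a newline), i.e. the module is signed.
module_has_signature() {
    tail -c 28 "$1" | grep -q '~Module signature appended~'
}

# Name the signing tool that matches the file's format; for modules also say
# whether a signature is present. Checking the signature itself is left to
# sbverify (PE) or to the kernel at module load time (ELF).
signing_tool_for() {
    case "$(boot_file_format "$1")" in
        pe)  echo "sbsign (PE/COFF; check with sbverify --cert db.crt)" ;;
        elf) if module_has_signature "$1"; then
                 echo "sign-file (ELF module, signature present)"
             else
                 echo "sign-file (ELF module, unsigned)"
             fi ;;
        *)   echo "unknown format, no tool selected" ;;
    esac
}

# Constructed dummy files carrying only the magic bytes, not real binaries.
tmp=$(mktemp -d)
printf 'MZ\220fake-efi-image' > "$tmp/vmlinuz.efi"
printf '\177ELF\2\1\1fake-module' > "$tmp/unsigned.ko"
{ printf '\177ELF\2\1\1fake-module'; printf 'SIG~Module signature appended~\n'; } > "$tmp/signed.ko"
for f in "$tmp"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(signing_tool_for "$f")"
done
```

Run against real files (/boot/vmlinuz*, /efi/EFI/*/grubx64.efi, /lib/modules/*/video/nvidia*.ko) it shows at a glance which artefacts still need which tool.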