Secure boot and packaging third-party kernel modules
David Sommerseth
davids at redhat.com
Fri May 29 12:40:59 UTC 2015
On 28/05/15 17:45, Josh Boyer wrote:
> On Thu, May 28, 2015 at 11:26 AM, David Sommerseth <davids at redhat.com> wrote:
>>
>> Hi,
>>
>> I've started poking into packaging the mhvtl project for Fedora and
>> EPEL. This package also contains a kernel module, which normally works
>> fine - until you hit Secure Boot.
>>
>> So I was wondering how to handle this the best way. AFAIK, there are
>> currently no plans to get the mhvtl.ko kernel module into the upstream
>> kernel.
>
> Where can I read more information on this project, and why that might be?
Duh! I'm so into this I forget to add better project info ...
<https://sites.google.com/site/linuxvtl2/>
> It is worth noting that Fedora does not allow packages other than the
> kernel to ship kernel modules.
Oh, I was not aware of that. But compiling a kernel module "on-the-fly"
is acceptable for Fedora?
[...snip...]
>> My current idea to solve this is to:
>>
>> * Have a "preparation" script which the admin is required to run
>> on a new system. This scripts generates the needed key material and
>> runs mokutil which installs the key. It will then provide enough
>> information so that the admin can reboot the system and get the MOK
>> key installed.
>>
>> * Have a unit file which runs a ExecStartPre= script. This script
>> will check if the key material exists. If it does, it will check
>> if the mhvtl.ko module for the currently running kernel exists.
>> If the module is missing, it will compile it, sign it and load it.
>> Failures along the way will cause the unit file to fail all together.
>> When the ExecStartPre= script has completed successfully, it will
>> start the needed processes it normally would do.
>>
>>
>> Any thoughts or comments to this approach? Anyone got a better idea?
>
> The above approach seems mostly sane. It does seem like a lot of
> hassle, but it's what is required if you want to leave SB validation
> enabled. Otherwise, you could have your preparation script disable
> mokutil validation at the risk of no longer leveraging the SB
> protections for grub, the kernel, or the kernel modules. Shim is
> still validated by UEFI itself as SB is still enabled in the firmware.
I generally prefer the most strict approaches, I don't want users to
feel that a package I introduce may lower the overall security in any
way - unless that is the only working alternative. I do see it doesn't
makes it "easy" to implement, but that's how it is.
>> Yes, I do know it is not good to have the keying material for the
>> signing too easily available. So I'm also keen to hear ideas how to
>> protect the key better. With that said, I'm planning on only providing
>> access to the key file to the root user only. And I'll look into if I
>> can restrict the accesss even further with some SELinux rules (so only
>> the ExecStartPre= script can access it together with the "preparation"
>> script.
>>
>> Another thought ... Are there other packages who could benefit of such a
>> solution if it was made more generic? I'm willing to investigate into
>> this too, if there are more users out there ... Or if someone has
>> already done that - no need to reinvent the wheel!
>
> I'm not aware of any. The one place that might be worth looking is
> rpmfusion, as I would expect they need to do something similar for the
> kernel module packages they build if they care about running with SB
> enabled.
Thanks!
--
kind regards,
David Sommerseth
More information about the devel
mailing list