Re: [PATCH v2] builddeb: Support signing kernels with the module signing key

From: Julian Andres Klode
Date: Tue Feb 08 2022 - 06:32:58 EST

Next message: Vimal Agrawal: "[PATCH v6] modules: add heuristic when stripping unneeded symbols"
Previous message: Pali Rohár: "Re: [PATCH 1/2] of: net: Add helper function of_get_ethdev_label()"
Next in thread: Matthew Wilcox: "Re: [PATCH v2] builddeb: Support signing kernels with the module signing key"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Feb 07, 2022 at 09:33:46PM +0900, Masahiro Yamada wrote:
> Added "Ben Hutchings <ben@xxxxxxxxxxxxxxx>"
>
> On Wed, Jan 5, 2022 at 3:13 AM Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
> >
> > On Wed, Jan 05, 2022 at 12:39:57AM +0900, Masahiro Yamada wrote:
> > > > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > > > +key=
> > > > +if is_enabled CONFIG_EFI_STUB && is_enabled CONFIG_MODULE_SIG; then
> > > > + cert=$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > > > + if [ ! -f $cert ]; then
> > > > + cert=$srctree/$cert
> > > > + fi
> > > > +
> > > > + key=${cert%pem}priv
> > > > + if [ ! -f $key ]; then
> > > > + key=$cert
> > > > + fi
> > >
> > >
> > > I still do not understand this part.
> > >
> > > It is true that the Debian document you referred to creates separate files
> > > for the key and the certificate:
> > > # openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform
> > > DER -out MOK.der -days 36500 -subj "/CN=My Name/" -nodes
> > >
> > > but, is such a use-case possible in Kbuild?
> >
> > If someone has followed the Debian instructions for creating a MOK,
> > then they will have two separate files. We should support both the case
> > where someone has created a Debian MOK and the case where someone has
> > used Kbuild to create this foolish blob with both private and public
> > key in one file.
>
> But, this patch is doing different things than the Debian document.
>
>
> The Debian document you referred to says:
> "Ubuntu puts its MOK key under /var/lib/shim-signed/mok/ and some
> software such as Oracle's virtualbox package expect the key there
> so we follow suit (see 989463 for reference) and put it at the same place"
>
>
>
> In Debian, MOK is generated under /var/lib/shim-signed/mok/,
> and its primary use is for signing the kernel.
> Then, you can reuse it for signing modules as well.

It's worth pointing out that in Ubuntu, the generated MOK key
is for module signing only (extended key usage 1.3.6.1.4.1.2312.16.1.2),
kernels signed with it will NOT be bootable.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

Next message: Vimal Agrawal: "[PATCH v6] modules: add heuristic when stripping unneeded symbols"
Previous message: Pali Rohár: "Re: [PATCH 1/2] of: net: Add helper function of_get_ethdev_label()"
Next in thread: Matthew Wilcox: "Re: [PATCH v2] builddeb: Support signing kernels with the module signing key"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]