Poking technologies for enrolling customer key to kernel trusted keyring
a project by joeyli
Updated about 2 years ago. 1 hackers ♥️. 1 follower.

Project Description

The keys in db or mok can be used to verify boot loader and kernel binary for booting. But upstream kernel doesn't trust them for enrolling to trusted keyring because they are enrolled outside the boundaries of kernel. Which means that IMA can not use db/mok keys for verification.

Currently if users/partners want to enroll their keys to the kernel trusted keyring, the user key must be signed by kernel's build-in key. But SUSE will not sign any user key. In upstream, there have some known technologies against this situation:

  • CONFIGSYSTEMEXTRA_CERTIFICATE Reserve a space in kernel binary for enrolling user's key.

  • MokListTrustedRT A new MOK variable be introduced. User can use this variable to tell shim and kernel that the keys in MOK can be trusted by kernel. Which means keys will be enrolled to trusted keyring.

Goal for this Hackweek

Find a good way for SLE/openSUSE user for enrolling their key to trust keyring in kernel. IMA should also trust those keys.

Resources

kernel, shim, mokutil

Join this project

Looking for hackers with the skills:

security shim kernel mok

This project is part of:

Hack Week 21

Activity

  • about 2 years ago: joeyli started this project.
  • about 2 years ago: jzerebecki liked this project.
  • about 2 years ago: joeyli added keyword "security" to this project.
  • about 2 years ago: joeyli added keyword "shim" to this project.
  • about 2 years ago: joeyli added keyword "kernel" to this project.
  • about 2 years ago: joeyli added keyword "mok" to this project.
  • about 2 years ago: joeyli originated this project.


    • Comments

    • jzerebecki
      about 2 years ago by jzerebecki | Reply

      Thank you, good to know. This would make SecureBoot useful for me. Seems MokListTrustedRT is supported since kernel v5.18-rc1: https://github.com/torvalds/linux/blob/eaa54b1458ca84092e513d554dd6d234245e6bef/security/integrity/platformcerts/machinekeyring.c#L57 And since shim 15.5-rc2: https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f

      • joeyli
        about 2 years ago by joeyli | Reply

        Thanks for your information! I will try the .machine keyring with IMA/EVM.

    • joeyli
      about 2 years ago by joeyli | Reply

      My report of hackweek 21 topic in Asia wrap-up meeting: https://mysuse-my.sharepoint.com/:f:/g/personal/jleesusecom/Eh9GI6bsNU5IkhsmgSQR17IBFxGK7eXWhxj1_EvCVo80Pg?e=bc2198

    • joeyli
      about 2 years ago by joeyli | Reply

      Video record of presentation in Asia wrap-up meeting: https://mysuse-my.sharepoint.com/:v:/g/personal/jleesusecom/EaoOJVtjeORAobvoqg75-D0BBgd9E5xkD6KgDGT226F-Tw?e=ma0tUh

    • joeyli
      about 2 years ago by joeyli | Reply

      Environment: shim 15.6, Liunx v5.18 Kernel, openSUSE Tumbleweed

    Similar Projects

    This project is one of its kind!