Project Description
The keys in db or mok can be used to verify boot loader and kernel binary for booting. But upstream kernel doesn't trust them for enrolling to trusted keyring because they are enrolled outside the boundaries of kernel. Which means that IMA can not use db/mok keys for verification.
Currently if users/partners want to enroll their keys to the kernel trusted keyring, the user key must be signed by kernel's build-in key. But SUSE will not sign any user key. In upstream, there have some known technologies against this situation:
CONFIGSYSTEMEXTRA_CERTIFICATE Reserve a space in kernel binary for enrolling user's key.
MokListTrustedRT A new MOK variable be introduced. User can use this variable to tell shim and kernel that the keys in MOK can be trusted by kernel. Which means keys will be enrolled to trusted keyring.
Goal for this Hackweek
Find a good way for SLE/openSUSE user for enrolling their key to trust keyring in kernel. IMA should also trust those keys.
Resources
kernel, shim, mokutil
This project is part of:
Hack Week 21
Activity
Comments
-
about 2 months ago by jzerebecki | Reply
Thank you, good to know. This would make SecureBoot useful for me. Seems MokListTrustedRT is supported since kernel v5.18-rc1: https://github.com/torvalds/linux/blob/eaa54b1458ca84092e513d554dd6d234245e6bef/security/integrity/platform_certs/machine_keyring.c#L57 And since shim 15.5-rc2: https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
-
about 2 months ago by joeyli | Reply
My report of hackweek 21 topic in Asia wrap-up meeting: https://mysuse-my.sharepoint.com/:f:/g/personal/jlee_suse_com/Eh9GI6bsNU5IkhsmgSQR17IBFxGK7eXWhxj1_EvCVo80Pg?e=bc2198
-
about 2 months ago by joeyli | Reply
Video record of presentation in Asia wrap-up meeting: https://mysuse-my.sharepoint.com/:v:/g/personal/jlee_suse_com/EaoOJVtjeORAobvoqg75-D0BBgd9E5xkD6KgDGT226F-Tw?e=ma0tUh
-
Similar Projects
Explore Crev as collaborative code audit by pperego
Project Description
Crev [1] is a collabo...
Learn more about Application Security (AppSec) Open Source Tools and Testing Techniques by heidi.bronson
[comment]: # (Please use the project descriptio...
Model checking the BPF verifier by shunghsiyu
Project Description
BPF verifier plays a ...
rust security reviews and cargo-crev by jzerebecki
[comment]: # (Please use the project descriptio...
Kanidm - Modern Opensource Identity Management by firstyear
Project Description
Kanidm is a identity ma...
Nanos Unikernel by rpalethorpe
Project Description
Nanos is a "unikernel...
mac80211_hwsim tool by cfconrad
Project Description
Write a userland tool...
early stage kdump support by mbrugger
[comment]: # (Please use the project descriptio...
generic zswap dedup by ailiopoulos
[comment]: # (Please use the project descriptio...
Rust in linux kernel by dsterba
[comment]: # (Please use the project descriptio...