
The return of the lockdown patches

Posted Apr 4, 2019 10:16 UTC (Thu) by bluca (subscriber, #118303)
In reply to: The return of the lockdown patches by mjthayer
Parent article: The return of the lockdown patches

The solution is very simple: use KVM! :-P
Just kidding of course - distros like Ubuntu do provide a way for users to sign their own modules, via MOK, in a pretty much automated way after the initial setup. The trouble is that it requires yet another set of patches on top of the lockdown set, that for example Debian doesn't have at the moment. In your experience, does that feature help?
One of the advantages of having this patchset finally merged upstream (fingers crossed!) is that we can then build tooling on top of it that is common between all distros, rather than the patchwork that it is now, where, depending on what you run on, the story is different.


The return of the lockdown patches

Posted Apr 4, 2019 12:18 UTC (Thu) by mjthayer (guest, #39183) [Link] (3 responses)

I still haven't had enough time and energy to work out how the Ubuntu thing works. (Does using DKMS for modules, which we used to do until I decided it was double work and double problems for the same benefit, automate it?) Of course, something in me wonders whether automatically signing kernel modules doesn't defeat the purpose. And the thought of handling every distribution out there separately does not really thrill me, but as you said, consistent tooling would improve things. I do wonder whether something which is both secure and usable is actually possible.

And yes, using KVM for the host part would actually theoretically be possible, though it does not help with our in-kernel networking code, which now presents the same interface to userspace on all supported host platforms. Nor does it help for the Guest Additions.

The return of the lockdown patches

Posted Apr 4, 2019 12:50 UTC (Thu) by bluca (subscriber, #118303) [Link] (2 responses)

It's automated for DKMS, but it can be used manually for binary modules (if you are distributing binary modules you could do that in post-inst like dkms does for example) with the kmodsign command.
Security-wise, it's not too different from normal MOK, in that it requires physical presence at the hardware to enroll the key when it's generated the first time around. And the key is restricted to verification of kernel modules only, it can't be used to verify images or bootloaders.

Some references:

https://wiki.ubuntu.com/UEFI/SecureBoot
https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS
https://wiki.ubuntu.com/UEFI/SecureBoot/Signing

But yes, it's completely specific to Ubuntu at the moment. I've proposed a PR to get the required kernel patches in Debian as the first step, so maybe at some point we'll converge, but most likely not for Buster (if ever).
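As an added illustration of the MOK flow bluca outlines above (this is example code, not from the thread or from Ubuntu's own update-secureboot-policy/DKMS scripts), assuming openssl, mokutil and kmodsign are installed; the key directory, subject name, kmodsign argument order and the module-only EKU OID are assumptions, not taken from the thread:

```shell
#!/bin/sh
# Added example, not Ubuntu's own tooling: generate a MOK key, queue it for
# enrolment, sign a module, and check for the kernel's signature trailer.
set -eu

MOK_DIR="${MOK_DIR:-${HOME:-/tmp}/mok}"       # placeholder key location
MODSIG_MAGIC='~Module signature appended~'   # kernel MODULE_SIG_STRING without "\n"

# 1. Key pair limited to code signing. The second EKU OID is the one shim is
#    believed to treat as "kernel module signing only" (assumed); a plain
#    codeSigning MOK would also be trusted for kernel images.
generate_mok() {
    mkdir -p "$MOK_DIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -subj "/CN=Local module signing key (placeholder)/" \
        -addext "extendedKeyUsage=codeSigning,1.3.6.1.4.1.2312.16.1.2" \
        -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der"
    chmod 600 "$MOK_DIR/MOK.priv"
}

# 2. Queue the certificate. mokutil asks for a one-time password; on the next
#    boot MokManager needs someone at the console to confirm, which is the
#    physical-presence step the thread refers to.
enroll_mok() {
    mokutil --import "$MOK_DIR/MOK.der"
}

# 3. Sign a module in place (kmodsign wraps the kernel's scripts/sign-file;
#    argument order assumed: hash algo, private key, DER cert, module).
sign_module() {
    kmodsign sha512 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$1"
}

# 4. Signed modules end with struct module_signature followed by the 28-byte
#    magic string; command substitution drops the trailing newline.
module_is_signed() {
    [ "$(tail -c 28 "$1")" = "$MODSIG_MAGIC" ]
}

case "${1:-}" in
    generate) generate_mok ;;
    enroll)   enroll_mok ;;
    sign)     sign_module "$2" ;;
    check)    if module_is_signed "$2"; then echo signed; else echo unsigned; fi ;;
esac
```

The trailer check only tells you a signature block is present; whether the kernel accepts it depends on the signer being in MokList (or the kernel's built-in keyring), which `dmesg` reports at module load time.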

The return of the lockdown patches

Posted Apr 4, 2019 14:31 UTC (Thu) by mjthayer (guest, #39183) [Link] (1 response)

Actually, looking at 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch it looks like something we could use. I suppose Ubuntu is important enough to justify duplicating a few lines of shell to get module signing working there. Out of interest, are you the author of that and/or update-secureboot-policy?

The return of the lockdown patches

Posted Apr 4, 2019 14:41 UTC (Thu) by bluca (subscriber, #118303) [Link]

No, I'm just a user.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds