Bug 36335 - Sign kernel modules for UEFI Secure Boot
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kernel
UCS 4.0
Other Linux
: P5 normal
: UCS 4.0
Assigned To: Stefan Gohmann
Janek Walkenhorst
: interim-3
Depends on:
Blocks: 38214 36383 39527
Reported: 2014-10-29 12:01 CET by Stefan Gohmann
Modified: 2015-10-14 12:17 CEST (History)
2 users

Description Stefan Gohmann univentionstaff 2014-10-29 12:01:43 CET
We need at least:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_ALL=y

CONFIG_MODULE_SIG_FORCE needs to be checked.
Comment 1 Stefan Gohmann univentionstaff 2014-10-30 10:11:25 CET
root@master701:~# grep CONFIG_MODULE_SIG /boot/config-3.16-ucs89-amd64
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
root@master701:~#
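The options in the description and the grep output in comment 1 can be checked mechanically. The following script is an added example, not part of this bug or of the UCS kernel packaging: it parses a kernel config in `.config` syntax (including the `# CONFIG_X is not set` form), reports which of the four requested options are missing, and flags the `CONFIG_MODULE_SIG_FORCE` question separately, because without it a kernel with `CONFIG_MODULE_SIG=y` still loads unsigned modules (tainting itself) unless booted with `module.sig_enforce=1`, while a module with an invalid signature is rejected. The sample configs embedded at the bottom are constructed from the lines shown in comment 1 plus a deliberately weaker variant.

```python
"""Check a kernel config for the module-signing options requested in this bug.

Added example; not part of the bug report or the UCS kernel packaging.
"""
import gzip
import os
import re
from pathlib import Path

# Options the bug description asks for, with the values it expects.
REQUIRED = {
    "CONFIG_MODULE_SIG": "y",
    "CONFIG_MODULE_SIG_ALL": "y",
    "CONFIG_MODULE_SIG_SHA512": "y",
    "CONFIG_MODULE_SIG_HASH": '"sha512"',
}


def parse_kconfig(text: str) -> dict:
    """Map CONFIG_* names to values; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = re.fullmatch(r"(CONFIG_\w+)=(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def check_module_signing(text: str):
    """Return (missing, warnings) for the text of a kernel config file."""
    opts = parse_kconfig(text)
    missing = [
        f"{name}={opts.get(name, 'n')} (want {want})"
        for name, want in REQUIRED.items()
        if opts.get(name, "n") != want
    ]
    warnings = []
    if opts.get("CONFIG_MODULE_SIG_FORCE", "n") != "y":
        # Without SIG_FORCE the kernel accepts unsigned modules (tainting itself)
        # unless it was booted with module.sig_enforce=1; a bad signature is
        # still rejected, which is what comment 4 observes.
        warnings.append(
            "CONFIG_MODULE_SIG_FORCE is not set: unsigned modules load with a taint "
            "unless module.sig_enforce=1 is on the kernel command line"
        )
    return missing, warnings


def load_running_config():
    """Read the running kernel's config from /boot or /proc/config.gz, if present."""
    boot = Path(f"/boot/config-{os.uname().release}")
    if boot.exists():
        return boot.read_text()
    proc = Path("/proc/config.gz")
    if proc.exists():
        with gzip.open(proc, "rt") as fh:
            return fh.read()
    return None


# Constructed sample inputs: the ucs89 lines from comment 1, and a weaker config.
SAMPLE_UCS89 = """\
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
"""
SAMPLE_WEAK = """\
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_ALL is not set
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
"""

if __name__ == "__main__":
    text = load_running_config() or SAMPLE_UCS89
    missing, warnings = check_module_signing(text)
    for item in missing:
        print("MISSING:", item)
    for item in warnings:
        print("WARNING:", item)
    print("module signing config OK" if not missing else "module signing config incomplete")
```

Run on a UCS host it reads `/boot/config-$(uname -r)`; with no config available it falls back to the constructed ucs89 sample, which passes the four required options and produces only the `CONFIG_MODULE_SIG_FORCE` warning.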
Comment 2 Janek Walkenhorst univentionstaff 2014-10-31 17:07:29 CET
Modules currently seem to not contain the signature.
Signatures seem to be removed by strip:
<http://wiki.gentoo.org/index.php?oldid=109463#Validating_module_signature_support>
Comment 3 Stefan Gohmann univentionstaff 2014-11-03 06:52:31 CET
I've added a manual sign command to the rules file. ucs102 has signed modules:

root@master501:~# hexdump -C /lib/modules/3.16-ucs102-amd64/kernel/arch/x86/crypto/aes-x86_64.ko | tail -n 4
00005e10  14 00 00 00 00 00 02 02  7e 4d 6f 64 75 6c 65 20  |........~Module |
00005e20  73 69 67 6e 61 74 75 72  65 20 61 70 70 65 6e 64  |signature append|
00005e30  65 64 7e 0a                                       |ed~.|
00005e34
root@master501:~#

(In reply to Janek Walkenhorst from comment #2)
> Signatures seem to be removed by strip:

Without the strip command the kernel package is more than 300 MB instead of 30 MB.
Comment 4 Janek Walkenhorst univentionstaff 2014-11-03 16:45:36 CET
Modules are signed, invalid signatures do not load.
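Comments 2 to 4 turn on whether a `.ko` file still carries its signature trailer after `strip`. The hexdump in comment 3 shows the end of a signed module: the raw signature, then a 12-byte `struct module_signature` (the visible bytes `14 00 00 00 00 00 02 02` are the key-id length 0x14 = 20, three padding bytes and the big-endian signature length 0x202 = 514), then the magic string `~Module signature appended~\n`. The parser below is an added example, not code from the bug or from the UCS kernel build: it reads that trailer from a module image and reports `None` for a module that has lost it, which is the quick check to run over `/lib/modules/<release>` before trusting that a package was signed. The sample module it builds is constructed (a fake ELF header and a dummy 512-byte RSA value with the 2-byte MPI length prefix used by the 3.x X.509 format, so that `sig_len` comes out to the 514 seen in the dump); the signer name and key id are placeholders, and the `algo`, `hash` and `id_type` mappings follow the kernel's `pkey_algo`, `HASH_ALGO_*` and `pkey_id_type` enumerations.

```python
"""Inspect the signature trailer appended to a kernel module (.ko).

Added example; not part of the bug report or the UCS kernel build.

Trailer layout (3.x kernels, X.509 id type):
    [module image][signer name][key id][signature][struct module_signature][MAGIC]
"""
import struct
import sys
from pathlib import Path

MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len;
#                          u8 __pad[3]; __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")

ALGOS = {0: "dsa", 1: "rsa"}                       # enum pkey_algo
ID_TYPES = {0: "pgp", 1: "x509", 2: "pkcs7"}       # enum pkey_id_type
HASHES = {0: "md4", 1: "md5", 2: "sha1", 3: "rmd160",
          4: "sha256", 5: "sha384", 6: "sha512", 7: "sha224"}  # HASH_ALGO_* order


def parse_module_signature(blob: bytes):
    """Return a dict describing the trailer, or None if the module is unsigned."""
    if not blob.endswith(MAGIC):
        return None                      # no trailer: unsigned, or stripped off
    body = blob[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("signature lengths exceed file size")
    block = body[len(body) - total:]
    signer = block[:signer_len]
    key_id = block[signer_len:signer_len + key_id_len]
    return {
        "algo": ALGOS.get(algo, f"unknown({algo})"),
        "hash": HASHES.get(hash_id, f"unknown({hash_id})"),
        "id_type": ID_TYPES.get(id_type, f"unknown({id_type})"),
        "signer": signer.decode("ascii", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "module_len": len(body) - total,                     # bytes that were hashed
        "trailer_len": total + SIG_INFO.size + len(MAGIC),   # bytes strip would drop
    }


def build_sample_module() -> bytes:
    """Constructed sample: fake ELF image plus a 3.x-style X.509 trailer (dummy signature)."""
    image = b"\x7fELF" + b"\x00" * 60
    signer = b"Example signing key"              # placeholder signer name
    key_id = bytes(range(20))                    # placeholder 20-byte key id (0x14 in the dump)
    rsa_sig = b"\x10\x00" + b"\xaa" * 512         # MPI: 2-byte bit length (4096) + 512 dummy bytes
    info = SIG_INFO.pack(1, 6, 1, len(signer), len(key_id), len(rsa_sig))  # rsa, sha512, x509
    return image + signer + key_id + rsa_sig + info + MAGIC


def scan_modules(root: Path):
    """Yield (path, info-or-None) for every .ko under root."""
    for ko in sorted(root.rglob("*.ko")):
        yield ko, parse_module_signature(ko.read_bytes())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, info in scan_modules(Path(sys.argv[1])):
            print(f"{'signed  ' if info else 'UNSIGNED'} {path}")
    else:
        print(parse_module_signature(build_sample_module()))
        print("stripped copy:", parse_module_signature(build_sample_module()[:64]))
```

Invoked with a directory argument (for example `/lib/modules/3.16-ucs102-amd64`) it lists every module without a trailer; the stripped case in comment 2 shows up as `UNSIGNED`. The parser only reads the trailer and does not verify the signature; the kernel does that at load time, which is why comment 4 can report that modules with invalid signatures are refused.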
Comment 5 Stefan Gohmann univentionstaff 2014-11-26 06:54:13 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".