Light

aneesh-neelam / uefi-secureboot-signtool Goto Github PK

View Code? Open in Web Editor NEW

27.0 3.0 5.0 23 KB

Script to sign external Linux kernel modules for UEFI Secure Boot.

License: GNU General Public License v2.0

Shell 100.00%

uefi secure-boot linux-kernel linux-kernel-module

uefi-secureboot-signtool's Introduction

UEFI Secure Boot sign tool

The default signed Linux kernel on Ubuntu (>=16.04.x), Fedora and perhaps on other distributions as well, won't load unsigned external kernel modules if Secure Boot is enabled on UEFI systems. Hence, any external kernel modules like the proprietary Nvidia kernel driver, Oracle VM VirtualBox's host/guest kernel driver etc. won't work.

External kernel modules must be signed for UEFI Secure Boot using a Machine Owner Key (MOK). This is useful if you can't or don't wish to disable Secure Boot on your UEFI-enabled system.

UEFI Secure Boot Sign Tool can be used to sign kernel modules. Essentially, it is a wrapper around the sign-file binary in the kernel sources.

The systemd service can be enabled to automatically sign specific kernel modules with user's own once setup is complete.

Install and Setup

Fedora Dependencies:

kernel-devel
mokutil
openssl
Any text editor

Extract/Install the files in their respective locations. Download installation script from the releases page and run install.sh as root.

# ./install.sh

Generating a Public and Private X.509 Key Pair:

Generate a X.509 Key Pair as the UEFI Secure Boot Machine Owner Key.

$ openssl req -new -x509 -newkey rsa:2048 -keyout "/etc/sb-signtool/keyfiles/sb.priv" -outform DER -out "/etc/sb-signtool/keyfiles/sb_pub.der" -nodes -days 36500 -subj "/CN=<your name>/"

Import Public Key into UEFI-enabled System:

# mokutil --import "/etc/sb-signtool/sb_pub.der"

Edit the UEFI Secure Boot Sign Tool config file(s):

Must edit the following file before running script:

/etc/sb-signtool/modules.conf

You can check out an example file in the documentation.

Usage

Must run the Signing Tool every time a kernel module is rebuilt or when a new kernel is installed. Or enable the systemd service to do that on boot.

Run the UEFI Secure Boot Signing Tool:

# /usr/bin/sb-signtool-sign

Enable the systemd service:

# systemctl enable sb-signtool.service

TODO

Packaging and distribution for Ubuntu, Fedora, Arch Linux etc.

Contributing and License

Feel free to create GitHub Issues and issue Pull Requests to contribute to this project.

Code released under GNU General Public License v2.0.

uefi-secureboot-signtool's People

Contributors

Stargazers

Watchers

Forkers

stewlab kuboosoft rastuszhang twau

uefi-secureboot-signtool's Issues

Running Tool Errors

> sb-signtool-sign
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
Usage: scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
At main.c:245:
- SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178
sign-file: /lib/modules/4.4.0-128-generic/#/updates/dkms/snapapi26.ko.~signed~: No such file or directory
At main.c:245:
- SSL error:02001002:system library:fopen:No such file or directory: bss_file.c:175
- SSL error:2006D080:BIO routines:BIO_new_file:no such file: bss_file.c:178
sign-file: /lib/modules/4.4.0-128-generic/#/updates/dkms/snumbd26.ko.~signed~: No such file or directory
At main.c:268:
- SSL error:0200B015:system library:fread:Is a directory: bss_file.c:251
- SSL error:20082002:BIO routines:FILE_READ:system lib: bss_file.c:252
At main.c:303:
- SSL error:0200B015:system library:fread:Is a directory: bss_file.c:251
- SSL error:20082002:BIO routines:FILE_READ:system lib: bss_file.c:252
sign-file: /lib/modules/4.4.0-128-generic/: Is a directory

Certificates Path

the instructions to run the cert import need to be updated to

/etc/sb-signtool/keyfiles/sb_pub.der

or the path to which the certs are created needs to be changed in the preceding command.

Sign modules that are compressed

Some modules are configured to be compressed and stored in formats such as *.ko.xz (XZ compression)

Must update script to uncompress, sign and recompress modules compressed using gzip or xz.

Alternative to this

Must find a way to integrate with DKMS for this to work perfectly. What if DKMS signs the module when it builds it? We could provide a script that DKMS could call automatically when a kernel module is built.

The current script and service can still be used for certain things that may not use DKMS like Oracle VirtualBox sourced directly from Oracle. Someone correct me if I'm wrong.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.