On 27/10/22 21:56, Siddh Raman Pant wrote:
> I used libsecret (which is used as backend by the Python program named keyring),
> with the keyring being stored as root (isn't visible outside root in seahorse).
> Can you tell why that may be a bad idea?
It can be a nice solution, but I admit I have no idea how this works, and many
questions arose in my mind: how is the keyring first created? Is the keyring
password protected? How is the keyring password asked for? Does this work in a
su-ed/sudo-ed text-only console? What happens when issuing this command in a
root console, and what would be the output:
# keyring get uefi mok
When talking of Gnome/KDE keyrings my head goes to X11/Wayland, and I prefer
not to run graphical applications as root to avoid making the whole process
more complex and therefore potentially more prone to security issues.
[...]
> I won't really want to store the password in plaintext...
Agreed, but remember that current dkms is designed to create a new MOK key
_without_ a password; it doesn't currently even support using a password
protected MOK key: this is even less secure.
The whole secure boot support is still looking to get a stable shape and I
wouldn't deploy it in a production environment yet; in the meanwhile, while
experimenting with it, I can live with a root-only readable file containing the
clear-text password.
[...]
> What I pointed out was setting sign_file to a bash script. It would solve this
> issue too, as the correct path to the actual sign_file binary could be used in
> the bash script / handler. dkms would call the bash script with its arguments,
> and the script will call the correct binary (passing the arguments to it), as
> $kernelver variable would be available to the script.
Yours is indeed a possible solution until the issues are fixed on the dkms
side IMO: I used a bash sign-file script too at first; but this is actually a
workaround, and looking abstractly at the issue I think that if dkms is
supposed to manage module signing, a fix has to be introduced there.
> Also, v3.0.6-4 seems to have the fallback you mentioned. Refer:
> https://salsa.debian.org/debian/dkms/-/blob/debian/3.0.6-4/dkms.in#L870
That's not a fallback: when running a Debian distro the * case will never be
executed. In the current master tree the * case has been removed and a check has
been added after the case block to set a fallback path if the sign-file
executable wasn't found [1].
[...]
Attached here is the patch to dkms that I'm currently using to make module signing work.
[1] https://github.com/dell/dkms/blob/master/dkms.in#L893
--- dkms.orig 2022-10-20 21:04:14.000000000 +0200
+++ dkms 2022-10-28 01:05:07.498924847 +0200
@@ -872,24 +872,34 @@
case "$running_distribution" in
debian* )
sign_file="/usr/lib/linux-kbuild-${kernelver%.*}/scripts/sign-file"
+ kconfig="/usr/src/linux-headers-$kernelver/.config"
;;
ubuntu* )
sign_file="$(command -v kmodsign)"
if [[ ! -x "${sign_file}" ]]; then
sign_file="/usr/src/linux-headers-$kernelver/scripts/sign-file"
fi
- ;;
- * )
- sign_file="/lib/modules/$kernelver/build/scripts/sign-file"
+ kconfig="/usr/src/linux-headers-$kernelver/.config"
;;
esac
+ if [[ ! -f "${sign_file}" ]]; then
+ sign_file="/lib/modules/$kernelver/build/scripts/sign-file"
+ fi
+ if [[ ! -f "${kconfig}" ]]; then
+ sign_file="/lib/modules/$kernelver/.config"
+ fi
fi
echo "Sign command: $sign_file"
+ echo "Kernel config: $kconfig"
if [[ ! -f "${sign_file}" ]] || [[ ! -x "${sign_file}" ]]; then
echo "Binary ${sign_file} not found, modules won't be signed"
return
fi
+ if [[ ! -f "${kconfig}" ]]; then
+ echo "Kernel config ${kconfig} not found, modules won't be signed"
+ return
+ fi
if [[ -z "${mok_signing_key}" ]]; then
# No custom key specified, use the default key created by update-secureboot-policy for Ubuntu
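Review bot: the second fallback check added after the case block assigns the wrong variable: `sign_file="/lib/modules/$kernelver/.config"` should be `kconfig="/lib/modules/$kernelver/.config"`, otherwise a missing headers .config silently overwrites the sign-file path with a config path and signing is then skipped with a misleading "Binary ... not found" message. Also, kconfig is only set in the debian* and ubuntu* arms, so on any other distribution it is empty when the fallback check runs; initialising it before the case block (or applying the same fallback to sign_file and kconfig symmetrically) would make the fallback behave as described in the message.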
@@ -1050,8 +1060,18 @@
[[ ${strip[$count]} != no ]] && strip -g "$built_module"
if [ -n "${do_signing}" ]; then
+ eval " $(grep '^CONFIG_MODULE_SIG_HASH=' $kconfig 2>/dev/null)"
+ case "$CONFIG_MODULE_SIG_HASH" in
+ sha1 | sha224 | sha256 | sha384 | sha512)
+ hashalgo="$CONFIG_MODULE_SIG_HASH"
+ ;;
+ *)
+ hashalgo="sha512"
+ ;;
+ esac
+ unset CONFIG_MODULE_SIG_HASH
echo "Signing module $built_module"
- eval '"$sign_file" sha512 "$mok_signing_key" "$mok_certificate" "$built_module"'
+ eval '"$sign_file" "$hashalgo" "$mok_signing_key" "$mok_certificate" "$built_module"'
fi
if [ "$module_compressed_suffix" = ".gz" ]; then
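Review bot: `eval " $(grep '^CONFIG_MODULE_SIG_HASH=' $kconfig 2>/dev/null)"` executes a line of the kernel .config as shell code and leaves $kconfig unquoted. Since only the value is needed, extracting it without eval avoids both issues, e.g. `hashalgo="$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\(.*\)"$/\1/p' "$kconfig")"`, and the case statement below already whitelists the accepted values, so the trailing `unset` becomes unnecessary. It would also help to print the chosen algorithm next to the existing "Signing module" line, since falling back to sha512 when the option is absent is otherwise a silent choice.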