1217741 – slowroll kernel missing lockdown patches

Bug 1217741 - slowroll kernel missing lockdown patches

Summary: slowroll kernel missing lockdown patches

Status:	RESOLVED FIXED

Alias:	None

Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assignee:	Robert Frohl
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-12-01 14:59 UTC by Michal Suchanek
Modified:	2023-12-18 13:03 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michal Suchanek 2023-12-01 14:59:30 UTC

The slowroll kernel is branched from old 6.1 stable branch, missing the secure boot lockdown patches and config changes that are present in master/stable.

Comment 1 Joey Lee 2023-12-15 07:47:28 UTC

Hi Robert, 

I have reviewed your users/rfrohl/slowroll/lockdown branch and you lost an important patch:

        # Module signing / secure boot
        patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch

Without this patch, the MOK in platform keyring can not be used to verify kernel module. Nvidia kmp will not work. You can copy the above patch from master branch.

On the other hand, if we want to support ARM64 secure_boot-lockdown in slowroll kernel, then you also need to backport:

patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch

For testing, you can check dmesg after system boot from your kernel. Some messages will show:

# dmesg | grep -i secure
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
...

When secure boot is enabled, you can check the lockdown mode to auto-raised to integrity mode:

Vigor135:~ # cat /sys/kernel/security/lockdown
none [integrity] confidentiality

Comment 2 Robert Frohl 2023-12-15 10:33:57 UTC

Thanks a lot for looking at the branch!

(In reply to Joey Lee from comment #1)
> 
>         # Module signing / secure boot
>         patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch
> 

I took that patch now. Initially assumed that belonged to something else and did not look at it to closely.

> 
> On the other hand, if we want to support ARM64 secure_boot-lockdown in
> slowroll kernel, then you also need to backport:
> 
> patches.suse/arm64-lock-down-kernel-in-secure-boot-mode.patch

I am currently only building for x86_64, would pick the arm64 patch up once I move to 6.6.

> 
> For testing, you can check dmesg after system boot from your kernel. Some
> messages will show:
> 
> # dmesg | grep -i secure
> [    0.000000] secureboot: Secure boot enabled
> [    0.000000] Kernel is locked down from EFI Secure Boot mode; see man
> kernel_lockdown.7
> ...
> 
> When secure boot is enabled, you can check the lockdown mode to auto-raised
> to integrity mode:
> 
> Vigor135:~ # cat /sys/kernel/security/lockdown
> none [integrity] confidentiality

Good to have the testing details too, thanks!

Comment 3 Robert Frohl 2023-12-18 10:20:50 UTC

Hi Joey

(In reply to Joey Lee from comment #1)
> For testing, you can check dmesg after system boot from your kernel. Some
> messages will show

I would have a question for the system setup: My understanding is that it would require secure boot to be enabled to trigger kernel lockdown. The problem that I face now is that the longterm kernel is signed by a devel key (I am assuming). So shim refuses to load the kernel.

1) Is there a way to test kernel lockdown without the secure boot part (I read that the two are not strictly related, even though lockdown does not make much sense without secure boot) ?

2) Alternatively can I import the key used to sign my kernel somehow, to allow secure boot with the test kernel ? I am using the opensuse repo [0] and the kernel rpm comes with /etc/uefi/certs/9E1329A9.crt. But I am not sure if that can help me somehow.


[0] http://download.opensuse.org/repositories/Kernel:/slowroll/standard/

Comment 4 Michal Suchanek 2023-12-18 11:12:32 UTC

The key should be enrolled when you install the kernel. If it does not boot it's a bug (unless you rejected enrolling the key in shim during boot).

Comment 5 Robert Frohl 2023-12-18 11:26:53 UTC

(In reply to Michal Suchanek from comment #4)
> The key should be enrolled when you install the kernel. If it does not boot
> it's a bug (unless you rejected enrolling the key in shim during boot).

Is it enrolled during package install or during reboot ? Thinking back I might have aborted something during reboot.

Comment 6 Robert Frohl 2023-12-18 11:31:32 UTC

(In reply to Robert Frohl from comment #5)
> (In reply to Michal Suchanek from comment #4)
> > The key should be enrolled when you install the kernel. If it does not boot
> > it's a bug (unless you rejected enrolling the key in shim during boot).
> 
> Is it enrolled during package install or during reboot ? Thinking back I
> might have aborted something during reboot.

Tried and fixed it just now, thanks for the pointer Michal!

Comment 7 Robert Frohl 2023-12-18 11:35:15 UTC

looks good I think:

> # uname -r
> 6.1.68-2.gd8ec790-longterm
> # dmesg | grep -i secure
> [    0.000000] secureboot: Secure boot enabled
> [    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
> [    0.013129] secureboot: Secure boot enabled
> # cat /sys/kernel/security/lockdown 
> none [integrity] confidentiality

Comment 8 Robert Frohl 2023-12-18 13:03:21 UTC

I believe this should be done, please re-open if you disagree.