
add secure boot support
Needs testing, Wishlist, Public, FEATURE REQUEST

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

c-po changed the task status from In progress to Needs testing. (Oct 7 2024, 6:09 PM)
c-po removed a project: Restricted Project.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po changed Issue type from Unspecified (please specify) to Feature (new functionality).

Hi c-po

I followed the doc. I had to amend the boot keys bit to include the -out paths.

cd vyos-build
# generate the MOK private key and a self-signed certificate in DER form (100-year validity)
openssl req -new -x509 -newkey rsa:4096 \
  -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \
  -outform DER -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der -days 36500 -subj "/CN=MyMOK/" -nodes
# convert the DER certificate to PEM
openssl x509 -inform der \
  -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \
  -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.pem

After that all went well.

sho secure-boot
SecureBoot enabled

show log kernel | match Secure
Oct 12 12:04:28 kernel: Secure boot enabled

Version: VyOS 1.5-rolling-202410121036
Release train: current
Release flavor: iso

Built by: [email protected]
Built on: Sat 12 Oct 2024 10:36 UTC

sudo mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA
        Validity
            Not Before: Aug 16 18:09:18 2016 GMT
            Not After : Aug  9 18:09:18 2046 GMT
        Subject: CN=Debian Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9d:95:d4:8b:9b:da:10:ac:2e:ca:82:37:c1:a4:
                    cb:4a:c3:1b:42:93:c2:7a:29:d3:6e:dd:64:af:80:
                    af:ea:66:a2:1b:61:9c:83:0c:c5:6b:b9:35:25:ff:
                    c5:fb:e8:29:43:de:ce:4b:3d:c6:12:4d:b1:ef:26:
                    43:95:68:cd:04:11:fe:c2:24:9b:de:14:d8:86:51:
                    e8:38:43:bd:b1:9a:15:e5:08:6b:f8:54:50:8b:b3:
                    4b:5f:fc:14:e4:35:50:7c:0b:b1:e2:03:84:a8:36:
                    48:e4:80:e8:ea:9f:fa:bf:c5:18:7b:5e:ce:1c:be:
                    2c:80:78:49:35:15:c0:21:cf:ef:66:d5:8a:96:08:
                    2b:66:2f:48:17:b1:e7:ec:82:8f:07:e6:ca:e0:5f:
                    71:24:39:50:0a:8e:d1:72:28:50:a5:9d:21:f4:e3:
                    61:ba:09:03:66:c8:df:4e:26:36:0b:15:0f:63:1f:
                    2b:af:ab:c4:28:a2:56:64:85:8d:a6:55:41:ae:3c:
                    88:95:dd:d0:6d:d9:29:db:d8:c4:68:b5:fc:f4:57:
                    89:6b:14:db:e0:ef:ee:40:0d:62:1f:ea:58:d4:a3:
                    d8:ba:03:a6:97:2e:c5:6b:13:a4:91:77:a6:b5:ad:
                    23:a7:eb:0a:49:14:46:7c:76:e9:9e:32:b4:89:af:
                    57:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:https://dsa.debian.org/secure-boot-ca
            X509v3 Authority Key Identifier:
                6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
            Netscape Cert Type: critical
                SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        77:96:3e:47:c9:ce:09:cf:8b:89:ce:59:ed:26:0e:26:0b:b9:
        ad:a9:2b:bd:a1:eb:88:79:02:ff:31:de:fe:f5:6a:07:ef:61:
        13:11:70:1e:bf:9c:4e:66:6c:e1:62:12:97:01:57:65:47:dd:
        4a:c6:f7:f4:de:a8:f1:13:62:cc:83:57:ac:3c:a6:91:15:af:
        55:26:72:69:2e:14:cd:dd:4d:b3:d1:60:24:2d:32:4f:19:6c:
        11:5e:f2:a3:f2:a1:5f:62:0f:30:ae:ad:f1:48:66:64:7d:36:
        44:0d:06:34:3d:2e:af:8e:9d:c3:ad:c2:91:d8:37:e0:ee:7a:
        5f:82:3b:67:8e:00:8a:c4:a4:df:35:16:c2:72:2b:4c:51:d7:
        93:93:9e:ba:08:0d:59:97:f2:e2:29:a0:44:4d:ea:ee:f8:3e:
        02:60:ca:15:cf:4e:9a:25:91:84:3f:b7:5a:c7:ee:bc:6b:80:
        a3:d9:fd:b2:6d:7a:1e:63:14:eb:ef:f1:b0:40:25:d5:e8:0e:
        81:eb:6b:f7:cb:ff:e5:21:00:22:2c:2e:9a:35:60:12:4b:5b:
        5f:38:46:84:0c:06:9c:cf:72:93:62:18:ee:5c:98:d6:b3:7d:
        06:25:39:95:df:4e:60:76:b0:06:7b:08:b0:6e:e3:64:9f:21:
        56:ad:39:0f

[key 2]
SHA1 Fingerprint: c4:43:12:21:d0:f5:67:fd:63:ec:e4:7d:75:53:05:d6:1e:1b:9b:69
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4f:03:07:b9:fc:f5:ac:51:17:bf:ef:32:1b:bb:41:b2:79:77:d0:d7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=MyMOK
        Validity
            Not Before: Oct 12 10:35:50 2024 GMT
            Not After : Sep 18 10:35:50 2124 GMT
        Subject: CN=MyMOK
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:aa:40:55:8a:9e:36:5c:70:04:c3:e7:5e:b9:a6:
                    02:ce:3c:c9:42:c3:4f:fa:aa:55:9f:6a:15:ef:8f:
                    bb:9e:0c:31:ea:b5:ce:66:ce:fa:af:18:55:e1:c1:
                    c7:5e:2b:23:19:38:f8:6a:b3:bf:20:53:91:5e:0a:
                    15:3a:8d:b9:0d:75:a3:f5:86:7c:d5:87:b1:9f:b5:
                    e9:a5:7b:b4:a3:5f:2f:c8:66:e6:7c:f7:97:db:41:
                    33:3d:2c:db:11:ca:12:11:42:17:e7:de:07:2f:01:
                    8e:72:93:95:48:c1:14:61:f5:24:9a:a0:e0:63:62:
                    56:5e:1d:aa:fa:a4:5e:3e:a7:21:5f:e3:b9:0a:b3:
                    66:47:5f:22:e9:e4:61:be:31:26:7e:9e:cd:09:73:
                    42:60:a5:fc:af:0c:f7:ea:13:d3:66:a3:fe:96:41:
                    99:a9:f8:36:eb:64:89:13:9e:6a:38:3a:35:bd:9c:
                    3f:12:62:f4:6c:6a:93:e0:32:f0:e5:22:f0:bf:e7:
                    8c:8e:c2:50:a7:04:ec:95:11:29:e8:09:75:67:82:
                    76:82:4d:b8:b6:e5:e8:84:11:78:d6:0a:04:aa:ef:
                    09:d2:93:2f:66:87:33:4a:ca:ae:9f:29:a8:b0:05:
                    98:e0:51:41:15:e8:40:74:ba:59:5b:d7:35:d5:bc:
                    ec:1f:3a:fe:38:eb:2f:f1:8e:cd:e3:6c:b5:50:86:
                    73:c2:ca:02:4a:e0:4b:2c:73:75:d9:aa:83:81:51:
                    73:cc:7f:7e:f3:d1:11:85:5d:f0:e4:7c:65:7d:5a:
                    bf:71:2f:93:f9:95:79:70:19:da:5d:86:6f:12:8f:
                    b1:cc:9f:70:88:20:84:d4:36:99:dc:89:b1:34:0c:
                    71:42:9e:33:e2:ea:32:ed:ad:3b:e4:79:7a:99:0a:
                    3c:ad:8c:81:58:a5:4e:e1:df:98:a1:87:05:06:94:
                    98:db:e5:e7:6d:71:f9:a5:29:6e:c1:39:8d:35:18:
                    d1:6c:e5:e2:77:7d:56:d2:bf:7f:e3:58:b5:85:f2:
                    2a:31:e7:df:8c:0e:a8:ae:80:2c:44:56:83:2d:b7:
                    4b:f6:a7:e2:07:12:4a:0d:ae:37:8f:99:43:51:64:
                    9c:01:93:5f:91:ff:e7:db:e9:ba:47:66:ea:32:95:
                    7e:ea:1f:82:3f:30:42:b5:a6:5c:7d:7a:bd:bb:54:
                    8d:9c:5f:49:f8:52:02:c1:86:49:3c:88:9d:04:66:
                    18:13:d9:41:1d:c8:fc:40:7d:ad:32:50:c4:05:e3:
                    b9:dd:48:2f:af:e9:6e:a3:54:65:ee:0e:ad:df:ca:
                    43:ce:3b:42:63:45:06:c5:44:ac:e8:63:6e:88:9a:
                    59:9a:3d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                EC:94:D1:C6:B9:D7:1A:76:F7:73:F2:FA:6E:1F:78:DB:D7:F7:66:D7
            X509v3 Authority Key Identifier:
                EC:94:D1:C6:B9:D7:1A:76:F7:73:F2:FA:6E:1F:78:DB:D7:F7:66:D7
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        08:5b:37:1b:4e:df:28:7a:b3:72:b4:17:77:c1:17:d2:9b:50:
        6c:19:c0:8f:c4:18:7a:51:7b:b6:f3:8b:a3:f2:69:75:7d:43:
        cf:5c:8f:69:6d:54:fe:0c:11:2d:b7:41:f1:44:a0:0c:07:16:
        9b:2a:ca:fe:33:c6:c0:a9:8b:2f:ac:d7:60:19:4d:c3:06:dd:
        13:d3:1e:7c:77:60:5c:1a:1d:dc:f0:85:2f:c9:4f:16:c4:8a:
        12:ea:28:b9:ac:13:ee:1c:75:a5:c2:e8:29:c2:f4:7b:bb:b6:
        c2:d3:ce:fc:c9:c1:2c:7d:62:95:ed:f3:a0:98:cd:6b:4b:d2:
        f3:23:03:83:cd:f1:cc:fb:e4:fb:b3:15:11:3d:64:a8:70:0c:
        85:9f:25:3a:64:21:4e:21:47:27:7b:c7:ac:90:9b:f9:d9:c1:
        a1:b3:b9:ce:c4:e6:54:e4:3e:aa:6e:a7:9c:7d:5c:23:99:f6:
        e1:04:3c:f9:e2:58:d6:b1:84:be:ad:17:80:26:2a:0d:cc:03:
        d4:96:0a:af:45:c3:e4:c6:92:03:11:f3:3a:49:db:e7:45:42:
        e6:ec:4e:a2:cb:11:ef:bb:f0:bc:ee:5c:b2:b3:51:96:14:f5:
        2e:a6:da:ec:c6:fb:97:b6:51:1f:90:0c:b5:ae:a3:ca:77:d2:
        bd:2a:77:3e:28:28:89:ee:31:88:3d:f7:03:9c:49:eb:8b:b0:
        22:8d:d8:46:1a:30:2b:fc:a6:d1:d6:52:ec:f0:a2:02:b4:34:
        0d:96:f1:8f:ef:c7:46:b1:8c:ee:b7:f3:10:b4:b1:df:97:be:
        41:7e:b3:85:92:01:37:1d:32:ae:dc:b1:19:dc:bf:32:a5:45:
        89:82:6b:8a:91:d1:ca:bd:e6:d7:9e:c9:07:8c:d2:d9:7c:70:
        a3:f0:a7:73:3f:b4:2f:76:ee:30:f2:ed:15:89:88:0b:8e:0f:
        68:65:c8:43:79:6b:fd:8c:2f:37:c8:4d:02:45:b4:ec:7e:e8:
        92:88:f2:9f:8e:8b:67:ae:88:09:f5:3e:bf:bb:be:05:56:21:
        b9:18:dc:08:46:7e:27:23:1b:e0:8a:9d:a4:47:b7:a3:a1:f4:
        de:32:a5:f5:b4:34:e1:41:1c:f3:d4:ad:98:bb:f0:32:85:f6:
        c6:5f:5f:3a:1d:91:27:79:31:ac:ec:95:c6:d9:6d:07:f2:08:
        62:0e:fc:93:85:c8:0f:8d:a0:4c:de:7c:14:bd:2f:14:f5:45:
        7d:3c:3d:77:bc:db:63:86:36:bc:75:15:50:61:1f:17:ae:10:
        33:0c:01:4a:13:75:40:81:24:88:f1:fa:f5:85:c3:1a:52:df:
        30:a0:f3:fe:7c:e5:30:f2

I have also signed my Realtek driver with the same cert but that did not work. Perhaps we could pick that back up over on T6713.

Please let me know if there is anything else you would like me to do re T861.

SteveP
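As an added example (not from this task or from vyos-build), the check I would run right after the enrolment above: parse `mokutil --list-enrolled` and confirm that the fingerprint of the MOK.der you built is really in the list. The SHA1 fingerprint mokutil prints is simply SHA-1 over the certificate's DER encoding, so no X.509 library is needed. The sample listing is abbreviated from the output above plus a constructed third entry whose "certificate" is a placeholder byte string; only `check_mok_enrolled` touches the live system (it runs the real mokutil and needs root).

```python
# Added example (not from the VyOS task or the vyos-build project): confirm that
# the MOK certificate you generated is the one shim actually has enrolled, by
# comparing SHA1 fingerprints from `mokutil --list-enrolled`.
import hashlib
import re
import subprocess
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional


@dataclass
class EnrolledKey:
    index: int
    sha1: str                                            # lower-case, colon separated
    fields: Dict[str, str] = field(default_factory=dict)  # Issuer, Subject, validity, key size


_KEY_RE = re.compile(r"^\[key (\d+)\]$")
_FP_RE = re.compile(r"^SHA1 Fingerprint:\s*([0-9a-f:]{59})$", re.I)
_FIELD_RE = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After|Public-Key)\s*:\s*(.+?)\s*$")


def parse_list_enrolled(text: str) -> List[EnrolledKey]:
    """Split mokutil's listing ('[key N]', fingerprint, openssl-style dump) into records."""
    keys: List[EnrolledKey] = []
    current: Optional[EnrolledKey] = None
    for line in text.splitlines():
        m = _KEY_RE.match(line.strip())
        if m:
            current = EnrolledKey(index=int(m.group(1)), sha1="")
            keys.append(current)
            continue
        if current is None:
            continue
        m = _FP_RE.match(line.strip())
        if m:
            current.sha1 = m.group(1).lower()
            continue
        m = _FIELD_RE.match(line)
        if m:
            current.fields[m.group(1)] = m.group(2)
    return keys


def der_sha1_fingerprint(der: bytes) -> str:
    """An X.509 'SHA1 fingerprint' is SHA-1 over the DER encoding, colon separated."""
    hexdigest = hashlib.sha1(der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def find_enrolled(keys: List[EnrolledKey], der: bytes) -> Optional[EnrolledKey]:
    """Return the enrolled record whose fingerprint matches the given DER cert, else None."""
    fp = der_sha1_fingerprint(der)
    return next((k for k in keys if k.sha1 == fp), None)


def check_mok_enrolled(der_path: str) -> Optional[EnrolledKey]:
    """Live check (mokutil needs root): is the certificate at der_path enrolled?"""
    der = Path(der_path).read_bytes()
    listing = subprocess.run(["mokutil", "--list-enrolled"], capture_output=True,
                             text=True, check=True).stdout
    return find_enrolled(parse_list_enrolled(listing), der)


# Sample input: keys 1 and 2 abbreviated from the listing in the post above; key 3 is a
# constructed entry whose "certificate" is the placeholder bytes below (only its hash matters).
PLACEHOLDER_DER = b"abc"
SAMPLE_LISTING = """\
[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Issuer: CN=Debian Secure Boot CA
        Validity
            Not Before: Aug 16 18:09:18 2016 GMT
            Not After : Aug  9 18:09:18 2046 GMT
        Subject: CN=Debian Secure Boot CA
        Subject Public Key Info:
                Public-Key: (2048 bit)

[key 2]
SHA1 Fingerprint: c4:43:12:21:d0:f5:67:fd:63:ec:e4:7d:75:53:05:d6:1e:1b:9b:69
Certificate:
    Data:
        Issuer: CN=MyMOK
        Validity
            Not Before: Oct 12 10:35:50 2024 GMT
            Not After : Sep 18 10:35:50 2124 GMT
        Subject: CN=MyMOK
        Subject Public Key Info:
                Public-Key: (4096 bit)

[key 3]
SHA1 Fingerprint: a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d
Certificate:
        Issuer: CN=placeholder
        Subject: CN=placeholder
"""

if __name__ == "__main__":
    for k in parse_list_enrolled(SAMPLE_LISTING):
        print(k.index, k.sha1, k.fields.get("Subject"), k.fields.get("Public-Key"))
    print("placeholder enrolled as key:", find_enrolled(parse_list_enrolled(SAMPLE_LISTING), PLACEHOLDER_DER).index)
```

On a real box, `check_mok_enrolled("/var/lib/shim-signed/mok/MOK.der")` returning `None` after a reboot means the enrolment did not go through (wrong file, MokManager prompt skipped, or a different certificate enrolled), which is worth knowing before you start signing anything with that key.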

Hi,

I have installed the latest rolling release and upon reboot I am getting:

error: bad shim signature
error: you need to load the kernel first

Does this also mean that we can no longer use unsigned drivers with non EFI systems? I can't at the moment.

SteveP

The rolling images are currently not yet secure boot signed. We are in the design and validation phase of how we can do this from a CI/CD perspective in a secure way.

If you have a secure boot system (e.g. using your own keys) you can not install a rolling image on top, as it's not signed and thus violates the secure boot policy resulting in:

error: bad shim signature
error: you need to load the kernel first

To fully go down the secure boot rabbit hole we need our own version of shim which needs to be signed by Microsoft. This requires:

Code signing keys must be backed up, stored, and recovered only by personnel in trusted roles, using at least dual-factor authorization in a physically secured environment.
The private key must be protected with a hardware cryptography module. This includes but is not limited to HSMs, smart cards, smart card–like USB tokens, and TPMs.
The operating environment must achieve a level of security at least equal to FIPS 140-2 Level 2.

And then we can generate an intermediate keypair from this to sign the kernel, so that things keep updating nicely as they currently do.
You see, the process behind it also makes it a bit more complex to fulfill all the requirements. But given that Microsoft passes trust on with this (we can then sign our own code), it's good that it's also not that easy.

Hope this sheds some more light on the topic. I will also revise the docs and add some more hints/notes.

I have also signed my Realtek driver with the same cert but that did not work. Perhaps we could pick that back up over on T6713.

This is expected, as long as the MOK public key is not part of the kernel's trust chain:

https://github.com/vyos/vyos-build/commit/d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c#diff-2961a4cd364fd545ab0f1b74cf1ae4fcd11f0a976354de33931fdcaf25e29419R44

You cannot use it for module signing, as otherwise there is no way for the kernel to validate whether the private key you used for signing is trusted or not.

Does this also mean that we can no longer use unsigned drivers with non EFI systems? I can't at the moment. It would be nice if we could choose to use the pre 6.6.52 behaviour if we want to.

There is a module.sig_enforce=0 command which might do it. I have tried it by editing grub but it didn't work.

I have no need personally for secure boot, I only got involved in this one as it seems interesting and a nice fit with the signed r8152 driver issue which I do use (on non EFI systems).

Feel free if you want me to test it further. I'm semi-retired and have a lot of time to play with.

SteveP

module.sig_enforce
                [KNL] When CONFIG_MODULE_SIG is set, this means that
                modules without (valid) signatures will fail to load.
                **Note that if CONFIG_MODULE_SIG_FORCE is set, that
                is always true, so this option does nothing.**

On systems that do not support SecureBoot, mokutil will exit with code 255. This causes show version to break as the cmd() that launches it raises an error. The mokutil execution through cmd() should catch that return code as normal:

--- a/python/vyos/utils/system.py   2024-10-26 23:23:07.040947969 +0000
+++ b/python/vyos/utils/system.py 2024-10-26 23:23:28.131947969 +0000
@@ -145,5 +145,5 @@
     from vyos.utils.boot import is_uefi_system
     if not is_uefi_system():
         return False
-    tmp = cmd('mokutil --sb-state')
+    tmp = cmd('mokutil --sb-state', expect=[255])
     return bool('enabled' in tmp)
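Review bot: `expect=[255]` on the `+` line looks like it replaces, rather than extends, the list of accepted exit statuses, so a successful `mokutil --sb-state` run (exit 0, the normal case on a UEFI system with Secure Boot support) would then be the one that raises; unless `cmd()` always accepts 0 in addition to what `expect` lists, this should read `expect=[0, 255]`. A one-line comment above the call saying why 255 is acceptable (mokutil exits 255 on systems without Secure Boot support, as described above, which the `is_uefi_system()` guard on the lines above does not rule out) would help the next reader, and the `'enabled' in tmp` substring test on the last line is worth tightening to an exact match on the first output line while here.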
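As an added example (not VyOS project code), here is the shape I would give that check so it does not depend on mokutil's exit status at all: read the SecureBoot EFI variable from efivarfs first and fall back to mokutil only when the variable is not exposed, treating exit status 255 as "unknown" rather than as an error. It also covers the earlier exchange about `module.sig_enforce=0`: the kernel documentation quoted above says the parameter does nothing when `CONFIG_MODULE_SIG_FORCE` is set, so the block reads the running kernel's config and reports whether the override can take effect. The efivarfs layout (4 bytes of attributes followed by the variable data) and the `/proc/config.gz` / `/boot/config-<release>` locations are standard Linux behaviour; the sample inputs in the test are constructed.

```python
# Added example, not VyOS project code: determine the Secure Boot state in a
# way that survives mokutil's exit status 255 on systems without EFI variable
# support, and work out whether module.sig_enforce=0 can have any effect on
# the running kernel (it cannot when CONFIG_MODULE_SIG_FORCE is set).
import gzip
import os
import subprocess
from pathlib import Path
from typing import Dict, Optional

# The SecureBoot variable lives in the EFI global variable namespace (this GUID).
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SECUREBOOT_EFIVAR = Path(f"/sys/firmware/efi/efivars/SecureBoot-{EFI_GLOBAL_GUID}")
MOKUTIL_UNSUPPORTED_RC = 255  # exit status reported above when EFI variables are unavailable


def secure_boot_from_efivar(raw: Optional[bytes]) -> Optional[bool]:
    """efivarfs exposes each variable as 4 bytes of attributes followed by the
    variable data; SecureBoot's data is one byte, 1 = enabled.  None means the
    variable is absent or malformed (for instance a BIOS/CSM boot)."""
    if raw is None or len(raw) < 5:
        return None
    return raw[4] == 1


def secure_boot_from_mokutil(returncode: int, output: str) -> Optional[bool]:
    """Interpret `mokutil --sb-state`.  Exit status 255 means the state cannot be
    read (no EFI variable support) and is reported as None rather than raised;
    any other non-zero status is a real error."""
    if returncode == MOKUTIL_UNSUPPORTED_RC:
        return None
    if returncode != 0:
        raise RuntimeError(f"mokutil --sb-state failed with status {returncode}: {output.strip()}")
    # Look only at the first line ("SecureBoot enabled" / "SecureBoot disabled");
    # mokutil may print further lines that a plain substring search would misread.
    words = output.strip().splitlines()[0].split() if output.strip() else []
    if words[:1] == ["SecureBoot"] and words[1:2] == ["enabled"]:
        return True
    if words[:1] == ["SecureBoot"] and words[1:2] == ["disabled"]:
        return False
    raise ValueError(f"unexpected mokutil output: {output.strip()!r}")


def is_secure_boot_enabled() -> Optional[bool]:
    """Prefer the EFI variable (no external tool, no exit-status ambiguity);
    fall back to mokutil only when efivarfs does not expose it."""
    if SECUREBOOT_EFIVAR.exists():
        state = secure_boot_from_efivar(SECUREBOOT_EFIVAR.read_bytes())
        if state is not None:
            return state
    try:
        proc = subprocess.run(["mokutil", "--sb-state"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:  # mokutil not installed
        return None
    return secure_boot_from_mokutil(proc.returncode, proc.stdout + proc.stderr)


def parse_kernel_config(text: str) -> Dict[str, str]:
    """Parse a Kconfig-style file; '# CONFIG_X is not set' lines are simply skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key] = value.strip('"')
    return cfg


def sig_enforce_override_possible(cfg: Dict[str, str]) -> Optional[bool]:
    """module.sig_enforce=0 is honoured only if module signing is built in
    (CONFIG_MODULE_SIG=y) and not forced (CONFIG_MODULE_SIG_FORCE unset).
    Returns None when the kernel has no module signing at all."""
    if cfg.get("CONFIG_MODULE_SIG") != "y":
        return None
    return cfg.get("CONFIG_MODULE_SIG_FORCE") != "y"


def running_kernel_config() -> Optional[Dict[str, str]]:
    """Try /proc/config.gz first, then the Debian-style /boot/config-<release>."""
    gz = Path("/proc/config.gz")
    if gz.exists():
        with gzip.open(gz, "rt") as fh:
            return parse_kernel_config(fh.read())
    plain = Path(f"/boot/config-{os.uname().release}")
    if plain.exists():
        return parse_kernel_config(plain.read_text())
    return None


if __name__ == "__main__":
    print("Secure Boot:", is_secure_boot_enabled())
    cfg = running_kernel_config()
    print("module.sig_enforce=0 can disable signature enforcement:",
          None if cfg is None else sig_enforce_override_possible(cfg))
```

A `None` from `is_secure_boot_enabled()` is the "not determinable on this system" answer that `show version` needs to tolerate; only a non-255 failure is an actual error. For the module question, `False` from `sig_enforce_override_possible` is the case in the kernel documentation quote: the parameter is accepted on the command line but has no effect.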