[PATCH] builddeb: Support signing kernels with a Machine Owner Key

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] builddeb: Support signing kernels with a Machine Owner Key
@ 2021-10-13 20:05 Matthew Wilcox (Oracle)
  2021-10-14  9:46 ` Ard Biesheuvel
  0 siblings, 1 reply; 5+ messages in thread
From: Matthew Wilcox (Oracle) @ 2021-10-13 20:05 UTC (permalink / raw)
  Cc: Matthew Wilcox (Oracle),
	Masahiro Yamada, Michal Marek, Nick Desaulniers, linux-kbuild,
	linux-kernel, efi, debian-kernel, linux-efi

If the config file specifies a signing key, use it to sign
the kernel so that machines with SecureBoot enabled can boot.
See https://wiki.debian.org/SecureBoot

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
 scripts/package/builddeb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 91a502bb97e8..4fa6ff2b5cac 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -147,7 +147,15 @@ else
 	cp System.map "$tmpdir/boot/System.map-$version"
 	cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
 fi
-cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
+
+vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
+if is_enabled CONFIG_MODULE_SIG; then
+	cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
+	key=${cert%pem}priv
+	sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
+else
+	cp "$vmlinux" "$tmpdir/$installed_image_path"
+fi
 
 if is_enabled CONFIG_OF_EARLY_FLATTREE; then
 	# Only some architectures with OF support have this target
-- 
2.32.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
  2021-10-13 20:05 [PATCH] builddeb: Support signing kernels with a Machine Owner Key Matthew Wilcox (Oracle)
@ 2021-10-14  9:46 ` Ard Biesheuvel
  2021-11-04  9:28   ` Masahiro Yamada
  0 siblings, 1 reply; 5+ messages in thread
From: Ard Biesheuvel @ 2021-10-14  9:46 UTC (permalink / raw)
  To: Matthew Wilcox (Oracle)
  Cc: Masahiro Yamada, Michal Marek, Nick Desaulniers,
	Linux Kbuild mailing list, Linux Kernel Mailing List, efi,
	debian-kernel, linux-efi

On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
<willy@infradead.org> wrote:
>
> If the config file specifies a signing key, use it to sign
> the kernel so that machines with SecureBoot enabled can boot.
> See https://wiki.debian.org/SecureBoot
>
> Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>

For the change itself

Acked-by: Ard Biesheuvel <ardb@kernel.org>

although I'd suggest to fix the subject not to refer to Machine Owner
Keys, as I don't see anything shim related here (i.e., if you sign
using a key that is listed in db, it should also work)


> ---
>  scripts/package/builddeb | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 91a502bb97e8..4fa6ff2b5cac 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -147,7 +147,15 @@ else
>         cp System.map "$tmpdir/boot/System.map-$version"
>         cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
>  fi
> -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> +
> +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> +if is_enabled CONFIG_MODULE_SIG; then
> +       cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> +       key=${cert%pem}priv
> +       sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> +else
> +       cp "$vmlinux" "$tmpdir/$installed_image_path"
> +fi
>
>  if is_enabled CONFIG_OF_EARLY_FLATTREE; then
>         # Only some architectures with OF support have this target
> --
> 2.32.0
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
  2021-10-14  9:46 ` Ard Biesheuvel
@ 2021-11-04  9:28   ` Masahiro Yamada
  2021-12-16 22:04     ` Matthew Wilcox
  0 siblings, 1 reply; 5+ messages in thread
From: Masahiro Yamada @ 2021-11-04  9:28 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Matthew Wilcox (Oracle),
	Michal Marek, Nick Desaulniers, Linux Kbuild mailing list,
	Linux Kernel Mailing List, efi, debian-kernel, linux-efi,
	Ben Hutchings

On Thu, Oct 14, 2021 at 6:47 PM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
> <willy@infradead.org> wrote:
> >
> > If the config file specifies a signing key, use it to sign
> > the kernel so that machines with SecureBoot enabled can boot.
> > See https://wiki.debian.org/SecureBoot
> >
> > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
>
> For the change itself
>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
>
> although I'd suggest to fix the subject not to refer to Machine Owner
> Keys, as I don't see anything shim related here (i.e., if you sign
> using a key that is listed in db, it should also work)
>
>
> > ---
> >  scripts/package/builddeb | 10 +++++++++-
> >  1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > index 91a502bb97e8..4fa6ff2b5cac 100755
> > --- a/scripts/package/builddeb
> > +++ b/scripts/package/builddeb
> > @@ -147,7 +147,15 @@ else
> >         cp System.map "$tmpdir/boot/System.map-$version"
> >         cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> >  fi
> > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > +
> > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > +if is_enabled CONFIG_MODULE_SIG; then
> > +       cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > +       key=${cert%pem}priv
> > +       sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > +else
> > +       cp "$vmlinux" "$tmpdir/$installed_image_path"
> > +fi
> >
> >  if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> >         # Only some architectures with OF support have this target
> > --
> > 2.32.0
> >

How to compile this patch?

"make  bindeb-pkg" fails with
Can't load key from file './certs/signing_key.priv'

Also, sbsign emits "Invalid DOS header magic" error
if CONFIG_EFI_STUB is not set.

The CONFIG name might depend on arch.
CONFIG_EFI for ARCH=arm64, but CONFIG_EFI_STUB for ARCH=x86.

If you require sbsign, you need to update Build-Depends ?

My build log:

masahiro@grover:~/workspace/linux-kbuild$ make  bindeb-pkg -j8
sh ./scripts/package/mkdebian
dpkg-buildpackage -r"fakeroot -u" -a$(cat debian/arch)  -b -nc -uc
dpkg-buildpackage: info: source package linux-upstream
dpkg-buildpackage: info: source version 5.15.0-rc2+-1
dpkg-buildpackage: info: source distribution hirsute
dpkg-buildpackage: info: source changed by masahiro <masahiro@grover>
dpkg-buildpackage: info: host architecture amd64
 dpkg-source --before-build .
 debian/rules binary
make KERNELRELEASE=5.15.0-rc2+ ARCH=x86 KBUILD_BUILD_VERSION=1 -f ./Makefile
  DESCEND objtool
  CALL    scripts/atomic/check-atomics.sh
  CALL    scripts/checksyscalls.sh
  CHK     include/generated/compile.h
Kernel: arch/x86/boot/bzImage is ready  (#1)
make KERNELRELEASE=5.15.0-rc2+ ARCH=x86 KBUILD_BUILD_VERSION=1 -f
./Makefile intdeb-pkg
sh ./scripts/package/builddeb
Can't load key from file './certs/signing_key.priv'
139999825022720:error:02001002:system library:fopen:No such file or
directory:../crypto/bio/bss_file.c:69:fopen('./certs/signing_key.priv','r')
139999825022720:error:2006D080:BIO routines:BIO_new_file:no such
file:../crypto/bio/bss_file.c:76:
make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
make[3]: *** [Makefile:1539: intdeb-pkg] Error 2
make[2]: *** [debian/rules:13: binary-arch] Error 2
dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
make: *** [Makefile:1539: bindeb-pkg] Error 2

CC'ed Ben in case he has more comments.

-- 
Best Regards
Masahiro Yamada

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
  2021-11-04  9:28   ` Masahiro Yamada
@ 2021-12-16 22:04     ` Matthew Wilcox
  2021-12-17 15:29       ` Masahiro Yamada
  0 siblings, 1 reply; 5+ messages in thread
From: Matthew Wilcox @ 2021-12-16 22:04 UTC (permalink / raw)
  To: Masahiro Yamada
  Cc: Ard Biesheuvel, Michal Marek, Nick Desaulniers,
	Linux Kbuild mailing list, Linux Kernel Mailing List, efi,
	debian-kernel, linux-efi, Ben Hutchings

On Thu, Nov 04, 2021 at 06:28:40PM +0900, Masahiro Yamada wrote:
> On Thu, Oct 14, 2021 at 6:47 PM Ard Biesheuvel <ardb@kernel.org> wrote:
> >
> > On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
> > <willy@infradead.org> wrote:
> > >
> > > If the config file specifies a signing key, use it to sign
> > > the kernel so that machines with SecureBoot enabled can boot.
> > > See https://wiki.debian.org/SecureBoot
> > >
> > > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> >
> > For the change itself
> >
> > Acked-by: Ard Biesheuvel <ardb@kernel.org>
> >
> > although I'd suggest to fix the subject not to refer to Machine Owner
> > Keys, as I don't see anything shim related here (i.e., if you sign
> > using a key that is listed in db, it should also work)
> >
> >
> > > ---
> > >  scripts/package/builddeb | 10 +++++++++-
> > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > > index 91a502bb97e8..4fa6ff2b5cac 100755
> > > --- a/scripts/package/builddeb
> > > +++ b/scripts/package/builddeb
> > > @@ -147,7 +147,15 @@ else
> > >         cp System.map "$tmpdir/boot/System.map-$version"
> > >         cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > >  fi
> > > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > > +
> > > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > > +if is_enabled CONFIG_MODULE_SIG; then
> > > +       cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > > +       key=${cert%pem}priv
> > > +       sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > > +else
> > > +       cp "$vmlinux" "$tmpdir/$installed_image_path"
> > > +fi
> > >
> > >  if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > >         # Only some architectures with OF support have this target
> > > --
> > > 2.32.0
> > >
> 
> How to compile this patch?
> 
> "make  bindeb-pkg" fails with
> Can't load key from file './certs/signing_key.priv'

I'm sorry; I missed this email.

I don't know why you're seeing this error, exactly.  I'm just trying to
automate the step here:

https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_your_kernel

Have you followed the other steps on that page; ie do you have:
signing_key.priv, signing_key.der and signing_key.pem files?

> 
> Also, sbsign emits "Invalid DOS header magic" error
> if CONFIG_EFI_STUB is not set.
> 
> The CONFIG name might depend on arch.
> CONFIG_EFI for ARCH=arm64, but CONFIG_EFI_STUB for ARCH=x86.
> 
> 
> If you require sbsign, you need to update Build-Depends ?

It looks like we should add a few extra checks before running sbsign ...

> sh ./scripts/package/builddeb
> Can't load key from file './certs/signing_key.priv'
> 139999825022720:error:02001002:system library:fopen:No such file or
> directory:../crypto/bio/bss_file.c:69:fopen('./certs/signing_key.priv','r')
> 139999825022720:error:2006D080:BIO routines:BIO_new_file:no such
> file:../crypto/bio/bss_file.c:76:
> make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
> make[3]: *** [Makefile:1539: intdeb-pkg] Error 2
> make[2]: *** [debian/rules:13: binary-arch] Error 2
> dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
> make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
> make: *** [Makefile:1539: bindeb-pkg] Error 2



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] builddeb: Support signing kernels with a Machine Owner Key
  2021-12-16 22:04     ` Matthew Wilcox
@ 2021-12-17 15:29       ` Masahiro Yamada
  0 siblings, 0 replies; 5+ messages in thread
From: Masahiro Yamada @ 2021-12-17 15:29 UTC (permalink / raw)
  To: Matthew Wilcox
  Cc: Ard Biesheuvel, Michal Marek, Nick Desaulniers,
	Linux Kbuild mailing list, Linux Kernel Mailing List, efi,
	debian-kernel, linux-efi, Ben Hutchings

On Fri, Dec 17, 2021 at 7:04 AM Matthew Wilcox <willy@infradead.org> wrote:
>
> On Thu, Nov 04, 2021 at 06:28:40PM +0900, Masahiro Yamada wrote:
> > On Thu, Oct 14, 2021 at 6:47 PM Ard Biesheuvel <ardb@kernel.org> wrote:
> > >
> > > On Wed, 13 Oct 2021 at 22:07, Matthew Wilcox (Oracle)
> > > <willy@infradead.org> wrote:
> > > >
> > > > If the config file specifies a signing key, use it to sign
> > > > the kernel so that machines with SecureBoot enabled can boot.
> > > > See https://wiki.debian.org/SecureBoot
> > > >
> > > > Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
> > >
> > > For the change itself
> > >
> > > Acked-by: Ard Biesheuvel <ardb@kernel.org>
> > >
> > > although I'd suggest to fix the subject not to refer to Machine Owner
> > > Keys, as I don't see anything shim related here (i.e., if you sign
> > > using a key that is listed in db, it should also work)
> > >
> > >
> > > > ---
> > > >  scripts/package/builddeb | 10 +++++++++-
> > > >  1 file changed, 9 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > > > index 91a502bb97e8..4fa6ff2b5cac 100755
> > > > --- a/scripts/package/builddeb
> > > > +++ b/scripts/package/builddeb
> > > > @@ -147,7 +147,15 @@ else
> > > >         cp System.map "$tmpdir/boot/System.map-$version"
> > > >         cp $KCONFIG_CONFIG "$tmpdir/boot/config-$version"
> > > >  fi
> > > > -cp "$($MAKE -s -f $srctree/Makefile image_name)" "$tmpdir/$installed_image_path"
> > > > +
> > > > +vmlinux=$($MAKE -s -f $srctree/Makefile image_name)
> > > > +if is_enabled CONFIG_MODULE_SIG; then
> > > > +       cert=$srctree/$(grep ^CONFIG_MODULE_SIG_KEY= include/config/auto.conf | cut -d\" -f2)
> > > > +       key=${cert%pem}priv
> > > > +       sbsign --key $key --cert $cert "$vmlinux" --output "$tmpdir/$installed_image_path"
> > > > +else
> > > > +       cp "$vmlinux" "$tmpdir/$installed_image_path"
> > > > +fi
> > > >
> > > >  if is_enabled CONFIG_OF_EARLY_FLATTREE; then
> > > >         # Only some architectures with OF support have this target
> > > > --
> > > > 2.32.0
> > > >
> >
> > How to compile this patch?
> >
> > "make  bindeb-pkg" fails with
> > Can't load key from file './certs/signing_key.priv'
>
> I'm sorry; I missed this email.
>
> I don't know why you're seeing this error, exactly.  I'm just trying to
> automate the step here:

[1] Apply your patch
[2] Enable CONFIG_MODULE_SIG
[3] make bindeb-pkg

That's all.


> https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_your_kernel
>
> Have you followed the other steps on that page; ie do you have:
> signing_key.priv, signing_key.der and signing_key.pem files?



certs/signing_key.pem is automatically generated by Kbuild.

There is no such file as signing_key.priv


You can see the content of certs/signing_key.pem
This file contains both certificate and private key.






>
> >
> > Also, sbsign emits "Invalid DOS header magic" error
> > if CONFIG_EFI_STUB is not set.
> >
> > The CONFIG name might depend on arch.
> > CONFIG_EFI for ARCH=arm64, but CONFIG_EFI_STUB for ARCH=x86.
> >
> >
> > If you require sbsign, you need to update Build-Depends ?
>
> It looks like we should add a few extra checks before running sbsign ...
>
> > sh ./scripts/package/builddeb
> > Can't load key from file './certs/signing_key.priv'
> > 139999825022720:error:02001002:system library:fopen:No such file or
> > directory:../crypto/bio/bss_file.c:69:fopen('./certs/signing_key.priv','r')
> > 139999825022720:error:2006D080:BIO routines:BIO_new_file:no such
> > file:../crypto/bio/bss_file.c:76:
> > make[4]: *** [scripts/Makefile.package:87: intdeb-pkg] Error 1
> > make[3]: *** [Makefile:1539: intdeb-pkg] Error 2
> > make[2]: *** [debian/rules:13: binary-arch] Error 2
> > dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2
> > make[1]: *** [scripts/Makefile.package:83: bindeb-pkg] Error 2
> > make: *** [Makefile:1539: bindeb-pkg] Error 2
>
>


-- 
Best Regards
Masahiro Yamada

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-12-17 15:31 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-13 20:05 [PATCH] builddeb: Support signing kernels with a Machine Owner Key Matthew Wilcox (Oracle)
2021-10-14  9:46 ` Ard Biesheuvel
2021-11-04  9:28   ` Masahiro Yamada
2021-12-16 22:04     ` Matthew Wilcox
2021-12-17 15:29       ` Masahiro Yamada

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).