Bug 2070866 - Support to sign part kernel
Summary: Support to sign part kernel
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: akmods
Version: 37
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Nicolas Chauvet (kwizart)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-04-01 09:00 UTC by Nicolas Chauvet (kwizart)
Modified: 2023-05-26 06:48 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug

Attachments (Terms of Use)

Description Nicolas Chauvet (kwizart) 2022-04-01 09:00:14 UTC 
Description of problem:
Adding support to automatically sign 3rd part kernel should be easy with the akmods infrastructure. (like with copr kwizart/kernel-longterm-5.15).


Steps to Reproduce:
1. dnf install sbsigntools
2. openssl x509 -in public_key.der -inform der -outform pem -out public_key.pem
3. sbsign --key private/private_key.priv --cert certs/public_key.pem /boot/vmlinuz-$(uname -r) --output /boot/vmlinuz-$(uname -r).signed
4 sha512sum /boot/vmlinuz-$(uname -r).signed > /boot/.vmlinuz-$(uname -r).signed.hmac
5. Switch to signed kernel in grub.cfg

Actual results:
Boots fine with Secure boot kept enabled.

Expected results:
There is a need to make additional verification

Additional info:
- Side note is the generated Secure Boot CA key is only valid for 10 years. I don't think we should do this as this will make the signature invalid and users might be unable to boot
Comment 1 Nicolas Chauvet (kwizart) 2022-04-01 09:12:57 UTC 
One side effect is that kmod signed with the same key than the kernel is unable to load. I need to figure out why ...
(do we need to sign kmod and kernel with a different key ?)
Comment 2 Nicolas Chauvet (kwizart) 2022-04-06 15:24:32 UTC 
See also.
https://github.com/vathpela/pesign/blob/wip/src/efikeygen.1.mdoc
Comment 3 Ben Cotton 2022-08-09 13:14:25 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 37 development cycle.
Changing version to 37.
Comment 4 knossos456 2023-03-01 11:04:33 UTC 
Hi Nicolas,
I'm trying to use the Copr Lts 5.15 kernel In secure mode.
All is going well if I don't use Dkms.
When I use Dkms for my own modules compiling, without secure mode all is going well also (since months)
But When I activate secure mode ,it found wrong signature.
All other distributions on same computer are working with same Dkms key pair, so the key is correctly enrolled in Nvram and same Dkms version.
I've let a message on Copr site.
xuzhen on dkms github seems to found the issue : https://github.com/dell/dkms/issues/305
Can you include the patch for next releases please?
Many thanks in advance.
Comment 5 Nicolas Chauvet (kwizart) 2023-03-03 08:01:05 UTC 
Thanks for finding the issue with this !
I will add the patch to my 5.15 LT copr on the next kernel update.
Please remind that 6.1 LT is WIP and should have the patch, as I haven't yet rebase on upstream kernel over fedora tree. I will  probably have to sort-out which patches should be kept and other that don't.
Comment 6 knossos456 2023-03-04 18:21:24 UTC 
Hi, last version 5.15 LTS from yesterday is working, thanks to you.
Note You need to log in before you can comment on or make changes to this bug.