Discussion:
Signing kernel
Dmitry Kasatkin
2013-09-25 10:50:58 UTC
Hello,

How is Ubuntu kernel signing done?

I am able to use "sbsign" to sign the kernel and boot it from the UEFI
boot manager or from another one like gummiboot.

But my Ubuntu grub does not want to boot it...
Just hangs...

Any advice?
--
Thanks,
Dmitry
Andy Whitcroft
2013-09-25 13:47:40 UTC
Post by Dmitry Kasatkin
Hello,
How is Ubuntu kernel signing done?
I am able to use "sbsign" to sign the kernel and boot it from the UEFI
boot manager or from another one like gummiboot.
But my Ubuntu grub does not want to boot it...
Just hangs...
Any advice?
As far as I know that is the same procedure as used to sign the
kernels. They are signed using sbsign, though obviously using a secret
key that is specific to Ubuntu. How does gummiboot allow you to add
your personal secret key for your kernels?

-apw
Dmitry Kasatkin
2013-09-25 14:11:57 UTC
Post by Andy Whitcroft
Post by Dmitry Kasatkin
Hello,
How is Ubuntu kernel signing done?
I am able to use "sbsign" to sign the kernel and boot it from the UEFI
boot manager or from another one like gummiboot.
But my Ubuntu grub does not want to boot it...
Just hangs...
Any advice?
As far as I know that is the same procedure as used to sign the
kernels. They are signed using sbsign, though obviously using a secret
key that is specific to Ubuntu. How does gummiboot allow you to add
your personal secret key for your kernels?
-apw
I took ownership of the platform by enrolling my own keys: PK, KEK and db.

http://blog.hansenpartnership.com/
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/

And I do signing using sbsign.
UEFI is able to boot my kernel directly or using UEFI bootloaders such
as gummiboot.

But Ubuntu grub does not want to boot it.
I thought it should use "db" keys to verify.

Or does it use only Canonical key?
--
Thanks,
Dmitry
Andy Whitcroft
2013-09-25 15:10:55 UTC
Post by Dmitry Kasatkin
I took ownership of the platform by enrolling my own keys: PK, KEK and db.
http://blog.hansenpartnership.com/
http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
And I do signing using sbsign.
UEFI is able to boot my kernel directly or using UEFI bootloaders such
as gummiboot.
But Ubuntu grub does not want to boot it.
I thought it should use "db" keys to verify.
Or does it use only Canonical key?
OK, grub2 uses the signature validation service that the 'shim' which loaded
grub installed. Looking at that code, it seems only to check things
against the key the shim was built with and any added vendor keys.
I think they expect you to rebuild and resign shim if you are replacing
the KEK, or to boot things directly from EFI, as you have replaced the
KEK and can sign yourself.

You might want to bring this up on the ubuntu-installer list, as the
experts in this functionality hang out there.

-apw
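A useful first diagnostic when a kernel signed with sbsign boots from the firmware but hangs under shim/grub is to confirm what is actually attached to the image. The script below is an added example, not code from the thread or from the sbsigntools project: it reads the PE/COFF Certificate Table (the security data directory) of a UEFI image and reports whether an Authenticode PKCS#7 signature is present. It uses only the Python standard library and builds a constructed, non-bootable PE32+ sample for the demo; the `build_sample_image` helper and its dummy payload bytes are assumptions for illustration. Note that "signed" here only means a PKCS#7 blob is attached; whether the signer is trusted depends on who verifies it, and, as the reply above explains, shim checks against its built-in key and added vendor keys rather than the firmware's db.

```python
"""Report whether a UEFI PE/COFF image carries an Authenticode signature.

Added example (not from the original thread). Standard library only.
Usage: python3 pe_sigcheck.py /boot/vmlinuz
"""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the Certificate Table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode PKCS#7 SignedData


def security_directory(image: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if absent.

    Unlike other data directories, the security entry holds a raw file
    offset rather than an RVA, so no section mapping is needed.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt = e_lfanew + 4 + 20                 # skip signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96                     # data directories start here (PE32)
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112                    # data directories start here (PE32+)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("Certificate Table points outside the file")
    return off, size


def list_certificates(image: bytes):
    """Walk the WIN_CERTIFICATE entries in the Certificate Table."""
    sd = security_directory(image)
    if sd is None:
        return []
    off, size = sd
    end = off + size
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({
            "length": length,
            "revision": revision,
            "type": cert_type,
            "pkcs7": image[off + 8:off + length],   # DER PKCS#7 SignedData blob
        })
        off += (length + 7) & ~7                    # entries are 8-byte aligned
    return entries


def is_authenticode_signed(image: bytes) -> bool:
    """True if at least one Authenticode (PKCS#7) entry is attached."""
    return any(e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for e in list_certificates(image))


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo: headers only, no sections,
    optionally with a dummy Certificate Table. Not a bootable binary (assumption)."""
    opt_size = 112 + 16 * 8                 # PE32+ optional header with 16 data dirs
    hdr_end = 0x40 + 4 + 20 + opt_size      # 328 bytes, already 8-byte aligned
    cert_off = (hdr_end + 7) & ~7
    payload = b"\x30\x05\x02\x03\x01\x02\x03"   # placeholder bytes, not real PKCS#7
    cert_len = 8 + len(payload)
    padded = (cert_len + 7) & ~7

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_off, padded)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if signed:
        image += struct.pack("<IHH", cert_len, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        image += payload + b"\0" * (padded - cert_len)
    return image


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(True)
    for i, e in enumerate(list_certificates(data)):
        print(f"entry {i}: type=0x{e['type']:04x} revision=0x{e['revision']:04x} "
              f"pkcs7={len(e['pkcs7'])} bytes")
    print("Authenticode signature present:", is_authenticode_signed(data))
```

If the kernel reports no signature at all, the sbsign step did not take; if it reports one, the remaining question is trust, which `sbverify --cert <cert.pem> <image>` answers for a given certificate, and which shim decides against its own embedded key rather than the db entries you enrolled.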
