
qemu: enroll certificate in MOK for dm-verity and kernel mods #3018

Status: Open. bluca wants to merge 1 commit into main.
Conversation

bluca
Member

@bluca bluca commented Sep 11, 2024

Automatically enroll the secure boot certificate in MOK, and also set the boolean so that the kernel trusts it to verify kernel modules and dm-verity volumes. This requires secure boot to be enabled to be effective, otherwise the kernel will ignore it.

@bluca bluca force-pushed the ovmf_enroll_mok branch 2 times, most recently from d97c368 to 8c11ee2 Compare September 11, 2024 20:41
@bluca bluca force-pushed the ovmf_enroll_mok branch 2 times, most recently from fe6e3ce to b529b90 Compare September 11, 2024 20:48
@bluca bluca force-pushed the ovmf_enroll_mok branch 2 times, most recently from b302c2c to 62800e0 Compare September 11, 2024 20:56
@bluca bluca force-pushed the ovmf_enroll_mok branch 3 times, most recently from e9c7226 to 4127292 Compare September 12, 2024 09:24
mkosi/qemu.py Outdated
Comment on lines 731 to 752
```python
if config.secure_boot_certificate:
    run(
        [
            "virt-fw-vars",
            "--input", vars,
            "--output", ovmf_vars.name,
            "--set-json", ovmf_json.name,
            "--loglevel", "WARNING",
        ],
        sandbox=config.sandbox(
            binary=qemu,
            options=[
                "--bind", ovmf_vars.name, ovmf_vars.name,
                "--ro-bind", ovmf_json.name, ovmf_json.name,
                "--ro-bind", vars, vars,
            ],
        ),
    )
else:
    shutil.copy2(vars, Path(ovmf_vars.name))
```
Contributor


This should be dropped, just because the image is built with a secure boot certificate shouldn't imply that we automatically add it to any given OVMF variables, especially ones provided by the user.

Member Author


It's now skipped if there are user-provided vars.

mkosi/qemu.py Outdated
Comment on lines 652 to 695
```python
# In order to make the kernel use mkosi.crt to verify dm-verity volumes, we need to
# create runtime and volatile EFI variables, MokListTrustedRT and MokListRT, as
# it's only from kernel 6.11 that db is used for this purpose. Note that, unlike
# certificates in db, the certificates in MOK are only used if secure boot is enabled.
# First create an efivar with the certificate, and then read it and convert to the
# json format that virt-fw-vars expects.
# attr=4 means EFI_VARIABLE_RUNTIME_ACCESS, and the GUID is the well-known MOK one.

mok_sigdb = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-ovmf-vars-sigdb-"))
run(
    [
        "virt-fw-sigdb",
        "--add-cert", "605dab50-e046-4300-abb6-3dd810dd8b23", config.secure_boot_certificate,
        "--output", mok_sigdb.name,
    ],
    sandbox=config.sandbox(
        binary=qemu,
        options=[
            "--bind", mok_sigdb.name, mok_sigdb.name,
            "--ro-bind", config.secure_boot_certificate, config.secure_boot_certificate,
        ],
    ),
)

mok_json = {
    "version": 2,
    "variables": [
        {
            "name": "MokListRT",
            "guid": "605dab50-e046-4300-abb6-3dd810dd8b23",
            "attr": 4,
            "data": mok_sigdb.read().hex(),
        },
        {
            "name": "MokListTrustedRT",
            "guid": "605dab50-e046-4300-abb6-3dd810dd8b23",
            "attr": 4,
            "data": "01",
        },
    ],
}
ovmf_json.write(json.dumps(mok_json).encode())
ovmf_json.flush()
```
Contributor


Make this a function and call it from within the custom if block and assert on secure_boot_certificate
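The two MOK variables discussed in the thread above, as an added example that is not mkosi's code: a pure-Python encoder for the EFI_SIGNATURE_LIST blob that `virt-fw-sigdb --add-cert` produces, a strict decoder for checking such a blob before it is enrolled, and the `virt-fw-vars` JSON document the PR writes. The field layout is my reading of the UEFI EFI_SIGNATURE_LIST definition (not shown in the PR), and the certificate bytes in the usage block are a constructed placeholder, not a real certificate.

```python
import json
import struct
import uuid

# Well-known GUIDs: the MOK vendor GUID that owns MokListRT/MokListTrustedRT
# (the one the PR passes to virt-fw-sigdb) and the EFI_CERT_X509_GUID
# signature type. attr=4 is EFI_VARIABLE_RUNTIME_ACCESS, as in the PR's JSON.
MOK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_VARIABLE_RUNTIME_ACCESS = 4


def x509_signature_list(cert_der: bytes, owner: uuid.UUID = MOK_GUID) -> bytes:
    """Encode one DER certificate as an EFI_SIGNATURE_LIST, the format
    `virt-fw-sigdb --add-cert` writes: SignatureType GUID, SignatureListSize,
    SignatureHeaderSize (0 for X.509), SignatureSize, then one
    EFI_SIGNATURE_DATA made of the owner GUID followed by the certificate."""
    sig_size = 16 + len(cert_der)
    list_size = 28 + sig_size
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
            + owner.bytes_le + cert_der)


def parse_signature_list(blob: bytes) -> tuple[uuid.UUID, uuid.UUID, bytes]:
    """Decode a single-entry EFI_SIGNATURE_LIST into (type, owner, cert),
    rejecting blobs whose size fields disagree with the data."""
    list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, 16)
    if list_size != len(blob) or hdr_size != 0 or sig_size != list_size - 28:
        raise ValueError("malformed EFI_SIGNATURE_LIST")
    return (uuid.UUID(bytes_le=blob[:16]), uuid.UUID(bytes_le=blob[28:44]),
            blob[44:list_size])


def mok_vars_json(cert_der: bytes) -> dict:
    """Build the document the PR hands to `virt-fw-vars --set-json`: the
    certificate in MokListRT, plus MokListTrustedRT=01 so the kernel also
    trusts MOK for module signatures and dm-verity (Secure Boot must be on)."""
    return {
        "version": 2,
        "variables": [
            {"name": "MokListRT", "guid": str(MOK_GUID),
             "attr": EFI_VARIABLE_RUNTIME_ACCESS,
             "data": x509_signature_list(cert_der).hex()},
            {"name": "MokListTrustedRT", "guid": str(MOK_GUID),
             "attr": EFI_VARIABLE_RUNTIME_ACCESS, "data": "01"},
        ],
    }


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate, not a real cert.
    print(json.dumps(mok_vars_json(b"\x30\x03\x02\x01\x01"), indent=2))
```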

Automatically enroll the secure boot certificate in MOK, and also set
the boolean so that the kernel trusts it to verify kernel modules and
dm-verity volumes. This requires secure boot to be enabled to be
effective, otherwise the kernel will ignore it.
Comment on lines +732 to +733
```python
if (config.secure_boot_certificate and
    (config.qemu_firmware_variables == Path("microsoft") or not config.qemu_firmware_variables)):
```
Contributor


As mentioned in Telegram, I would really prefer we don't conditionalize based on whether there's a secure boot certificate configured or not as that's build time configuration and not runtime configuration. So if you'd like to have this for the microsoft keys as well please gate it behind a new constant for QemuFirmwareVariables= named microsoft+mok
