qemu: enroll certificate in MOK for dm-verity and kernel mods #3018
Conversation
Branch force-pushed: d97c368 to 8c11ee2
Branch force-pushed: fe6e3ce to b529b90
Branch force-pushed: b302c2c to 62800e0
Branch force-pushed: e9c7226 to 4127292
Branch force-pushed: 4127292 to 40864a9
mkosi/qemu.py (Outdated)

    if config.secure_boot_certificate:
        run(
            [
                "virt-fw-vars",
                "--input", vars,
                "--output", ovmf_vars.name,
                "--set-json", ovmf_json.name,
                "--loglevel", "WARNING",
            ],
            sandbox=config.sandbox(
                binary=qemu,
                options=[
                    "--bind", ovmf_vars.name, ovmf_vars.name,
                    "--ro-bind", ovmf_json.name, ovmf_json.name,
                    "--ro-bind", vars, vars,
                ],
            ),
        )
    else:
        shutil.copy2(vars, Path(ovmf_vars.name))
This should be dropped, just because the image is built with a secure boot certificate shouldn't imply that we automatically add it to any given OVMF variables, especially ones provided by the user.
It's now skipped if there are user-provided vars.
mkosi/qemu.py (Outdated)

    # In order to make the kernel use mkosi.crt to verify dm-verity volumes, we need to
    # create runtime and volatile EFI variables, MokListTrustedRT and MokListRT, as
    # it's only from kernel 6.11 that db is used for this purpose. Note that, unlike
    # certificates in db, the certificates in MOK are only used if secure boot is enabled.
    # First create an efivar with the certificate, and then read it and convert to the
    # json format that virt-fw-vars expects.
    # attr=4 means EFI_VARIABLE_RUNTIME_ACCESS, and the GUID is the well-known MOK one.

    mok_sigdb = stack.enter_context(tempfile.NamedTemporaryFile(prefix="mkosi-ovmf-vars-sigdb-"))
    run(
        [
            "virt-fw-sigdb",
            "--add-cert", "605dab50-e046-4300-abb6-3dd810dd8b23", config.secure_boot_certificate,
            "--output", mok_sigdb.name,
        ],
        sandbox=config.sandbox(
            binary=qemu,
            options=[
                "--bind", mok_sigdb.name, mok_sigdb.name,
                "--ro-bind", config.secure_boot_certificate, config.secure_boot_certificate,
            ],
        ),
    )

    mok_json = {
        "version": 2,
        "variables": [
            {
                "name": "MokListRT",
                "guid": "605dab50-e046-4300-abb6-3dd810dd8b23",
                "attr": 4,
                "data": mok_sigdb.read().hex(),
            },
            {
                "name": "MokListTrustedRT",
                "guid": "605dab50-e046-4300-abb6-3dd810dd8b23",
                "attr": 4,
                "data": "01",
            },
        ],
    }
    ovmf_json.write(json.dumps(mok_json).encode())
    ovmf_json.flush()
Make this a function and call it from within the custom if block and assert on secure_boot_certificate.
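The snippet above delegates the binary format of MokListRT to virt-fw-sigdb and only converts the result to the JSON that virt-fw-vars consumes. The following is an added example, not mkosi's code and not part of this pull request: it builds the EFI_SIGNATURE_LIST that MokListRT carries by hand (one EFI_CERT_X509 entry owned by the MOK/shim GUID), parses it back as a sanity check, and emits the same two-variable JSON document the PR writes. The JSON schema (version 2, name/guid/attr/data with hex data) is taken from the snippet; the DER blob is a constructed placeholder, since only its length matters for the container layout, and the functions `build_x509_siglist`, `parse_siglists` and `mok_vars_json` are names chosen here.

```python
import json
import struct
import uuid

# GUIDs as the UEFI spec writes them; uuid.bytes_le yields the on-disk (mixed-endian) form.
MOK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"            # shim's MOK vendor GUID (from the PR)
EFI_CERT_X509_GUID = "a5c059a1-94e4-4aa7-87b5-ab155c2bf072"  # EFI_SIGNATURE_LIST type for DER X.509
EFI_VARIABLE_RUNTIME_ACCESS = 0x4                            # the attr=4 the PR uses

# EFI_SIGNATURE_LIST header: SignatureType (16), SignatureListSize, SignatureHeaderSize, SignatureSize
_SIGLIST_HDR = "<16sIII"
_SIGLIST_HDR_LEN = struct.calcsize(_SIGLIST_HDR)  # 28


def build_x509_siglist(der_cert: bytes, owner_guid: str = MOK_GUID) -> bytes:
    """Return one EFI_SIGNATURE_LIST holding a single DER X.509 certificate.

    For X.509 lists SignatureHeaderSize is 0 and each EFI_SIGNATURE_DATA is
    SignatureOwner (16-byte GUID) followed by the raw DER certificate.
    """
    sig = uuid.UUID(owner_guid).bytes_le + der_cert
    header = struct.pack(
        _SIGLIST_HDR,
        uuid.UUID(EFI_CERT_X509_GUID).bytes_le,
        _SIGLIST_HDR_LEN + len(sig),  # SignatureListSize covers header + all entries
        0,                            # SignatureHeaderSize
        len(sig),                     # SignatureSize (owner GUID + cert)
    )
    return header + sig


def parse_siglists(blob: bytes) -> list:
    """Parse a concatenation of EFI_SIGNATURE_LISTs into (type_guid, owner_guid, data) tuples.

    Rejects truncated headers, list sizes that overrun the blob, and bodies that
    are not a whole number of SignatureSize entries, which is what a consumer
    must check before trusting anything read out of an NVRAM variable.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _SIGLIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        stype, list_size, hdr_size, sig_size = struct.unpack_from(_SIGLIST_HDR, blob, off)
        if list_size < _SIGLIST_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + _SIGLIST_HDR_LEN + hdr_size : off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(0, len(body), sig_size):
            owner = body[i : i + 16]
            data = body[i + 16 : i + sig_size]
            entries.append((str(uuid.UUID(bytes_le=stype)), str(uuid.UUID(bytes_le=owner)), data))
        off += list_size
    return entries


def mok_vars_json(der_cert: bytes) -> dict:
    """Build the virt-fw-vars --set-json document that enrolls der_cert in MOK.

    MokListRT carries the certificate; MokListTrustedRT set to 0x01 tells the
    kernel to load MokListRT into the platform keyring (hence usable for module
    and dm-verity signature checks). As the PR notes, the kernel only honours
    MOK when Secure Boot is enabled.
    """
    return {
        "version": 2,
        "variables": [
            {
                "name": "MokListRT",
                "guid": MOK_GUID,
                "attr": EFI_VARIABLE_RUNTIME_ACCESS,
                "data": build_x509_siglist(der_cert).hex(),
            },
            {
                "name": "MokListTrustedRT",
                "guid": MOK_GUID,
                "attr": EFI_VARIABLE_RUNTIME_ACCESS,
                "data": "01",
            },
        ],
    }


# Constructed placeholder standing in for a DER-encoded certificate (not a real cert).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

if __name__ == "__main__":
    doc = mok_vars_json(SAMPLE_DER)
    # Round-trip: what we wrote must parse back as exactly one X.509 entry owned by the MOK GUID.
    assert parse_siglists(bytes.fromhex(doc["variables"][0]["data"])) == [
        (EFI_CERT_X509_GUID, MOK_GUID, SAMPLE_DER)
    ]
    print(json.dumps(doc, indent=2))
```

The resulting file is consumed exactly as in the PR: `virt-fw-vars --input <OVMF_VARS template> --output <vars copy> --set-json mok.json`. A real certificate would be read from disk in DER form; if you only have PEM (as mkosi.crt usually is), convert it first, since the EFI_SIGNATURE_DATA payload must be raw DER.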
Branch force-pushed: 40864a9 to a754b55
Automatically enroll the secure boot certificate in MOK, and also set the boolean so that the kernel trusts it to verify kernel modules and dm-verity volumes. This requires secure boot to be enabled to be effective, otherwise the kernel will ignore it.
Branch force-pushed: a754b55 to 7b3d3db
    if (config.secure_boot_certificate and
        (config.qemu_firmware_variables == Path("microsoft") or not config.qemu_firmware_variables)):
As mentioned in Telegram, I would really prefer we don't conditionalize based on whether there's a secure boot certificate configured or not, as that's build time configuration and not runtime configuration. So if you'd like to have this for the microsoft keys as well, please gate it behind a new constant for QemuFirmwareVariables= named microsoft+mok.