Hi, another question. With secure boot on, I make a kernel module test.ko. Then insmod test.ko:
[root@localhost linux]# insmod test.ko
insmod: ERROR: could not insert module test.ko: Required key not available
How can I sign my test.ko for CentOS 7.1?
If I set secure boot off, insmod test.ko will be successful.
w.k.
------------------ Original ------------------ From: "我自己的邮箱";304702903@qq.com; Date: Fri, Jan 22, 2016 03:07 PM To: "eero.volotinen"eero.volotinen@iki.fi; "gordon.messmer"gordon.messmer@gmail.com; Cc: "centos"centos@centos.org; Subject: Re: [CentOS] How to get UEFI setting by shell?
volotinen and gordon.messmer:
thank you for your answers.
w.k.
------------------ Original ------------------ From: "Gordon Messmer";gordon.messmer@gmail.com; Date: Fri, Jan 22, 2016 02:13 PM To: "CentOS mailing list"centos@centos.org;
Subject: Re: [CentOS] How to get UEFI setting by shell?
On 01/21/2016 09:47 PM, wk wrote:
How to check/get UEFI information by shell/bash terminal? Example: if UEFI is enabled? If secure boot is enabled?
Systems that boot via UEFI will have /sys/firmware/efi.
You may have access to your secure boot setting in /sys/firmware/efi/efivars/, or in the output of "bootctl --path /boot/efi status"
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
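Added example, not code from the thread or from any of its posters: a POSIX shell script that performs the two checks Gordon describes above (is /sys/firmware/efi present, and what does the SecureBoot efivar contain) and, for the "Required key not available" error in the original question, tests whether a .ko actually carries an appended module signature block. The optional sysfs-root parameter, the make_fixture helper and the dummy module bytes are my own constructions so the script can be exercised without a UEFI host; the SecureBoot variable name and GUID, the 4-byte efivarfs attribute header and the signature marker string are the real ones.

```shell
#!/bin/sh
# Added example, not part of the thread. Every check takes an optional
# sysfs root (assumed parameter, default "/") so it can be pointed at a
# constructed fake tree; on a live host just use the default.

# GUID under which the EFI global variables (SecureBoot, SetupMode) live.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
# Marker that the kernel's sign-file appends after the PKCS#7 signature.
MODSIG_MARKER='~Module signature appended~'

# Returns 0 when the system booted via UEFI (the efi directory exists).
is_uefi() {
    [ -d "${1:-/}/sys/firmware/efi" ]
}

# Prints enabled/disabled/unknown from the SecureBoot efivar. efivarfs
# files start with a 4-byte attribute word; the single data byte follows.
secure_boot_state() {
    var="${1:-/}/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    if [ ! -r "$var" ]; then
        echo unknown
        return 0
    fi
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Returns 0 when the module's last 28 bytes are the marker plus newline.
# A missing marker is the usual cause of "Required key not available"
# under Secure Boot; a present one does not prove the signer is trusted.
module_is_signed() {
    tail -c 28 "$1" | grep -q "$MODSIG_MARKER"
}

# Human-readable summary for one sysfs root and any number of modules.
report() {
    root=$1
    shift
    if is_uefi "$root"; then
        echo "UEFI boot: yes, Secure Boot: $(secure_boot_state "$root")"
    else
        echo "UEFI boot: no (legacy BIOS, or efivarfs not mounted)"
    fi
    for ko in "$@"; do
        if module_is_signed "$ko"; then
            echo "$ko: signature block present"
        else
            echo "$ko: no signature block"
        fi
    done
}

# Constructed fixture (test data, not a real system): a fake sysfs tree
# whose SecureBoot variable reads "enabled" or "disabled", plus an
# unsigned and a signed dummy module. 0x06 is the BS|RT attribute word.
make_fixture() {
    dir=$1
    var="$dir/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    mkdir -p "$dir/sys/firmware/efi/efivars"
    case $2 in
        enabled)  printf '\006\000\000\000\001' > "$var" ;;
        disabled) printf '\006\000\000\000\000' > "$var" ;;
    esac
    printf 'not a real ELF module' > "$dir/unsigned.ko"
    printf 'not a real ELF module\000fake-pkcs7-blob\000%s\n' "$MODSIG_MARKER" > "$dir/signed.ko"
}

# When run directly: report on the live tree and any modules given.
report / "$@"
```

Run it as `sh sbcheck.sh test.ko` on the machine in question. The module test only tells you whether a signature block is appended; whether its signer is one the kernel trusts is a separate question, answered on RHEL 7 by comparing the signer shown by `modinfo` against the keys listed with `keyctl list %:.system_keyring`.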
http://unix.stackexchange.com/questions/157539/cant-load-zfs-kernel-module-o...
So, the module must be signed with a trusted key, or else it just fails.
Eero 22.1.2016 9.34 AM "wk" 304702903@qq.com wrote:
Hi, another question. With secure boot on, I make a kernel module test.ko. Then insmod test.ko:
[root@localhost linux]# insmod test.ko
insmod: ERROR: could not insert module test.ko: Required key not available
How can I sign my test.ko for CentOS 7.1? If I set secure boot off, insmod test.ko will be successful.
w.k.
Hi, volotinen:
As mentioned in your web link: "Your on the right track your module need to be signed", my question is how to sign test_file_system.ko?
thanks, w.k.
------------------ Original ------------------ From: "eero.volotinen";eero.volotinen@iki.fi; Date: Fri, Jan 22, 2016 03:42 PM To: "CentOS mailing list"centos@centos.org;
Subject: Re: [CentOS] How to get UEFI setting by shell?
http://unix.stackexchange.com/questions/157539/cant-load-zfs-kernel-module-o...
So, the module must be signed with a trusted key, or else it just fails.
Well, you cannot sign it as you don't have access to the signing key? It might be possible to add keys to secure boot, I am not sure.
Looks like the only way to get unsigned modules to work is just to disable secure boot.
Eero
On Fri 22 January 2016 at 12.40 wk 304702903@qq.com wrote:
Hi, volotinen:
As mentioned in your web link: "Your on the right track your module need to be signed", my question is how to sign test_file_system.ko?
thanks, w.k.
On 01/21/2016 11:33 PM, wk wrote:
How can I sign my test.ko for CentOS7.1?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
On 1/22/2016 7:04 AM, Gordon Messmer wrote:
On 01/21/2016 11:33 PM, wk wrote:
How can I sign my test.ko for CentOS7.1?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
what a pile of security theater that MOK thing is. theater of the absurd, anyways.
It works on linux, it can't be secure?
:)
Eero 22.1.2016 8.54 PM "John R Pierce" pierce@hogranch.com wrote:
what a pile of security theater that MOK thing is. theater of the absurd, anyways.
-- john r pierce, recycling bits in santa cruz
On 1/22/2016 11:00 AM, Eero Volotinen wrote:
It works on linux, it can't be secure?
If you can insert a custom Machine Owner Key into this keyring, then anyone with sufficient ingenuity can, too, which renders the whole signature thing moot, other than as another step to be cracked.
On 01/22/2016 11:11 AM, John R Pierce wrote:
If you can insert a custom Machine Owner Key into this keyring, then anyone with sufficient ingenuity can, too, which renders the whole signature thing moot, other than as another step to be cracked.
I'm not sure you understand mokutil. You do know that in order to enroll a key you must be physically present at the console before the kernel boots, right? In order to enroll a key, you must have admin access in the OS, and physical access to the hardware.
Outside of an immutable key database, I think that's nearly as secure as it's possible to get.
On 1/22/2016 1:23 PM, Gordon Messmer wrote:
On 01/22/2016 11:11 AM, John R Pierce wrote:
If you can insert a custom Machine Owner Key into this keyring, then anyone with sufficient ingenuity can, too, which renders the whole signature thing moot, other than as another step to be cracked.
I'm not sure you understand mokutil. You do know that in order to enroll a key you must be physically present at the console before the kernel boots, right? In order to enroll a key, you must have admin access in the OS, and physical access to the hardware.
In order to install a kernel module without signing, you still need root-level access to the OS, so that's nothing new.
Most all servers I run have remote KVM via IPMI, or are VMs, so this can be done without physical presence, unless somehow mokutil disables KVM (keyboard/video/mouse, not kernel virtualization) AND refuses to run in a VM. Sure, if someone has penetrated my IPMI and/or virtualization management, I'm already in a world of hurt, but no physical presence is required.
On 01/22/2016 01:56 PM, John R Pierce wrote:
Sure, if someone has penetrated my IPMI and/or virtualization management, I'm already in a world of hurt
Exactly. IPMI should be on a dedicated VLAN with a bastion host. No other systems should have access to it at all. The servers, especially, should not have access to their own IPMI network. Otherwise, you risk creating exactly that kind of hole, where tasks that are supposed to require console access don't.
Having said that, I have no idea whether or not the virtual console is locked during the secure boot path. Anybody who uses IPMI and secure boot?
On 1/22/2016 2:24 PM, Gordon Messmer wrote:
On 01/22/2016 01:56 PM, John R Pierce wrote:
Sure, if someone has penetrated my IPMI and/or virtualization management, I'm already in a world of hurt
Exactly. IPMI should be on a dedicated VLAN with a bastion host. No other systems should have access to it at all. The servers, especially, should not have access to their own IPMI network. Otherwise, you risk creating exactly that kind of hole, where tasks that are supposed to require console access don't.
Having said that, I have no idea whether or not the virtual console is locked during the secure boot path. Anybody who uses IPMI and secure boot?
For that matter, what about a VM running on a service like Amazon AWS (or pick your virtual server environment)? AWS provides a remote console, doesn't it?
On 01/22/2016 02:38 PM, John R Pierce wrote:
For that matter, what about a VM running on a service like Amazon AWS (or pick your virtual server environment)? AWS provides a remote console, doesn't it?
AWS doesn't offer UEFI Secure Boot, so I'm not sure how that's relevant.
It seems like you're reaching for criticisms of mokutil because you don't like it, rather than because there is a demonstrable problem with it.
On 1/22/2016 3:42 PM, Gordon Messmer wrote:
On 01/22/2016 02:38 PM, John R Pierce wrote:
For that matter, what about a VM running on a service like Amazon AWS (or pick your virtual server environment)? AWS provides a remote console, doesn't it?
AWS doesn't offer UEFI Secure Boot, so I'm not sure how that's relevant.
It seems like you're reaching for criticisms of mokutil because you don't like it, rather than because there is a demonstrable problem with it.
yeah, I just realized, duh, secureboot on a VM is not an issue at all, so never mind all that.
I do think the whole secureboot thing is a bad idea on a general purpose computer system, seems like an attempt at creating product lock in and turning the x86 PC into an appliance, which it really isn't.
On 01/22/2016 04:25 PM, John R Pierce wrote:
I do think the whole secureboot thing is a bad idea on a general purpose computer system, seems like an attempt at creating product lock in and turning the x86 PC into an appliance, which it really isn't.
mokutil is designed to address that concern, specifically. It ensures that you can add your own keys, so that you can run your own OS and modules, while retaining the security aspects of Secure Boot. So mocking mokutil seems very odd, don't you think?
On Fri, Jan 22, 2016, 5:25 PM John R Pierce pierce@hogranch.com wrote:
yeah, I just realized, duh, secureboot on a VM is not an issue at all, so never mind all that.
It is an issue. Hyper V gen 2 has supported UEFI with Secure Boot enabled by default for a few years.
I do think the whole secureboot thing is a bad idea on a general purpose computer system, seems like an attempt at creating product lock in and turning the x86 PC into an appliance, which it really isn't.
It's precisely general purpose computers that are most susceptible to what Secure Boot prevents. What's the alternative?
Chris Murphy