Shim - Signing EFI applications and modules

Written on: Debian 10.5 / Buster

Contents

1 - Prerequisites

$ sudo dmesg |grep secureboot
[ 0.000000] secureboot: Secure boot enabled
$ ls MOK* 
MOK.der MOK.priv
$ mokutil --list-enrolled |grep Issuer
Issuer: CN=Pengouin
Issuer: CN=Debian Secure Boot CA
CA Issuers - URI:https://dsa.debian.org/secure-boot-ca

2 - Signing a module

The vboxdrv module is used as the example module to sign.

2.1 - Attempting to load an unsigned module

$ sudo aptitude install virtualbox-6.1
...
vboxdrv.sh: failed: modprobe vboxdrv failed. Please use 'dmesg' to find out why.

There were problems setting up VirtualBox. To re-start the set-up process, run
/sbin/vboxconfig as root. If your system is using EFI Secure Boot you may need to sign the
kernel modules (vboxdrv, vboxnetflt, vboxnetadp, vboxpci) before you can load
them. Please see your Linux system's documentation for more information.
.....
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Operation not permitte

$ sudo dmesg
...
[ 4281.609719] Lockdown: modprobe: unsigned module loading is restricted; see https://wiki.debian.org/SecureBoot
$ sudo modinfo vboxdrv |grep sig
$ hexdump -Cv /lib/modules/5.4.0-0.bpo.4-amd64/misc/vboxdrv.ko |tail -n 5
00f07530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00f07540 e0 61 f0 00 00 00 00 00 85 02 00 00 00 00 00 00 |.a..............|
00f07550 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
00f07560 00 00 00 00 00 00 00 00 |........|
00f07568

2.2 - Signing the module

$ sudo /usr/lib/linux-kbuild-4.19/scripts/sign-file sha256 MOK.priv MOK.der /lib/modules/5.4.0-0.bpo.4-amd64/misc/vboxdrv.ko
$ sudo modinfo vboxdrv |grep sig
sig_id: PKCS#7
signer: Pengouin
sig_key: 5A:2C:7D:BE:90:54:2C:91:68:28:38:58:9F:4D:5F:C0:0C:4F:46:CB
sig_hashalgo: sha256
signature: 9C:AA:BC:31:E2:08:07:1A:EB:BE:2C:AA:43:BF:D8:4B:6B:1D:2E:A7:
$ hexdump -Cv /lib/modules/5.4.0-0.bpo.4-amd64/misc/vboxdrv.ko |tail -n 5
00f076e0 d0 66 07 a3 d1 65 d8 4f c2 29 13 f2 4e d4 08 63 |.f...e.O.)..N..c|
00f076f0 fb ad c9 f1 43 00 00 02 00 00 00 00 00 00 00 01 |....C...........|
00f07700 8d 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 75 |.~Module signatu|
00f07710 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |re appended~.|
00f0771d
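As an added example (not from this page's author), the Python below parses the trailer that sign-file appended in 2.2: the PKCS#7 blob, the 12-byte struct module_signature, and the magic string visible in the hexdump as "~Module signature appended~". It mirrors the layout checks the kernel applies before verifying the signature, and runs on a constructed stand-in file rather than vboxdrv.ko; the dummy blob is 397 bytes, the sig_len (0x18d) encoded just before the magic in the hexdump above.

```python
import struct

# Trailer that the kernel's sign-file appends after the PKCS#7 blob
# (include/linux/module_signature.h); it is the "~Module signature
# appended~" text at the end of the signed hexdump.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# u8 __pad[3], __be32 sig_len  -> 12 bytes, length stored big-endian.
MODULE_SIG_FORMAT = ">BBBBB3sI"
PKEY_ID_PKCS7 = 2  # id_type written by sign-file (modinfo shows "sig_id: PKCS#7")


def parse_module_signature(ko: bytes):
    """Return a dict describing the appended signature, or None if unsigned.

    Mirrors the kernel's mod_check_sig() layout checks; bad layout raises ValueError.
    """
    if not ko.endswith(MODULE_SIG_STRING):
        return None  # no trailer: what modinfo reports as an unsigned module
    body = ko[: -len(MODULE_SIG_STRING)]
    hdr_size = struct.calcsize(MODULE_SIG_FORMAT)
    if len(body) < hdr_size:
        raise ValueError("trailer present but struct module_signature is truncated")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = struct.unpack(
        MODULE_SIG_FORMAT, body[-hdr_size:]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    # With PKCS#7 the signer and key id live inside the blob, so these are zero.
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("reserved module_signature fields must be zero for PKCS#7")
    payload = body[:-hdr_size]
    if sig_len > len(payload):
        raise ValueError("sig_len exceeds file size")
    return {
        "sig_len": sig_len,
        "module_len": len(payload) - sig_len,
        # DER blob; `openssl pkcs7 -inform DER -print_certs` shows the signer cert
        "pkcs7_der": payload[-sig_len:],
    }


def build_signed_sample(module: bytes, fake_pkcs7: bytes) -> bytes:
    """Constructed sample laid out as sign-file does: module || PKCS#7 || header || magic.
    fake_pkcs7 is dummy bytes, not a real signature."""
    hdr = struct.pack(MODULE_SIG_FORMAT, 0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(fake_pkcs7))
    return module + fake_pkcs7 + hdr + MODULE_SIG_STRING
```

The 437-byte growth of the constructed file (397 + 12 + 28) matches the difference between the two hexdump end offsets above, 0x00f07568 and 0x00f0771d.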

2.3 - Usage

$ sudo modprobe vboxdrv

$ lsmod |grep vboxdrv
vboxdrv 495616 0

$ sudo dmesg |grep vboxdrv
[ 3857.748810] vboxdrv: loading out-of-tree module taints kernel.
[ 3857.758909] vboxdrv: Found 8 processor cores
[ 3857.779428] vboxdrv: TSC mode is Invariant, tentative frequency 2303963291 Hz
[ 3857.779429] vboxdrv: Successfully loaded version 6.1.6 (interface 0x002d0001)

3 - Signing an EFI program

The tetris.efi application downloaded from https://github.com/tsani/tetrefis is used as the example application to sign.

3.1 - Signing

$ openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

$ ls MOK*
MOK.der MOK.pem MOK.priv
$ sudo aptitude install sbsigntool
$ sbsign --key MOK.priv --cert MOK.pem tetris.efi --output tetris.efi.signed
warning: data remaining[1291776 vs 1304573]: gaps between PE/COFF sections?
warning: data remaining[1291776 vs 1304576]: gaps between PE/COFF sections?
Signing Unsigned original image

3.2 - Verification

$ sbverify -l tetris.efi.signed
warning: data remaining[1293312 vs 1306112]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /CN=Pengouin
image signature certificates:
- subject: /CN=Pengouin
issuer: /CN=Pengouin

3.3 - Usage

$ sudo mkdir -p /boot/efi/EFI/MOK
$ sudo cp tetris.efi.signed /boot/efi/EFI/MOK/grubx64.efi
$ sudo cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/MOK/shimx64.efi
$ sudo efibootmgr --create --disk /dev/sda --part 1 --label "tetris" --loader /EFI/MOK/shimx64.efi

3.4 - Changing platform (tested with qemu)

$ sudo tree /boot/efi/EFI/MOK
/boot/efi/EFI/MOK
├── grubx64.efi
├── mmx64.efi
├── MOK.der
└── shimx64.efi
"ERROR Verification failes: (0x1A) Security Violation " 

is displayed. Select OK; the MOK manager appears. Enroll the key and reboot.