Shim - Verifying the signature of shim, grub, the kernel and the modules

Created on: Debian 10.9 / Buster

In a standard Debian installation in secure boot mode (see Grub2 - Installation - EFI boot), this document shows how to verify the signature of shim, grub, the kernel and the kernel modules.

1 - Verifying the shim signature

The Microsoft UEFI CA certificate is downloaded below from a third-party repository. Before trusting it, compare its Subject Key Identifier (shown by openssl x509 -text) with the key id that the kernel logs after the certificate name in the dmesg line: the two values must be identical.

$ sudo sbverify -l /boot/efi/EFI/debian/shimx64.efi
warning: data remaining[1159744 vs 1322936]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
$ sudo dmesg |grep X.509 |grep "Microsoft Corporation UEFI CA 2011"
[ 2.834246] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
$ wget https://github.com/slytomcat/UEFI-Boot/raw/master/keys/microsoft-uefica-public.crt
$ sudo sbverify --cert microsoft-uefica-public.crt /boot/efi/EFI/debian/shimx64.efi
warning: data remaining[1159744 vs 1322936]: gaps between PE/COFF sections?
Signature verification OK

2 - Verifying the grubx64 signature

$ sudo sbverify -l /boot/efi/EFI/debian/grubx64.efi
signature 1
image signature issuers:
- /CN=Debian Secure Boot CA
image signature certificates:
- subject: /CN=Debian Secure Boot Signer
issuer: /CN=Debian Secure Boot CA
$ sudo dmesg |grep X.509 |grep "Debian Secure Boot CA"
[ 2.832934] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 2.836182] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
$ wget https://dsa.debian.org/secure-boot-ca
$ openssl x509 -in secure-boot-ca -inform der -outform  pem -out secure-boot-ca.pem
$ sudo sbverify --cert secure-boot-ca.pem /boot/efi/EFI/debian/grubx64.efi
Signature verification OK

3 - Verifying the kernel signature

In the same way as for grub. Two details: tail -19 keeps the last certificate that openssl prints (the signer), which assumes that it is the last one and that its PEM block always has that many lines; and debian-ca.pem is the Debian Secure Boot CA in PEM form, i.e. the secure-boot-ca.pem produced in section 2.
$ locate vmlinuz-$(uname -r)
/boot/vmlinuz-5.4.0-0.bpo.4-amd64
$ sbverify -l /boot/vmlinuz-5.4.0-0.bpo.4-amd64
signature 1
image signature issuers:
- /CN=Debian Secure Boot CA
image signature certificates:
- subject: /CN=Debian Secure Boot Signer
issuer: /CN=Debian Secure Boot CA
$ osslsigncode extract-signature -pem /boot/vmlinuz-5.4.0-0.bpo.4-amd64 vmlinuz.sig
$ openssl pkcs7 -inform pem -print_certs -text -in vmlinuz.sig |tail -19 |tee debian-signer.pem
$ openssl verify -verbose -CAfile debian-ca.pem debian-signer.pem
debian-signer.pem: OK
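The tail -19 step above relies on the signer certificate being the last one printed and on its PEM block having a fixed number of lines. The following Python script, added here as an example (it is not part of the original page), instead parses the text that openssl pkcs7 -print_certs writes: it collects each subject=/issuer= pair together with the PEM block that follows it and returns the certificate whose subject CN is the Debian Secure Boot Signer, failing loudly if that CN is missing or ambiguous. SAMPLE_OUTPUT is constructed for the demo (two certificates with placeholder PEM bodies); on a real system feed the output of the openssl pkcs7 command above to pick_signer and write the result to debian-signer.pem before running openssl verify as shown.

```python
import re
import sys

# One certificate as written by "openssl pkcs7 -print_certs": a "subject="
# line, an "issuer=" line, then the PEM block. The "-text" dump that may
# precede it is indented, so it never starts a line with "subject=".
CERT_BLOCK = re.compile(
    r"^subject=(?P<subject>[^\n]*)\n"
    r"^issuer=(?P<issuer>[^\n]*)\n"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n[\s\S]*?-----END CERTIFICATE-----\n)",
    re.MULTILINE,
)


def split_print_certs(text: str) -> list:
    """Return [(subject, issuer, pem), ...] for every certificate in the output."""
    return [(m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in CERT_BLOCK.finditer(text)]


def pick_signer(text: str, cn: str = "Debian Secure Boot Signer") -> str:
    """Return the PEM of the single certificate whose subject CN equals `cn`.

    Accepts both OpenSSL name styles ("CN = X, O = Y" and "/CN=X/O=Y").
    Raises ValueError when zero or several certificates match, so an
    unexpected bundle is not silently verified against the wrong cert.
    """
    pattern = r"CN\s*=\s*" + re.escape(cn) + r"\s*(,|/|$)"
    hits = [pem for subject, _issuer, pem in split_print_certs(text)
            if re.search(pattern, subject)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one cert with CN={cn!r}, found {len(hits)}")
    return hits[0]


# Constructed sample of "openssl pkcs7 -print_certs -text" output: the PEM
# bodies are placeholders, not real certificates.
SAMPLE_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = Debian Secure Boot CA
subject=CN = Debian Secure Boot CA
issuer=CN = Debian Secure Boot CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQ0VSVCBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = Debian Secure Boot Signer
subject=CN = Debian Secure Boot Signer
issuer=CN = Debian Secure Boot CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0lHTkVSIENFUlQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Read real openssl output from stdin if piped, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for subject, issuer, _pem in split_print_certs(text):
        print(f"found: subject={subject!r} issuer={issuer!r}")
    sys.stdout.write(pick_signer(text))
```

The script only selects the certificate; the chain check against the Debian Secure Boot CA remains the openssl verify command above.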

4 - Verifying module signatures

$ sudo modinfo i915 |grep -E "/lib/modules|signer|signature"
filename: /lib/modules/5.4.0-0.bpo.4-amd64/kernel/drivers/gpu/drm/i915/i915.ko
signer: Debian Secure Boot CA
signature: BA:20:DE:46:B9:B1:C4:B4:72:BD:3C:C6:06:42:C6:78:31:3F:B9:C9:

$ sudo modinfo vboxdrv |grep -E "/lib/modules|signer|signature"
filename: /lib/modules/5.4.0-0.bpo.4-amd64/misc/vboxdrv.ko
signer: Demo
signature: 6A:83:4D:16:41:3C:66:C1:7C:33:E1:2A:F2:E3:2F:A9:DB:2D:BE:D6:
$ hexdump -Cv /lib/modules/5.4.0-0.bpo.4-amd64/kernel/drivers/gpu/drm/i915/i915.ko |tail -n 5
003be1e0 de 0c be 4b 53 98 2b 53 df 29 5c 3f 00 00 02 00 |...KS.+S.)\?....|
003be1f0 00 00 00 00 00 00 01 8c 7e 4d 6f 64 75 6c 65 20 |........~Module |
003be200 73 69 67 6e 61 74 75 72 65 20 61 70 70 65 6e 64 |signature append|
003be210 65 64 7e 0a |ed~.|
003be214

$ hexdump -Cv /lib/modules/5.4.0-0.bpo.4-amd64/misc/vboxdrv.ko |tail -n 5
00f05e80 5e b4 82 76 00 ca 8d 83 a3 95 00 00 02 00 00 00 |^..v............|
00f05e90 00 00 00 00 01 8a 7e 4d 6f 64 75 6c 65 20 73 69 |......~Module si|
00f05ea0 67 6e 61 74 75 72 65 20 61 70 70 65 6e 64 65 64 |gnature appended|
00f05eb0 7e 0a |~.|
00f05eb2
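The twelve bytes before ~Module signature appended~ in the hexdumps are the kernel's struct module_signature, and the PKCS#7 blob that modinfo summarises as signer and signature sits just before them. The following Python script, added here as an example (it is neither the page's nor the kernel's code), decodes that trailer with the same sanity checks as the kernel's mod_check_sig() and splits a module image into the signed payload and the DER blob. I915_HEADER is copied from the i915.ko hexdump above (sig_len 0x18c = 396 bytes); SAMPLE_MODULE is a constructed image whose DER blob is a placeholder, built by append_signature in the layout sign-file uses.

```python
import struct

# Trailer that the kernel's sign-file tool appends after the signature; it is
# what appears as "~Module signature appended~." at the end of the hexdumps.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"

# struct module_signature (include/linux/module_signature.h), big-endian:
#   u8 algo, hash, id_type, signer_len, key_id_len; u8 __pad[3]; __be32 sig_len
SIG_INFO_FMT = ">BBBBB3xI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)  # 12 bytes
PKEY_ID_PKCS7 = 2  # id_type written by sign-file (PKCS#7 / CMS signature)


def parse_sig_header(raw: bytes) -> dict:
    """Decode the 12-byte module_signature struct that precedes the magic."""
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        SIG_INFO_FMT, raw
    )
    return {"algo": algo, "hash": hash_, "id_type": id_type,
            "signer_len": signer_len, "key_id_len": key_id_len,
            "sig_len": sig_len}


def parse_module_signature(data: bytes):
    """Split a module image into its signed payload and appended PKCS#7 blob.

    Returns None when no signature trailer is present; otherwise a dict with
    the decoded header, the DER-encoded PKCS#7 blob and the payload that the
    signature covers. Mirrors the checks done by the kernel's mod_check_sig().
    """
    if not data.endswith(MODULE_SIG_MAGIC):
        return None
    body = data[: -len(MODULE_SIG_MAGIC)]
    if len(body) < SIG_INFO_LEN:
        raise ValueError("image too short to hold a module_signature header")
    hdr = parse_sig_header(body[-SIG_INFO_LEN:])
    body = body[:-SIG_INFO_LEN]
    if hdr["id_type"] != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {hdr['id_type']}")
    # With PKCS#7 the signer name and key id live inside the blob, so the
    # kernel requires these legacy header fields to be zero.
    if any(hdr[k] for k in ("algo", "hash", "signer_len", "key_id_len")):
        raise ValueError("non-zero legacy fields in PKCS#7 module_signature")
    sig_len = hdr["sig_len"]
    if sig_len == 0 or sig_len > len(body):
        raise ValueError(f"bad sig_len {sig_len} for image of {len(body)} bytes")
    payload, pkcs7 = body[:-sig_len], body[-sig_len:]
    if pkcs7[0] != 0x30:  # DER SEQUENCE tag: a PKCS#7 ContentInfo starts with it
        raise ValueError("signature blob does not look like DER")
    return {"header": hdr, "pkcs7": pkcs7, "payload": payload}


def append_signature(payload: bytes, pkcs7: bytes) -> bytes:
    """Lay out payload + blob + header + magic the way sign-file does (demo only)."""
    hdr = struct.pack(SIG_INFO_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return payload + pkcs7 + hdr + MODULE_SIG_MAGIC


# Header bytes copied from the i915.ko hexdump above: id_type 2, sig_len 0x18c.
I915_HEADER = bytes.fromhex("00 00 02 00 00 00 00 00 00 00 01 8c")

# Constructed sample: a fake ELF-like payload and a placeholder DER blob of
# 396 bytes (only the leading SEQUENCE tag and length are meaningful; a real
# blob is a CMS SignedData structure).
SAMPLE_PAYLOAD = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x82\x01\x88" + bytes(range(256)) + bytes(136)
SAMPLE_MODULE = append_signature(SAMPLE_PAYLOAD, SAMPLE_PKCS7)

if __name__ == "__main__":
    print("i915 header:", parse_sig_header(I915_HEADER))
    info = parse_module_signature(SAMPLE_MODULE)
    print("sample: sig_len", info["header"]["sig_len"], "payload", len(info["payload"]))
    print("unsigned image ->", parse_module_signature(SAMPLE_PAYLOAD))
```

On a real module, the pkcs7 bytes returned for open(path, "rb").read() can be written to a file and inspected with openssl pkcs7 -inform der -print_certs, the same way as the kernel signature in section 3. The script does not reimplement the cryptographic check itself: whether the signature over the payload validates against a key in the built-in, platform or MOK keyrings is decided by the kernel at module load time.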
Finally, check whether a certificate with issuer "Demo" is enrolled in the MOK list; if it is not, the kernel has no key against which the vboxdrv signature can be validated.
$ mokutil -l |grep Issuer |grep Demo