Signature of prebuilt kernel modules

Mr-nUUb · August 5, 2024, 5:24pm

Hi!

Currently the prebuilt kernel modules (nvidia, zfs) are not signed, whereas modules patched into the kernel (v4l2loopback) are properly signed. Would it be possible to sign the prebuilt modules with the same key as the kernel. I know, the kernel signing key is autogenerated on every build, but would it be possible to reuse this key?

I’m asking because secureboot is currently not possible with nvidia and zfs. It’s not even possible if shim and dkms are properly setup, because the kernel simply wouldn’t load the machine keyring from MokList. Or maybe the kernel can be built with MokList support?

Best regards
Mr nUUb

ptr1337 · August 5, 2024, 5:56pm

Hi,

they are currently not signed. Arch also does not sign their modules.

Yes, secure boot is working with NVIDIA. I use NVIDIA have have secure boot setup.
See:

Mr-nUUb · August 5, 2024, 6:03pm

Secureboot only partially works. As soon as module signature is enforced or kernel lockdown mode is changed to integrity/confidentiality (defaults to none), the kernel wont load unsigned modules. Here the MokList (setup by shim) would come in, but the kernel is not configured to load them. This would require CONFIG_IMA_ARCH_POLICY and CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT.

ptr1337 · August 5, 2024, 6:05pm

We can not change anything there. If you have the keys, then you can build your own kernel.

We simply do not have any access to the secure boot keys, and therefore we can not sign it.
We would need to get them from Microsoft, which is in our current state not possible.

We will currently only provide the sbctl secure boot way, any other is not supported.

Mr-nUUb · August 5, 2024, 6:24pm

I’m not talking about getting everything properly signed by Microsoft.

In the first paragraph I’m talking about the key that gets autogenerated during kernel compilation. Would it be possible to extract this key and sign prebuilt modules with it? Like this here:
```
$ modinfo amdgpu
...
sig_id:         PKCS#7
signer:         Build time autogenerated kernel key
sig_key:        7F:...
sig_hashalgo:   sha512
signature:      30:...
...
```
In the second paragraph I’m talking about enabling kernel support for the MokList using aforementioned kconfig options. I don’t know if the kernel must be properly signed for this to work though.

ptr1337 · August 5, 2024, 7:05pm

Would it be possible to extract this key and sign prebuilt modules with it? Like this here:

No, this is not possible. We are following here archlinux defaults and this will also continue.

Mr-nUUb · August 5, 2024, 7:44pm

I’m sorry to have upset you.

ptr1337 · August 5, 2024, 7:47pm

You did not upset me - but we will not do customization in terms of the common kernel build yet.

Mr-nUUb · August 5, 2024, 7:53pm

I don’t quite get that statement. The common kernel of Cachy OS is already heavily customized.

ptr1337 · August 6, 2024, 6:19am

We are following in terms of config, PKGBUILD as well as packaging archlinux. This never changed.