Secure Boot on Linux systems

  • May 29, 2017
  • Magnus Carlsson

This is the first post in a 2-part series about Secure Boot and signing modules on Linux:

  1. Secure Boot on Linux systems
  2. Build and install signed Kvaser driver modules


What is Secure Boot?

“Secure Boot” is a UEFI feature that appeared in 2012, on computers that shipped with Windows 8 preinstalled. All current Ubuntu 64-bit (not 32-bit) versions now support this feature. In brief, Secure Boot works by placing the root of trust in firmware. While other implementations are possible, in practice the chain of trust is achieved via X.509 certificates. A root certificate[1] is embedded in firmware so that it can validate the signed bootloader; the signed bootloader can then validate the signed kernel or a signed second-stage bootloader, and so on. More information about Secure Boot can be found on the Ubuntu wiki.[2] In order to use Secure Boot, we need to boot the system using UEFI instead of the older BIOS.


What is the difference between BIOS and UEFI?

Both initialize a computer, and their task is to load an operating system. BIOS boots by reading the first sector on a hard disk, the master boot record (MBR), and executing it. By contrast, UEFI boots by loading EFI program files (with .efi filename extensions) from a partition on the hard disk, known as the EFI System Partition (ESP).[3]


Did my Linux system boot using UEFI or BIOS?

The easiest way is to check if the folder /sys/firmware/efi exists.

secureBoot:~$ ls /sys/firmware/efi/
config_table  fw_platform_size  runtime      systab
efivars       fw_vendor         runtime-map  vars

The folder /sys/firmware/efi does not appear if the Linux computer was booted using traditional BIOS.

legacy:~$ ls /sys/firmware/efi
ls: cannot access /sys/firmware/efi: No such file or directory

Did my Linux system boot using Secure Boot?

The mokutil command is used to manage Machine Owner Keys (MOK), which the shim layer uses to validate grub2 and kernel images. The command can also be used to verify that Secure Boot is enabled.

secureBoot:~$ mokutil --sb-state
SecureBoot enabled

We can also use the mokutil command to view all currently enrolled keys.

secureBoot:~$ mokutil --list-enrolled

What are the symptoms of unsigned modules?

If we have compiled and installed the Kvaser driver modules without a valid signature on a computer where Secure Boot is enabled, no channels will be reported when running the listChannels example, even though we have attached a Kvaser interface.

secureBoot:~$ ./listChannels
Canlib version 5.20
Found 0 channel(s).

We can verify that the Kvaser interface actually was attached and recognized by the USB subsystem using the lsusb command.

secureBoot:~$ lsusb | grep Kvaser
Bus 003 Device 008: ID 0bfd:0108 Kvaser AB

When we now look for errors in the system log, we find a variation of the error “Required key not available”.

apr 19 16:05:38 mypc /usr/sbin/mhydra.sh[22789]: modprobe: ERROR: could not insert 'mhydra': Required key not available
apr 19 16:05:38 mypc systemd-udevd[22776]: Process '/usr/sbin/mhydra.sh start' failed with exit code 1.

This tells us that we need to sign our modules to make them work on our computer. In the next part, we will take a look at how to build and sign the Kvaser driver modules so that they can be used on a Linux computer that has Secure Boot enabled.
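The checks from this post collected into one triage script, as an added example that is not part of the original post. It goes slightly beyond the text by reading the SecureBoot EFI variable directly from efivarfs instead of calling mokutil; the function names and the optional root-prefix argument are hypothetical, and the sample log line is constructed from the excerpt above.

```shell
#!/bin/sh
# Added example (not the author's code): triage for "Found 0 channel(s)".
# Each check takes an optional root prefix as $1 (hypothetical, used to
# point the checks at a test tree instead of the live /sys).

# SecureBoot variable in the EFI global variable GUID namespace.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Prints "uefi" if /sys/firmware/efi exists, "bios" otherwise.
boot_mode() {
    if [ -d "${1:-}/sys/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# Prints enabled/disabled/unknown from the SecureBoot EFI variable.
# An efivarfs file holds 4 attribute bytes followed by the data byte.
secure_boot_state() {
    f="${1:-}/sys/firmware/efi/efivars/$SB_VAR"
    [ -r "$f" ] || { echo unknown; return; }
    case "$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;   # truncated or unexpected content
    esac
}

# Reads log text on stdin and prints each module whose load was rejected
# with "Required key not available", one name per line, de-duplicated.
rejected_modules() {
    sed -n "s/.*could not insert '\([^']*\)': Required key not available.*/\1/p" | sort -u
}

# Constructed sample log line, modelled on the excerpt in this post.
SAMPLE_LOG="apr 19 16:05:38 mypc /usr/sbin/mhydra.sh[22789]: modprobe: ERROR: could not insert 'mhydra': Required key not available"

echo "boot mode:        $(boot_mode)"
echo "secure boot:      $(secure_boot_state)"
echo "rejected modules: $(printf '%s\n' "$SAMPLE_LOG" | rejected_modules)"
```

On a live system, pipe the real log into the last function, for example `journalctl -b | rejected_modules`.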

Footnotes

1 A root certificate is a certificate issued by a trusted Certificate Authority (CA).

2 Read more about Secure Boot on the Ubuntu wiki at https://wiki.ubuntu.com/SecurityTeam/SecureBoot/.

3 A comparison between BIOS and UEFI can be found in the superuser article at https://superuser.com/questions/496026/what-is-the-difference-in-boot-with-bios-and-boot-with-uefi.

Magnus Carlsson

Magnus Carlsson is a Software Developer for Kvaser AB and has developed firmware and software for Kv...