This is the first post in a 2-part series about Secure Boot and signing modules on Linux:
- Secure Boot on Linux systems
- Build and install signed Kvaser driver modules
“Secure Boot” is a UEFI feature that appeared in 2012 on computers shipped with Windows 8 preinstalled. All current 64-bit (not 32-bit) Ubuntu versions support it. In brief, Secure Boot works by placing the root of trust in the firmware. Other implementations are possible, but in practice the chain of trust is built from X.509 certificates: a root certificate1 embedded in the firmware validates the signed bootloader, the signed bootloader validates the signed kernel or a signed second-stage bootloader, and so on. More information about Secure Boot can be found on the Ubuntu wiki.2 In order to use Secure Boot, the system has to boot using UEFI instead of the older BIOS.
Both BIOS and UEFI initialize the computer, and their task is to load an operating system. BIOS boots by reading the first sector of a hard disk, the master boot record (MBR), and executing it. By contrast, UEFI boots by loading EFI program files (with .efi filename extensions) from a partition on the hard disk known as the EFI System Partition (ESP).3
The easiest way to tell which firmware interface the system was booted with is to check whether the folder /sys/firmware/efi exists. The kernel creates it when it was booted through UEFI:

secureBoot:~$ ls /sys/firmware/efi/
config_table fw_platform_size runtime systab efivars fw_vendor runtime-map vars

The folder does not appear if the Linux computer was booted using traditional BIOS:

legacy:~$ ls /sys/firmware/efi
ls: cannot access /sys/firmware/efi: No such file or directory
The mokutil command is used to manage Machine Owner Keys (MOK). These keys are used by the shim layer to validate grub2 and kernel images, and mokutil can also be used to verify that Secure Boot is enabled:

secureBoot:~$ mokutil --sb-state
SecureBoot enabled

We can also use the mokutil command to view all currently enrolled keys:

secureBoot:~$ mokutil --list-enrolled
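The two checks above can be scripted so that they also work on machines where mokutil is not installed, by reading the EFI variables the kernel exposes under /sys/firmware/efi/efivars. The following is an added example and not code from the original post. It assumes nothing beyond the efivarfs file layout (a 4-byte attribute word followed by the variable data) and takes the sysfs root as a parameter so that it can be pointed at a constructed directory tree; the tree built by make_sample_tree is constructed for the demonstration, not captured from a real machine. Firmware in Setup Mode does not enforce signatures even when the SecureBoot byte reads 1, so that case is reported separately, the same distinction mokutil --sb-state draws.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the Secure Boot
# state straight from the EFI variables the kernel exposes under
# /sys/firmware/efi/efivars, so it works even where mokutil is missing.
# The sysfs root is a parameter (assumption made for testability) so the
# functions can be pointed at a constructed directory tree.

# GUID of the EFI global variable namespace; SecureBoot and SetupMode live there.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Prints "uefi" if the kernel exposes <root>/firmware/efi, "bios" otherwise.
boot_mode() {
    root="${1:-/sys}"
    if [ -d "$root/firmware/efi" ]; then echo uefi; else echo bios; fi
}

# Prints the first data byte of an EFI variable as a decimal number.
# efivarfs files start with a 4-byte attribute word; the data follows it.
# Returns 1 if the variable does not exist or is unreadable.
efi_var_byte() {
    var="$1/firmware/efi/efivars/$2-$EFI_GLOBAL_GUID"
    [ -r "$var" ] || return 1
    dd if="$var" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# Prints "enabled", "disabled", "setup-mode" or "unknown".
# SecureBoot is a single byte: 1 = enabled, 0 = disabled. Firmware in
# Setup Mode (SetupMode = 1) accepts key changes and does not enforce
# signatures even if the SecureBoot byte reads 1, so report it on its own.
secure_boot_state() {
    root="${1:-/sys}"
    sb=$(efi_var_byte "$root" SecureBoot) || { echo unknown; return 0; }
    case "$sb" in
        1)
            if [ "$(efi_var_byte "$root" SetupMode)" = 1 ]; then
                echo setup-mode
            else
                echo enabled
            fi
            ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Builds a constructed sysfs-like tree under $1 that mimics a UEFI machine
# with Secure Boot enabled: attribute word 0x06 (BS|RT), then the data byte.
make_sample_tree() {
    mkdir -p "$1/firmware/efi/efivars"
    printf '\006\000\000\000\001' > "$1/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    printf '\006\000\000\000\000' > "$1/firmware/efi/efivars/SetupMode-$EFI_GLOBAL_GUID"
}

# Demonstration against the constructed tree, then against the real /sys.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "sample tree: $(boot_mode "$demo_root"), Secure Boot $(secure_boot_state "$demo_root")"
echo "this machine: $(boot_mode /sys), Secure Boot $(secure_boot_state /sys)"
rm -rf "$demo_root"
```

On a real UEFI system the second line of the demonstration should agree with mokutil --sb-state; "unknown" there means either a BIOS boot or that efivarfs is not mounted or not readable by the current user.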
If we have compiled and installed the Kvaser driver modules without a valid signature on a computer where Secure Boot is enabled, we will not get any channels reported when running the listChannels example, even though we have attached a Kvaser interface:

secureBoot:~$ ./listChannels
Canlib version 5.20
Found 0 channel(s).

We can verify that the Kvaser interface actually was attached and recognized by the USB subsystem using the lsusb command:

secureBoot:~$ lsusb | grep Kvaser
Bus 003 Device 008: ID 0bfd:0108 Kvaser AB
We now look for errors in the system log and will find a variation of the error “Required key not available”:

apr 19 16:05:38 mypc /usr/sbin/mhydra.sh: modprobe: ERROR: could not insert ’mhydra’: Required key not available
apr 19 16:05:38 mypc systemd-udevd: Process ’/usr/sbin/mhydra.sh start’ failed with exit code 1.

This tells us that the kernel rejected the module: with Secure Boot enabled it only loads modules whose signature it can verify against a key it trusts, and modprobe reports that rejection as “Required key not available”. We therefore need to sign our modules with a key the kernel trusts to make them work on our computer. In the next part we will take a look at how to build and sign the Kvaser driver modules so they can be used on a Linux computer that has Secure Boot enabled.
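When modprobe reports “Required key not available”, the first thing to establish is whether the .ko file carries a signature at all. The kernel appends the signature to the module image, followed by a 12-byte struct module_signature and the fixed marker “~Module signature appended~” plus a newline. The following added example (not code from the original post or the Kvaser driver) checks a file for that trailer and reads the signature length out of it. The sample files it builds with make_fake_signed_module and make_fake_unsigned_module are constructed stand-ins with the right trailer layout, not real modules.

```shell
#!/bin/sh
# Added example, not code from the original post or the Kvaser driver.
# Checks whether a module file carries an appended signature. Layout used
# by the kernel: <ELF image><signature blob><12-byte struct module_signature>
# <28-byte marker>, where the marker is "~Module signature appended~\n" and
# the last field of the struct is sig_len, a big-endian 32-bit length.
MODULE_SIG_MARKER='~Module signature appended~'   # followed by "\n" in the file

# Returns 0 if $1 ends with the kernel's signature marker, 1 otherwise.
module_is_signed() {
    [ -r "$1" ] || return 1
    # tail -c 28 includes the trailing newline; $(...) strips it again.
    [ "$(tail -c 28 "$1")" = "$MODULE_SIG_MARKER" ]
}

# Prints sig_len (size of the signature blob) for a signed module, or
# returns 1 without output if the file is unsigned.
module_sig_len() {
    f="$1"
    module_is_signed "$f" || return 1
    # The last 32 bytes are sig_len(4) + marker(28); take the 4 as decimals.
    set -- $(tail -c 32 "$f" | dd bs=1 count=4 2>/dev/null | od -An -tu1)
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Constructed stand-in for a signed module at $1: a fake image, a 5-byte
# placeholder where the PKCS#7 blob would be, the struct module_signature
# (algo=0, hash=0, id_type=2 for PKCS#7, signer_len=0, key_id_len=0,
# 3 pad bytes, sig_len=5) and the marker. Not a loadable module.
make_fake_signed_module() {
    printf 'not a real ELF image' > "$1"
    printf 'SIG01' >> "$1"
    printf '\000\000\002\000\000\000\000\000\000\000\000\005' >> "$1"
    printf '%s\n' "$MODULE_SIG_MARKER" >> "$1"
}

# Constructed stand-in for an unsigned module at $1.
make_fake_unsigned_module() {
    printf 'not a real ELF image' > "$1"
}

# Reports one file the way a quick triage script would.
report_module() {
    if module_is_signed "$1"; then
        echo "$1: signed, signature blob is $(module_sig_len "$1") bytes"
    else
        echo "$1: unsigned, the kernel will reject it under Secure Boot"
    fi
}

demo_dir=$(mktemp -d)
make_fake_signed_module "$demo_dir/signed.ko"
make_fake_unsigned_module "$demo_dir/unsigned.ko"
report_module "$demo_dir/signed.ko"
report_module "$demo_dir/unsigned.ko"
rm -rf "$demo_dir"
```

Run report_module against the installed mhydra.ko to see which case applies. A signed module is still rejected if the signing key is not one the kernel trusts, so a "signed" result only rules out the missing-signature case; modinfo -F sig_key on the file shows which key signed it, so that it can be compared with the keys listed by mokutil --list-enrolled.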
1 A root certificate is a certificate issued by a trusted Certificate Authority (CA).
3 A comparison between BIOS and UEFI can be found in the superuser article at https://superuser.com/questions/496026/what-is-the-difference-in-boot-with-bios-and-boot-with-uefi.