3 changes: 3 additions & 0 deletions README.md
@@ -33,6 +33,9 @@ You can build the kernel module and tool with `make`.
Generate test image via `make test.img`, which creates a zeroed file of 50 MiB.

You can then mount this image on a system with the simplefs kernel module installed.
As many computers now have UEFI Secure Boot enabled, you can either disable Secure Boot
or sign the kernel module. To sign the module, refer to [secure-boot-signing-guide.md](./secure-boot-signing-guide.md).

Let's test kernel module:
```shell
$ sudo insmod simplefs.ko
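Review bot: In the added README paragraph, disabling Secure Boot is listed first and on equal footing with signing, and the text is not tied to the `insmod simplefs.ko` step that follows it. Suggest saying that loading an unsigned `simplefs.ko` can be refused when Secure Boot is enabled, making signing the recommended path, and describing disabling Secure Boot as a fallback for throwaway test machines, since it turns off boot-time signature verification for the whole system. The two added lines also follow "You can then mount this image..." with no blank line in between, so Markdown will render them as part of that paragraph; add a blank line before them if a separate paragraph is intended.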
69 changes: 69 additions & 0 deletions secure-boot-signing-guide.md
@@ -0,0 +1,69 @@
# Secure Boot Kernel Module Signing Guide

To insert the `simplefs.ko` kernel module, you can either
disable secure boot or sign the module.

In this guide, we assume you are using Ubuntu, but for
other distributions it just need the same procedures.

## Step 1: Install Dependencies

You need to install linux kernel header, `mokutil`, `kmod`, and `openssl`.

For Ubuntu you can install by these commands:

```bash
$ sudo apt install linux-headers-$(uname -r)
$ sudo apt install mokutil kmod openssl
```

## Step 2: Generate a MOK Key Pair

Create a private and a public certificate (DER format) to sign your modules:

```bash
$ cat << 'EOF' > mokconfig.cnf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
x509_extensions = myexts

[ req_distinguished_name ]
CN = simplefs MOK Signing Key

[ myexts ]
basicConstraints=CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -outform DER -keyout MOK.priv -out MOK.der -config mokconfig.cnf
```

## Step 3. Enroll the Key with MOKutil

Register your new public key with the shim bootloader. You will be prompted to create a temporary password for the next step.

```bash
$ sudo mokutil --import MOK.der
```

## Step 4. Complete Enrollment in UEFI

1. **Reboot** your computer.
2. Upon booting, the blue **MOK Manager** screen will automatically appear.
3. Select **Enroll MOK** -> **View key** to verify your key details, then confirm the enrollment.
4. Enter the temporary **password** you created in Step 3.
5. Continue to boot into Linux.

## Step 5. Sign `simplefs.ko`

```bash
# Sign 'simplefs.ko'
#$sudo /usr/src/linux-headers-`uname -r`/scripts/sign-file sha256 MOK.priv MOK.der /path/to/simplefs.ko

# Optional: verify the signature is present
$ modinfo /path/to/simplefs.ko | grep -i "signer"
```