Comment 19 for bug 1866909

bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-04-03 00:35 EDT-------
With Michael's help, I could get the right key for the kernel.
I updated the new key and then tried booting the signed kernel with secure boot enabled.

It seems the kernel is being verified.
# kexec -l /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
kexec syscall failed: Permission denied ----> Expected to fail as insecure load is disabled during secure boot

# kexec -s /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
# dmesg | tail -f
[ 9.573882] IPv6: ADDRCONF(NETDEV_CHANGE): enP5p1s0f0: link becomes ready
[ 94.085611] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
[ 94.085615] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
[ 102.049306] ima dump: 01 00 00 00 00 00 00 00 fd 1c 00 00 00 00 00 00 ................
[ 102.049308] ima dump: 28 00 00 00 00 00 00 00 0a 00 00 00 bc b0 e5 18 (...............
[ 102.049309] ima dump: b7 9d e0 d7 f2 cd 20 b8 a2 9a 70 92 e6 5d b7 ef ...... ...p..]..
[ 102.049310] ima dump: 07 00 00 00 69 6d 61 2d 73 69 67 35 00 00 00 1a ....ima-sig5....
[ 102.049310] ima dump: 00 00 00 73 68 61 31 3a 00 00 00 00 00 00 00 00 ...sha1:........
[ 102.049311] ima dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00 ................
[ 102.049312] ima dump: 00 62 6f 6f .boo

However, it failed on kexec -e.
It failed at:

[ 42.315484] kexec_core: Starting new kernel
Gave up waiting for root file system device. Common problems:
- Boot args (cat /proc/cmdline)
- Check rootdelay= (did the system wait long enough?)
- Missing modules (cat /proc/modules; ls /dev)
ALERT! UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09 does not exist. Dropping to a shell!
BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu5) built-in shell (ash)
Enter 'help' for a list of built-in commands.
(initramfs)

Michael investigated, and it seems modules are not getting loaded. He looked for the modules, and they seemed to be signed.

Next we checked the CONFIG, and it seems MODULE_SIG_FORCE is not enabled, though MODULE_SIG and MODULE_SIG_ALL are enabled.

As per the powerpc arch-specific policies for secure boot, which are:
static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG_FORCE
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};

As per these policies, if MODULE_SIG_FORCE is not enabled, the IMA policy for MODULE_CHECK gets added. However, IMA looks for keys only in the .ima keyring for module verification and therefore does not find the build-time generated key and fails to verify.

I think that explains why booting failed.

We wanted to understand if there is a reason for not enabling MODULE_SIG_FORCE even though modules are signed at build time.

Michael, please add any other info if I missed anything.

Thanks & Regards,
- Nayna
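The comment above reasons from three facts: whether CONFIG_MODULE_SIG_FORCE is set, whether the active IMA policy carries an appraise rule for MODULE_CHECK, and whether the modules actually carry an appended signature. The following diagnostic script is an added example written for this page; it is not from the bug report, the kernel tree, or Nayna's or Michael's work. It encodes that reasoning as checks over a kernel config file and an IMA policy file (the live paths /proc/config.gz, /boot/config-$(uname -r) and /sys/kernel/security/ima/policy are the standard locations; the 28-byte trailer "~Module signature appended~\n" is the kernel's MODULE_SIG_STRING). The decision of which keyring must hold the signing key follows the comment's analysis: when IMA appraises modules, the key has to be on .ima; when only the module loader verifies, .builtin_trusted_keys suffices.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the bug report or the kernel tree).
# Decides which subsystem verifies module signatures on this kernel and so
# which keyring must hold the signing key, mirroring the analysis in the
# comment: with MODULE_SIG_FORCE unset, the powerpc secure-boot policy adds
# "appraise func=MODULE_CHECK", and IMA then looks only on the .ima keyring.

# 0 if the kernel config text in file $1 has CONFIG_MODULE_SIG_FORCE=y.
module_sig_force_enabled() {
    grep -q '^CONFIG_MODULE_SIG_FORCE=y$' "$1"
}

# 0 if the IMA policy text in file $1 contains an appraise rule for
# MODULE_CHECK (the rule the arch policy adds only when MODULE_SIG_FORCE is
# unset). Policy lines read like:
#   appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig
ima_appraises_modules() {
    grep -Eq '^appraise[[:space:]].*func=MODULE_CHECK' "$1"
}

# 0 if file $1 carries an appended module signature: a signed .ko ends with
# the 28-byte marker "~Module signature appended~\n" (MODULE_SIG_STRING).
# Command substitution strips the trailing newline, hence the 27-char compare.
has_module_sig() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "~Module signature appended~" ]
}

# Print which keyring must hold the key that verifies modules, given the
# config file $1 and the IMA policy file $2:
#   .ima                   IMA appraises modules (MODULE_CHECK appraise rule)
#   .builtin_trusted_keys  only the module loader verifies (CONFIG_MODULE_SIG)
#   none                   module signatures are not verified at all
module_key_keyring() {
    if ima_appraises_modules "$2"; then
        echo ".ima"
    elif grep -q '^CONFIG_MODULE_SIG=y$' "$1"; then
        echo ".builtin_trusted_keys"
    else
        echo "none"
    fi
}

# Live report for the running kernel: reads the config (from /proc/config.gz
# if present, else /boot/config-<release>), the active IMA policy from
# securityfs, and lists the keys on both candidate keyrings via keyctl.
live_report() {
    cfg=$(mktemp) && pol=$(mktemp)
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$cfg"
    else
        cat "/boot/config-$(uname -r)" > "$cfg"
    fi
    cat /sys/kernel/security/ima/policy > "$pol" 2>/dev/null || : > "$pol"
    if module_sig_force_enabled "$cfg"; then
        echo "CONFIG_MODULE_SIG_FORCE=y"
    else
        echo "CONFIG_MODULE_SIG_FORCE is not set"
    fi
    echo "module signing key must be on: $(module_key_keyring "$cfg" "$pol")"
    echo "--- .ima keyring ---"
    keyctl show %:.ima 2>/dev/null || echo "(not readable or absent)"
    echo "--- .builtin_trusted_keys keyring ---"
    keyctl show %:.builtin_trusted_keys 2>/dev/null || echo "(not readable or absent)"
    for ko in "$@"; do
        if has_module_sig "$ko"; then echo "signed:   $ko"; else echo "unsigned: $ko"; fi
    done
    rm -f "$cfg" "$pol"
}

# Usage: ./ima-modcheck.sh --live [module.ko ...]
if [ "${1:-}" = "--live" ]; then
    shift
    live_report "$@"
fi
```

Run it as root with `--live` and a few .ko paths from the root filesystem's /lib/modules tree; if it reports `.ima` but `keyctl show %:.ima` does not list the build-time module signing certificate, the failure described above is expected, independent of whether the modules themselves are signed.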