Using UEFI Secure Boot with OVMF virtual hardware

Source: Imre kasutab arvutit

Introduction

UEFI Secure Boot ...

How it works

Even when Secure Boot has been switched off in the computer's UEFI setup interface, it is still possible to

  • manage the keys from inside the operating system with mokutil
  • manage the keys by running the MokManager.efi application from the EFI shell

At the grub prompt these commands work similarly to linux and initrd, but use the 'EFI handover protocol'

grub> linuxefi ...
grub> initrdefi ...

Starting up

It seems that, as of autumn 2016, a Secure Boot capable OVMF is available from the Debian v. 9 Stretch package repository

# apt-get install ovmf qemu-system-x86 xterm

as the file

/usr/share/qemu/OVMF.fd

To start it, one can say

# qemu-system-x86_64 -enable-kvm -pflash /var/tmp/o/OVMF.fd

and then type 'exit' in the EFI shell, which brings you to the Setup environment.

QEMU

To add the PK and the other certificates to the OVMF.fd image, the certificates have to be generated (or ready-made certificates copied, e.g. Canonical's)

# TODO

start the UEFI environment

# qemu-system-x86_64 --enable-kvm -net none -m 384 -pflash /usr/share/qemu/OVMF.fd -hda fat:/home/sb/fat

For quickly deploying an ad-hoc virtual machine, one can say e.g.

# qemu-system-x86_64 --enable-kvm -m 1536 \
  -drive file=/usr/share/qemu/OVMF.fd,if=pflash \
  -drive file=/dev/system/root_ubu1604,if=ide \
  -drive file=ubuntu-16.04-server-amd64.iso,if=ide,media=cdrom \
  -net nic -net tap,ifname=tap0,script=no,downscript=no

Useful additional materials

Signing

# apt-get install sbsigntool

this puts the following on the filesystem

  • sbverify
  • TODO

Displaying the UEFI variables

# efi-readvar
Variable PK, length 1448
PK: List 0, type X509
    Signature 0, size 1420, owner f5a96b31-dba0-4faa-a42a-7a0c9832768e
        Subject:
            O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 PK Key
        Issuer:
            C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA
Variable KEK, length 4310
KEK: List 0, type X509
    Signature 0, size 1421, owner f5a96b31-dba0-4faa-a42a-7a0c9832768e
        Subject:
            O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 KEK key
        Issuer:
            C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA
KEK: List 1, type X509
    Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
KEK: List 2, type X509
    Signature 0, size 1273, owner 2879c886-57ee-45cc-b126-f92f24f906b9
        Subject:
            CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de
        Issuer:
            CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de
Variable db, length 5915
db: List 0, type X509
    Signature 0, size 1420, owner f5a96b31-dba0-4faa-a42a-7a0c9832768e
        Subject:
            O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 DB key
        Issuer:
            C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA
db: List 1, type X509
    Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
db: List 2, type X509
    Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
db: List 3, type X509
    Signature 0, size 1296, owner 2879c886-57ee-45cc-b126-f92f24f906b9
        Subject:
            CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de
        Issuer:
            CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de
Variable dbx, length 76
dbx: List 0, type SHA256
    Signature 0, size 48, owner 00000000-0000-0000-0000-000000000000
        Hash:6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d
Variable MokList has no entries

where

  • PK - the hardware manufacturer's certificate (O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 PK Key)
  • KEK - among others C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
  • TODO

Saving the key sets

# efi-readvar -v PK -o old_PK.esl
# efi-readvar -v KEK -o old_KEK.esl
# efi-readvar -v db -o old_db.esl
# efi-readvar -v dbx -o old_dbx.esl
# mokutil --export
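The .esl files written above, like the raw variable contents behind the efi-readvar listing, are sequences of EFI_SIGNATURE_LIST structures. The following is an added example, not code from the page or from efitools: a parser for that format, with a builder that reproduces the single-hash dbx list from the listing above (the type GUIDs are the UEFI specification's; the sample data is constructed from the hash shown in the listing).

```python
import struct
import uuid
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # UEFI spec
SIG_TYPES = {EFI_CERT_SHA256_GUID: "SHA256", EFI_CERT_X509_GUID: "X509"}
HDR = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_esl(data):
    """Walk every EFI_SIGNATURE_LIST in data; one dict per entry (owner GUID + payload)."""
    entries, off, idx = [], 0, 0
    while off < len(data):
        if len(data) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HDR.unpack_from(data, off)
        if list_size < HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("SignatureSize cannot even hold the owner GUID")
        body = data[off + HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature entries do not fill the list")
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored little-endian
        for n in range(len(body) // sig_size):
            sig = body[n * sig_size:(n + 1) * sig_size]
            entries.append({"list": idx, "sig": n, "type": SIG_TYPES.get(sig_type, str(sig_type)),
                            "size": sig_size, "owner": str(uuid.UUID(bytes_le=sig[:16])),
                            "data": sig[16:]})
        off, idx = off + list_size, idx + 1
    return entries

def describe(name, data):
    """Render the lists in the style of the efi-readvar output shown above."""
    lines, last = ["Variable %s, length %d" % (name, len(data))], None
    for e in parse_esl(data):
        if e["list"] != last:
            lines.append("%s: List %d, type %s" % (name, e["list"], e["type"]))
            last = e["list"]
        lines.append("    Signature %d, size %d, owner %s" % (e["sig"], e["size"], e["owner"]))
        if e["type"] == "SHA256":
            lines.append("        Hash:" + e["data"].hex())
    return lines

def build_sha256_esl(digest, owner=uuid.UUID(int=0)):
    """Assemble a one-entry SHA256 list, the layout of the dbx entry shown above."""
    sig = owner.bytes_le + digest
    return HDR.pack(EFI_CERT_SHA256_GUID.bytes_le, HDR.size + len(sig), 0, len(sig)) + sig

DBX_SAMPLE = build_sha256_esl(bytes.fromhex(  # constructed: the dbx hash from the listing above
    "6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d"))
```

Running describe("dbx", DBX_SAMPLE) reproduces the four dbx lines of the listing above; feeding it the bytes of old_db.esl lists the X509 entries with their owner GUIDs.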

The key sets are deleted from the UEFI Setup environment; the result is

# efi-readvar 
Variable PK has no entries
Variable KEK has no entries
Variable db has no entries
Variable dbx has no entries
Variable MokList has no entries

Signing the GRUB EFI application

# mv /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grubx64-orig.efi
# sbsign --key PK.key --cert PK.crt --output /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grubx64-orig.efi

Verifying the GRUB EFI application

# sbverify --cert /home/sb/fat/PK.crt /boot/efi/EFI/ubuntu/grubx64.efi 
Signature verification OK

MOK (Machine's Own Key) ...

To display the signers of an .efi application

# sbverify --verbose /boot/efi/EFI/ubuntu/shimx64.efi 
warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
certificate store:
PKCS7 verification failed
...

Saving the signature of a signed file

# sbattach --detach vmlinuz-4.8.0-22-generic.efi.signature vmlinuz-4.8.0-22-generic.efi.signed

Whether Secure Boot is enabled can be queried on a running system

# cat /proc/sys/kernel/secure_boot
1

# cat /proc/sys/kernel/moksbstate_disabled
0
# mokutil --sb-state
SecureBoot enabled

Signing the GRUB2 EFI application

$ openssl genrsa -out test-key.rsa 2048
$ openssl req -new -x509 -sha256 \
       -subj '/CN=test-key' -key test-key.rsa -out test-cert.pem
$ openssl x509 -in test-cert.pem -inform PEM \
       -out test-cert.der -outform DER
$ sbsign --key test-key.rsa --cert test-cert.pem \
       --output grubx64.efi /boot/efi/efi/ubuntu/grubx64.efi

Installing the Ubuntu-signed grubx64.efi EFI application; the result is /boot/efi/EFI/ubuntu/grubx64.efi

# grub-install --uefi-secure-boot

MOK

Exporting a certificate from the MOK database

# mkdir /var/tmp/mok-export
# cd /var/tmp/mok-export
# mokutil --export
# find . -ls
16806721      4 -rw-r--r--   1  root     root         1080 Dec 25 00:48 ./MOK-0001.der
16806724      4 -rw-r--r--   1  root     root          876 Dec 25 00:48 ./MOK-0002.der

Importing a certificate into the MOK database

# mokutil --import sertifikaadinimi.der
input password: xxxx
input password again: xxxx

To apply the change the computer has to be rebooted; when the shim.efi application runs the mok.efi application (as it always does), it detects that a certificate has been staged and asks whether to use it. This happens on the console. In this case answer yes, at which point the same 'xxxx' password has to be entered.

Listing the certificates in the MOK database

# mokutil --list-enrolled | egrep -i 'SHA1|Issuer'
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
SHA1 Fingerprint: 7e:68:65:1d:52:68:5f:7b:f5:8e:a0:1d:78:4d:2f:90:d3:f4:0f:0a
        Issuer: CN=Fedora Secure Boot CA
                CA Issuers - URI:https://fedoraproject.org/wiki/Features/SecureBoot

Misc

The Ubuntu efitools package contains interesting EFI applications, e.g. KeyTool for managing the PK, KEK, DB, DBX and MOK databases

# dpkg -L efitools | egrep "\.efi$"
/usr/share/efitools/efi/HelloWorld.efi
/usr/share/efitools/efi/HashTool.efi
/usr/share/efitools/efi/Loader.efi
/usr/share/efitools/efi/UpdateVars.efi
/usr/share/efitools/efi/PreLoader.efi
/usr/share/efitools/efi/ReadVars.efi
/usr/share/efitools/efi/LockDown.efi
/usr/share/efitools/efi/KeyTool.efi
/usr/share/efitools/efi/SetNull.efi

Here and there it is recommended to initialise the OVMF key sets like this

FS0:\> EnrollDefaultKeys.efi
info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1
info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0

Notes from autumn 2023

Kernel Lockdown

It turns out that Ubuntu v. 20.04, Debian v. 11 and others behave such that in SB enabled mode 'kernel lockdown' is applied automatically. This shows up e.g. like this

# mokutil --sb-state
SecureBoot enabled

# blktrace -a discard -d /dev/vda -o - | blkparse -i -
Thread 1 failed open /sys/kernel/debug/block/vda/trace1: 1/Operation not permitted
Thread 0 failed open /sys/kernel/debug/block/vda/trace0: 1/Operation not permitted
Thread 3 failed open /sys/kernel/debug/block/vda/trace3: 1/Operation not permitted
Thread 2 failed open /sys/kernel/debug/block/vda/trace2: 1/Operation not permitted
FAILED to start thread on CPU 0: 1/Operation not permitted
FAILED to start thread on CPU 1: 1/Operation not permitted
FAILED to start thread on CPU 2: 1/Operation not permitted
FAILED to start thread on CPU 3: 1/Operation not permitted

# dmesg -T | tail -n 4
[Sun Sep  3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7
[Sun Sep  3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7
[Sun Sep  3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7
[Sun Sep  3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7

Useful additional materials