Playing with Secure Boot – Exploring the Various Boot Options and Kernels in Oracle Linux

Playing with Secure Boot

Secure Boot is an additional optional feature implemented in UEFI intended to help prevent malware execution during a boot process. To enable or disable Secure Boot, you need to access your specific UEFI setup program. This is different for each system manufacturer. Check your system documentation to see how to access the UEFI configuration.

The Secure Boot steps are identical to the regular UEFI booting but an important exception is that it requires the components to be signed and authenticated to be loaded and executed (private and public key pairs are used for authentication). It consists of two launch Roots of Trust (RoT) to build the transitive trust chains:

  • The verification RoT is responsible for signature verification. It is the launch RoT, which is what most people mean when they speak about Secure Boot, and it lies on the boot flash as the RoT for storage that protects the key database. Signature verification takes place only once the Driver eXecution Environment (DXE) phase is reached, not during the SECurity (SEC) phase.
  • The measurement RoT is responsible for the measurement collection.

Secure Boot will establish a chain of trust by following this process:

  1. First, the first-stage bootloader (shim) signed by Oracle and Microsoft is authenticated; then, it loads the GRUB 2 loader.
  2. The GRUB 2 bootloader validates the kernel signature signed by Oracle and authenticates it before loading and executing the kernel.
  3. The kernel signed by Oracle is authenticated and executed. Secure Boot then loads only signed and authenticated kernel modules: for example, all kernel modules shipped with the kernel RPM and those used by Oracle Ksplice carry Oracle signatures, and each module's signature is validated before it is loaded; a module whose signature does not validate is not loaded.

Now that we have covered some basics of Secure Boot, let’s learn how to sign kernel modules with it. First, before you can sign a module, you will need to install several required packages, including the source for the kernel. Furthermore, you will need to create a key pair and a signing certificate. The private key is used to sign the kernel module, and the public key is enrolled in Secure Boot so that it is added to a kernel keyring and the system can verify the signature.

Getting ready

The first step is to install the UEK development libraries. This is done with the following command:

[root@demo2 ~]# dnf -y install kernel-uek-devel-`uname -r`

Note

While you can just run dnf install kernel-uek-devel, adding the uname option to the command makes sure that you install the devel packages for the kernel you are currently running. Also, don’t forget to make sure your devel packages are updated after you patch.

As a good practice, it is always recommended to update the system to ensure that you have the most recent kernel and related packages available:
[root@demo2 ~]# dnf -y update

This update can take some time, depending on when you last patched the system.

If you are using the UEK, the kernel headers required to compile kernel modules are available in the kernel-uek-devel package. When using the UEFI Secure Boot functionality, Oracle recommends installing and using the UEK. When installing the UEK, also install the devel packages. uname -r is added to the command to make sure the correct headers are installed. This is important if you are not running on the latest kernel version. If you are using the RHCK, use kernel-devel instead of kernel-uek-devel.

It is time to install the utilities required to perform the module signing operations (openssl, keyutils, mokutil, and pesign):

[root@demo2 ~]# dnf -y install openssl keyutils mokutil pesign

If you need to build a module from source, you can optionally install the Development Tools group so that the build tools are available:
[root@demo2 ~]# dnf -y group install "Development Tools"
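The signing workflow described above (create the key pair, sign the module with the private key, enroll the public key so the kernel can verify it), as an added example that is not code from the original post. The file names, the openssl configuration, the sign-file path under /usr/src/kernels/$(uname -r)/scripts and the use of mokutil for enrollment are assumptions about a typical kernel-uek-devel install.

```shell
# Added example (not from the original post): create the signing key pair,
# sign a module, and queue the public key for MOK enrollment. Assumed: names.
set -u

# Self-signed X.509 cert in DER (what mokutil imports) plus a PEM private
# key (what sign-file consumes); usage restricted to digital signature.
make_signing_key() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/mok.cnf" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_dn
prompt = no
x509_extensions = mok_exts
[ req_dn ]
O = Example Org
CN = Example Org kernel module signing key
[ mok_exts ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -new -nodes -utf8 -sha256 -days 3650 -batch \
        -config "$dir/mok.cnf" -outform DER \
        -out "$dir/MOK.der" -keyout "$dir/MOK.priv"
}

# Check the certificate before enrolling it: parses as DER, is not a CA,
# and is permitted to make digital signatures.
check_key() {
    txt=$(openssl x509 -inform DER -in "$1/MOK.der" -noout -text) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$txt" | grep -q 'Digital Signature'
}

# Sign one module with the kernel's sign-file (assumed path, shipped in
# kernel-uek-devel) and print the signer now recorded in the module.
sign_module() {
    sf="/usr/src/kernels/$(uname -r)/scripts/sign-file"
    [ -x "$sf" ] || { echo "sign-file missing: install kernel-uek-devel" >&2; return 1; }
    "$sf" sha256 "$1/MOK.priv" "$1/MOK.der" "$2" && modinfo -F signer "$2"
}

# Queue the public key; the MOK manager asks to enroll it on the next reboot.
enroll_key() {
    mokutil --import "$1/MOK.der"
}
```

Run `make_signing_key /root/mok && check_key /root/mok`, then `sign_module /root/mok /path/to/module.ko` and `enroll_key /root/mok` as root; after the reboot, `mokutil --list-enrolled` should show the certificate.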


All Rights Reserved 2022-2024