------- Comment From naynj...@ibm.com 2020-04-03 00:35 EDT-------
With Michael's help, I could get the right key for the kernel.
I updated the new key and then tried booting to signed kernel in secure boot 
enabled state.

It seems the kernel is being verified.
# kexec -l /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
kexec syscall failed: Permission denied  ----> Expected to fail as insecure load is disabled during secure boot

# kexec -s /var/petitboot/mnt/dev/sdb6/boot/vmlinux-5.4.0-21-generic
# dmesg | tail -f
[    9.573882] IPv6: ADDRCONF(NETDEV_CHANGE): enP5p1s0f0: link becomes ready
[   94.085611] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
[   94.085615] ima: impossible to appraise a kernel image without a file descriptor; try using kexec_file_load syscall.
[  102.049306] ima dump: 01 00 00 00 00 00 00 00 fd 1c 00 00 00 00 00 00  ................
[  102.049308] ima dump: 28 00 00 00 00 00 00 00 0a 00 00 00 bc b0 e5 18  (...............
[  102.049309] ima dump: b7 9d e0 d7 f2 cd 20 b8 a2 9a 70 92 e6 5d b7 ef  ...... ...p..]..
[  102.049310] ima dump: 07 00 00 00 69 6d 61 2d 73 69 67 35 00 00 00 1a  ....ima-sig5....
[  102.049310] ima dump: 00 00 00 73 68 61 31 3a 00 00 00 00 00 00 00 00  ...sha1:........
[  102.049311] ima dump: 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 00  ................
[  102.049312] ima dump: 00 62 6f 6f                                      .boo

However, it failed on doing kexec -e.
It failed at:

[ 42.315484] kexec_core: Starting new kernel
Gave up waiting for root file system device. Common problems:
- Boot args (cat /proc/cmdline)
- Check rootdelay= (did the system wait long enough?)
- Missing modules (cat /proc/modules; ls /dev)
ALERT! UUID=49d000cb-dba2-4d70-809e-38f2b31d0f09 does not exist. Dropping to a shell!
BusyBox v1.30.1 (Ubuntu 1:1.30.1-4ubuntu5) built-in shell (ash)
Enter 'help' for a list of built-in commands.
(initramfs)

Michael investigated, and it seems modules are not getting loaded. He
looked for the modules and they seemed to be signed.

Next we checked the CONFIG. And it seems MODULE_SIG_FORCE is not enabled
though MODULE_SIG and MODULE_SIG_ALL are enabled.

As per powerpc arch specific policies for secure boot which are:
static const char *const secure_and_trusted_rules[] = {
	"measure func=KEXEC_KERNEL_CHECK template=ima-modsig",
	"measure func=MODULE_CHECK template=ima-modsig",
	"appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#ifndef CONFIG_MODULE_SIG_FORCE
	"appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig",
#endif
	NULL
};

As per these policies, if MODULE_SIG_FORCE is not enabled, IMA policy
for MODULE_CHECK gets added. However, IMA looks for keys only in .ima
keyring for module verification and therefore does not find Buildtime
generated key and fails to verify.

I think that explains why booting failed.

We wanted to understand if there is a reason for not enabling
MODULE_SIG_FORCE even though modules are signed at build time.

Michael, please add any other info if I missed anything.

Thanks & Regards,
- Nayna
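
Added example, not part of the original comment or of the kernel source: a shell check that takes a kernel config file and reports which of the quoted secure_and_trusted_rules entries are compiled in, and what ends up gating module loading. The function names, the verdict words and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example: which of the quoted powerpc secure-boot IMA rules are built in
# for a given kernel config, and who ends up verifying module signatures.

# cfg_on FILE OPTION: succeeds when CONFIG_<OPTION>=y appears in FILE.
cfg_on() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# arch_rules FILE: print the secure_and_trusted_rules entries for that config.
arch_rules() {
    echo 'measure func=KEXEC_KERNEL_CHECK template=ima-modsig'
    echo 'measure func=MODULE_CHECK template=ima-modsig'
    echo 'appraise func=KEXEC_KERNEL_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig'
    # Same condition as the #ifndef CONFIG_MODULE_SIG_FORCE in the array.
    cfg_on "$1" MODULE_SIG_FORCE ||
        echo 'appraise func=MODULE_CHECK appraise_flag=check_blacklist appraise_type=imasig|modsig'
}

# module_gate FILE: one-word verdict on what gates module loading.
#   ima        - IMA appraises modules (keys looked up in .ima, per the comment)
#   module_sig - no IMA appraise rule for modules; MODULE_SIG_FORCE is set
#   mismatch   - ima, but modules are only build-time signed (the case reported)
module_gate() {
    if ! arch_rules "$1" | grep -q '^appraise func=MODULE_CHECK'; then
        echo module_sig
    elif cfg_on "$1" MODULE_SIG && cfg_on "$1" MODULE_SIG_ALL; then
        echo mismatch
    else
        echo ima
    fi
}

# Constructed sample: the option combination described in the comment.
sample_config() {
    cat <<'EOF'
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
arch_rules "$tmp"
echo "module loading gated by: $(module_gate "$tmp")"
rm -f "$tmp"
```

On an installed Ubuntu kernel the config file to pass is /boot/config-$(uname -r).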

https://bugs.launchpad.net/bugs/1866909

Title:
  Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot
