
Re: Where are we with SB? What's missing?




On Wed, 2018-12-05 at 03:40 +0000, Ben Hutchings wrote:
> > > Have we tested that grub2 and linux do not allow loading unsigned
> > > kernels / modules? (AFAIK yes, but let's make sure.)
> > 
> > It's definitely worth making sure, yes.
> 
> I haven't tested this recently in linux.

I just did some limited testing and it does work fine. I've added the test key
from Luke in the MOK and enabled secure boot in the BIOS of my ThinkPad X250.

With that:

- grub loads fine
- 4.18 kernel doesn't load
- 4.19 kernel loads fine
- dkms locally built modules don't load:
  modprobe hdaps
  modprobe: ERROR: could not insert 'hdaps': Required key not available
  déc. 07 21:42:07 scapa kernel: Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7
- kexec doesn't work:
  kexec /boot/vmlinuz-4.18.0-3-amd64
  kexec_load failed: Operation not permitted
  déc. 07 21:43:13 scapa kernel: Lockdown: kexec of unsigned images is restricted; see man kernel_lockdown.7

I didn't do advanced stuff to try to execute arbitrary code.

I can't test fwupd because my X250 is not supported at the moment (not sure if
it will be one day).

Regards,
-- 
Yves-Alexis