@maxried
Last active January 12, 2024 10:43
Automatically Sign Kernels After Installation

This script goes into /etc/kernel/postinst.d. You have to make it executable by root, e.g. chown root:root /etc/kernel/postinst.d/00-signing ; chmod u+rx /etc/kernel/postinst.d/00-signing. It assists you with automatically signing freshly installed kernel images using the Machine Owner Key (MOK), in a way similar to what dkms does for modules. This is mainly useful if you want to use mainline kernels on Ubuntu on Secure Boot enabled systems. It needs shim-signed to be set up, i.e. a MOK must already exist under /var/lib/shim-signed/mok and be enrolled. If you have questions, this page might help: https://wiki.ubuntu.com/UEFI/SecureBoot#MOK_generation_and_signing_process While I made this for Ubuntu 20.04, it should work on current Debian based distributions. YMMV.

#!/bin/sh
# Kernel postinst hook: the kernel packaging calls every script in
# /etc/kernel/postinst.d with "$1" = kernel version and "$2" = path to the image.
set -e
KERNEL_IMAGE="$2"
MOK_DIRECTORY="/var/lib/shim-signed/mok"

if [ "$#" -ne "2" ] ; then
    echo "Wrong count of command line arguments. This is not meant to be called directly." >&2
    exit 1
fi

# sbsign comes from the sbsigntool package.
if [ ! -x "$(command -v sbsign)" ] ; then
    echo "sbsign not executable. Bailing." >&2
    exit 1
fi

# The MOK as created by update-secureboot-policy: DER certificate and private key.
if [ ! -r "$MOK_DIRECTORY/MOK.der" ] ; then
    echo "$MOK_DIRECTORY/MOK.der is not readable." >&2
    exit 1
fi

if [ ! -r "$MOK_DIRECTORY/MOK.priv" ] ; then
    echo "$MOK_DIRECTORY/MOK.priv is not readable." >&2
    exit 1
fi

# The signed image is written back in place, so the file must be writable.
if [ ! -w "$KERNEL_IMAGE" ] ; then
    echo "Kernel image $KERNEL_IMAGE is not writable." >&2
    exit 1
fi

# sbsign wants the certificate in PEM form; convert the DER once and cache it.
if [ ! -r "$MOK_DIRECTORY/MOK.pem" ] ; then
    echo "MOK.pem missing. Generating from MOK.der."
    if [ ! -x "$(command -v openssl)" ] ; then
        echo "openssl could not be found. Bailing." >&2
        exit 1
    fi
    openssl x509 -in "$MOK_DIRECTORY/MOK.der" -inform DER -outform PEM -out "$MOK_DIRECTORY/MOK.pem" || { echo "Conversion failed. Bailing." >&2; exit 1 ; }
fi

echo "Signing $KERNEL_IMAGE..."
sbsign --key "$MOK_DIRECTORY/MOK.priv" --cert "$MOK_DIRECTORY/MOK.pem" --output "$KERNEL_IMAGE" "$KERNEL_IMAGE"

berglh commented Oct 30, 2021

Hi @maxried,

I've re-adapted your script in my repository to verify that the kernel being signed is actually being installed by mainline, which will prevent any other kernels from being signed.

The script:

  1. Searches for matching deb files downloaded by mainline
  2. Downloads the checksum file from the Ubuntu mainline servers
  3. Validates the deb file matches the Ubuntu mainline servers using sha256
  4. Extracts the kernel image to a temporary directory
  5. Compares the image to be signed by the script against the kernel image extracted from the mainline deb file
  6. Signs the kernel using the MOK

You will need to adjust the path to the MOK file accordingly.

In addition to that, I've figured out how to generate a Machine Owner Key that works with signing kernels for Ubuntu 21.04 and newer. It is not possible to use the Ubuntu generated MOK key, as it has the module signing Extended Key Usage code, which shim fails to validate on loading a kernel image. It expects anything other than 1.3.6.1.4.1.2312.16.1.2; if this code is present in the MOK, it cannot be used to sign kernels to be loaded by shim. The creation of a kernel signing MOK is accomplished using the following script.

I've tested this using mainline and Ubuntu kernel version v5.13.13 on Ubuntu 21.04. It is possible that earlier versions of the debs will use xz compression for the data file inside the mainline deb file, which will cause this script to fail, but anything new should use zstd compression. Could be useful for others.

Cheers,
Berg
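A check for the Extended Key Usage problem berglh describes, added here as an example and not part of the gist or of berglh's repository: it walks a DER certificate (such as MOK.der above) without external libraries, lists the OIDs in its extendedKeyUsage extension and flags the module-signing-only OID quoted in the thread. The sample extension blocks at the bottom are constructed for the demonstration and are not real certificates; the function names are my own.

```python
MODULE_SIGNING_ONLY = "1.3.6.1.4.1.2312.16.1.2"  # EKU OID quoted in the thread above
EXT_KEY_USAGE = "2.5.29.37"                        # id-ce-extKeyUsage
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"                 # id-kp-codeSigning

def encode_oid(dotted):  # dotted OID -> DER OBJECT IDENTIFIER TLV (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)  # high bit set = more bytes follow
        body += chunk
    return bytes([0x06, len(body)] + body)

def decode_oid(value):  # inverse of encode_oid, applied to the TLV's value bytes
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))

def tlvs(buf, start, end):  # yield (tag, value_start, value_end) per DER TLV in buf[start:end]
    pos = start
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the byte count of the length
            n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length

def find_ekus(der):  # OIDs listed in the extendedKeyUsage extension of a DER certificate
    found = []
    def walk(start, end):
        items = list(tlvs(der, start, end))
        for i, (tag, vs, ve) in enumerate(items):
            if tag == 0x06 and decode_oid(der[vs:ve]) == EXT_KEY_USAGE:
                _, os_, oe = next(x for x in items[i + 1:] if x[0] == 0x04)  # extnValue OCTET STRING
                for _, ss, se in tlvs(der, os_, oe):  # SEQUENCE OF KeyPurposeId
                    found.extend(decode_oid(der[a:b]) for t, a, b in tlvs(der, ss, se) if t == 0x06)
            elif tag & 0x20:  # constructed type (SEQUENCE, SET, [3] extensions ...): descend
                walk(vs, ve)
    walk(0, len(der))
    return found

def usable_for_kernel_signing(der):  # per the thread: shim refuses a MOK carrying this EKU
    return MODULE_SIGNING_ONLY not in find_ekus(der)

def eku_ext(*oids):  # constructed sample Extension {extnID, extnValue {SEQUENCE OF OID}}, not a real cert
    wrap = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
    return wrap(0x30, encode_oid(EXT_KEY_USAGE), wrap(0x04, wrap(0x30, *map(encode_oid, oids))))
MODULE_ONLY_EXT = eku_ext(MODULE_SIGNING_ONLY)  # what the thread says the Ubuntu-generated MOK carries
CODE_SIGNING_EXT = eku_ext(CODE_SIGNING)        # a MOK shim will accept for kernel images
```

On a real system, pass `open("/var/lib/shim-signed/mok/MOK.der", "rb").read()` to `usable_for_kernel_signing` before enrolling or using the key; `openssl x509 -inform DER -in MOK.der -noout -text` shows the same EKU section for cross-checking.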


maxried commented Nov 19, 2021

Hi @berglh,

Thank you very much for your research, and for sharing it. This sounds really cool, I'll soon look into it!

Regards,
Max
