Re: Certificate used to sign Fedora kernels for UEFI Secure Boot?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 13, 2019 at 2:03 PM Kevin Fenzi <kevin@xxxxxxxxx> wrote:
> On 8/12/19 8:35 AM, Josh Boyer wrote:
> > On Mon, Aug 12, 2019 at 11:23 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >> On Fri, Aug 9, 2019 at 8:31 AM Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> >>>
> >>> Hello all,
> >>>
> >>> I'm not sure if this is the place for this, but if not perhaps you
> >>> could point me in the right direction?
> >>>
> >>> I'm looking for the certificate associated with the key used to sign
> >>> the Fedora kernels for UEFI Secure Boot.  What little information I've
> >>> found indicates that it should be part of the "shim" package sources,
>
> Well, you likely want to look at the pesign package for the signing
> information, but the cert isn't in there either. It's in smart cards
> attached to kernel builder machines. When the kernel builds on those the
> spec sees that and uses pesign to sign them, otherwise it uses a 'test'
> cert to sign things.
>
> May I ask why you want the cert?

I'm working on extensions to tboot to support kernel signatures
instead of hashes.  Not wanting to reinvent the wheel I figured I
would reuse the signed PECOFF format used by UEFI Secure Boot; the
Fedora kernels are one of the kernels I've been using for testing.

While it is still a work in progress, I will be presenting on this
topic next week at LSS-NA.

> >>> but it isn't there, and looking back and random points in it's history
> >>> I can't seem to find it.  I've found the CA used to sign this mystery
> >>> certificate, but not the kernel's signing certificate.  Any help you
> >>> can provide would be appreciated.
> >>>
> >>> For reference, this is the certificate I'm looking for:
> >>>
> >>>         Signer #0:
> >>>                Subject: /CN=Fedora Secure Boot Signer
> >>>                Issuer : /CN=Fedora Secure Boot CA
> >>>                Serial : 9976F70F
> >>>
> >>> ... and no, I'm obviously not asking for the private key, just an
> >>> authoritative source for the public key certificate :)
>
> We don't have one currently, because I guess we didn't think this would
> be of use to anyone. If there is some use case for it to be published,
> we can do so...

It seems like one would want to publish the certificates used to sign
their kernel images, at the very least publish the CA if not the
entire chain.  Outside the kernel image itself, the only place I could
find the "CN=Fedora Secure Boot CA" was in the signing request for the
UEFI shim; I couldn't find the "CN=Fedora Secure Boot Signer" anywhere
but the kernel image.

Since I'm just doing dev/test at the moment I extracted the signing
cert from the kernel image and I'm using that, but that isn't a
good/general solution for a number of reasons.

FWIW, once I have something that is working properly and suitable for
upstreaming (it is still a prototype) I plan to work on getting it
merged into the tboot upstream.  However, regardless of my work on
tboot, I think it would be nice to be able to verify a kernel
signature without relying on the certificate chain stored within the
kernel.

-- 
paul moore
www.paul-moore.com
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx




[Index of Archives]     [Fedora General Discussion]     [Older Fedora Users Archive]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Tux]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [USB]     [Asterisk PBX]

  Powered by Linux