I don't think so. rEFInd isn't installed by default with any of the default distributions that I'm aware of; users install it manually as an alternative to GRUB. I think a note on the Secure Boot wiki page would be sufficient to let people who use rEFInd know that they should explicitly check for its keys before making their own.
Jason
---
Now instead of four in the eights place /
you’ve got three, ‘Cause you added one /
(That is to say, eight) to the two, /
But you can’t take seven from three, /
So you look at the sixty-fours....

On Tue, Apr 9, 2019 at 9:18 PM Ping Cheng <pingli...@gmail.com> wrote:
>
> On Tue, Apr 9, 2019 at 3:17 PM Gerecke, Jason <killert...@gmail.com> wrote:
>>
>> From: Jason Gerecke <jason.gere...@wacom.com>
>>
>> Previously we would only automatically discover Ubuntu's shim MOK if one
>> had been created. We now also try to use the kernel's autogenerated key
>> if present, and the key generated by rEFInd (though this may be inside
>> a directory that only root can read from).
>
>
> Does this mean we should prompt users to compile input-wacom under root?
>
> It’s quite a lot of work. Thank you for your effort, Jason!
>
> Acked-by: Ping Cheng <ping.ch...@wacom.com> for the whole set.
>
> Cheers,
> Ping
>
>>
>>
>> Signed-off-by: Jason Gerecke <jason.gere...@wacom.com>
>> ---
>>  configure.ac | 52 ++++++++++++++++++++++++++++++++--------------------
>>  1 file changed, 32 insertions(+), 20 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index fa88ade..5353705 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -248,6 +248,25 @@ dnl >> ======================================================= >> dnl Module signing >> AC_DEFUN([WACOM_LINUX_READ_CONFIG], [grep -sh '^$1=' >> $WCM_KERNEL_DIR/.config /boot/config-$MODUTS | head -n1 | cut -d= -f2- | sed >> -e 's/^"\(.*\)"$/\1/']) >> >> +AC_DEFUN([WACOM_LINUX_FILE_IF_EXISTS], [test -f "$1" && readlink -e "$1"]) >> + >> +AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT], >> +if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then >> + AC_MSG_CHECKING(for $1 key at $2) >> + KEYFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$2])) >> + RESULT=$(test -z "$KEYFILE" && echo "no" || echo "yes") >> + AC_MSG_RESULT([$RESULT]) >> + AC_MSG_CHECKING(for $1 cert at $3) >> + CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$3])) >> + RESULT=$(test -z "$CERTFILE" && echo "no" || echo "yes") >> + AC_MSG_RESULT([$RESULT]) >> + if test -n "$KEYFILE" -a -n "$CERTFILE"; then >> + MODSIGN_PRIVFILE="$KEYFILE" >> + MODSIGN_CERTFILE="$CERTFILE"; >> + fi >> +fi) >> + >> + >> MODSIGN_ENABLE=default >> MODSIGN_HASHALGO= >> MODSIGN_PRIVFILE= 
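Review bot: WACOM_LINUX_FILE_IF_EXISTS only establishes that the path stats as a regular file, so in WACOM_LINUX_CHECK_KEYCERT a key that exists but is not readable by the building user (the root-only rEFInd case the commit message mentions, whenever the directory itself is searchable) is reported as `yes` and selected, and the failure only surfaces later when the module is signed. Using `test -r "$1"` instead of `test -f "$1"` keeps the selection honest, and when the parent directory exists but is not searchable, an AC_MSG_NOTICE hint that running configure as root, or pointing `--with-signing-key`/`--with-signing-cert` at a readable copy, will pick the pair up would answer the question Ping raises in the quoted reply. Minor: `readlink -e` is a GNU coreutils extension rather than POSIX, acceptable for a Linux-only module but worth a comment, and the trailing `;` on `MODSIGN_CERTFILE="$CERTFILE";` is stray.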
>> @@ -290,20 +309,6 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" >> = "default"; then >> >> >> >> - # There is no standard location for storing kernel signing keys >> - # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY >> - # (which contains a key and cert) which likely points to a file >> - # that doesn't exist unless you built the kernel yourself. Most >> - # distributions use the "shim" bootloader which allows "machine >> - # owner keys" (MOK) to be enrolled by the end-user, but only >> - # Ubuntu provides a tool to automatically generate these keys >> - # (`update-secureboot-policy --new-key`); other distros rely on >> - # the user generating the key/cert themselves and keeping it in a >> - # suitably-safe location. >> - # >> - # The kernel should automatically try to sign modules as part of >> - # the `make modules_install` step, so that covers the first case. >> - # In the second case the best we can do is try Ubuntu's location. >> AC_ARG_WITH(signing-key, >> AS_HELP_STRING([--with-signing-key=<trusted.priv>], [Specify >> module signing key location]), >> [MODSIGN_PRIVFILE="$withval"]) 
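Review bot: the removed comment block was the only place that explained why these particular locations are probed (CONFIG_MODULE_SIG_KEY for self-built kernels, the shim MOK that only Ubuntu's `update-secureboot-policy --new-key` generates automatically, other distros leaving key generation and storage to the user), and nothing in the rest of the patch replaces it. Keep a condensed version of it next to the new WACOM_LINUX_CHECK_KEYCERT calls, extended with the rEFInd location and the note from the commit message that a probed directory may be root-only, so the next reader does not have to recover the rationale from git history.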
>> @@ -311,12 +316,19 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" >> = "default"; then >> AS_HELP_STRING([--with-signing-cert=<trusted.der>], [Specify >> module signing cert location]), >> [MODSIGN_CERTFILE="$withval"]) >> >> - if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then >> - MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv >> 2>/dev/null || echo "$MODSIGN_PRIVFILE") >> - fi >> - if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then >> - MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der >> 2>/dev/null || echo "$MODSIGN_CERTFILE") >> - fi >> + HASPRIVFILE=$(test "$MODSIGN_PRIVFILE" = "yes" -o -z >> "$MODSIGN_PRIVFILE" && echo 0 || echo 1) >> + HASCERTFILE=$(test "$MODSIGN_CERTFILE" = "yes" -o -z >> "$MODSIGN_CERTFILE" && echo 0 || echo 1) >> + if test "$HASPRIVFILE" -ne "$HASCERTFILE"; then >> + AC_MSG_ERROR([Options '--with-signing-key' and >> '--with-signing-cert' must either both be set or both be unset.]) >> + elif test "$HASPRIVFILE" -eq 1; then >> + # Try to get absolute path, if possible >> + >> MODSIGN_PRIVFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_PRIVFILE]) || echo >> "$MODSIGN_PRIVFILE") >> + >> MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo >> "$MODSIGN_PRIVFILE") >> + else >> + WACOM_LINUX_CHECK_KEYCERT([kernel autogenerated], >> $WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY])), >> [$WCM_KERNEL_DIR/certs/signing_key.x509]) >> + WACOM_LINUX_CHECK_KEYCERT([shim MOK], >> [/var/lib/shim-signed/mok/MOK.priv], [/var/lib/shim-signed/mok/MOK.der]) >> + WACOM_LINUX_CHECK_KEYCERT([rEFInd MOK], >> [/etc/refind.d/keys/refind_local.key], [/etc/refind.d/keys/refind_local.cer]) >> + fi >> >> AC_MSG_CHECKING(for module signing key) >> AC_MSG_RESULT([$MODSIGN_PRIVFILE]) >> -- >> 2.21.0 >> _______________________________________________ Linuxwacom-devel mailing list Linuxwacom-devel@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/linuxwacom-devel
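Review bot: the fallback in `MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo "$MODSIGN_PRIVFILE")` echoes the key path rather than the cert path, so a `--with-signing-cert` value that does not exist silently becomes the private key path and the later AC_MSG_RESULT lines print a pair that looks plausible; it should echo `"$MODSIGN_CERTFILE"`, and given the both-or-neither AC_MSG_ERROR just above, a user-supplied path that does not exist is arguably an error as well rather than something to pass through. Also, the second argument of the kernel-autogenerated call, `$WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY]))`, is not bracket-quoted like the other arguments, and if CONFIG_MODULE_SIG_KEY holds an absolute path instead of one relative to the build tree, prefixing it with `$WCM_KERNEL_DIR` turns it into a path that never exists; quote the argument and skip the prefix when the value starts with `/`.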
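As an added example, not input-wacom's code nor anything from the thread above, here is a POSIX sh version of the same key/cert discovery that also handles the case the quoted commit message and Ping's reply turn on: it requires both files to be readable rather than merely present, and it tells a missing key apart from one that sits in a directory the current user cannot search. The probed paths are the three the patch uses; the `WCM_KERNEL_DIR` default, the `MODULE_SIG_KEY` default and the script name in the final `case` are assumptions.

```shell
#!/bin/sh
# Added example, not input-wacom or linuxwacom code: probe the same key/cert
# locations as the configure.ac patch above, but require that both files be
# readable and tell "missing" apart from "present but not accessible".
#
# Assumptions: WCM_KERNEL_DIR defaults to the running kernel's build dir and
# MODULE_SIG_KEY to the kernel's usual relative CONFIG_MODULE_SIG_KEY value;
# the script name in the final `case` is hypothetical.

WCM_KERNEL_DIR=${WCM_KERNEL_DIR:-/lib/modules/$(uname -r)/build}
MODULE_SIG_KEY=${MODULE_SIG_KEY:-certs/signing_key.pem}

# classify_file PATH -> ok | unreadable | missing
# "unreadable" also covers a parent directory that exists but is not
# searchable by this user: stat() on the file then fails, and a plain
# `test -f` would report the key as absent.
classify_file() {
    if [ -r "$1" ]; then
        echo ok
    elif [ -e "$1" ]; then
        echo unreadable
    else
        dir=$(dirname "$1")
        if [ -d "$dir" ] && ! [ -x "$dir" ]; then
            echo unreadable
        else
            echo missing
        fi
    fi
}

# find_keypair: read "label|key|cert" lines on stdin and print "key|cert" for
# the first pair whose files are both readable (first match wins, as in the
# patch). Rejected candidates are reported on stderr; status 1 if none fits.
find_keypair() {
    while IFS='|' read -r label key cert; do
        kstat=$(classify_file "$key")
        cstat=$(classify_file "$cert")
        if [ "$kstat" = ok ] && [ "$cstat" = ok ]; then
            printf '%s|%s\n' "$key" "$cert"
            return 0
        fi
        printf '%s: key %s (%s), cert %s (%s)\n' \
            "$label" "$kstat" "$key" "$cstat" "$cert" >&2
    done
    return 1
}

# user_keypair KEY CERT: validate an explicitly supplied pair. Status 2 when
# neither is given (caller should autodetect), 1 when only one is given or
# either is not readable. Each path is checked against itself.
user_keypair() {
    key=$1
    cert=$2
    if [ -z "$key" ] && [ -z "$cert" ]; then
        return 2
    fi
    if [ -z "$key" ] || [ -z "$cert" ]; then
        echo "signing key and cert must both be set or both be unset" >&2
        return 1
    fi
    for f in "$key" "$cert"; do
        st=$(classify_file "$f")
        if [ "$st" != ok ]; then
            echo "$f: $st" >&2
            return 1
        fi
    done
    printf '%s|%s\n' "$key" "$cert"
}

# default_candidates: the probe order of the patch, one "label|key|cert" per line.
default_candidates() {
    printf '%s\n' \
        "kernel autogenerated|$WCM_KERNEL_DIR/$MODULE_SIG_KEY|$WCM_KERNEL_DIR/certs/signing_key.x509" \
        "shim MOK|/var/lib/shim-signed/mok/MOK.priv|/var/lib/shim-signed/mok/MOK.der" \
        "rEFInd MOK|/etc/refind.d/keys/refind_local.key|/etc/refind.d/keys/refind_local.cer"
}

# main [KEY CERT]: use the supplied pair if any, otherwise the first readable default.
main() {
    pair=$(user_keypair "${1:-}" "${2:-}")
    case $? in
        0) ;;
        1) return 1 ;;
        *) pair=$(default_candidates | find_keypair) || {
               echo "no readable module signing key/cert pair found;" \
                    "if a probed path is root-only, run as root or pass a readable copy" >&2
               return 1
           } ;;
    esac
    echo "key=${pair%%|*} cert=${pair#*|}"
}

# Run the probe only when executed under this (hypothetical) script name, so
# the file can also be sourced for its functions.
case ${0##*/} in
    find-modsign-key.sh) main "$@" ;;
esac
```

Run as `sh find-modsign-key.sh` to see, for each candidate, whether the key or cert is `missing` or `unreadable`; an `unreadable` rEFInd entry is the signal that the build should be re-run as root or given a readable copy, which is the distinction the configure macro cannot make with `test -f` alone.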