Re: [Linuxwacom-devel] [PATCH 5/6] Search for more potential key and cert locations

2019-04-10 Thread Jason Gerecke
I don't think so. rEFInd isn't installed by default with any of the
default distributions that I'm aware of; users install it manually as
an alternative to GRUB. I think a note on the Secure Boot wiki page
would be sufficient to let people who use rEFInd know that they should
explicitly check for its keys before making their own.

Jason
---
Now instead of four in the eights place /
you’ve got three, ‘Cause you added one  /
(That is to say, eight) to the two, /
But you can’t take seven from three,/
So you look at the sixty-fours


On Tue, Apr 9, 2019 at 9:18 PM Ping Cheng wrote:
>
> On Tue, Apr 9, 2019 at 3:17 PM Gerecke, Jason wrote:
>>
>> From: Jason Gerecke 
>>
>> Previously we would only automatically discover Ubuntu's shim MOK if one
>> had been created. We now also try to use the kernel's autogenerated key
>> if present, and the key generated by rEFInd (though this may be inside
>> a directory that only root can read from).
>
>
> Does this mean we should prompt users to compile input-wacom under root?
>
> It’s quite a lot of work. Thank you for your effort, Jason!
>
> Acked-by: Ping Cheng for the whole set.
>
> Cheers,
> Ping
>
>>
>>
>> Signed-off-by: Jason Gerecke 
>> ---
>>  configure.ac | 52 
>>  1 file changed, 32 insertions(+), 20 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index fa88ade..5353705 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -248,6 +248,25 @@ dnl 
>> ===
>>  dnl Module signing
>>  AC_DEFUN([WACOM_LINUX_READ_CONFIG], [grep -sh '^$1='  
>> $WCM_KERNEL_DIR/.config /boot/config-$MODUTS | head -n1 | cut -d= -f2- | sed 
>> -e 's/^"\(.*\)"$/\1/'])
>>
>> +AC_DEFUN([WACOM_LINUX_FILE_IF_EXISTS], [test -f "$1" && readlink -e "$1"])
>> +
>> +AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT],
>> +if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
>> +   AC_MSG_CHECKING(for $1 key at $2)
>> +   KEYFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$2]))
>> +   RESULT=$(test -z "$KEYFILE" && echo "no" || echo "yes")
>> +   AC_MSG_RESULT([$RESULT])
>> +   AC_MSG_CHECKING(for $1 cert at $3)
>> +   CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$3]))
>> +   RESULT=$(test -z "$CERTFILE" && echo "no" || echo "yes")
>> +   AC_MSG_RESULT([$RESULT])
>> +   if test -n "$KEYFILE" -a -n "$CERTFILE"; then
>> +   MODSIGN_PRIVFILE="$KEYFILE"
>> +   MODSIGN_CERTFILE="$CERTFILE";
>> +   fi
>> +fi)
>> +
>> +
>>  MODSIGN_ENABLE=default
>>  MODSIGN_HASHALGO=
>>  MODSIGN_PRIVFILE=
>> @@ -290,20 +309,6 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" 
>> = "default"; then
>>
>>
>>
>> -   # There is no standard location for storing kernel signing keys
>> -   # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY
>> -   # (which contains a key and cert) which likely points to a file
>> -   # that doesn't exist unless you built the kernel yourself. Most
>> -   # distributions use the "shim" bootloader which allows "machine
>> -   # owner keys" (MOK) to be enrolled by the end-user, but only
>> -   # Ubuntu provides a tool to automatically generate these keys
>> -   # (`update-secureboot-policy --new-key`); other distros rely on
>> -   # the user generating the key/cert themselves and keeping it in a
>> -   # suitably-safe location.
>> -   #
>> -   # The kernel should automatically try to sign modules as part of
>> -   # the `make modules_install` step, so that covers the first case.
>> -   # In the second case the best we can do is try Ubuntu's location.
>> AC_ARG_WITH(signing-key,
>> AS_HELP_STRING([--with-signing-key=], [Specify 
>> module signing key location]),
>> [MODSIGN_PRIVFILE="$withval"])
>> @@ -311,12 +316,19 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" 
>> = "default"; then
>> AS_HELP_STRING([--with-signing-cert=], [Specify 
>> module signing cert location]),
>> [MODSIGN_CERTFILE="$withval"])
>>
>> -   if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
>> -   MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv 
>> 2>/dev/null || echo "$MODSIGN_PRIVFILE")
>> -   fi
>> -   if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then
>> -   MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der 
>> 2>/dev/null || echo "$MODSIGN_CERTFILE")
>> -   fi
>> +   HASPRIVFILE=$(test "$MODSIGN_PRIVFILE" = "yes" -o -z 
>> "$MODSIGN_PRIVFILE" && echo 0 || echo 1)
>> +   HASCERTFILE=$(test "$MODSIGN_CERTFILE" = "yes" -o -z 
>> "$MODSIGN_CERTFILE" && echo 0 || echo 1)
>> +   if test "$HASPRIVFILE" -ne "$HASCERTFILE"; then
>> +   AC_MSG_ERROR([Options '--with-signing-key' and 
>> '--with-signing-cert' must either both be set or both be unset.])
>> +   elif test "$HASPRIVFILE" -eq 1; 

Re: [Linuxwacom-devel] [PATCH 5/6] Search for more potential key and cert locations

2019-04-09 Thread Ping Cheng
On Tue, Apr 9, 2019 at 3:17 PM Gerecke, Jason wrote:

> From: Jason Gerecke 
>
> Previously we would only automatically discover Ubuntu's shim MOK if one
> had been created. We now also try to use the kernel's autogenerated key
> if present, and the key generated by rEFInd (though this may be inside
> a directory that only root can read from).


Does this mean we should prompt users to compile input-wacom under root?

It’s quite a lot of work. Thank you for your effort, Jason!

Acked-by: Ping Cheng for the whole set.

Cheers,
Ping


>
> Signed-off-by: Jason Gerecke 
> ---
>  configure.ac | 52 
>  1 file changed, 32 insertions(+), 20 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index fa88ade..5353705 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -248,6 +248,25 @@ dnl
> ===
>  dnl Module signing
>  AC_DEFUN([WACOM_LINUX_READ_CONFIG], [grep -sh '^$1='
> $WCM_KERNEL_DIR/.config /boot/config-$MODUTS | head -n1 | cut -d= -f2- |
> sed -e 's/^"\(.*\)"$/\1/'])
>
> +AC_DEFUN([WACOM_LINUX_FILE_IF_EXISTS], [test -f "$1" && readlink -e "$1"])
> +
> +AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT],
> +if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
> +   AC_MSG_CHECKING(for $1 key at $2)
> +   KEYFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$2]))
> +   RESULT=$(test -z "$KEYFILE" && echo "no" || echo "yes")
> +   AC_MSG_RESULT([$RESULT])
> +   AC_MSG_CHECKING(for $1 cert at $3)
> +   CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$3]))
> +   RESULT=$(test -z "$CERTFILE" && echo "no" || echo "yes")
> +   AC_MSG_RESULT([$RESULT])
> +   if test -n "$KEYFILE" -a -n "$CERTFILE"; then
> +   MODSIGN_PRIVFILE="$KEYFILE"
> +   MODSIGN_CERTFILE="$CERTFILE";
> +   fi
> +fi)
> +
> +
>  MODSIGN_ENABLE=default
>  MODSIGN_HASHALGO=
>  MODSIGN_PRIVFILE=
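Review bot: The guard at the top of WACOM_LINUX_CHECK_KEYCERT tests only "$MODSIGN_PRIVFILE", so once one key/cert pair has been accepted every later call is skipped without any output, and the precedence between sources is simply the order of the calls. A short comment on the macro saying that the first complete pair wins, and that a location with a key but no cert (or the reverse) is passed over, would make that behaviour deliberate rather than incidental.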
> @@ -290,20 +309,6 @@ if test "$MODSIGN_ENABLE" = "yes" -o
> "$MODSIGN_ENABLE" = "default"; then
>
>
>
> -   # There is no standard location for storing kernel signing keys
> -   # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY
> -   # (which contains a key and cert) which likely points to a file
> -   # that doesn't exist unless you built the kernel yourself. Most
> -   # distributions use the "shim" bootloader which allows "machine
> -   # owner keys" (MOK) to be enrolled by the end-user, but only
> -   # Ubuntu provides a tool to automatically generate these keys
> -   # (`update-secureboot-policy --new-key`); other distros rely on
> -   # the user generating the key/cert themselves and keeping it in a
> -   # suitably-safe location.
> -   #
> -   # The kernel should automatically try to sign modules as part of
> -   # the `make modules_install` step, so that covers the first case.
> -   # In the second case the best we can do is try Ubuntu's location.
> AC_ARG_WITH(signing-key,
> AS_HELP_STRING([--with-signing-key=],
> [Specify module signing key location]),
> [MODSIGN_PRIVFILE="$withval"])
> @@ -311,12 +316,19 @@ if test "$MODSIGN_ENABLE" = "yes" -o
> "$MODSIGN_ENABLE" = "default"; then
> AS_HELP_STRING([--with-signing-cert=],
> [Specify module signing cert location]),
> [MODSIGN_CERTFILE="$withval"])
>
> -   if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
> -   MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv
> 2>/dev/null || echo "$MODSIGN_PRIVFILE")
> -   fi
> -   if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then
> -   MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der
> 2>/dev/null || echo "$MODSIGN_CERTFILE")
> -   fi
> +   HASPRIVFILE=$(test "$MODSIGN_PRIVFILE" = "yes" -o -z
> "$MODSIGN_PRIVFILE" && echo 0 || echo 1)
> +   HASCERTFILE=$(test "$MODSIGN_CERTFILE" = "yes" -o -z
> "$MODSIGN_CERTFILE" && echo 0 || echo 1)
> +   if test "$HASPRIVFILE" -ne "$HASCERTFILE"; then
> +   AC_MSG_ERROR([Options '--with-signing-key' and
> '--with-signing-cert' must either both be set or both be unset.])
> +   elif test "$HASPRIVFILE" -eq 1; then
> +   # Try to get absolute path, if possible
> +
>  MODSIGN_PRIVFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_PRIVFILE]) || echo
> "$MODSIGN_PRIVFILE")
> +
>  MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo
> "$MODSIGN_PRIVFILE")
> +   else
> +   WACOM_LINUX_CHECK_KEYCERT([kernel autogenerated],
> $WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY])),
> [$WCM_KERNEL_DIR/certs/signing_key.x509])
> +   WACOM_LINUX_CHECK_KEYCERT([shim MOK],
> [/var/lib/shim-signed/mok/MOK.priv], [/var/lib/shim-signed/mok/MOK.der])
> +   WACOM_LINUX_CHECK_KEYCERT([rEFInd MOK],
> [/etc/refind.d/keys/refind_local.key],
> 
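Review bot: In the WACOM_LINUX_CHECK_KEYCERT([kernel autogenerated], ...) call the key argument, $WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY])), is the only argument not wrapped in [ ], and it assumes the config value is a path relative to $WCM_KERNEL_DIR. If the value is empty or absolute the concatenation no longer names the configured key, and the check just reports "no". Quote the argument like the others and handle the empty and absolute cases explicitly before probing.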

[Linuxwacom-devel] [PATCH 5/6] Search for more potential key and cert locations

2019-04-09 Thread Gerecke, Jason
From: Jason Gerecke 

Previously we would only automatically discover Ubuntu's shim MOK if one
had been created. We now also try to use the kernel's autogenerated key
if present, and the key generated by rEFInd (though this may be inside
a directory that only root can read from).

Signed-off-by: Jason Gerecke 
---
 configure.ac | 52 
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index fa88ade..5353705 100644
--- a/configure.ac
+++ b/configure.ac
@@ -248,6 +248,25 @@ dnl ===
 dnl Module signing
 AC_DEFUN([WACOM_LINUX_READ_CONFIG], [grep -sh '^$1='  $WCM_KERNEL_DIR/.config 
/boot/config-$MODUTS | head -n1 | cut -d= -f2- | sed -e 's/^"\(.*\)"$/\1/'])
 
+AC_DEFUN([WACOM_LINUX_FILE_IF_EXISTS], [test -f "$1" && readlink -e "$1"])
+
+AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT],
+if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
+   AC_MSG_CHECKING(for $1 key at $2)
+   KEYFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$2]))
+   RESULT=$(test -z "$KEYFILE" && echo "no" || echo "yes")
+   AC_MSG_RESULT([$RESULT])
+   AC_MSG_CHECKING(for $1 cert at $3)
+   CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$3]))
+   RESULT=$(test -z "$CERTFILE" && echo "no" || echo "yes")
+   AC_MSG_RESULT([$RESULT])
+   if test -n "$KEYFILE" -a -n "$CERTFILE"; then
+   MODSIGN_PRIVFILE="$KEYFILE"
+   MODSIGN_CERTFILE="$CERTFILE";
+   fi
+fi)
+
+
 MODSIGN_ENABLE=default
 MODSIGN_HASHALGO=
 MODSIGN_PRIVFILE=
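Review bot: WACOM_LINUX_FILE_IF_EXISTS relies on `test -f`, which also fails when the file sits in a directory the configuring user cannot search, so WACOM_LINUX_CHECK_KEYCERT reports the root-only rEFInd case from the commit message as a plain "no". Consider reporting "not readable" separately from "not found" in the AC_MSG_RESULT, so the user knows to pass --with-signing-key and --with-signing-cert or to re-check with sufficient access. Separately, the body of AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT], ...) is not wrapped in [ ] like the two macros above it; quoting it keeps the body from being expanded while the definition is read and keeps a future comma in it from splitting the argument.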
@@ -290,20 +309,6 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" = 
"default"; then
 
 
 
-   # There is no standard location for storing kernel signing keys
-   # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY
-   # (which contains a key and cert) which likely points to a file
-   # that doesn't exist unless you built the kernel yourself. Most
-   # distributions use the "shim" bootloader which allows "machine
-   # owner keys" (MOK) to be enrolled by the end-user, but only
-   # Ubuntu provides a tool to automatically generate these keys
-   # (`update-secureboot-policy --new-key`); other distros rely on
-   # the user generating the key/cert themselves and keeping it in a
-   # suitably-safe location.
-   #
-   # The kernel should automatically try to sign modules as part of
-   # the `make modules_install` step, so that covers the first case.
-   # In the second case the best we can do is try Ubuntu's location.
AC_ARG_WITH(signing-key,
AS_HELP_STRING([--with-signing-key=], [Specify 
module signing key location]),
[MODSIGN_PRIVFILE="$withval"])
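Review bot: The comment block removed here was the only explanation of why there is no standard key location and where the shim MOK comes from, and nothing in the patch replaces it. A shortened version next to the three WACOM_LINUX_CHECK_KEYCERT calls, naming the kernel, shim and rEFInd sources and the order they are searched in, would keep that context for the next reader of configure.ac.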
@@ -311,12 +316,19 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" = 
"default"; then
AS_HELP_STRING([--with-signing-cert=], [Specify 
module signing cert location]),
[MODSIGN_CERTFILE="$withval"])
 
-   if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
-   MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv 
2>/dev/null || echo "$MODSIGN_PRIVFILE")
-   fi
-   if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then
-   MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der 
2>/dev/null || echo "$MODSIGN_CERTFILE")
-   fi
+   HASPRIVFILE=$(test "$MODSIGN_PRIVFILE" = "yes" -o -z 
"$MODSIGN_PRIVFILE" && echo 0 || echo 1)
+   HASCERTFILE=$(test "$MODSIGN_CERTFILE" = "yes" -o -z 
"$MODSIGN_CERTFILE" && echo 0 || echo 1)
+   if test "$HASPRIVFILE" -ne "$HASCERTFILE"; then
+   AC_MSG_ERROR([Options '--with-signing-key' and 
'--with-signing-cert' must either both be set or both be unset.])
+   elif test "$HASPRIVFILE" -eq 1; then
+   # Try to get absolute path, if possible
+   
MODSIGN_PRIVFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_PRIVFILE]) || echo 
"$MODSIGN_PRIVFILE")
+   
MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo 
"$MODSIGN_PRIVFILE")
+   else
+   WACOM_LINUX_CHECK_KEYCERT([kernel autogenerated], 
$WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY])), 
[$WCM_KERNEL_DIR/certs/signing_key.x509])
+   WACOM_LINUX_CHECK_KEYCERT([shim MOK], 
[/var/lib/shim-signed/mok/MOK.priv], [/var/lib/shim-signed/mok/MOK.der])
+   WACOM_LINUX_CHECK_KEYCERT([rEFInd MOK], 
[/etc/refind.d/keys/refind_local.key], [/etc/refind.d/keys/refind_local.cer])
+   fi
 
AC_MSG_CHECKING(for module signing key)
AC_MSG_RESULT([$MODSIGN_PRIVFILE])
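Review bot: In the `elif test "$HASPRIVFILE" -eq 1` branch the MODSIGN_CERTFILE assignment falls back to `echo "$MODSIGN_PRIVFILE"`, so when the user-supplied certificate path does not resolve, the cert variable ends up holding the private key path. The fallback should be `echo "$MODSIGN_CERTFILE"`, mirroring the MODSIGN_PRIVFILE line above it.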
-- 
2.21.0
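
The commit message's caveat about the rEFInd key living in a root-only directory, as an added example that is not part of the patch or of input-wacom: a probe that tells "missing" apart from "denied" before picking the first readable key/cert pair. The helper names `probe_path` and `select_pair` are hypothetical; the shim and rEFInd paths are the ones in the patch, and the kernel's autogenerated key is left out because its path depends on `$WCM_KERNEL_DIR`.

```shell
#!/bin/sh
# Added example, not input-wacom code. probe_path and select_pair are
# hypothetical helper names; the paths at the bottom come from the patch.

# probe_path PATH: print "found", "missing" or "denied".
probe_path() {
    p=$1
    if [ -f "$p" ]; then
        if [ -r "$p" ]; then echo found; else echo denied; fi
        return 0
    fi
    # File not visible: walk up to the nearest ancestor we can see.
    d=$(dirname "$p")
    while [ ! -d "$d" ] && [ "$d" != "/" ] && [ "$d" != "." ]; do
        d=$(dirname "$d")
    done
    # An ancestor we cannot search hides the file from us. This is the
    # root-only directory case, not proof that no key exists.
    if [ -x "$d" ]; then echo missing; else echo denied; fi
}

# select_pair LABEL KEY CERT [LABEL KEY CERT ...]
# Reports each candidate on stderr and prints "KEY CERT" for the first pair
# where both files are readable. Returns 1 if no pair is usable.
select_pair() {
    while [ "$#" -ge 3 ]; do
        k=$(probe_path "$2")
        c=$(probe_path "$3")
        echo "$1: key $k, cert $c" >&2
        if [ "$k" = found ] && [ "$c" = found ]; then
            echo "$2 $3"
            return 0
        fi
        shift 3
    done
    return 1
}

select_pair \
    "shim MOK" /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der \
    "rEFInd MOK" /etc/refind.d/keys/refind_local.key /etc/refind.d/keys/refind_local.cer \
    || echo "no readable key/cert pair; 'denied' entries need a re-check with access" >&2
```

A "denied" result answers the question raised in the thread: the key may well exist, so the user should check that location with sufficient privileges before generating a new key.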


