drivers.suse.com usage

<
^

Secure Boot Certificate

NOTE: Prior to November 12, 2013 the “SUSE SolidDriver Program” was known as the “Partner Linux Driver Program” (PLDP). Though the signing key still reflects the old name, it remains valid as described here.

The kernel module signatures are used when running SUSE Linux Enterprise in UEFI Secure Boot environment. To ensure the integrity of the running kernel, the kernel will only load modules signed with trusted keys.

The key is considered trusted once the user loads the corresponding Secure Boot certificate into a UEFI key database

UEFI Key Database (key db)

The recommended way to enroll a trusted key into the system is to load the certificate into the UEFI firmwares key db. Reference your system documentation or contact your system manufacture for options to add certificates to the key db. Find the SolidDriver certificate here:

pldp-UEFI-SIGN-Certificate.crt

If there is no user option to maintain keys in the UEFI key db, the next option is to use the Machine Owner Keys database described in the following section.

Machine Owner Keys (MOK) database.

For systems that do not allow user (system admin) control over the UEFI key database, the Machine Owner Key (MOK) database option can be used. Note: it’s recommended to use the key db if at all possible

The certificate can be enrolled into the MOK by installing the following package:

pldp-UEFI-SIGN-Certificate-1.0-1.1.x86_64.rpm

This package contains the UEFI Secure Boot certificate used to sign modules built in SUSE’s Partner Linux Driver Program. It will install the certificate under /etc/uefi/certs as well as prepare it to be enrolled into the MOK database of the firmware.

Installation

Install the package using zypper or YaST as you would any other rpm package. After package installation, the system must be rebooted to complete the process of enrolling the key into the UEFI MOK database. At reboot the following UEFI prompt will be displayed on the system console:

Shim UEFI key management
 
  Continue Boot
_ Enroll MOK
  Enroll key from disk
  Enroll hash from disk

Move cursor to Enroll MOK and hit Enter

[Enroll MOK] 
Input the key number to show the details of the key or
type '0' to continue

1 keys(s) in the key list

Key Number: 1

Type 1 and hit Enter to view the key details:

[Key 1] 
  Serial Number:
    D7:29:BC:83:27:9e:02:91
  Issuer:
    /CN=PLDP Secure Boot Signing Key/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH
/OU=PLDP Team/emailAddress=pldp@suse.de
  Subject:
    /CN=PLDP Secure Boot Signing Key/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH
/OU=PLDP Team/emailAddress=pldp@suse.de
  Validity from:
    Jul  8 14:10:27 2013 GMT
  Validity till:
    Aug 16 14:10:27 2017 GMT
  Fingerprint (SHA1):
     3F E3 22 C2 07 70 C0 14 A1 A6
     D6 92 8D 26 BC F9 5F 6B 23 BB

Key Number: _

After validating that the details shown match the above, Type 0 Enter to continue…

Enroll the key(s)? (y/n): _

Type y Enter to enroll…

Password: _

Enter the root password of the SUSE Linux Enterprise OS that the Secure Boot certificate package was installed on.

Press a key to reboot system

The key is now enrolled. To verify this, check the kernel messages after reboot:

# dmesg | grep "EFI: Loaded cert"
[    2.387702]EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.module_sign'
[    2.387781]EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.module_sign'
[    2.387851]EFI: Loaded cert 'Hewlett-Packard UEFI Secure Boot DB Key: e7203ac28b848d3c03432f6a485dd1f4c7b8e529' linked to '.module_sign'
[    2.388347]EFI: Loaded cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to '.module_sign'

The PLDP Secure Boot Signing Key is in the list of loaded certs. If not, then the key was not enrolled properly.

Using mokutil to list enrolled keys

One can also verify that the certificate is loaded in the MOK database by using the mokutil command:

# mokutil --list-enrolled
[key 1] 
SHA1 Fingerprint: 3f:e3:22:c2:07:70:c0:14:a1:a6:d6:92:8d:26:bc:f9:5f:6b:23:bb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:29:bc:83:27:9e:02:91
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, 
OU=PLDP Team/emailAddress=pldp@suse.de
        Validity
            Not Before: Jul  8 14:10:27 2013 GMT
            Not After : Aug 16 14:10:27 2017 GMT
        Subject: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH,
OU=PLDP Team/emailAddress=pldp@suse.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a3:f8:f8:b0:4d:2a:00:5c:0a:39:6c:86:87:e6:
                    9c:a7:dd:7b:9a:a4:20:a0:60:50:7b:34:57:0d:7d:
                    2d:03:26:20:9b:28:28:74:f3:7e:55:29:7e:76:4e:
                    12:fc:e4:a1:9c:27:77:4a:9b:25:e2:50:02:bf:0d:
                    53:bd:81:6a:2d:50:19:07:a3:db:c1:86:93:b2:83:
                    25:84:7f:64:47:9e:d4:80:09:16:1c:2f:f7:df:ca:
                    49:74:42:34:66:f5:d5:17:e7:fd:1a:8f:a1:fd:38:
                    8d:25:b0:f2:27:4a:49:1f:5f:4e:04:86:68:72:b5:
                    d2:bc:74:f1:ca:94:1d:52:a0:11:98:d0:44:57:63:
                    f8:26:7d:7a:7b:ed:dc:a2:b0:1d:55:9c:e7:87:1d:
                    69:da:83:a8:72:9d:44:81:b1:e9:d8:52:80:6c:ed:
                    36:58:35:e6:ad:f7:77:25:2c:e5:a2:b0:7d:6c:42:
                    74:b8:04:1e:75:9f:a4:6d:2b:2d:48:ac:0f:02:5d:
                    db:3b:a6:b1:5d:0c:a8:0d:e1:88:a7:1a:51:8d:57:
                    10:c6:70:cf:6b:0b:bc:84:fa:f9:7f:5a:a8:17:60:
                    c2:92:cf:61:aa:f8:7a:cc:be:81:ab:c7:5c:5d:78:
                    d8:57:71:e0:8d:87:ee:82:4e:64:73:ce:1d:16:dd:
                    55:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
            X509v3 Authority Key Identifier:
                keyid:CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
            
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption 
        59:e9:27:4c:8c:a6:d8:29:7a:94:9b:bf:87:70:2f:a8:69:2b:
        dc:62:b4:12:db:11:e3:a1:80:55:9b:c9:7d:f0:7e:b9:2f:70:
        b6:b4:f7:72:de:db:4e:3b:2d:ae:01:50:e8:44:55:e4:fd:31:
        1e:b4:17:60:65:e6:e6:3e:de:17:d5:67:ab:40:1f:ba:d5:cd:
        89:63:1c:7f:45:cd:5a:04:e8:c2:86:b8:d2:7e:b9:9f:1d:3e:
        f1:30:c4:c8:35:66:19:82:24:5e:8d:7c:fb:57:33:31:b3:bf:
        ea:5d:ed:27:e7:54:a2:d9:37:2a:4b:cc:aa:24:af:ce:84:20:
        65:8f:3b:cc:a6:c8:48:4c:9b:c7:64:f8:67:3a:e7:4a:be:e5:
        cd:67:82:20:bb:0b:66:52:f1:bc:05:36:81:dd:4b:47:e9:3d:
        a8:58:65:7a:d3:20:47:7b:19:0a:59:57:be:01:18:04:42:ea:
        3e:ab:dd:af:b6:15:cf:24:34:50:91:d1:6a:c6:92:42:4c:bf:
        11:af:67:93:26:72:c0:a7:86:a6:52:a2:95:a7:a3:a9:56:b5:
        66:83:80:7a:18:5f:00:28:3d:a5:38:27:ab:2e:7a:4f:59:36:
        20:16:10:4a:38:e0:9f:e0:77:2a:f0:6d:43:0b:8e:83:2b:7f:
        55:cc:9a:01

De-Installation

Removing the certificate is similar process to installing it. To remove the certificate from the system, remove the package using zypper or YaST and then reboot the system. At the system console the following UEFI prompt will be displayed:

Shim UEFI key management
 
  Continue Boot
_ Delete MOK
  Enroll key from disk
  Enroll hash from disk

Move cursor to Delete MOK and hit Enter

[Delete MOK] 
Input the key number to show the details of the key or
type '0' to continue

1 keys(s) in the key list

Type 1 Enter to view the key details and after confirming that the details match the key to be deleted, type 0 Enter

Delete the key(s)? (y/n): 

Type y Enter to delete…

Password: _

Enter the root password of the SUSE Linux Enterprise OS that the Secure Boot certificate package was removed from.

Press a key to reboot system

Now the key should be removed from the MOK database.

MOK Demonstration

The following video is a demonstration of using the mokutil package to manage the Machine Owner Keys.

Direct Download: ogg | mp4

MOK Blacklist (MOKx)

Note: The MOK Blacklist functionality is only supported in SUSE Linux Enterprise Server/Desktop 12 and later.

The MOK blacklist allows the user to forbid particular kernel modules from being loaded as identified by the public key of the module signature.

The usage of MOK blacklist is similar to MOK. Just add --mokx or -X to indicate that it’s a MOK blacklist request.

To add a key:

  1. Create the request with mokutil and type a password (or use the root password with “-P”)
   # mokutil -X --import <key>
  1. Reboot the system and enter the MokManger UI. Select Enroll MOKX and type the password. MokManager will reboot the system again.

  2. Boot the system and check the MOK blacklist with mokutil

   # mokutil -X --list-enrolled

References

<
^