drivers.suse.com usage

Secure Boot Certificate

NOTE: Prior to November 12, 2013 the “SUSE SolidDriver Program” was known as the “Partner Linux Driver Program” (PLDP). Though the signing key still reflects the old name, it remains valid as described here.

The kernel module signatures are used when running SUSE Linux Enterprise in a UEFI Secure Boot environment. To ensure the integrity of the running kernel, the kernel will only load modules signed with trusted keys.

The key is considered trusted once the user loads the corresponding Secure Boot certificate into a UEFI key database.

UEFI Key Database (key db)

The recommended way to enroll a trusted key into the system is to load the certificate into the UEFI firmware's key db. Refer to your system documentation or contact your system manufacturer for options to add certificates to the key db. Find the SolidDriver certificate here:

pldp-UEFI-SIGN-Certificate.crt

If there is no user option to maintain keys in the UEFI key db, the next option is to use the Machine Owner Keys database described in the following section.

Machine Owner Keys (MOK) database

For systems that do not allow user (system admin) control over the UEFI key database, the Machine Owner Key (MOK) database option can be used. Note: it's recommended to use the key db if at all possible.

The certificate can be enrolled into the MOK by installing the following package:

pldp-UEFI-SIGN-Certificate-1.0-1.1.x86_64.rpm

This package contains the UEFI Secure Boot certificate used to sign modules built in SUSE’s Partner Linux Driver Program. It will install the certificate under /etc/uefi/certs as well as prepare it to be enrolled into the MOK database of the firmware.

Installation

Install the package using zypper or YaST as you would any other rpm package. After package installation, the system must be rebooted to complete the process of enrolling the key into the UEFI MOK database. At reboot the following UEFI prompt will be displayed on the system console:

Shim UEFI key management

      Continue Boot
    _ Enroll MOK
      Enroll key from disk
      Enroll hash from disk

Move cursor to Enroll MOK and hit Enter

[Enroll MOK] 
                        Input the key number to show the details of the key or
                        type '0' to continue

                        1 keys(s) in the key list

                        Key Number: 1

Type 1 and hit Enter to view the key details:

[Key 1] 
                          Serial Number:
                            D7:29:BC:83:27:9e:02:91
                          Issuer:
                            /CN=PLDP Secure Boot Signing Key/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH
                        /OU=PLDP Team/emailAddress=pldp@suse.de
                          Subject:
                            /CN=PLDP Secure Boot Signing Key/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH
                        /OU=PLDP Team/emailAddress=pldp@suse.de
                          Validity from:
                            Jul  8 14:10:27 2013 GMT
                          Validity till:
                            Aug 16 14:10:27 2017 GMT
                          Fingerprint (SHA1):
                             3F E3 22 C2 07 70 C0 14 A1 A6
                             D6 92 8D 26 BC F9 5F 6B 23 BB

                        Key Number: _

After validating that the details shown match the above, type 0 Enter to continue…

Enroll the key(s)? (y/n): _

Type y Enter to enroll…

Password: _

Enter the root password of the SUSE Linux Enterprise OS that the Secure Boot certificate package was installed on.

Press a key to reboot system

The key is now enrolled. To verify this, check the kernel messages after reboot:

# dmesg | grep "EFI: Loaded cert"
[    2.387702]EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.module_sign'
[    2.387781]EFI: Loaded cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to '.module_sign'
[    2.387851]EFI: Loaded cert 'Hewlett-Packard UEFI Secure Boot DB Key: e7203ac28b848d3c03432f6a485dd1f4c7b8e529' linked to '.module_sign'
[    2.388347]EFI: Loaded cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to '.module_sign'

The PLDP Secure Boot Signing Key is in the list of loaded certs. If not, then the key was not enrolled properly.

Using mokutil to list enrolled keys

One can also verify that the certificate is loaded in the MOK database by using the mokutil command:

# mokutil --list-enrolled
                        [key 1] 
                        SHA1 Fingerprint: 3f:e3:22:c2:07:70:c0:14:a1:a6:d6:92:8d:26:bc:f9:5f:6b:23:bb
                        Certificate:
                            Data:
                                Version: 3 (0x2)
                                Serial Number:
                                    d7:29:bc:83:27:9e:02:91
                                Signature Algorithm: sha256WithRSAEncryption
                                Issuer: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, 
                        OU=PLDP Team/emailAddress=pldp@suse.de
                                Validity
                                    Not Before: Jul  8 14:10:27 2013 GMT
                                    Not After : Aug 16 14:10:27 2017 GMT
                                Subject: CN=PLDP Secure Boot Signing Key, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH,
                        OU=PLDP Team/emailAddress=pldp@suse.de
                                Subject Public Key Info:
                                    Public Key Algorithm: rsaEncryption
                                    RSA Public Key: (2048 bit)
                                        Exponent: 65537 (0x10001)
                                X509v3 extensions:
                                    X509v3 Basic Constraints: critical
                                        CA:FALSE
                                    X509v3 Subject Key Identifier:
                                        CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
                                    X509v3 Authority Key Identifier:
                                        keyid:CE:D5:E2:2B:63:EE:E7:58:A2:E1:66:63:A4:C2:C3:5B:BB:54:E5:4F
                                    
                                    X509v3 Key Usage: critical
                                        Digital Signature
                                    X509v3 Extended Key Usage:
                                        Code Signing
                            Signature Algorithm: sha256WithRSAEncryption
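The two verification steps above (dmesg and mokutil --list-enrolled) can be automated against the SHA1 fingerprint the page shows for Key 1. This is an added example, not SUSE's own tooling; the SAMPLE_* outputs are constructed from the transcripts above so the checks run offline, and the same mok_has_fp check works on `mokutil -X --list-enrolled` output for the MOK blacklist section further down.

```shell
#!/bin/sh
# Added example, not part of the SUSE page: check that the PLDP Secure Boot
# signing certificate is enrolled (mokutil) and loaded by the kernel (dmesg).
# EXPECTED_FP is the SHA1 fingerprint shown in the page's Key 1 details.
# The SAMPLE_* outputs are constructed from the page so the checks run offline.

EXPECTED_FP="3f:e3:22:c2:07:70:c0:14:a1:a6:d6:92:8d:26:bc:f9:5f:6b:23:bb"

# Normalise a fingerprint: drop colons and spaces, lower-case the hex.
norm_fp() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# stdin: `mokutil --list-enrolled` output. Exit 0 if a key with the given
# SHA1 fingerprint is enrolled, 1 otherwise.
mok_has_fp() {
    awk '/SHA1 Fingerprint:/ { print $3 }' | tr -d ':' | tr 'A-F' 'a-f' \
        | grep -qx "$(norm_fp "$1")"
}

# stdin: dmesg output. Exit 0 if the PLDP cert was linked to .module_sign.
dmesg_has_pldp() {
    grep -q "EFI: Loaded cert '.*PLDP Secure Boot Signing Key.*' linked to '\.module_sign'"
}

# Constructed sample outputs (abridged from the page's transcripts).
SAMPLE_MOK="[key 1]
SHA1 Fingerprint: 3f:e3:22:c2:07:70:c0:14:a1:a6:d6:92:8d:26:bc:f9:5f:6b:23:bb
Certificate:
    Data:
        Version: 3 (0x2)"
SAMPLE_DMESG="[    2.387702]EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.module_sign'
[    2.388347]EFI: Loaded cert 'SUSE Linux Products GmbH: PLDP Secure Boot Signing Key: ced5e22b63eee758a2e16663a4c2c35bbb54e54f' linked to '.module_sign'"

# Run both checks against the constructed samples.
check_sample() {
    printf '%s\n' "$SAMPLE_MOK" | mok_has_fp "$EXPECTED_FP" || return 1
    printf '%s\n' "$SAMPLE_DMESG" | dmesg_has_pldp || return 1
}

# Run both checks on the live system (needs mokutil and a Secure Boot host).
check_live() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; return 2; }
    if mokutil --list-enrolled | mok_has_fp "$EXPECTED_FP"; then
        echo "PLDP cert is enrolled in the MOK database"
    else
        echo "PLDP cert NOT found in MOK; repeat the enrollment at reboot" >&2; return 1
    fi
    dmesg | dmesg_has_pldp && echo "kernel loaded the PLDP cert into .module_sign"
}

if [ "${1:-}" = "--live" ]; then check_live; else check_sample && echo "sample check passed"; fi
```

Run with `--live` on the enrolled system to query mokutil and dmesg directly; without arguments it only exercises the parsers on the constructed samples.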

De-Installation

Removing the certificate is a similar process to installing it. To remove the certificate from the system, remove the package using zypper or YaST and then reboot the system. At the system console the following UEFI prompt will be displayed:

Shim UEFI key management

      Continue Boot
    _ Delete MOK
      Enroll key from disk
      Enroll hash from disk

Move cursor to Delete MOK and hit Enter

[Delete MOK] 
                        Input the key number to show the details of the key or
                        type '0' to continue

                        1 keys(s) in the key list

Type 1 Enter to view the key details and, after confirming that the details match the key to be deleted, type 0 Enter.

Delete the key(s)? (y/n): 

Type y Enter to delete…

Password: _

Enter the root password of the SUSE Linux Enterprise OS that the Secure Boot certificate package was removed from.

Press a key to reboot system

Now the key should be removed from the MOK database.

MOK Demonstration

The following video is a demonstration of using the mokutil package to manage the Machine Owner Keys.


MOK Blacklist (MOKx)

Note: The MOK Blacklist functionality is only supported in SUSE Linux Enterprise Server/Desktop 12 and later.

The MOK blacklist allows the user to forbid particular kernel modules from being loaded as identified by the public key of the module signature.

The usage of MOK blacklist is similar to MOK. Just add --mokx or -X to indicate that it’s a MOK blacklist request.

To add a key:

  1. Create the request with mokutil and type a password (or use the root password with “-P”):
     # mokutil -X --import <key>
  2. Reboot the system and enter the MokManager UI. Select Enroll MOKX and type the password. MokManager will reboot the system again.
  3. Boot the system and check the MOK blacklist with mokutil:
     # mokutil -X --list-enrolled
