
MOK keys not imported into kernel keyring

Description:

Hello.

Forgive me if this is my own ignorance. From my attempts at a proper Secure Boot chain I've noticed that the official linux (as well as -lts) kernel package of Arch Linux doesn't import the MOK key(s) into its keyring (%:.machine), with the result that out-of-tree (dkms) signed kernel modules won't load when using 'lockdown=confidentiality' and/or 'module.sig_enforce=1'.

In the system I'm testing this on, Secure Boot is enabled with a custom PK via Setup Mode using sbctl, but the result is the same using other methods for enrolling, or when using Microsoft's vendor keys.

I'm using shim together with systemd-boot (renamed to grubx64.efi in order to chainload from the official Arch Linux shim package). Both are signed using sbctl, as are the kernels. MOK is imported with 'mokutil --import' & 'mokutil --trust-mok'; at reboot mmx64.efi loads up and imports the MOK into the database. The dkms modules are signed and I've verified that their signatures are valid.

Using my own custom compiled kernel with most options enabled will actually import the MOK into %:.machine and signed dkms modules will load properly in this setup (with lockdown and sig_enforce). The official kernel packages however will not. I've spent quite a few hours trying to figure out which kernel option(s) are actually needed for this to work, but I've not yet managed to narrow it down.

Unless this is simply my own mistake in misunderstanding the Secure Boot chain together with the Linux kernel, I wish to ask, if possible, for the needed options to be included in the official kernel build of Arch Linux so that it would be possible to use properly signed dkms modules together with Secure Boot, lockdown=confidentiality and/or module.sig_enforce=1 enabled.

As time permits I will keep trying to narrow down the needed kernel option(s).

Regards, Johan

Additional info:

  • package version(s): 6.8.1.arch1-1
  • config and/or log files: n/a
  • link to upstream bug report, if any: n/a

Steps to reproduce:

  1. Set up Secure Boot with shim.efi, mmx64.efi and systemd-boot (renamed to grubx64.efi since that's what shim wants)
  2. Create MOK keys and sign the module(s) with them
  3. Import the MOK keys with mokutil --import mok.pub
  4. Trust MOK keys with mokutil --trust-mok
  5. Reboot and shim will launch mmx64.efi to enroll and trust MOK keys
  6. Verify if MOK keys are loaded into kernel keyring: keyctl list %:.machine
  7. Since MOK keys don't get imported, signed modules won't load when using 'lockdown=confidentiality' and/or 'module.sig_enforce=1'

Edited by Johan Dahlberg
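The report's step 6 checks only %:.machine. The script below is an added diagnostic (my own, not part of Johan's report or of any Arch package) that goes a bit further: for a given module it reads the signer name with modinfo, then searches each of the kernel keyrings that matter for this problem and says whether the certificate landed somewhere the module loader actually trusts. The kernel verifies module signatures against .builtin_trusted_keys and .secondary_trusted_keys (into which .machine is linked); .platform receives UEFI db/MOK certificates but is not consulted for module loading, so a MOK certificate that only shows up there explains exactly the failure described above. It assumes it is run as root with keyutils (keyctl), kmod (modinfo) and mokutil installed; the keyring names are the kernel's own, everything else (function names, messages) is mine.

```shell
#!/bin/sh
# check_mok_chain.sh -- added diagnostic, not part of the bug report.
# Usage: ./check_mok_chain.sh <module-name>
# Assumes: run as root; keyctl(1), modinfo(8) and mokutil(1) available.
# Module signatures are checked against .builtin_trusted_keys and
# .secondary_trusted_keys (which links .machine); .platform holds UEFI
# db/MOK certs but is NOT used for module signature verification.

# Return 0 if a `keyctl list` listing contains an asymmetric key whose
# description contains the signer name given in $2.
listing_has_signer() {
    printf '%s\n' "$1" | grep -F 'asymmetric:' | grep -qF -- "$2"
}

# Return 0 for keyrings the module loader trusts, 1 otherwise.
keyring_trusted_for_modules() {
    case $1 in
        .builtin_trusted_keys|.secondary_trusted_keys|.machine) return 0 ;;
        *) return 1 ;;
    esac
}

# Dump a keyring by name; a missing keyring yields an empty listing.
list_keyring() {
    keyctl list "%:$1" 2>/dev/null || true
}

# Print every keyring holding the signer. Return 0 if at least one of them
# is trusted for module loading, 1 otherwise (including "not found at all").
locate_signer() {
    _signer=$1
    _verdict=1
    for _kr in .builtin_trusted_keys .secondary_trusted_keys .machine .platform; do
        if listing_has_signer "$(list_keyring "$_kr")" "$_signer"; then
            if keyring_trusted_for_modules "$_kr"; then
                echo "$_kr: holds '$_signer' (trusted for module loading)"
                _verdict=0
            else
                echo "$_kr: holds '$_signer' (NOT used for module signature checks)"
            fi
        fi
    done
    return $_verdict
}

main() {
    _module=$1
    echo "Secure Boot: $(mokutil --sb-state 2>/dev/null || echo 'unknown (mokutil failed)')"
    echo "Lockdown:    $(cat /sys/kernel/security/lockdown 2>/dev/null || echo 'unknown')"
    echo "sig_enforce: $(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || echo 'unknown')"

    _signer=$(modinfo -F signer "$_module" 2>/dev/null || true)
    if [ -z "$_signer" ]; then
        echo "$_module: no signature found (modinfo reports no signer)"
        return 2
    fi
    echo "$_module is signed by: $_signer"

    if locate_signer "$_signer"; then
        echo "OK: signer is in a keyring the module loader trusts."
        return 0
    fi
    echo "FAIL: signer is in no keyring used for module verification."
    echo "      If it appears only in .platform, the running kernel loaded the"
    echo "      MOK certs there instead of into .machine, so module.sig_enforce=1"
    echo "      and lockdown will reject the module even though its signature is valid."
    return 1
}

# Only run the live checks when a module name is given.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

On the custom kernel described in the report the signer should be reported under .machine (and therefore also be reachable through .secondary_trusted_keys); on the failing kernel the same certificate showing up only under .platform, or nowhere, is the concrete symptom to attach to the bug.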