Free EF CheckSum Manager 2023.112/25/2024

It’s been quite a while since the introduction of UEFI and Secure Boot, which ensures that only code bearing a signature by a trusted party will get executed by the firmware. After a brief period of uncertainty this is now well supported by default in many Linux distributions.

The Zero Trust security model gaining popularity lately also stipulates “never trust, always verify”, and do it at every step, always. For this to be effective it has to start at the moment you power on your computer. The usual boot process for a PC running Linux nowadays is that the UEFI loads a small piece of software (called shim), which in turn loads the bootloader (usually GRUB), and at each step the previous one makes sure the next is digitally signed by a trusted party.

To extend this “chain of trust” one step further the Linux kernel has gained support for digitally signing kernel images and modules too. So now the bootloader (or even the UEFI firmware directly) can verify the signature on the kernel image it’s loading. With the correct config options enabled (CONFIG_MODULE_SIG_FORCE and CONFIG_KEXEC_SIG_FORCE) the kernel will itself check the signatures when loading a module or performing a kexec.

Unfortunately this extra security comes at the price of additional complexity. When loading a module or doing a kexec fails because of a problem with signature verification it may not be trivial to find out exactly why. The gory details of how all this intricate machinery works are way outside the scope of this write-up, but one possible reason for the failure is that the module or kernel image either doesn’t contain a valid signature at all, or it contains one but the signer is not in the kernel’s list of trusted parties. With the above in mind, when debugging such an issue a logical first step is to check if the module or kernel contains a valid signature and, if yes, by whom.
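As an added example (not from the original post), a small Python checker for that first step: it parses the signature trailer the kernel appends to a signed .ko file (layout taken from the kernel's include/linux/module_signature.h) and reports whether the module is unsigned, signed, or carries a trailer the kernel itself would reject. The fixture builder and the sample bytes are constructed for the demonstration; identifying the signer inside the extracted PKCS#7 blob is left to openssl.

```python
import struct
import sys
from typing import Optional, Tuple

# Trailer layout from the kernel's include/linux/module_signature.h:
# struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len; }
# immediately followed by MAGIC as the very last bytes of the .ko file.
MAGIC = b"~Module signature appended~\n"
SIG_HDR = struct.Struct(">BBBBB3xI")  # 12 bytes, sig_len is big-endian
PKEY_ID_PKCS7 = 2
ID_TYPE_NAMES = {0: "PGP", 1: "X509", PKEY_ID_PKCS7: "PKCS#7"}


def parse_module_signature(image: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (id_type_name, signature_blob) for a signed image, None if unsigned.
    Raises ValueError for trailers the kernel's mod_check_sig() would reject,
    so a caller can tell 'unsigned' apart from 'corrupt signature'."""
    if not image.endswith(MAGIC):
        return None
    body = image[: -len(MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("image too short to hold struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    body = body[: -SIG_HDR.size]
    # For PKCS#7 the legacy PGP/X.509 fields must all be zero.
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer with non-zero legacy fields")
    if sig_len > len(body):
        raise ValueError("sig_len %d exceeds module size %d" % (sig_len, len(body)))
    return ID_TYPE_NAMES.get(id_type, "unknown(%d)" % id_type), body[len(body) - sig_len:]


def describe(image: bytes) -> str:
    """One-line verdict for a debugging script: unsigned / signed / malformed."""
    try:
        parsed = parse_module_signature(image)
    except ValueError as exc:
        return "malformed signature: %s" % exc
    if parsed is None:
        return "unsigned"
    id_type, blob = parsed
    return "signed (%s, %d-byte signature blob)" % (id_type, len(blob))


def build_signed_fixture(payload: bytes, blob: bytes) -> bytes:
    """Constructed fixture only: appends a PKCS#7-style trailer, performs no real signing."""
    return payload + blob + SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(blob)) + MAGIC


if __name__ == "__main__":  # usage: python3 modsig.py /lib/modules/.../foo.ko
    with open(sys.argv[1], "rb") as fh:
        print(describe(fh.read()))
```

On a real system `modinfo -F signer foo.ko` prints the signer name directly, and `openssl pkcs7 -inform DER -print_certs` on the extracted blob shows the certificate; compare that against `keyctl list %:.builtin_trusted_keys` to see whether the signer is one the running kernel actually trusts.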