feat: add Secure Boot MOK key enrollment and module signing

Generate DKMS MOK key pair during OS install, sign all unsigned kernel modules, and enroll the MOK certificate using the user's master password. On reboot, MokManager prompts the user to complete enrollment. Re-enrolls on every boot if the key exists but isn't enrolled yet. Adds setup wizard dialog to inform the user about the MokManager prompt.
2026-03-26 02:11:53 +00:00 · 2026-03-11 15:18:13 -06:00
parent 10a5bc0280
commit effcec7e2e
23 changed files with 400 additions and 20 deletions
--- a/build/dpkg-deps/depends
+++ b/build/dpkg-deps/depends
@@ -11,6 +11,7 @@ cifs-utils
 conntrack
 cryptsetup
 curl
+dkms
 dmidecode
 dnsutils
 dosfstools
@@ -36,6 +37,7 @@ lvm2
 lxc
 magic-wormhole
 man-db
+mokutil
 ncdu
 net-tools
 network-manager
--- a/build/image-recipe/build.sh
+++ b/build/image-recipe/build.sh
@@ -299,6 +299,16 @@ if [ "${NVIDIA}" = "1" ]; then
    echo "[nvidia-hook] Removed build dependencies." >&2
 fi

+# Install linux-kbuild for sign-file (Secure Boot module signing)
+KVER_ALL="\$(ls -1t /boot/vmlinuz-* 2>/dev/null | head -n1 | sed 's|.*/vmlinuz-||')"
+if [ -n "\${KVER_ALL}" ]; then
+    KBUILD_VER="\$(echo "\${KVER_ALL}" | grep -oP '^\d+\.\d+')"
+    if [ -n "\${KBUILD_VER}" ]; then
+        echo "[build] Installing linux-kbuild-\${KBUILD_VER} for Secure Boot support" >&2
+        apt-get install -y "linux-kbuild-\${KBUILD_VER}" || echo "[build] WARNING: linux-kbuild-\${KBUILD_VER} not available" >&2
+    fi
+fi
+
 cp /etc/resolv.conf /etc/resolv.conf.bak

 if [ "${IB_SUITE}" = trixie ] && [ "${IB_TARGET_ARCH}" != riscv64 ]; then
--- a/build/lib/scripts/sign-unsigned-modules
+++ b/build/lib/scripts/sign-unsigned-modules
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# sign-unsigned-modules [--source <dir> --dest <dir>] [--sign-file <path>]
+#                        [--mok-key <path>] [--mok-pub <path>]
+#
+# Signs all unsigned kernel modules using the DKMS MOK key.
+#
+# Default (install) mode:
+#   Run inside a chroot. Finds and signs unsigned modules in /lib/modules in-place.
+#   sign-file and MOK key are auto-detected from standard paths.
+#
+# Overlay mode (--source/--dest):
+#   Finds unsigned modules in <source>, copies to <dest>, signs the copies.
+#   Clears old signed modules in <dest> first. Used during upgrades where the
+#   overlay upper is tmpfs and writes would be lost.
+
+set -e
+
+SOURCE=""
+DEST=""
+SIGN_FILE=""
+MOK_KEY="/var/lib/dkms/mok.key"
+MOK_PUB="/var/lib/dkms/mok.pub"
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --source) SOURCE="$2"; shift 2;;
+        --dest) DEST="$2"; shift 2;;
+        --sign-file) SIGN_FILE="$2"; shift 2;;
+        --mok-key) MOK_KEY="$2"; shift 2;;
+        --mok-pub) MOK_PUB="$2"; shift 2;;
+        *) echo "Unknown option: $1" >&2; exit 1;;
+    esac
+done
+
+# Auto-detect sign-file if not specified
+if [ -z "$SIGN_FILE" ]; then
+    SIGN_FILE="$(ls -1 /usr/lib/linux-kbuild-*/scripts/sign-file 2>/dev/null | head -1)"
+fi
+
+if [ -z "$SIGN_FILE" ] || [ ! -x "$SIGN_FILE" ]; then
+    exit 0
+fi
+
+if [ ! -f "$MOK_KEY" ] || [ ! -f "$MOK_PUB" ]; then
+    exit 0
+fi
+
+COUNT=0
+
+if [ -n "$SOURCE" ] && [ -n "$DEST" ]; then
+    # Overlay mode: find unsigned in source, copy to dest, sign in dest
+    rm -rf "${DEST}"/lib/modules
+
+    for ko in $(find "${SOURCE}"/lib/modules -name '*.ko' 2>/dev/null); do
+        if ! modinfo "$ko" 2>/dev/null | grep -q '^sig_id:'; then
+            rel_path="${ko#${SOURCE}}"
+            mkdir -p "${DEST}$(dirname "$rel_path")"
+            cp "$ko" "${DEST}${rel_path}"
+            "$SIGN_FILE" sha256 "$MOK_KEY" "$MOK_PUB" "${DEST}${rel_path}"
+            COUNT=$((COUNT + 1))
+        fi
+    done
+else
+    # In-place mode: sign modules directly
+    for ko in $(find /lib/modules -name '*.ko' 2>/dev/null); do
+        if ! modinfo "$ko" 2>/dev/null | grep -q '^sig_id:'; then
+            "$SIGN_FILE" sha256 "$MOK_KEY" "$MOK_PUB" "$ko"
+            COUNT=$((COUNT + 1))
+        fi
+    done
+fi
+
+if [ $COUNT -gt 0 ]; then
+    echo "[sign-modules] Signed $COUNT unsigned kernel modules"
+fi
--- a/build/lib/scripts/upgrade
+++ b/build/lib/scripts/upgrade
@@ -83,6 +83,15 @@ if [ -d /sys/firmware/efi ] && [ -f /media/startos/config/efi-installer-entry ];
    fi
 fi

+# Sign unsigned kernel modules for Secure Boot
+SIGN_FILE="$(ls -1 /media/startos/next/usr/lib/linux-kbuild-*/scripts/sign-file 2>/dev/null | head -1)"
+/media/startos/next/usr/lib/startos/scripts/sign-unsigned-modules \
+    --source /media/startos/lower \
+    --dest /media/startos/config/overlay \
+    --sign-file "$SIGN_FILE" \
+    --mok-key /media/startos/config/overlay/var/lib/dkms/mok.key \
+    --mok-pub /media/startos/config/overlay/var/lib/dkms/mok.pub
+
 sync

 umount -Rl /media/startos/next