booting error when using code signing for linux kernel image
2016-04-06, 05:52
(This post was last modified: 2016-04-14 00:36 by apoorvmunshi.)
Post: #1
booting error when using code signing for linux kernel image
Hello,

Image link: image link

We are trying to implement code signing while using iPXE.

Case 1: We implemented code signing by following the commands given in the iPXE documentation. It worked.

Case 2: We turned on the HTTPS option, embedded our private root certificate in the iPXE binary, and installed a self-signed cert on our nginx server. As you can see in the screenshot, the fetching of our script "debian.ipxe" over HTTPS is successful. However, code signing seems to fail.

Please help. Thank you in advance.
2016-04-09, 18:31
Post: #2
RE: booting error when using code signing for linux kernel image
The http://ipxe.org/0216eb3c error points to x509 not being able to validate; maybe you could build with DEBUG=x509 to get more information about what the cause might be. Could you post your scripts, and maybe also try the commands one by one, to see exactly what fails?
2016-04-12, 04:03
(This post was last modified: 2016-04-14 02:19 by apoorvmunshi.)
Post: #3
RE: booting error when using code signing for linux kernel image
(2016-04-09 18:31) NiKiZe Wrote: The http://ipxe.org/0216eb3c errors points to x509 not being able to validate,

Hi NiKiZe,

Please find the image of the debug messages here: debug messages

The commands in our script are as follows:

    #!ipxe
    imgtrust
    kernel https://192.168.1.42/debian/vmlinuz
    imgstat
    imgverify vmlinuz https://192.168.1.42/debian/vmlinuz.sig
    imgstat
    module https://192.168.1.42/debian/initrd.img
    imgargs vmlinuz boot=live config username=live fetch=http://192.168.1.42/debian/filesystem.squashfs
    boot

Any help is deeply appreciated. Also, just for your information, we followed the exact steps given in the iPXE manual.
2016-04-12, 07:16
Post: #4
RE: booting error when using code signing for linux kernel image
I'm no expert on the iPXE cert, but until someone with more knowledge comes along...

Based on ipxe.org/0216eb3c and "X509 chain ... found no usable certificates", it would suggest to me that the .sig does not match the cert or vice versa. Searching for ipxe "found no usable certificates" hopefully gives more insights.
2016-04-14, 00:35
Post: #5
RE: booting error when using code signing for linux kernel image
1. openssl req -newkey rsa -keyout codesign.key -out codesign.req
2. openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
3. openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig

The ca.cnf file is for my own private CA infrastructure and it has the digitalSignature key usage extension and the codeSigning extended key usage extension enabled.

ca.cnf format:

    [ ca ]
    default_ca = ca_default

    [ ca_default ]
    certificate = ca.crt
    private_key = ca.key
    serial = ca.srl
    database = ca.idx
    new_certs_dir = /home/apoorv/projects/signed
    default_md = default
    policy = policy_anything
    preserve = yes
    default_days = 90
    unique_subject = no

    [ policy_anything ]
    countryName = optional
    stateOrProvinceName = optional
    localityName = optional
    organizationName = optional
    organizationalUnitName = optional
    commonName = optional
    emailAddress = optional

    [ cross ]
    basicConstraints = critical,CA:true
    keyUsage = critical,cRLSign,keyCertSign

    [ codesigning ]
    keyUsage = digitalSignature
    extendedKeyUsage = codeSigning

Command:

    openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig -CAfile ca.crt

Output:

    Verification failure
    140187569694352:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:unsupported certificate purpose

Can anyone please help me with what is going wrong here?
2016-04-15, 21:07
Post: #6
RE: booting error when using code signing for linux kernel image
Hello everyone,

We solved the problem by entering the following commands:

    openssl req -newkey rsa -keyout codesign.key -out codesign.req
    openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt
    openssl cms -sign -binary -noattr -in vmlinuz -purpose any -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig

It seems that adding the -purpose any option solved the problem. Thank you for your help.
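The "unsupported certificate purpose" failure in post #5 and the -purpose any fix in post #6 come from OpenSSL's side of the check, not iPXE's: openssl cms -verify checks the signer certificate against the "smimesign" purpose by default, and that purpose rejects a certificate whose extended key usage lists only codeSigning (which is exactly the EKU iPXE's signature check requires). The script below is an added example, not the poster's files: it builds a throwaway private CA and a codeSigning-only leaf in a temp directory, produces the same detached DER CMS signature the thread uses, and then verifies it three ways, so you can see the default-purpose rejection, the -purpose any success, and that a tampered payload still fails. File names, subject names and the payload are constructed for this demo; it only needs openssl on the PATH.

```shell
#!/bin/sh
# Added example: CMS code-signing flow with a throwaway private CA.
# Everything (paths, CNs, payload) is constructed; nothing here is the
# poster's own PKI.

# Minimal OpenSSL config. The "cross" and "codesigning" sections mirror the
# extension sections of the thread's ca.cnf; the leaf gets ONLY codeSigning
# as its extended key usage, which is what iPXE expects to find.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ cross ]
basicConstraints = critical,CA:true
keyUsage = critical,cRLSign,keyCertSign
[ codesigning ]
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# Self-signed CA plus a leaf issued by it (openssl x509 -req stands in for the
# thread's openssl ca so no serial/database files are needed).
build_pki() {
  dir=$1
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -sha256 \
    -config "$dir/ext.cnf" -extensions cross -subj "/CN=Demo Boot CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$dir/ext.cnf" -subj "/CN=Demo Kernel Signer" \
    -keyout "$dir/codesign.key" -out "$dir/codesign.req" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/codesign.req" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions codesigning \
    -out "$dir/codesign.crt" 2>/dev/null
}

# Detached CMS signature in DER form, the shape iPXE's imgverify consumes.
# -noattr omits signed attributes; -certfile embeds the CA cert in the blob.
sign_payload() {
  dir=$1
  openssl cms -sign -binary -noattr -in "$dir/vmlinuz" \
    -signer "$dir/codesign.crt" -inkey "$dir/codesign.key" \
    -certfile "$dir/ca.crt" -outform DER -out "$dir/vmlinuz.sig" 2>/dev/null
}

# Verify $2 against the stored signature. $3 is an optional -purpose value;
# prints "ok" or "fail" instead of exiting so callers can compare outcomes.
verify_payload() {
  dir=$1; payload=$2; purpose=$3
  if openssl cms -verify -binary -content "$payload" -inform DER \
       -in "$dir/vmlinuz.sig" -CAfile "$dir/ca.crt" \
       ${purpose:+-purpose "$purpose"} -out /dev/null 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

# Run the whole flow and report the three verification outcomes on one line.
run_demo() {
  dir=$(mktemp -d)
  write_config "$dir/ext.cnf"
  build_pki "$dir"
  printf 'constructed stand-in for a kernel image\n' > "$dir/vmlinuz"
  sign_payload "$dir"
  # Default purpose (smimesign) rejects a codeSigning-only leaf.
  default=$(verify_payload "$dir" "$dir/vmlinuz" "")
  # -purpose any accepts the chain and checks the signature itself.
  any=$(verify_payload "$dir" "$dir/vmlinuz" any)
  # Flip the payload: the signature no longer matches, purpose or not.
  printf 'x' >> "$dir/vmlinuz"
  tampered=$(verify_payload "$dir" "$dir/vmlinuz" any)
  rm -rf "$dir"
  echo "default=$default any=$any tampered=$tampered"
}

run_demo
```

The single output line reads default=fail any=ok tampered=fail. The first token is the thread's "unsupported certificate purpose" case reproduced deliberately; the third is the check that actually matters operationally, since a signature that still verifies after the payload changes would mean the chain is being trusted instead of the content.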