booting error when using code signing for linux kernel image

[apoorvmunshi]

Hello ,

Image link : image link

We are trying to implement code signing while using ipxe.

Case 1 : We implemented code signing by following commands given on the ipxe documentation.It worked.

Case 2: We turned on HTTPS option, embedded our private root certificate in ipxe binary, installed self-signed cert on our nginx server. As you can see in the screenshot, the fetching of our script "debian.ipxe" over HTTPS is successful. However, code signing seems to fail.

Please help. Thank you in advance.

[NiKiZe]

The http://ipxe.org/0216eb3c errors points to x509 not being able to validate,
maybe you could build with DEBUG=x509 to get more information about what the cause might be.

Could you post your scripts, and maybe also trying the commands one by one, to see exactly what fails?

[apoorvmunshi]

(2016-04-09 18:31)NiKiZe Wrote:  The http://ipxe.org/0216eb3c errors points to x509 not being able to validate,
maybe you could build with DEBUG=x509 to get more information about what the cause might be.

Could you post your scripts, and maybe also trying the commands one by one, to see exactly what fails?

hi NikiZe ,

Please find the image of the debug messages here:

dubug messages

The commands in our script are as follows:

#!ipxe
imgtrust
kernel https://192.168.1.42/debian/vmlinuz
imgstat
imgverify vmlinuz https://192.168.1.42/debian/vmlinuz.sig
imgstat
module https://192.168.1.42/debian/initrd.img
imgargs vmlinuz boot=live config username=live fetch=http://192.168.1.42/debian/filesystem.squashfs
boot

Any help is deeply appreciated. Also, just for your information, we followed the exact steps given on the ipxe manual.

[NiKiZe]

I'm no expert on the iPXE cert, but until someone with more knowledge comes along...

based on ipxe.org/0216eb3c and "X509 chain ... found no usable certificates" would suggest to me that the .sig does not match the cert or vice versa.

Searching for ipxe "found no usable certificates" hopefully gives more insights.

[apoorvmunshi]

1. openssl req -newkey rsa -keyout codesign.key -out codesign.req
2. openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt

3. openssl cms -sign -binary -noattr -in vmlinuz -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig



The ca.cnf file is for my own private CA infrastructure and it has digitalSignature key usage extension and the codeSigning extended key usage extension enabled.

Ca.cnf format:

[ ca ]

default_ca = ca_default

[ ca_default ]

certificate = ca.crt

private_key = ca.key

serial = ca.srl

database = ca.idx

new_certs_dir = /home/apoorv/projects/signed

default_md = default

policy = policy_anything

preserve = yes

default_days = 90

unique_subject = no

[ policy_anything ]

countryName = optional

stateOrProvinceName = optional

localityName = optional

organizationName = optional

organizationalUnitName = optional

commonName = optional

emailAddress = optional

[ cross ]

basicConstraints = critical,CA:true

keyUsage = critical,cRLSign,keyCertSign

[ codesigning ]

keyUsage = digitalSignature

extendedKeyUsage = codeSigning

Command : openssl cms -verify -binary -content vmlinuz -inform DER -in vmlinuz.sig -CAfile ca.crt

Output:

Verification failure 140187569694352:error:2E099064:CMS routines:CMS_SIGNERINFO_VERIFY_CERT:certificate verify error:cms_smime.c:287:Verify error:unsupported certificate purpose


Can anyone please help me what is going wrong here ?

[apoorvmunshi]

Hello everyone ,
We solved the problem by entering the following commands:

openssl req -newkey rsa -keyout codesign.key -out codesign.req

openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt

openssl cms -sign -binary -noattr -in vmlinuz -purpose any -signer codesign.crt -inkey codesign.key -certfile ca.crt -outform DER -out vmlinuz.sig


It seems that adding the purpose -any option solved the problem.

Thank you for your help.