From d5b4ad4375e6469c008673e42f6bd658f84f687e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=BBnn=20Ki=C3=A0n-=C3=AEng?= Date: Wed, 5 Oct 2022 16:55:50 +0800 Subject: [PATCH 1/5] Adding the SecureBoot in the 'Before We Begin' --- lkmpg.tex | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lkmpg.tex b/lkmpg.tex index eb2d5008..a3089ceb 100644 --- a/lkmpg.tex +++ b/lkmpg.tex @@ -174,6 +174,21 @@ \subsection{Before We Begin} You will not see it unless you look through your \sh|journalctl| . See \ref{sec:helloworld} for details. To have immediate access to this information, do all your work from the console. + \label{sec:using_x} + \item SecureBoot. + Many modern PC or laptop are shipped with UEFI SecureBoot enabled by default. It is a security standard that can make sure the device boots using only software that is trusted by original equipment manufacturer. + The default Linux kernel from some distributions have also enabled the SecureBoot. For such distribution, the kernel module has to be signed with the security key or you would get the "\emph{ERROR: could not insert module}" when you insert your first hello world module: +\begin{codebash} +insmod ./hello-1.ko +\end{codebash} + And then you can check further with "dmesg"and see the following text: + + \emph{Lockdown: insmod: unsigned module loading is restricted; + see man kernel lockdown.7} + + If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello world" to be inserted. Of course you can go through many complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. However, this needs another chapter for the advanced users but not suitable for beginners. + + \end{enumerate} \section{Headers} From f39fc7492c238238029fee6f6ad3c101f7f6c9a1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?I=C3=BBnn=20Ki=C3=A0n-=C3=AEng?= Date: Thu, 6 Oct 2022 15:33:26 +0800 Subject: [PATCH 2/5] Modify the texts according the comments --- lkmpg.tex | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/lkmpg.tex b/lkmpg.tex index a3089ceb..e3cac15e 100644 --- a/lkmpg.tex +++ b/lkmpg.tex 
@@ -174,19 +174,22 @@ \subsection{Before We Begin} You will not see it unless you look through your \sh|journalctl| . See \ref{sec:helloworld} for details. To have immediate access to this information, do all your work from the console. - \label{sec:using_x} \item SecureBoot. - Many modern PC or laptop are shipped with UEFI SecureBoot enabled by default. It is a security standard that can make sure the device boots using only software that is trusted by original equipment manufacturer. - The default Linux kernel from some distributions have also enabled the SecureBoot. For such distribution, the kernel module has to be signed with the security key or you would get the "\emph{ERROR: could not insert module}" when you insert your first hello world module: + Many contemporary computers are pre-configured with UEFI SecureBoot enabled. + It is a security standard that can make sure the device boots using only software that is trusted by original equipment manufacturer. + The default Linux kernel from some distributions have also enabled the SecureBoot. + For such distributions, the kernel module has to be signed with the security key or you would get the "\emph{ERROR: could not insert module}" when you insert your first hello world module: \begin{codebash} insmod ./hello-1.ko \end{codebash} - And then you can check further with "dmesg"and see the following text: + And then you can check further with \sh|dmesg| and see the following text: \emph{Lockdown: insmod: unsigned module loading is restricted; - see man kernel lockdown.7} + see man kernel lockdown.7} - If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello world" to be inserted. Of course you can go through many complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. However, this needs another chapter for the advanced users but not suitable for beginners. 
+ If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello world" to be inserted. + Of course you can go through complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. + However, this needs another chapter for the advanced users but not suitable for beginners. \end{enumerate} From d715f2926b3bfd07dfaa98c4fa11804ed6418f3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=BBnn=20Ki=C3=A0n-=C3=AEng?= Date: Fri, 14 Oct 2022 13:49:59 +0800 Subject: [PATCH 3/5] modify the 'hello world' to 'hell-1' --- lkmpg.tex | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lkmpg.tex b/lkmpg.tex index e3cac15e..e01285b9 100644 --- a/lkmpg.tex +++ b/lkmpg.tex @@ -179,6 +179,7 @@ \subsection{Before We Begin} It is a security standard that can make sure the device boots using only software that is trusted by original equipment manufacturer. The default Linux kernel from some distributions have also enabled the SecureBoot. For such distributions, the kernel module has to be signed with the security key or you would get the "\emph{ERROR: could not insert module}" when you insert your first hello world module: + \begin{codebash} insmod ./hello-1.ko \end{codebash} @@ -187,7 +188,7 @@ \subsection{Before We Begin} \emph{Lockdown: insmod: unsigned module loading is restricted; see man kernel lockdown.7} - If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello world" to be inserted. + If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello-1" to be inserted. Of course you can go through complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. However, this needs another chapter for the advanced users but not suitable for beginners. 
From 318721913e099a0bf179c99e8ce31f4c448421a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=BBnn=20Ki=C3=A0n-=C3=AEng?= Date: Mon, 17 Oct 2022 12:59:00 +0800 Subject: [PATCH 4/5] Add some references for the secureboot --- lkmpg.tex | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lkmpg.tex b/lkmpg.tex index e01285b9..e41853a3 100644 --- a/lkmpg.tex +++ b/lkmpg.tex @@ -190,7 +190,9 @@ \subsection{Before We Begin} If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello-1" to be inserted. Of course you can go through complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. - However, this needs another chapter for the advanced users but not suitable for beginners. + However, this is not suitable for beginners. + Please follow the steps in \href{https://ubuntu.com/blog/how-to-sign-things-for-secure-boot}{how-to-sign-things-for-secure-boot} if you are interested. + And you can learn more with \href{https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/}{Oracle® Linux Working With UEFI Secure Boot} \end{enumerate} From 2e17b703a4b27e2b4a98e407023aeb30b722b084 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?I=C3=BBnn=20Ki=C3=A0n-=C3=AEng?= Date: Sun, 30 Oct 2022 10:52:23 +0800 Subject: [PATCH 5/5] Changine the reference link to SecureBoot in Debian Wiki --- lkmpg.tex | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lkmpg.tex b/lkmpg.tex index e41853a3..29ffc906 100644 --- a/lkmpg.tex +++ b/lkmpg.tex 
@@ -191,10 +191,7 @@ \subsection{Before We Begin} If you got this message, the simplest way is to disable the UEFI SecureBoot from the PC/laptop boot menu to have your "hello-1" to be inserted. Of course you can go through complicated steps to generate keys, install keys to your system, and finally sign your module to make it work. However, this is not suitable for beginners. - Please follow the steps in \href{https://ubuntu.com/blog/how-to-sign-things-for-secure-boot}{how-to-sign-things-for-secure-boot} if you are interested. - And you can learn more with \href{https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/}{Oracle® Linux Working With UEFI Secure Boot} - - + You could read and follow the steps in \href{https://wiki.debian.org/SecureBoot}{SecureBoot} if you are interested. \end{enumerate} \section{Headers}
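Review bot: in [PATCH 1/5], the added `\label{sec:using_x}` sits directly above the new `\item SecureBoot.`, and its name has nothing to do with Secure Boot; a label placed there will resolve to the wrong item, so drop it from this hunk or move it to the item it names. In the same hunk, `"dmesg"and` is missing a space, and since the context line above already writes `\sh|journalctl|`, the command should be set as `\sh|dmesg|` to match.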
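Review bot: in [PATCH 2/5], the re-indented `\emph{Lockdown: ...}` lines still end with `see man kernel lockdown.7`; the kernel prints `kernel_lockdown.7`, so the underscore has been lost and should be restored as `kernel\_lockdown.7`, otherwise readers who copy the text will not find the man page. The reworded sentence "The default Linux kernel from some distributions have also enabled the SecureBoot" also blurs two things: Secure Boot is the firmware setting, while what the quoted Lockdown message shows is the kernel refusing unsigned modules. Suggest saying that and naming which key "the security key" refers to.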
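Review bot: in [PATCH 3/5], the rename to "hello-1" is applied only to the "If you got this message" sentence, while the unchanged context line above still says "when you insert your first hello world module", so the paragraph now uses two names for the same module. Change both, and consider writing the module as `\sh|hello-1.ko|` rather than in straight double quotes, which LaTeX typesets as two closing quotes. The phrase "to have your "hello-1" to be inserted" would also read better as "so that hello-1 can be inserted".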
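Review bot: in [PATCH 4/5], the last added line, the `\href` ending in `{Oracle® Linux Working With UEFI Secure Boot}`, has no closing period and carries a raw `®`, which can fail to typeset depending on the input encoding; `\textregistered` avoids that. The hunk also adds two empty `+` lines before `\end{enumerate}` that serve no purpose, and the first link uses the URL slug `how-to-sign-things-for-secure-boot` as its visible text where the article title would read better.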
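Review bot: in [PATCH 5/5], the paragraph this hunk finalises still presents disabling UEFI SecureBoot as "the simplest way" and never tells the reader to turn it back on, even though the item itself describes it as what ensures the device boots only trusted software. Suggest adding one sentence after "However, this is not suitable for beginners." advising readers to re-enable Secure Boot when they finish experimenting, or to work in a virtual machine. The new link text `{SecureBoot}` is identical to the item title, so something like "the Debian Wiki SecureBoot page" would tell the reader where the link leads.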