{"id":302,"date":"2023-08-03T09:14:02","date_gmt":"2023-08-03T09:14:02","guid":{"rendered":"https:\/\/d-mashina.net\/?p=302"},"modified":"2023-08-03T09:17:59","modified_gmt":"2023-08-03T09:17:59","slug":"debian-secureboot-in-veeam","status":"publish","type":"post","link":"https:\/\/d-mashina.net\/index.php\/2023\/08\/03\/debian-secureboot-in-veeam\/","title":{"rendered":"Debian, SecureBoot and Veeam"},"content":{"rendered":"<div class=\"reader-article-content reader-article-content--content-blocks\" dir=\"ltr\">\n<p class=\"reader-text-block__paragraph\">My favourite desktop and server Linux distribution is Debian. On my desktops I currently run Debian 11 with Secure Boot enabled. For backups I prefer Veeam, more precisely Veeam Agent for Linux Free, which is excellent for my needs and still free of charge.<\/p>\n<p class=\"reader-text-block__paragraph\">Veeam Agent for Linux 5.0.1 finally works on Debian 11 as well, but it trips over Secure Boot: after adding the repository, installing the veeam and veeamsnap packages and configuring the program, the very first run fails with:<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>Failed to load module [veeamsnap] with parameters [zerosnapdata=1 debuglogging=0 snapstore_b\u2026<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\">After reading the installation documentation for Debian 11 I found that the<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>linux-image-*-dbg <\/strong>and<strong> linux-headers-$(uname -r)<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\">packages have to be installed, but loading the veeamsnap module still failed. The reason is that the kernel is locked down (<strong>kernel_lockdown<\/strong>), which Debian switches on automatically whenever Secure Boot is enabled; in lockdown mode the kernel refuses to load any module that is not signed by a key it trusts, and the DKMS-built veeamsnap is not signed at all.
This leaves us with a choice: disable Secure Boot, or deal with module signing.<\/p>\n<p class=\"reader-text-block__paragraph\">After more reading I finally found that the Veeamsnap signing certificate (.crt) is shipped in the file:<\/p>\n<p class=\"reader-text-block__paragraph\"><a href=\"https:\/\/repository.veeam.com\/.private\/rpm\/el\/8\/x86_64\/veeamsnap-ueficert-5.0.1.4493-1.noarch.rpm\">https:\/\/repository.veeam.com\/.private\/rpm\/el\/8\/x86_64\/veeamsnap-ueficert-5.0.1.4493-1.noarch.rpm<\/a><\/p>\n<p class=\"reader-text-block__paragraph\">and exists only for RPM-based systems. So I downloaded it, converted it to a DEB with alien, unpacked the DEB and copied the certificate onto my system.<\/p>\n<p class=\"reader-text-block__paragraph\">Then I ran:<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>sudo mokutil --import veeamsnap-ueficert.crt<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\">to enrol the key among the trusted ones.<\/p>\n<p class=\"reader-text-block__paragraph\">But that is not all: the certificate above only vouches for modules that Veeam itself built and signed. The module on our system is built by DKMS, which means it was produced by us, not by Veeam, and carries no signature at all, so enrolling Veeam's certificate does nothing for it.
We therefore first have to create our own signing key pair, using these commands:<\/p>\n<ul>\n<li>create the directory that will hold the keys and change into it (the openssl commands below write into the current directory):<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>mkdir -p \/var\/lib\/shim-signed\/mok\/ <\/strong><\/p>\n<ul>\n<li>in that directory create the keys (PoljubnoIme is a placeholder, use any name; -nodes leaves the private key unencrypted on disk, so keep the directory readable by root only, because whoever can read MOK.priv can sign modules the kernel will trust):<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj \"\/CN=PoljubnoIme\/\" -nodes<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\"><strong>openssl x509 -inform der -in MOK.der -out MOK.pem<\/strong><\/p>\n<ul>\n<li>do not forget to install sbsigntool (the sign-file helper used below itself comes from the linux-kbuild package that linux-headers pulls in):<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>apt install sbsigntool<\/strong><\/p>\n<ul>\n<li>enrol the certificate (mokutil asks for a one-time password, which the SHIM screen will ask for again after the reboot):<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>sudo mokutil --import MOK.der<\/strong><\/p>\n<ul>\n<li>check that it is queued for enrolment:<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>sudo mokutil --list-new<\/strong><\/p>\n<ul>\n<li>change into the directory where DKMS put the built modules:<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>cd \/lib\/modules\/$(uname -r)\/updates\/dkms<\/strong><\/p>\n<ul>\n<li>and sign the modules:<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>for i in *.ko ; do \/usr\/lib\/linux-kbuild-5.10\/scripts\/sign-file sha256 \/var\/lib\/shim-signed\/mok\/MOK.priv \/var\/lib\/shim-signed\/mok\/MOK.der \"$i\" ; done<\/strong><\/p>\n<ul>\n<li>check that the module is signed (the output now contains signer, sig_key and sig_hashalgo fields):<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\"><strong>modinfo veeamsnap<\/strong><\/p>\n<ul>\n<li>and reboot the machine.<\/li>\n<\/ul>\n<p class=\"reader-text-block__paragraph\">After the reboot the UEFI screen \"SHIM UEFI Key Management\" appears, where we enrol the certificate (Enroll MOK) and 
reboot once more. After that reboot the key is in the MOK list, the signed module loads, and Veeam Agent and its backups run without errors.<\/p>\n<p class=\"reader-text-block__paragraph\">These commands will help you check whether Secure Boot is enabled:<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>sudo mokutil --sb-state<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\">list the keys built into the kernel (keyctl is in the keyutils package):<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>sudo keyctl list %:.builtin_trusted_keys<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\">and list the keys the firmware and shim handed to the kernel, i.e. the UEFI db and the enrolled MOKs, where your own key should now appear:<\/p>\n<p class=\"reader-text-block__paragraph\"><strong>sudo keyctl list %:.platform<\/strong><\/p>\n<p class=\"reader-text-block__paragraph\">The one drawback is that the signing step has to be repeated after every kernel upgrade: DKMS rebuilds the module for the new kernel and the fresh build is again unsigned. The key enrolment itself is a one-time job as long as you keep the same key pair.<\/p>\n<p class=\"reader-text-block__paragraph\">This is how I solved the problem of unsigned third-party kernel modules, which can also come in handy on servers that need extra hardware-management modules, for example IBM and HP servers.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>My favourite desktop and server Linux distribution is Debian. On my desktops I currently run Debian 11 with Secure Boot enabled. For backups I prefer Veeam, more precisely 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[78,39],"tags":[],"class_list":["post-302","post","type-post","status-publish","format-standard","hentry","category-it","category-opensource"],"_links":{"self":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts\/302","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/comments?post=302"}],"version-history":[{"count":1,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts\/302\/revisions"}],"predecessor-version":[{"id":303,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/posts\/302\/revisions\/303"}],"wp:attachment":[{"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/media?parent=302"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/categories?post=302"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/d-mashina.net\/index.php\/wp-json\/wp\/v2\/tags?post=302"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
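The signing procedure from the post, turned into a script that can be re-run after every kernel upgrade. This is an added example written for this page, not Veeam's or Debian's code. It keeps the post's key location (/var/lib/shim-signed/mok with MOK.priv and MOK.der) and its sign-file invocation, but goes beyond the post in two ways: it derives the linux-kbuild path from the kernel release instead of hard-coding 5.10, and it skips modules that already end with the kernel's appended-signature marker. Everything else is an assumption of mine: that DKMS leaves uncompressed .ko files under /lib/modules/<release>/updates/dkms, that securityfs is mounted at /sys/kernel/security, and that the script runs as root with the kernel release as its argument (for example from an /etc/kernel/postinst.d hook ordered after the dkms one). Enrolling the key with mokutil stays a manual, one-time step.

```sh
#!/bin/sh
# Added example for this post (my script, not Veeam's or Debian's code).
# Re-signs DKMS-built modules with the MOK key from the post so the step can
# be repeated after every kernel upgrade without retyping the commands.
# Assumptions not taken from the post: the key pair lives in MOK_DIR as
# MOK.priv / MOK.der; Debian's sign-file helper lives in
# /usr/lib/linux-kbuild-<major.minor>/scripts/ (shipped with linux-headers);
# DKMS modules are uncompressed .ko files under /lib/modules/<kver>/updates/dkms.
set -eu

MOK_DIR=${MOK_DIR:-/var/lib/shim-signed/mok}

# Active lockdown mode: the bracketed word in /sys/kernel/security/lockdown,
# "integrity" when Secure Boot is on (this is what rejects unsigned modules).
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' /sys/kernel/security/lockdown
}

# Debian's sign-file for a kernel release string, derived from its
# major.minor instead of hard-coding 5.10 as the post does:
# 5.10.0-23-amd64 -> /usr/lib/linux-kbuild-5.10/scripts/sign-file
kbuild_sign_file() {
    mm=$(printf '%s\n' "$1" | cut -d. -f1,2)
    printf '%s\n' "/usr/lib/linux-kbuild-$mm/scripts/sign-file"
}

# sign-file appends the PKCS#7 signature and then the 28-byte marker
# "~Module signature appended~\n"; the kernel looks for the same marker.
# Returns 0 when the file ends with it, 1 otherwise.
module_is_signed() {
    tail -c 28 "$1" | grep -q '^~Module signature appended~$'
}

# Create the key pair once, readable by root only: with -nodes the private
# key sits unencrypted on disk, and whoever can read it can sign modules the
# kernel will trust after enrolment. Enrolment (mokutil --import) stays manual.
mok_ensure_key() {
    [ -r "$MOK_DIR/MOK.priv" ] && return 0
    ( umask 077
      mkdir -p "$MOK_DIR"
      openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
          -subj "/CN=DKMS module signing/" \
          -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der" )
}

# Sign every unsigned .ko in $1 using sign-file $2, private key $3 and
# certificate $4 (sign-file's own argument order: hash key x509 module).
# Already-signed modules are skipped; sign-file would otherwise append a
# second signature. Prints how many modules were signed.
sign_modules_in_dir() {
    dir=$1; signer=$2; key=$3; cert=$4
    n=0
    for ko in "$dir"/*.ko; do
        [ -e "$ko" ] || continue      # glob did not match: nothing built
        module_is_signed "$ko" && continue
        "$signer" sha256 "$key" "$cert" "$ko"
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Sign the DKMS modules of kernel release $1 (the argument that
# /etc/kernel/postinst.d hooks receive), failing loudly when the helper is
# missing instead of silently leaving modules unsigned.
sign_dkms_modules() {
    kver=$1
    signer=$(kbuild_sign_file "$kver")
    [ -x "$signer" ] || { echo "missing $signer: install linux-headers-$kver" >&2; return 1; }
    echo "lockdown mode: $(lockdown_mode 2>/dev/null || echo unknown)" >&2
    mok_ensure_key
    sign_modules_in_dir "/lib/modules/$kver/updates/dkms" \
        "$signer" "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der"
}

# Usage: sudo sh sign-dkms-modules.sh "$(uname -r)"
# Without an argument the file only defines the functions above.
if [ -n "${1:-}" ]; then
    sign_dkms_modules "$1"
fi
```

The number it prints is how many modules were newly signed; a second run on the same kernel prints 0 because every module now carries the marker. After the first run on a fresh key, `sudo mokutil --import /var/lib/shim-signed/mok/MOK.der` and the reboot into MokManager are still needed exactly as in the post.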