UEFI Secure Boot Compatibility

mdcornu edited this page May 23, 2017 · 2 revisions

Using the intel-cmt-cat package with UEFI Secure Boot enabled.

Problem Statement:

Some OSVs (Operating System Vendors) have added support for UEFI Secure Boot to their distributions. When running an OS with UEFI Secure Boot enabled on your platform, the OS blocks the following operations:

  • Inserting kernel modules that are not digitally signed
  • MSR (Model Specific Register) writes from user space using the generic MSR kernel module

Intel® Resource Director Technology (RDT) features are programmed by reading and writing CPU MSRs. The intel-cmt-cat software is a user space library and set of utilities for programming Intel® RDT and hence is not compatible with UEFI Secure Boot out of the box. Currently, there are two solutions to overcome this issue.

Solution 1: Library OS interface

If using Linux with kernel 4.10 or above, the library can be initialized to use kernel frameworks (perf and resctrl) to do resource monitoring and allocation. These frameworks are compatible with UEFI Secure Boot as they are running in kernel space and are part of the OS distribution. To use the library OS interface, please refer to the Usage Examples wiki page.

Solution 2: Manual MSR Kernel Module Patch (Linux Example)

For older kernels, it is possible to enable MSR writes from user space while UEFI Secure Boot is enabled. This is done by manually editing the source of the generic MSR kernel module, rebuilding it, signing the rebuilt module with a MOK (Machine Owner's Key) and inserting it.

To do this, follow these steps (tested on Ubuntu 14.04.5):

1. Download the kernel source code for your kernel to your current directory:
   ```sh
   # apt-get install dpkg-dev
   # apt-get source linux-image-$(uname -r)
   ```
2. Create a separate directory to copy and build the MSR module:
   ```sh
   # mkdir -p ~/kernel/msr/
   # cp ./linux-X.X.X/arch/x86/kernel/msr.c ~/kernel/msr/
   ```
3. Manually edit the MSR module source code to remove the `secure_modules()` conditions that cause it to return an error (`diff` of the original msr.c against the edited copy):
108,109c108,109
< 	if (secure_modules())
< 		return -EPERM;
---
> 	/* if (secure_modules()) */
> 	/* 	return -EPERM; */
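Review bot: commenting out this `secure_modules()` check removes the Secure Boot restriction on MSR writes for every caller of the msr module, not just for the intel-cmt-cat tools, so once the signed msr.ko is loaded the restriction is gone system-wide. Worth documenting that the MOK private key used to sign this module and the signed msr.ko itself must be protected accordingly, and consider gating the relaxed path behind a module parameter, or limiting it to the MSRs the RDT tooling needs, rather than deleting the check outright.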
158,161c158,161
< 		if (secure_modules()) {
< 			err = -EPERM;
< 			break;
< 		}
---
> 		/* if (secure_modules()) { */
> 		/* 	err = -EPERM; */
> 		/* 	break; */
> 		/* } */
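Review bot: the line ranges in both hunks (108,109 and 158,161) are specific to the kernel version this page was tested on and will not match other msr.c revisions, which may place the check elsewhere or not contain a function named `secure_modules()` at all. Document that the reader should locate the call sites by searching msr.c for `secure_modules()` rather than by line number, and that at this second site only the `if` block is removed while the surrounding `err` handling stays intact.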
4. Build the MSR kernel module. For information on building the kernel module see: http://www.tldp.org/LDP/lkmpg/2.6/html/x181.html
5. Sign the out-of-tree driver with the MOK key. For information on how to sign the driver see: https://01.org/linuxgraphics/gfx-docs/drm/admin-guide/module-signing.html

   Example:
   ```sh
   # /usr/src/linux-headers-X.X.X-X-generic/scripts/sign-file sha256 ../../MOK/MOK_private_key.priv ../../MOK/MOK_public_key.der msr.ko
   ```
6. Insert the signed out-of-tree module:
   ```sh
   # insmod ./msr.ko
   ```

Note: For kernels/distros (e.g. RHEL 7.x) that have the generic MSR driver built into the kernel image rather than as a loadable module, a kernel rebuild is required after the modifications to the MSR source.

The intel-cmt-cat library and tools should now work as expected with UEFI Secure Boot enabled on the platform.
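The following diagnostic script is an added example, not part of the intel-cmt-cat project: it reads the Secure Boot state from the efivarfs variable, compares the running kernel against the 4.10 threshold above to tell you whether Solution 1 or Solution 2 applies, and reports which key signed a loaded msr module. The efivars path and the `modinfo -F sig_key` field are standard Linux interfaces; everything else is constructed for this page.

```shell
#!/bin/sh
# Added diagnostic for the UEFI Secure Boot page (not intel-cmt-cat's own code).
# efivarfs exposes a UEFI variable as 4 bytes of attributes followed by its data;
# for SecureBoot the data is a single byte, 1 = enabled, 0 = disabled.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state_from_file FILE -> prints enabled|disabled|unknown
secure_boot_state_from_file() {
  [ -r "$1" ] || { echo unknown; return 0; }
  byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
  case $byte in 1) echo enabled;; 0) echo disabled;; *) echo unknown;; esac
}

# kver_ge WANT HAVE -> success if HAVE's major.minor is at least WANT's.
# HAVE may be a full `uname -r` string such as 4.4.0-87-generic.
kver_ge() {
  want=$1 have=$2
  wmaj=${want%%.*}; hmaj=${have%%.*}
  case $want in *.*) wmin=${want#*.}; wmin=${wmin%%.*};; *) wmin=0;; esac
  case $have in *.*) hmin=${have#*.}; hmin=${hmin%%.*};; *) hmin=0;; esac
  hmaj=${hmaj%%[!0-9]*}; hmin=${hmin%%[!0-9]*}   # drop suffixes like "-generic"
  [ "$hmaj" -gt "$wmaj" ] || { [ "$hmaj" -eq "$wmaj" ] && [ "$hmin" -ge "$wmin" ]; }
}

# recommend SB_STATE KVER -> prints which solution from this page applies
recommend() {
  if [ "$1" != enabled ]; then
    echo "secure boot not enabled: the unpatched msr module can be used"
  elif kver_ge 4.10 "$2"; then
    echo "solution 1: initialize the library with the OS interface (perf/resctrl)"
  else
    echo "solution 2: patched msr.ko signed with your MOK"
  fi
}

# diagnose -> runs the checks against the live system (return code always 0)
diagnose() {
  sb=$(secure_boot_state_from_file "$SB_VAR")
  kv=$(uname -r)
  echo "secure boot: $sb, kernel: $kv"
  recommend "$sb" "$kv"
  # if msr is loaded as a module, show which key signed it (empty = unsigned)
  command -v modinfo >/dev/null 2>&1 &&
    modinfo -F sig_key msr 2>/dev/null | sed 's/^/msr module sig_key: /'
  return 0
}

diagnose
```

Run it as root on the target host; on a kernel 4.10 or later with Secure Boot enabled it points you at Solution 1 and no module patching is needed.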