Verify Secure Boot Feature on OCI Compute Shielded Instances

Introduction

Secure boot is a Unified Extensible Firmware Interface (UEFI) feature that prevents unauthorized boot loaders and operating systems from booting. Secure boot validates the signature of each signed boot component before it runs, to prevent rootkits, bootkits, and unauthorized software from executing before the operating system loads. Boot components that are not properly signed are not allowed to run, so the system does not boot. This tutorial will guide you through the tasks to verify the secure boot feature on Oracle Cloud Infrastructure (OCI) Compute shielded instances.

Objectives

Prerequisites

Task 1: Verify Secure Boot Status in the Shielded Instance

Run the following command to check secure boot status.

sudo mokutil --sb-state

You can see secure boot is enabled.

SecureBoot enabled

Task 2: Set Up the Environment in the Shielded Instance

  1. Create a directory for the kernel module.

    mkdir ~/secureboot
    cd ~/secureboot
    
  2. Create the kernel module source file named unauthorised_module.c with the following content.

    #include <linux/module.h>
    #include <linux/kernel.h>
    
    static int __init unauthorised_module_init(void) {
        printk(KERN_INFO "Unauthorised module loaded\n");
        return 0;
    }
    
    static void __exit unauthorised_module_exit(void) {
        printk(KERN_INFO "Unauthorised module unloaded\n");
    }
    
    module_init(unauthorised_module_init);
    module_exit(unauthorised_module_exit);
    
    MODULE_LICENSE("GPL");
    MODULE_DESCRIPTION("Unauthorised module");
    MODULE_AUTHOR("Vishak");
    
  3. Create a Makefile named Makefile with the following content.

    obj-m += unauthorised_module.o
    
    all:
            make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
    
    clean:
            make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
    

    Note: Ensure that the lines under all: and clean: are indented with a tab and not spaces.

Task 3: Build the Kernel Module

Run the following command to build the kernel module.

make

This will compile the unauthorised_module.c file and produce unauthorised_module.ko.

(Optional) Handle Compiler Compatibility Issues:

If you encounter GCC Toolset version mismatch errors, resolve them with the following steps.

  1. Install the GCC Toolset.

    sudo yum install gcc-toolset-11
    
  2. Enable the GCC Toolset.

    scl enable gcc-toolset-11 bash
    

Task 4: Load the Unsigned Kernel Module

  1. Run the following command to load the kernel module.

    sudo insmod unauthorised_module.ko
    

    If secure boot is enabled and functioning correctly, you should see the following error.

    insmod: ERROR: could not insert module unauthorised_module.ko: Key was rejected by service
    
  2. Check kernel messages for secure boot enforcement.

    (dmesg -T | grep -i "secure boot"; dmesg -T | tail -5) | less
    

    Look for messages indicating that secure boot prevented the module from loading.

    [Wed Jul 10 14:00:41 2024] secureboot: Secure boot enabled
    [Wed Jul 10 14:00:41 2024] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
    [Wed Jul 24 14:34:51 2024] Loading of unsigned module is rejected
    
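The manual checks in Task 1 and Task 4 as one pass/fail script. This is an added example, not part of the Oracle tutorial; it assumes mokutil, insmod, rmmod and dmesg are installed, that unauthorised_module.ko was built in the current directory, and the function names are the example's own.

```shell
# Added example, not part of the Oracle tutorial: turns Tasks 1 and 4 into a
# pass/fail check. Assumes mokutil, insmod, rmmod and dmesg are installed and
# that unauthorised_module.ko was built in the current directory (Tasks 2-3).

# Classify one line of `mokutil --sb-state` output; 0 = enabled, 1 = anything else.
sb_state_enabled() {
    case "$1" in
        "SecureBoot enabled") return 0 ;;
        *) return 1 ;;
    esac
}

# Read dmesg lines on stdin and print one of: enforced | lockdown_only | none.
# "enforced" means the kernel reported both EFI Secure Boot lockdown and the
# rejection of an unsigned module, the pair of messages Task 4 expects.
classify_dmesg() {
    lockdown=0; rejected=0
    while IFS= read -r line; do
        case "$line" in
            *"Kernel is locked down from EFI Secure Boot mode"*) lockdown=1 ;;
            *"Loading of unsigned module is rejected"*) rejected=1 ;;
        esac
    done
    if [ "$lockdown" = 1 ] && [ "$rejected" = 1 ]; then echo enforced
    elif [ "$lockdown" = 1 ]; then echo lockdown_only
    else echo none
    fi
}

# Constructed sample mirroring the Task 4 output, for offline testing.
SAMPLE_DMESG='[Wed Jul 10 14:00:41 2024] secureboot: Secure boot enabled
[Wed Jul 10 14:00:41 2024] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[Wed Jul 24 14:34:51 2024] Loading of unsigned module is rejected'

# Live check: passes only when secure boot is on, insmod fails, and dmesg
# shows the rejection. If the unsigned module loads, it is unloaded again.
verify_secureboot() {
    state=$(sudo mokutil --sb-state 2>/dev/null)
    sb_state_enabled "$state" || { echo "FAIL: secure boot not enabled ($state)"; return 1; }
    if sudo insmod ./unauthorised_module.ko 2>/dev/null; then
        echo "FAIL: unsigned module loaded; secure boot is not enforcing"
        sudo rmmod unauthorised_module
        return 1
    fi
    result=$(dmesg -T | classify_dmesg)
    [ "$result" = enforced ] || { echo "FAIL: insmod failed but dmesg shows '$result'"; return 1; }
    echo "PASS: unsigned module rejected under EFI Secure Boot lockdown"
}
```

Source the file and call verify_secureboot on the shielded instance; the function returns non-zero on any of the three failure conditions, so it can be used directly in automation.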

Next Steps

In this tutorial, we have successfully verified the functionality of secure boot on your Oracle Linux shielded instance by attempting to load an unsigned kernel module and observing the system response. This confirms that secure boot is active and functioning as expected, enhancing the security of your cloud environment. The advantage of secure boot is that it ensures only trusted and signed software is loaded during the boot process, protecting your instance from malicious or unauthorized code and thereby maintaining the integrity of your system.

In the next tutorial of this series, we will explore additional security features and testing methods for OCI instances.
