Linux-UNIX: Signing and enrolling a locally built K-TAP

Use the following procedure to sign and enroll a signing key on any database server that requires secure boot and uses a locally built K-TAP. The Guardium® key must be enrolled on the server before you install S-TAP®.

Before you begin

If your site uses secure boot and you want to use a local K-TAP build, you can use the kernelModuleSigning.sh script to sign the locally built K-TAP module before you install S-TAP and K-TAP. The kernelModuleSigning.sh script helps automate upgrading or installing a new K-TAP.
To check whether secure boot is enabled on the server, run the following command:
mokutil --sb-state
Response:
  • Secure boot disabled - The procedure is not needed.
  • Secure boot enabled - Complete this procedure to enroll the Guardium key.
Note: If kernelModuleSigning.sh is not included as part of your S-TAP package, then download kernelModuleSigning.sh from Fix Central.

Procedure

  1. If your company already has a public/private signing key, use that signing key. If you do not already have a signing key, use the following example to generate one.
    Enter the following code.
    cat <<EOF >signfile.config
    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3
    string_mask = utf8only
    prompt = no
    [ req_distinguished_name ]
    O = <Key - Example>
    CN = Secure Boot Signing
    emailAddress = <example@yourcompany.com>
    
    [ v3 ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid
    basicConstraints = critical,CA:FALSE
    keyUsage = digitalSignature
    extendedKeyUsage = codeSigning
    
    EOF
    Note: Replace the organization (O) and emailAddress lines with your own information.
    openssl req -config ./signfile.config -new -x509 -newkey rsa:4096 -nodes -days 3650 -outform DER -keyout signfile.priv -out signfile.der
    openssl x509 -inform der -in signfile.der -text -noout > signfile.crt
  2. Use mokutil to enroll your new key in the secure boot cache on the database server, and follow the prompts (mokutil asks you to set an enrollment password that you need again after the reboot).
    For example:
    mokutil --import ./signfile.der
  3. Verify that you have access to the system console.
  4. Restart the system when possible.
    1. During the start-up process, press any key when the system returns the following prompt, Press any key to perform MOK management.
    2. Under Perform MOK Management, select Enroll MOK.
    3. Click View key to see the certificate details, and then press Enter (or choose Continue).
    4. At the system prompt Enroll the key(s)?, click Yes.
    5. Enter the enrollment password (the password that you set with the mokutil --import command in step 2).
    6. Select Reboot.
  5. Proceed with your standard shell or bundle S-TAP fresh installation. You might need to upgrade afterward. When the installation starts, an error that is similar to the following displays:
    <13>Dec  5 16:25:37 guard_ktap_loader: Custom module ktap-112810-rhel-8-linux-x86_64-xCUSTOMxrh8u5x64t-4.18.0-372.26.1.el8_6.x86_64-x86_64-SMP.ko built for kernel 4.18.0-372.26.1.el8_6.x86_64.
    <13>Dec  5 16:25:46 guard_ktap_loader: Cannot install ktap at this time, please contact IBM.
    Could not start KTAP
    <13>Dec  5 16:25:46 guard_ktap_loader: ktap module is not loaded at this time.
  6. Don't panic! Run the kernelModuleSigning.sh utility on the database server where the S-TAP is running. Follow the instructions that display on the screen to sign your locally built K-TAP module (ktap*xCUSTOM*.ko) with the public and private signing keys.
    After the module is signed, the script walks you through the next steps to finish the installation.

Results

Enter the following code to confirm that the key is available in the system keyring:
cat /proc/keys | grep -i <key_word_of_key>
A successful response is similar to the following example:
# cat /proc/keys | grep -i 'Key-Example'
0c113cc5 I------     1 perm 1f010000     0     0 asymmetri Key-Example: Secure Boot Signing: 6c0351ef68bb6fdd1d24501d461008d98d13b3ca: X509.rsa 8d13b3ca []
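The following script is an added example and is not part of the IBM documentation or of the kernelModuleSigning.sh utility. It bundles the checks a practitioner wants after finishing the procedure and the Results step above: whether secure boot makes the enrollment necessary, whether the K-TAP module file actually carries an appended kernel module signature, whether that signature was made with the certificate you enrolled, and whether the key is present in the kernel keyring. The parsing functions take text so they can be exercised offline with the constructed sample data included; the verify_ktap_signing wrapper at the bottom runs mokutil, modinfo and openssl on a real host. It assumes the module carries a PKCS#7 signature, so that modinfo reports the signing certificate's serial number in its sig_key field, and that the key subject string you pass (the organization from signfile.config) appears in the /proc/keys description.

```shell
#!/bin/sh
# Added example: post-procedure checks for a locally built, self-signed K-TAP
# module on a secure boot host. Not part of the IBM documentation or of
# kernelModuleSigning.sh. Assumption: the module signature is PKCS#7, so
# `modinfo` prints the signing certificate's serial number as sig_key.

# Classify `mokutil --sb-state` output: needed / not-needed / unknown.
sb_procedure_status() {
    s=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' \t')
    case "$s" in
        *secureboot*enabled*)  printf 'needed' ;;
        *secureboot*disabled*) printf 'not-needed' ;;
        *)                     printf 'unknown' ;;
    esac
}

# Normalise a hex identifier so colon-separated modinfo output, openssl's
# "serial=..." line and bare hex compare equal.
normalize_hex() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ': \t\n' | tr 'A-Z' 'a-z'
}

# A signed kernel module ends with the 28-byte marker
# "~Module signature appended~\n"; an unsigned build does not.
module_has_signature_trailer() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "~Module signature appended~" ]
}

# Extract the signer serial from `modinfo` text (empty if unsigned).
module_signer_serial() {
    normalize_hex "$(printf '%s\n' "$1" | sed -n 's/^sig_key:[[:space:]]*//p' | head -n 1)"
}

# $1: modinfo text, $2: output of `openssl x509 -noout -serial` on your cert.
# Succeeds only when the module was signed with that certificate.
module_signed_by_cert() {
    mod_serial=$(module_signer_serial "$1")
    cert_serial=$(normalize_hex "$2")
    [ -n "$mod_serial" ] && [ "$mod_serial" = "$cert_serial" ]
}

# $1: /proc/keys text, $2: subject fragment (e.g. the O= value). Succeeds when
# an asymmetric key whose description contains the fragment is enrolled.
keyring_has_key() {
    printf '%s\n' "$1" | grep -i 'asymmetri' | grep -Fiq -- "$2"
}

# Constructed sample data (hypothetical serial, keyring line shaped like the
# Results example above) so the functions can be exercised offline.
SAMPLE_MODINFO='filename:       /tmp/ktap-example-xCUSTOM.ko
sig_id:         PKCS#7
signer:         Secure Boot Signing
sig_key:        0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
sig_hashalgo:   sha256'
SAMPLE_CERT_SERIAL='serial=0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D'
SAMPLE_KEYS='0c113cc5 I------     1 perm 1f010000     0     0 asymmetri Key-Example: Secure Boot Signing: 6c0351ef68bb6fdd1d24501d461008d98d13b3ca: X509.rsa 8d13b3ca []'

# Live run on the database server (needs root, mokutil, modinfo, openssl).
# Usage: verify_ktap_signing /path/to/ktap-xCUSTOM.ko ./signfile.der 'Key-Example'
verify_ktap_signing() {
    ko=$1; der=$2; subject=$3
    echo "secure boot: $(sb_procedure_status "$(mokutil --sb-state 2>&1)")"
    if module_has_signature_trailer "$ko"; then
        echo "module: signature trailer present"
    else
        echo "module: NOT signed"
    fi
    if module_signed_by_cert "$(modinfo "$ko")" \
                             "$(openssl x509 -inform der -in "$der" -noout -serial)"; then
        echo "module: signed by $der"
    else
        echo "module: signer does NOT match $der"
    fi
    if keyring_has_key "$(cat /proc/keys)" "$subject"; then
        echo "keyring: $subject enrolled"
    else
        echo "keyring: $subject NOT enrolled (key will not load under secure boot)"
    fi
}
```

Running verify_ktap_signing after step 6 gives a quick defender's view of the three things that must all be true for the module to load: the file is signed, the signer is your certificate, and that certificate is in the MOK-backed keyring. A module that shows a trailer but a non-matching serial was signed with some other key, which is the situation the "Cannot install ktap at this time" error in step 5 leaves you in.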