Differences

This shows you the differences between two versions of the page.

--- uefi_secure_boot [2017/11/08 10:14] – [Getting there] brot
+++ uefi_secure_boot [2018/03/05 13:49] (current) – external edit 127.0.0.1
@@ Line 4: / Line 4: @@
   * Currently the only protection against EvilMaid attacks.
-    * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot
+    * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot
-===== How ====
+===== How =====
-There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub Kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux
+There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux
-==== Current Plan ====
+==== Current plan ====
+Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility, without having to chainload from SHIM to GRUB.
   - UEFI
-  - [[https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/|systemd-boot]]
+  - Signed [[https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/|systemd-boot]]
-  - Linux Kernel + dracut initrd
+  - Signed BLOB of Kernel + Initrd + Commandline
-=== UEFI ===
-  * Current Hardware: Lenovo T470s
-  * Starting with SecureBoot disabled
-    * After the new bootloader and kernel load without checking their signatures, we will tackle that
-    * However: We will try to sign systemd-boot and the kernel starting from the beginning.
-=== systemd-boot ===
-  * Installed with newer systemd
-    * on gentoo, the "gnuefi" useflag is needed that the systemd-boot stuff is added
 ==== Getting there ====
@@ Line 84: / Line 73: @@
 #create new keys - save the passwords somewhere save, and create a backup of the keys.
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -sha256
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -sha256
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -sha256
 #get current state of the key-databases
@@ Line 164: / Line 153: @@
 === Creating new kernel ===
 Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels.
 <code bash>
-export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && cp ./kernel-$KVER-signed.efi /boot/efi/
+export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && \
+cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" \
+--change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" \
+--change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && \
+sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && \
+cp ./kernel-$KVER-signed.efi /boot/efi/ && echo -e "title      Gentoo Linux signed\nversion    $KVER\nlinux      /kernel-$KVER-signed.efi" > /boot/efi/loader/entries/gentoo-$KVER.conf
 </code>
+The new kernel will then be the next default startup if systemd-boot has the following config
+<file /boot/efi/loader/loader.conf>
+timeout 3
+default gentoo-*
+</file>
 ==== Helpful Information ====
@@ Line 214: / Line 216: @@
 Taken from https://blog.hansenpartnership.com/uefi-secure-boot/
-=== create obj from initramfs and kernel ===
+=== dependencies (on gentoo) ===
 <code>
-#!/bin/sh
+emerge -av pesign efitools
-echo your kernel cmdline > cmdline.txt
-objcopy \
-    --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
-    --add-section .cmdline="cmdline.txt" --change-section-vma .cmdline=0x30000 \
-    --add-section .linux="/path/to/your/vmlinuz" --change-section-vma .linux=0x40000 \
-    --add-section .initrd="/path/to/your/initrd" --change-section-vma .initrd=0x3000000 \
-    linuxx64.efi.stub "$1"
 </code>
+Also, systemd needs the "gnuefi" USE-Flag
 === More links ===