uefi_secure_boot

Differences

This shows you the differences between two versions of the page.

uefi_secure_boot [2017/11/06 13:57] – [Getting there] brot
uefi_secure_boot [2017/11/08 10:14] – [Helpful Information] brot
Line 30: Line 30:
  
 ==== Getting there ==== ==== Getting there ====
-<code> + 
-#installing systemd-boot+=== first steps: new bootloader and EFI-stub-kernel === 
 + 
 +First we will change the bootloader and ensure that we can load an unsigned EFI-Stub-kernel, then we will create a signable BLOB 
 + 
 +== installing systemd-boot == 
 + 
 +The EFI System Partition (ESP) needs to be mounted, and the efivars need to be readable 
 + 
 +<code bash>
 bootctl --path=/boot/efi/ install bootctl --path=/boot/efi/ install
 +</code>
 +
 +== New EFI-bootable kernel image ==
 +<code bash>
 +cd /usr/src/linux
 +make menuconfig
 +
 +# set CONFIG_EFI_STUB=y
  
-#new efi-stub kernel 
-cd /usr/src/linux; make menuconfig 
-(set efi-stub to y) 
 make -j6 && make modules_install make -j6 && make modules_install
 cp ./arch/x86/boot/bzImage /boot/efi/kernel.efi cp ./arch/x86/boot/bzImage /boot/efi/kernel.efi
 +
 +#also, new initrd
 dracut /boot/efi/initramfs.img --force --xz -H 4.14.0-rc7 --omit "i18n" --add-drivers i915 dracut /boot/efi/initramfs.img --force --xz -H 4.14.0-rc7 --omit "i18n" --add-drivers i915
 +</code>
  
-brot-thinkpad-t470s linux # cat /boot/efi/loader/loader.conf +== Add the new kernel to the systemd-boot list == 
 + 
 +<file bash /boot/efi/loader/loader.conf>
 timeout 3 timeout 3
 default gentoo default gentoo
- +</file> 
-brot-thinkpad-t470s linux # cat /boot/efi/loader/entries/gentoo.conf +<file bash /boot/efi/loader/entries/gentoo.conf>
 title          Gentoo title          Gentoo
 linux          /kernel.efi linux          /kernel.efi
 initrd         /initramfs.img initrd         /initramfs.img
 options        root=/dev/mapper/cryptroot ro rootflags=subvol=rootfs init=/lib/systemd/systemd rd.luks.allow-discards log_buf_len=4M options        root=/dev/mapper/cryptroot ro rootflags=subvol=rootfs init=/lib/systemd/systemd rd.luks.allow-discards log_buf_len=4M
 +</file>
  
-</code>+== test the new bootloader and EFI-kernel == 
 +Try to boot the new kernel with systemd-boot. If something goes wrong, you can just use the previous bootloader (in most cases GRUB2) by selecting it in the UEFI boot menu.
  
--> Funktioniert!+=== preparing for secure boot: creating keys === 
 +I got most of the commands for the keygeneration and the key-entry from the wonderful [[https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot|Sakaki's EFI Install Guide]] - which is really good and explains what is going on in great depth. Look at his page if you want to know the details.
  
-<code> +=key and signature list generation ==
-mkdir /root/efi-keys-try1 +
-cd /root/efi-keys-try1 +
-openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days 7300 -subj "/CN=Vorname Nachname/" +
-openssl x509 -in PK.crt -out PK.cer -outform DER +
-(... insert gentoo efi secureboot keygeneration and key-enroll )+
  
 +We generate the PK (Plattform Key), KEK (Key Exchange Key) and a DB (Signature Database) certs and keys. The DB will be used to sign our kernel, however, the PK needs to sign the KEK and the KEK will sign the DB key. Also, we get the current keys from EFI and create merged signature lists - so that we can keep the Microsoft Keys if we want to.
  
 +<code bash>
 +mkdir /etc/efikeys; chmod 400 /etc/efikeys; cd /etc/efikeys
  
-brot-thinkpad-t470s linux # dracut /root/initramfs-signed.img --force --no-compress -H 4.14.0-rc7 --omit "i18n" --add-drivers i915 +#create new keys save the passwords somewhere save, and create a backup of the keys. 
-brot-thinkpad-t470s efi-keys-try1 # cat /proc/cmdline > cmdline.txt+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/-keyout PK.key -out PK.crt -days 3650 -nodes -sha256 
 +openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256 
 +openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -nodes -sha256 
  
 +#get current state of the key-databases
 +efi-readvar -v PK -o old_PK.esl
 +efi-readvar -v KEK -o old_KEK.esl
 +efi-readvar -v db -o old_db.esl 
  
-brot-thinkpad-t470s efi-keys-try1 # objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="/usr/src/linux/arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="/root/efi-keys-try1/initramfs-signed.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel.efi+#for insertion into the UEFI we need siglists 
 +cert-to-efi-sig-list -g "$(uuidgen)" PK.crt PK.esl 
 +sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth 
 +cert-to-efi-sig-list -"$(uuidgen)KEK.crt KEK.esl 
 +sign-efi-sig-list --k PK.key -c PK.crt KEK KEK.esl KEK.auth 
 +cert-to-efi-sig-list -"$(uuidgen)" db.crt db.esl 
 +sign-efi-sig-list -a -k KEK.key -c KEK.crt db db.esl db.auth 
  
-brot-thinkpad-t470s efi-keys-try1 # sbsign --key db.key --cert db.crt --output /boot/efi/kernel-signed.efi kernel.efi+#create compound-signature-lists so that we preserve the Microsoft and OEM Keys. 
 +cat old_KEK.esl KEK.esl > compound_KEK.esl 
 +cat old_db.esl db.esl > compound_db.esl 
 +sign-efi-sig-list -k PK.key -c PK.crt KEK compound_KEK.esl compound_KEK.auth 
 +sign-efi-sig-list -k KEK.key -c KEK.crt db compound_db.esl compound_db.auth  
 +</code> 
 + 
 +== changing to setup mode/clearing the keys and inserting keys == 
 + 
 +Go in the UEFI-Setup, navigate to the Secure Boot settingsThere should be a option to either enter "Setup Mode" or "Clear all Keys" - or both. Clearing all keys will automatically enter setup mode. Then, reboot to insert the keys.
  
-brot-thinkpad-t470s efi-keys-try1 # sbsign --key db.key --cert db.crt --output systemd-bootx64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi.bak+<code bash> 
 +# Variant: Keep OEM and Microsoft keys 
 +efi-updatevar --f compound_db.esl db 
 +efi-updatevar --f compound_KEK.esl KEK  
 +efi-updatevar -f PK.auth PK 
 </code> </code>
  
-=== Dependencies (on gentoo) === +<code bash
-<code> +# Variant: Only own keys 
-emerge -av pesign efitools+efi-updatevar -e -f db.esl db 
 +efi-updatevar -e -f KEK.esl KEK  
 +efi-updatevar -f PK.auth PK 
 </code> </code>
  
-=== Generating Keys ===+After the PK has been set, the system should switch to "User Mode"
  
  
 +== building a new kernel and signing it ==
 +Thanks to [[https://bentley.link/secureboot/|Matthew Bentley's blog]], i have found the objtool method of combining the kernel, initramfs and options into one large blob which can be signed.
  
 +<code bash>
 +cd /usr/src/linux
 +dracut ./initramfs.img --force --no-compress -H 4.14.0-rc8 --omit "i18n" --add-drivers i915
 +cat /proc/cmdline > cmdline.txt
 +objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel.efi
 +sbsign --key db.key --cert db.crt --output /boot/efi/kernel-signed.efi kernel.efi
 +</code>
 +
 +We need to add this new kernel as a new boot-entry in systemd-boot
 +
 +<file /boot/efi/loader/entries/gentoo-signed.conf>
 +title          Kernel signed
 +linux          /kernel-signed.efi
 +</file>
 +
 +Also, we need to sign the systemd-boot bootloader
 +
 +<code bash>
 +#sign the bootloader
 +cp /boot/efi/EFI/systemd/systemd-bootx64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi.org
 +sbsign --key db.key --cert db.crt --output /boot/efi/EFI/systemd/systemd-bootx64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi.org
 +</code>
 +
 +Everything should be prepared for the first Secure boot :) 
 +
 +=== First secure boot ===
 +Even after the "User Mode" has been enabled, Secure Boot itself should still be disabled. We should change that in the UEFI setup, and try to boot the signed bootloader and the signed kernel-initramfs-blob. If everything works now, good job, you can now secure boot.
 +
 +:!: **If you have no password for the UEFI setup, Secure Boot can just be disabled. So, for Secure Boot to be effective, set a reasonable safe password for the UEFI Setup.** :!:
 +
 +=== Creating new kernel ===
 +Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels.
 +
 +<code bash>
 +export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && cp ./kernel-$KVER-signed.efi /boot/efi/
 +</code>
  
 ==== Helpful Information ==== ==== Helpful Information ====
 +
 +This stuff is copied from other blogs/Websites, and has been of use.
  
 === Signing EFI Binaries === === Signing EFI Binaries ===
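Review bot: several of the added commands in the key-generation and enrolment blocks will fail as typed, so the procedure cannot be followed verbatim. In `openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/-keyout PK.key ...` the subject string is missing its closing quote; `cert-to-efi-sig-list -"$(uuidgen)KEK.crt KEK.esl` and the db line two lines below it should read `cert-to-efi-sig-list -g "$(uuidgen)" KEK.crt KEK.esl` (and `... db.crt db.esl`); `sign-efi-sig-list --k PK.key -c PK.crt KEK KEK.esl KEK.auth` should use `-k`; and in the "Keep OEM and Microsoft keys" variant `efi-updatevar --f compound_db.esl db` and `efi-updatevar --f compound_KEK.esl KEK` need `-e -f`, because the compound files are plain signature lists, not .auth files (the signed compound_KEK.auth and compound_db.auth produced just before are otherwise never used; in setup mode the .esl form is sufficient). Three smaller points: `-nodes` writes the PK, KEK and db private keys unencrypted, so the comment about saving the passwords does not apply and should either be dropped or the flag removed; `chmod 400 /etc/efikeys` takes the search bit off a directory, `700` is the intended mode; and the one-liner under "Creating new kernel" signs with `/root/efi-keys-try1/db.key` and `db.crt` although the keys were generated into /etc/efikeys. On the design itself, embedding cmdline.txt into the signed blob and leaving `options` out of gentoo-signed.conf is the right call, since with Secure Boot on the systemd stub uses the embedded .cmdline rather than loader options; once the signed entry boots, the unsigned /kernel.efi entry and the systemd-bootx64.efi.org copy on the ESP serve no purpose, and loader.conf should also set `editor no` so the built-in editor cannot be used to alter the command line of any remaining entry.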
Line 147: Line 233:
 </code> </code>
  
 +=== dependencies (on gentoo) ===
 +<code>
 +emerge -av pesign efitools
 +</code>
  
 === More links === === More links ===
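Review bot: the dependency block `emerge -av pesign efitools` does not match the tools the procedure actually calls. `efi-readvar`, `efi-updatevar`, `cert-to-efi-sig-list` and `sign-efi-sig-list` do come from efitools, but `sbsign` is provided by sbsigntools (app-crypt/sbsigntools on Gentoo), not by pesign, which is a different signing tool that is never invoked anywhere on this page; `objcopy` is binutils, dracut comes from sys-kernel/dracut, and `bootctl` together with `/usr/lib/systemd/boot/efi/linuxx64.efi.stub` is only present when systemd is built with its bootloader component (the gnuefi USE flag at the time of this revision). Suggest `emerge -av app-crypt/efitools app-crypt/sbsigntools sys-kernel/dracut` plus a sentence about the systemd USE flag, and dropping pesign unless it is intended for something outside this page.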
  • uefi_secure_boot.txt
  • Last modified: 2018/03/05 13:49
  • by 127.0.0.1