Differences

uefi_secure_boot [2017/11/08 10:14]
brot [Getting there]
uefi_secure_boot [2017/11/08 11:05]
brot
Line 4: Line 4:
  
   * Currently the only protection against EvilMaid attacks.   * Currently the only protection against EvilMaid attacks.
-    * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot+    * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot
  
-===== How ====+===== How =====
  
-There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub ​Kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux+There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub ​kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux
  
-==== Current ​Plan ====+==== Current ​plan ==== 
 + 
 +Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility,​ without having to chainload from SHIM to GRUB.
  
   - UEFI    - UEFI 
-  - [[https://​www.freedesktop.org/​wiki/​Software/​systemd/​systemd-boot/​|systemd-boot]] +  - Signed ​[[https://​www.freedesktop.org/​wiki/​Software/​systemd/​systemd-boot/​|systemd-boot]] 
-  - Linux Kernel + dracut initrd +  - Signed BLOB of Kernel + Initrd + Commandline
- +
- +
-=== UEFI === +
-  * Current Hardware: Lenovo T470s +
-  * Starting with SecureBoot disabled +
-    * After the new bootloader and kernel load without checking their signatures, we will tackle that +
-    * However: We will try to sign systemd-boot and the kernel starting from the beginning. +
- +
-=== systemd-boot === +
- +
-  * Installed with newer systemd +
-    * on gentoo, the "​gnuefi"​ useflag is needed that the systemd-boot stuff is added +
  
 ==== Getting there ==== ==== Getting there ====
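Review bot: the new plan step "Signed BLOB of Kernel + Initrd + Commandline" does not say why the command line has to be inside the signed image, and that is the security-relevant part of this revision. Suggest one sentence after the list: parameters handed over by the loader at boot time are not covered by any signature, so a signed kernel whose command line can still be edited from the boot menu leaves the same /boot-tampering gap the page opens with (the EvilMaid and modified-initrd bullets at Line 4); embedding .cmdline and .initrd in the signed PE is what closes it. It would also help to state which key signs both systemd-boot and the unified image: the build line further down signs with the db key ("--key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt"), so the plan should mention that the firmware must have that certificate enrolled in db, otherwise "Signed" in both steps has nothing to be verified against.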
Line 168: Line 157:
 export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./​initramfs.img --force --no-compress -H $KVER --omit "​i18n"​ --add-drivers i915 && cp /​proc/​cmdline ./​cmdline.txt && objcopy --add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="​./​cmdline.txt"​ --change-section-vma .cmdline=0x30000 --add-section .linux="​./​arch/​x86/​boot/​bzImage"​ --change-section-vma .linux=0x40000 --add-section .initrd="​./​initramfs.img"​ --change-section-vma .initrd=0x3000000 /​usr/​lib/​systemd/​boot/​efi/​linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /​root/​efi-keys-try1/​db.key --cert /​root/​efi-keys-try1/​db.crt --output ./​kernel-$KVER-signed.efi ./​kernel-$KVER.efi && mount /boot/efi && cp ./​kernel-$KVER-signed.efi /boot/efi/ export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./​initramfs.img --force --no-compress -H $KVER --omit "​i18n"​ --add-drivers i915 && cp /​proc/​cmdline ./​cmdline.txt && objcopy --add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="​./​cmdline.txt"​ --change-section-vma .cmdline=0x30000 --add-section .linux="​./​arch/​x86/​boot/​bzImage"​ --change-section-vma .linux=0x40000 --add-section .initrd="​./​initramfs.img"​ --change-section-vma .initrd=0x3000000 /​usr/​lib/​systemd/​boot/​efi/​linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /​root/​efi-keys-try1/​db.key --cert /​root/​efi-keys-try1/​db.crt --output ./​kernel-$KVER-signed.efi ./​kernel-$KVER.efi && mount /boot/efi && cp ./​kernel-$KVER-signed.efi /boot/efi/
 </​code>​ </​code>​
 +
 +The new kernel will then be the next default startup if systemd-boot has the following config
 +
 +<file /​boot/​efi/​loader/​loader.conf>​
 +timeout 3
 +default gentoo-*
 +</​file>​
  
 ==== Helpful Information ==== ==== Helpful Information ====
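Review bot: the new loader.conf line "default gentoo-*" does not match the file the build line actually installs, "cp ./kernel-$KVER-signed.efi /boot/efi/". systemd-boot only auto-enumerates unified images placed under EFI/Linux/ on the ESP and identifies them by file name, so an image copied to the ESP root is neither listed nor matched by a gentoo-* pattern, and the claim that the new kernel "will then be the next default startup" only holds if the copy target becomes something like /boot/efi/EFI/Linux/gentoo-$KVER.efi (or the pattern is changed to match kernel-*). A second point in the same line: "cp /proc/cmdline ./cmdline.txt" freezes whatever the running kernel was booted with into the signed image, including anything typed into the loader's editor on that particular boot, so a mistaken or experimental parameter gets signed and becomes permanent; a cmdline file kept in the tree and reviewed before signing is the safer input.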
Line 214: Line 210:
 Taken from https://​blog.hansenpartnership.com/​uefi-secure-boot/​ Taken from https://​blog.hansenpartnership.com/​uefi-secure-boot/​
  
-=== create obj from initramfs and kernel ​===+=== dependencies (on gentoo) ​===
 <​code>​ <​code>​
-#!/bin/sh +emerge ​-av pesign efitools
- +
-echo your kernel cmdline > cmdline.txt +
- +
-objcopy \ +
- +
-    ​--add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 \ +
- +
-    --add-section .cmdline="​cmdline.txt"​ --change-section-vma .cmdline=0x30000 \ +
- +
-    --add-section .linux="/​path/​to/​your/​vmlinuz"​ --change-section-vma .linux=0x40000 \ +
- +
-    --add-section .initrd="/​path/​to/​your/​initrd"​ --change-section-vma .initrd=0x3000000 \ +
- +
-    linuxx64.efi.stub "​$1"​+
 </​code>​ </​code>​
  
 +Also, systemd needs the "​gnuefi"​ USE-Flag
  
 === More links === === More links ===
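Review bot: the new dependencies block "emerge -av pesign efitools" omits the package that provides sbsign, which the build line in the Getting there section relies on ("sbsign --key ... --cert ... --output ./kernel-$KVER-signed.efi"); neither pesign nor efitools ships the sbsign binary, it comes from sbsigntools (app-crypt/sbsigntools on Gentoo, app-crypt/sbsigntool in older trees). Suggest adding it to the emerge line, and listing dracut and binutils (for objcopy) as well if the intent is a complete dependency list, since the objcopy wrapper script removed in this hunk was the last place those tools were spelled out separately.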
uefi_secure_boot.txt · Last modified: 2018/03/05 13:49 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International