Differences
This shows you the differences between two versions of the page.
uefi_secure_boot [2017/11/08 10:14] – [Getting there] brot | uefi_secure_boot [2017/11/08 11:07] – [Getting there] brot | ||
---|---|---|---|
Line 4: | Line 4: | ||
* Currently the only protection against EvilMaid attacks. | * Currently the only protection against EvilMaid attacks. | ||
- | * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot | + | * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot |
- | ===== How ==== | + | ===== How ===== |
- | There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub | + | There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub |
- | ==== Current | + | ==== Current |
+ | |||
+ | Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility, | ||
- UEFI | - UEFI | ||
- | - [[https:// | + | - Signed |
- | - Linux Kernel + dracut initrd | + | - Signed BLOB of Kernel + Initrd + Commandline |
- | + | ||
- | + | ||
- | === UEFI === | + | |
- | * Current Hardware: Lenovo T470s | + | |
- | * Starting with SecureBoot disabled | + | |
- | * After the new bootloader and kernel load without checking their signatures, we will tackle that | + | |
- | * However: We will try to sign systemd-boot and the kernel starting from the beginning. | + | |
- | + | ||
- | === systemd-boot === | + | |
- | + | ||
- | * Installed with newer systemd | + | |
- | * on gentoo, the " | + | |
==== Getting there ==== | ==== Getting there ==== | ||
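Review bot: the new intro line in this hunk ("Using only EFI-Stub kernels isnt that elegant ... everytime") and the unchanged "selfsigned" line carry spelling slips that should read "isn't", "every time" and "self-signed". More important, the new list item "Signed BLOB of Kernel + Initrd + Commandline" does not say why the command line belongs inside the signed image; given that the page's motivation is the Evil Maid / tampered-initrd case, one sentence stating that a separately stored, unsigned command line is the same kind of unprotected input as an unsigned initrd would make the design choice clear. The removed lines "Starting with SecureBoot disabled" and "After the new bootloader and kernel load without checking their signatures, we will tackle that" were the only place that spelled out the order of work (get the chain booting first, enable enforcement last); either keep that ordering note here or say where under "Getting there" it is covered.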
Line 164: | Line 153: | ||
=== Creating new kernel === | === Creating new kernel === | ||
Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. | Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. | ||
+ | |||
<code bash> | <code bash> | ||
- | export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./ | + | export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./ |
+ | cp / | ||
+ | --change-section-vma .cmdline=0x30000 --add-section .linux=" | ||
+ | --change-section-vma .initrd=0x3000000 / | ||
+ | sbsign --key / | ||
+ | cp ./ | ||
</ | </ | ||
+ | |||
+ | The new kernel will then be the next default startup if systemd-boot has the following config | ||
+ | |||
+ | <file / | ||
+ | timeout 3 | ||
+ | default gentoo-* | ||
+ | </ | ||
==== Helpful Information ==== | ==== Helpful Information ==== | ||
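Review bot: the new command line in "Creating new kernel" goes straight from `sbsign --key ...` to `cp ...` with no check in between, so a failed signing step or a wrong key would only show up as a refused boot; suggest inserting `sbverify --cert <db-cert>.pem <signed image>` before the copy to the ESP. The section addresses that are visible (`--change-section-vma .cmdline=0x30000`, `--change-section-vma .initrd=0x3000000`) agree with the layout the systemd EFI stub expects, but the `.linux` address, the `cp` source and destination and the `sbsign --key` path are cut off in this rendering and cannot be checked. Also, `default gentoo-*` in the new loader.conf fragment only makes the new kernel the default if its entry sorts as the newest; the text captures `KVER` with `make kernelversion` but never shows it in the output name, so the entry naming scheme should be stated.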
Line 214: | Line 216: | ||
Taken from https:// | Taken from https:// | ||
- | === create obj from initramfs and kernel | + | === dependencies (on gentoo) |
< | < | ||
- | #!/bin/sh | + | emerge |
- | + | ||
- | echo your kernel cmdline > cmdline.txt | + | |
- | + | ||
- | objcopy \ | + | |
- | + | ||
- | | + | |
- | + | ||
- | --add-section .cmdline=" | + | |
- | + | ||
- | --add-section .linux="/ | + | |
- | + | ||
- | --add-section .initrd="/ | + | |
- | + | ||
- | linuxx64.efi.stub " | + | |
</ | </ | ||
+ | Also, systemd needs the " | ||
=== More links === | === More links === |
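Review bot: after this hunk the unchanged context line "Taken from https://..." directly precedes the new "dependencies (on gentoo)" heading and the `emerge` line, so the attribution now points at content that was not taken from that source; move the attribution next to what was actually borrowed or drop it. The removed objcopy script (with `cmdline.txt`, the `.cmdline`, `.linux` and `.initrd` sections and `linuxx64.efi.stub`) was the only place the page explained that the command line is read from a file into the `.cmdline` section; since the "Creating new kernel" hunk above now carries a one-line objcopy call whose paths are cut off, one sentence there stating where the command line file comes from is worth keeping. The `emerge` package list and the USE flag in "Also, systemd needs the ..." are truncated in this rendering and cannot be verified.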