uefi_secure_boot

Differences

This shows you the differences between two versions of the page.

uefi_secure_boot [2017/11/08 10:14] – [Getting there] brot
uefi_secure_boot [2017/11/08 11:07] – [Getting there] brot
Line 4: Line 4:
  
   * Currently the only protection against EvilMaid attacks.   * Currently the only protection against EvilMaid attacks.
-    * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot+    * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot
  
-===== How ====+===== How =====
  
-There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub Kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux+There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux
  
-==== Current Plan ====+==== Current plan ==== 
 + 
 +Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility, without having to chainload from SHIM to GRUB.
  
   - UEFI    - UEFI 
-  - [[https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/|systemd-boot]] +  - Signed [[https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/|systemd-boot]] 
-  - Linux Kernel + dracut initrd +  - Signed BLOB of Kernel + Initrd + Commandline
- +
- +
-=== UEFI === +
-  * Current Hardware: Lenovo T470s +
-  * Starting with SecureBoot disabled +
-    * After the new bootloader and kernel load without checking their signatures, we will tackle that +
-    * However: We will try to sign systemd-boot and the kernel starting from the beginning. +
- +
-=== systemd-boot === +
- +
-  * Installed with newer systemd +
-    * on gentoo, the "gnuefi" useflag is needed that the systemd-boot stuff is added +
  
 ==== Getting there ==== ==== Getting there ====
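Review bot: the new "Current plan" paragraph repeats the missing apostrophes of the bullet above it ("isnt", and "everytime" should be "every time"); while touching it, consider saying why the third list item bundles the command line into the signed blob: with kernel, initrd and command line in one signed EFI image, a single signature covers all three, which is exactly what closes the /boot initrd-tampering hole described under the EvilMaid bullet. The removed "=== UEFI ===" block was the only place the test hardware (Lenovo T470s) and the order of work (start with Secure Boot disabled, then enable it once the signed loader and kernel boot) were recorded; keep at least one sentence of that, and the "gnuefi" USE flag note dropped from "=== systemd-boot ===" belongs next to the systemd-boot list item rather than only at the end of the page.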
Line 164: Line 153:
 === Creating new kernel === === Creating new kernel ===
 Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels.
 +
  
 <code bash> <code bash>
-export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && cp ./kernel-$KVER-signed.efi /boot/efi/+export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && 
 +cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" 
 +--change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" 
 +--change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && 
 +sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && 
 +cp ./kernel-$KVER-signed.efi /boot/efi/ && echo -e "title      Gentoo Linux signed\nversion    $KVER\nlinux      /kernel-$KVER-signed.efi" > /boot/efi/loader/entries/gentoo-$KVER.conf
 </code> </code>
 +
 +The new kernel will then be the next default startup if systemd-boot has the following config
 +
 +<file /boot/efi/loader/loader.conf>
 +timeout 3
 +default gentoo-*
 +</file>
  
 ==== Helpful Information ==== ==== Helpful Information ====
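Review bot: the reflowed command in this hunk no longer works when pasted. Lines ending in `&&` continue on the next line, but the two lines ending in `--add-section .cmdline="./cmdline.txt"` and `--add-section .initrd="./initramfs.img"` end with a space and nothing else, so the shell runs objcopy there and then tries to execute `--change-section-vma ...` as its own command; append ` \` to both lines (or keep the objcopy invocation on one line). Two smaller points: `cp /proc/cmdline ./cmdline.txt` bakes whatever the running kernel was booted with into the new image, including parameters that were only meant for this boot, so a reviewed cmdline.txt kept in the source tree is safer than copying it on every build; and `default gentoo-*` makes systemd-boot pick the highest-sorting matching entry id, so "the next default startup" holds only as long as the entry file names sort in version order, which is worth checking in the boot menu after the first install.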
Line 214: Line 216:
 Taken from https://blog.hansenpartnership.com/uefi-secure-boot/ Taken from https://blog.hansenpartnership.com/uefi-secure-boot/
  
-=== create obj from initramfs and kernel ===+=== dependencies (on gentoo) ===
 <code> <code>
-#!/bin/sh +emerge -av pesign efitools
- +
-echo your kernel cmdline > cmdline.txt +
- +
-objcopy \ +
- +
-    --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \ +
- +
-    --add-section .cmdline="cmdline.txt" --change-section-vma .cmdline=0x30000 \ +
- +
-    --add-section .linux="/path/to/your/vmlinuz" --change-section-vma .linux=0x40000 \ +
- +
-    --add-section .initrd="/path/to/your/initrd" --change-section-vma .initrd=0x3000000 \ +
- +
-    linuxx64.efi.stub "$1"+
 </code> </code>
  
 +Also, systemd needs the "gnuefi" USE-Flag
  
 === More links === === More links ===
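Review bot: the new "dependencies (on gentoo)" section lists pesign and efitools, but the "Creating new kernel" command above signs with `sbsign`, which is shipped by the sbsigntool/sbsigntools package, not by pesign; add that package or replace pesign with it. The section also now sits directly under "Taken from https://blog.hansenpartnership.com/uefi-secure-boot/", which was the attribution for the objcopy script this hunk removes; move that line to the material it still applies to so the emerge command is not credited to that post. The added gnuefi sentence is missing its full stop.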
  • uefi_secure_boot.txt
  • Last modified: 2018/03/05 13:49
  • by 127.0.0.1