Differences

uefi_secure_boot [2017/11/08 10:14]
brot [Getting there]
uefi_secure_boot [2017/11/08 11:07]
brot [Getting there]
Line 4: Line 4:
  
   * Currently the only protection against EvilMaid attacks.   * Currently the only protection against EvilMaid attacks.
-    * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot+    * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot
  
-===== How ====+===== How =====
  
-There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub ​Kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux+There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub ​kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux
  
-==== Current ​Plan ====+==== Current ​plan ==== 
 + 
 +Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility,​ without having to chainload from SHIM to GRUB.
  
   - UEFI    - UEFI 
-  - [[https://​www.freedesktop.org/​wiki/​Software/​systemd/​systemd-boot/​|systemd-boot]] +  - Signed ​[[https://​www.freedesktop.org/​wiki/​Software/​systemd/​systemd-boot/​|systemd-boot]] 
-  - Linux Kernel + dracut initrd +  - Signed BLOB of Kernel + Initrd + Commandline
- +
- +
-=== UEFI === +
-  * Current Hardware: Lenovo T470s +
-  * Starting with SecureBoot disabled +
-    * After the new bootloader and kernel load without checking their signatures, we will tackle that +
-    * However: We will try to sign systemd-boot and the kernel starting from the beginning. +
- +
-=== systemd-boot === +
- +
-  * Installed with newer systemd +
-    * on gentoo, the "​gnuefi"​ useflag is needed that the systemd-boot stuff is added +
  
 ==== Getting there ==== ==== Getting there ====
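Review bot: the new "Current plan" list (the `Signed systemd-boot` and `Signed BLOB of Kernel + Initrd + Commandline` items) drops the caveat from the removed `=== UEFI ===` block that the machine is currently running with Secure Boot disabled and nothing verifies those signatures yet; keep that status line under the plan, otherwise "Signed" reads as already enforced. The added paragraph also motivates the single blob only by convenience; one sentence should tie it back to the EvilMaid item at the top of the page: because the kernel command line and the initrd live inside the one signed image, neither can be swapped or appended to without invalidating the signature, which is exactly the gap that LUKS alone leaves open. Minor: "isnt" and "everytime" in the added paragraph.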
Line 164: Line 153:
 === Creating new kernel === === Creating new kernel ===
 Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels.
 +
  
 <code bash> <code bash>
-export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./​initramfs.img --force --no-compress -H $KVER --omit "​i18n"​ --add-drivers i915 && cp /​proc/​cmdline ./​cmdline.txt && objcopy --add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="​./​cmdline.txt"​ --change-section-vma .cmdline=0x30000 --add-section .linux="​./​arch/​x86/​boot/​bzImage"​ --change-section-vma .linux=0x40000 --add-section .initrd="​./​initramfs.img"​ --change-section-vma .initrd=0x3000000 /​usr/​lib/​systemd/​boot/​efi/​linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /​root/​efi-keys-try1/​db.key --cert /​root/​efi-keys-try1/​db.crt --output ./​kernel-$KVER-signed.efi ./​kernel-$KVER.efi && mount /boot/efi && cp ./​kernel-$KVER-signed.efi /boot/efi/+export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./​initramfs.img --force --no-compress -H $KVER --omit "​i18n"​ --add-drivers i915 && ​
 +cp /​proc/​cmdline ./​cmdline.txt && objcopy --add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="​./​cmdline.txt" ​
 +--change-section-vma .cmdline=0x30000 --add-section .linux="​./​arch/​x86/​boot/​bzImage"​ --change-section-vma .linux=0x40000 --add-section .initrd="​./​initramfs.img" ​
 +--change-section-vma .initrd=0x3000000 /​usr/​lib/​systemd/​boot/​efi/​linuxx64.efi.stub kernel-$KVER.efi && ​
 +sbsign --key /​root/​efi-keys-try1/​db.key --cert /​root/​efi-keys-try1/​db.crt --output ./​kernel-$KVER-signed.efi ./​kernel-$KVER.efi && mount /boot/efi && ​
 +cp ./​kernel-$KVER-signed.efi /​boot/​efi/ ​&& echo -e "​title ​     Gentoo Linux signed\nversion ​   $KVER\nlinux ​     /​kernel-$KVER-signed.efi"​ > /​boot/​efi/​loader/​entries/​gentoo-$KVER.conf
 </​code>​ </​code>​
 +
 +The new kernel will then be the next default startup if systemd-boot has the following config
 +
 +<file /​boot/​efi/​loader/​loader.conf>​
 +timeout 3
 +default gentoo-*
 +</​file>​
  
 ==== Helpful Information ==== ==== Helpful Information ====
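Review bot: `mount /boot/efi &&` in the split command breaks the chain whenever the ESP is already mounted, because mount then exits non-zero and the `cp` and the loader-entry `echo` are silently skipped; use `mountpoint -q /boot/efi || mount /boot/efi` so a second build on the same boot still publishes the kernel. Two points worth documenting next to the command: the db private key is read from `/root/efi-keys-try1/db.key` on the protected machine itself, so anyone who gets root while the disk is unlocked can sign an image of their own (keep the key offline and only the `.crt` on the box), and `cp /proc/cmdline ./cmdline.txt` bakes whatever parameters the running kernel was booted with into the signed blob, so a one-off debug parameter is frozen into every later kernel unless cmdline.txt is reviewed before the objcopy step. The `default gentoo-*` line in loader.conf resolves the glob by entry name/version order, so the claim that the new kernel "will then be the next default startup" holds only while the new `$KVER` sorts as the newest entry.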
Line 214: Line 216:
 Taken from https://​blog.hansenpartnership.com/​uefi-secure-boot/​ Taken from https://​blog.hansenpartnership.com/​uefi-secure-boot/​
  
-=== create obj from initramfs and kernel ​===+=== dependencies (on gentoo) ​===
 <​code>​ <​code>​
-#!/bin/sh +emerge ​-av pesign efitools
- +
-echo your kernel cmdline > cmdline.txt +
- +
-objcopy \ +
- +
-    ​--add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 \ +
- +
-    --add-section .cmdline="​cmdline.txt"​ --change-section-vma .cmdline=0x30000 \ +
- +
-    --add-section .linux="/​path/​to/​your/​vmlinuz"​ --change-section-vma .linux=0x40000 \ +
- +
-    --add-section .initrd="/​path/​to/​your/​initrd"​ --change-section-vma .initrd=0x3000000 \ +
- +
-    linuxx64.efi.stub "​$1"​+
 </​code>​ </​code>​
  
 +Also, systemd needs the "​gnuefi"​ USE-Flag
  
 === More links === === More links ===
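Review bot: the new "dependencies (on gentoo)" block lists only `pesign efitools`, but the "Creating new kernel" command above signs with `sbsign`, which neither of those packages provides (it ships in sbsigntools); add that package so a reader who installs the listed dependencies can actually run the command. Removing the "create obj from initramfs and kernel" script also removes the only readable statement of the objcopy section layout (`.osrel` at 0x20000, `.cmdline` at 0x30000, `.linux` at 0x40000, `.initrd` at 0x3000000) that the one-liner relies on; either keep the script or put the "Taken from" hansenpartnership link directly beside the one-liner so the offsets do not stand unexplained.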
uefi_secure_boot.txt · Last modified: 2018/03/05 13:49 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International