Differences
uefi_secure_boot [2017/11/08 10:14] – [Helpful Information] brot | uefi_secure_boot [2017/11/08 11:05] – brot | ||
Line 4: | Line 4: | ||
* Currently the only protection against EvilMaid attacks. | * Currently the only protection against EvilMaid attacks. | ||
- | * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot | + | * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot |
- | ===== How ==== | + | ===== How ===== |
- | There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub | + | There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub |
- | ==== Current | + | ==== Current |
+ | |||
+ | Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility, | ||
- UEFI | - UEFI | ||
- | - [[https:// | + | - Signed |
- | - Linux Kernel + dracut initrd | + | - Signed BLOB of Kernel + Initrd + Commandline |
- | + | ||
- | + | ||
- | === UEFI === | + | |
- | * Current Hardware: Lenovo T470s | + | |
- | * Starting with SecureBoot disabled | + | |
- | * After the new bootloader and kernel load without checking their signatures, we will tackle that | + | |
- | * However: We will try to sign systemd-boot and the kernel starting from the beginning. | + | |
- | + | ||
- | === systemd-boot === | + | |
- | + | ||
- | * Installed with newer systemd | + | |
- | * on gentoo, the " | + | |
==== Getting there ==== | ==== Getting there ==== | ||
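Review bot: The removed "=== UEFI ===" block was the only place recording the starting state of the setup (Lenovo T470s, Secure Boot disabled, bootloader and kernel first booting without signature checks, signing attempted from the beginning); the rewritten "Current" list should keep that context or say where it moved, since a reader needs to know the page describes a system that starts with verification off. In the new list, "Signed BLOB of Kernel + Initrd + Commandline" is the item that answers the LUKS/initrd concern stated on line 4; one sentence there saying that it is this combined blob whose signature Secure Boot checks, so initrd and command line are no longer separate unsigned files, would make the design clear. Spelling in the added paragraph: "isnt" -> "isn't", "everytime" -> "every time". The "===== How =====" heading fix is correct.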
Line 168: | Line 157: | ||
export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./ | export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./ | ||
</ | </ | ||
+ | |||
+ | The new kernel will then be the next default startup if systemd-boot has the following config | ||
+ | |||
+ | <file / | ||
+ | timeout 3 | ||
+ | default gentoo-* | ||
+ | </ | ||
==== Helpful Information ==== | ==== Helpful Information ==== | ||
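Review bot: The added loader.conf fragment only makes the new kernel "the next default startup" if the generated boot entry files are named so that "default gentoo-*" matches them and the newest kernel sorts first; the paragraph should state the entry file naming convention that the build line above produces, because the dracut command shown does not reveal it. The "<file" block is missing its path in the visible text; name the loader configuration file the snippet belongs in. A sentence noting that "timeout 3" keeps the boot menu reachable, so every listed entry and not only the default must be a signed image for the Secure Boot goal to hold, would also help.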
Line 213: | Line 209: | ||
Taken from https:// | Taken from https:// | ||
- | |||
- | === create obj from initramfs and kernel === | ||
- | < | ||
- | #!/bin/sh | ||
- | |||
- | echo your kernel cmdline > cmdline.txt | ||
- | |||
- | objcopy \ | ||
- | |||
- | --add-section .osrel=/ | ||
- | |||
- | --add-section .cmdline=" | ||
- | |||
- | --add-section .linux="/ | ||
- | |||
- | --add-section .initrd="/ | ||
- | |||
- | linuxx64.efi.stub " | ||
- | </ | ||
=== dependencies (on gentoo) === | === dependencies (on gentoo) === | ||
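Review bot: Removing the "create obj from initramfs and kernel" objcopy script from Helpful Information leaves the page without a recipe for producing the "Signed BLOB of Kernel + Initrd + Commandline" that the first hunk now lists as the current approach (the .osrel, .cmdline, .linux and .initrd sections added around linuxx64.efi.stub); if the script moved to "Getting there", add a link from this section, otherwise restore it. Wherever it lives, the placeholder line "echo your kernel cmdline > cmdline.txt" should carry a note that the command line becomes part of the signed image, so any change to it requires rebuilding and re-signing the blob.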
Line 237: | Line 214: | ||
emerge -av pesign efitools | emerge -av pesign efitools | ||
</ | </ | ||
+ | |||
+ | Also, systemd needs the " | ||
=== More links === | === More links === |
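Review bot: The added sentence 'Also, systemd needs the "' ends at the opening quote in the visible text, so the USE flag it refers to is not stated; complete it with the flag name and what it enables, so that "emerge -av pesign efitools" plus that flag reads as a complete dependency list for the gentoo section.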