uefi_secure_boot

Differences

This shows you the differences between two versions of the page.

uefi_secure_boot [2017/11/08 10:14] – [Getting there] brotuefi_secure_boot [2018/03/05 13:49] (current) – external edit 127.0.0.1
Line 4: Line 4:
  
   * Currently the only protection against EvilMaid attacks.   * Currently the only protection against EvilMaid attacks.
-    * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot+    * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot
  
-===== How ====+===== How =====
  
-There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub Kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux+There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub kernels, booting directly from UEFI to a chain of UEFI -> SHIM -> GRUB2 -> Linux
  
-==== Current Plan ====+==== Current plan ==== 
 + 
 +Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility, without having to chainload from SHIM to GRUB.
  
   - UEFI    - UEFI 
-  - [[https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/|systemd-boot]] +  - Signed [[https://www.freedesktop.org/wiki/Software/systemd/systemd-boot/|systemd-boot]] 
-  - Linux Kernel + dracut initrd +  - Signed BLOB of Kernel + Initrd + Commandline
- +
- +
-=== UEFI === +
-  * Current Hardware: Lenovo T470s +
-  * Starting with SecureBoot disabled +
-    * After the new bootloader and kernel load without checking their signatures, we will tackle that +
-    * However: We will try to sign systemd-boot and the kernel starting from the beginning. +
- +
-=== systemd-boot === +
- +
-  * Installed with newer systemd +
-    * on gentoo, the "gnuefi" useflag is needed that the systemd-boot stuff is added +
  
 ==== Getting there ==== ==== Getting there ====
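Review bot: the rewritten "Current plan" list names a "Signed systemd-boot" and a "Signed BLOB of Kernel + Initrd + Commandline" but no longer says which key signs them; the removed "UEFI" and "systemd-boot" sub-sections carried the only hints about the setup (hardware, Secure Boot initially disabled, the gentoo "gnuefi" flag), and the later "Creating new kernel" hunk signs with `db.key`/`db.crt`. State in the plan that both EFI binaries are signed with the db key enrolled in the firmware, so the reader sees why the three stages chain together. Minor: "isnt" and "everytime" in the kept/added lines should read "isn't" and "every time".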
Line 84: Line 73:
  
 #create new keys - save the passwords somewhere save, and create a backup of the keys. #create new keys - save the passwords somewhere save, and create a backup of the keys.
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -sha256 
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -sha256 
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -nodes -sha256 +openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -sha256 
  
 #get current state of the key-databases #get current state of the key-databases
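Review bot: dropping `-nodes` from the three `openssl req` lines means PK.key, KEK.key and db.key are now written passphrase-protected, which matches the comment about saving the passwords, but the comment still says "somewhere save" (should be "somewhere safe"), and nothing in the text warns that the single `&&` chain in the "Creating new kernel" hunk, which calls `sbsign --key /root/efi-keys-try1/db.key` non-interactively, will now stop at a passphrase prompt for db.key on every kernel build. Either mention the prompt next to that command line or keep db.key unencrypted and protect it by file permissions instead, and say which you chose.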
Line 164: Line 153:
 === Creating new kernel === === Creating new kernel ===
 Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels.
 +
  
 <code bash> <code bash>
-export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && cp ./kernel-$KVER-signed.efi /boot/efi/+export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && 
 +cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" 
 +--change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" 
 +--change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && 
 +sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && 
 +cp ./kernel-$KVER-signed.efi /boot/efi/ && echo -e "title      Gentoo Linux signed\nversion    $KVER\nlinux      /kernel-$KVER-signed.efi" > /boot/efi/loader/entries/gentoo-$KVER.conf
 </code> </code>
 +
 +The new kernel will then be the next default startup if systemd-boot has the following config
 +
 +<file /boot/efi/loader/loader.conf>
 +timeout 3
 +default gentoo-*
 +</file>
  
 ==== Helpful Information ==== ==== Helpful Information ====
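Review bot: the re-wrapped one-liner in the `<code bash>` block is no longer valid shell: the lines ending in `--add-section .cmdline="./cmdline.txt"`, `--add-section .initrd="./initramfs.img"` and `... kernel-$KVER.efi &&` split the single `objcopy` invocation across four physical lines, but only the breaks after `&&` are legal continuations. The first objcopy line is run on its own (without `.linux`, `.initrd` or the input stub) and the following `--change-section-vma ...` lines are executed as separate commands and fail. Add a trailing `\` to every line that continues the objcopy command, for example:

`objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" \`

or break only at `&&` boundaries as the previous revision did. Also worth a sentence: the added loader entry deliberately has no `options` line because the command line is embedded in the signed blob (`.cmdline` section), which is what keeps the kernel arguments inside the signature.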
Line 214: Line 216:
 Taken from https://blog.hansenpartnership.com/uefi-secure-boot/ Taken from https://blog.hansenpartnership.com/uefi-secure-boot/
  
-=== create obj from initramfs and kernel ===+=== dependencies (on gentoo) ===
 <code> <code>
-#!/bin/sh +emerge -av pesign efitools
- +
-echo your kernel cmdline > cmdline.txt +
- +
-objcopy \ +
- +
-    --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \ +
- +
-    --add-section .cmdline="cmdline.txt" --change-section-vma .cmdline=0x30000 \ +
- +
-    --add-section .linux="/path/to/your/vmlinuz" --change-section-vma .linux=0x40000 \ +
- +
-    --add-section .initrd="/path/to/your/initrd" --change-section-vma .initrd=0x3000000 \ +
- +
-    linuxx64.efi.stub "$1"+
 </code> </code>
  
 +Also, systemd needs the "gnuefi" USE-Flag
  
 === More links === === More links ===
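Review bot: the new "dependencies (on gentoo)" section lists `emerge -av pesign efitools`, but the "Creating new kernel" hunk signs with `sbsign`, which is not provided by either of those packages (it ships in sbsigntools, `app-crypt/sbsigntools` on gentoo); add that package to the emerge line so the documented dependency list actually covers the commands the page runs. The objcopy template removed here is still present inside the one-liner, so nothing is lost, but the line "Also, systemd needs the gnuefi USE-Flag" would read better as part of the dependency `<code>` block or as a bullet rather than a loose sentence after it.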
  • uefi_secure_boot.1510136065.txt.gz
  • Last modified: 2017/11/08 10:14
  • by brot