Differences
uefi_secure_boot [2017/11/03 21:22] – [Helpful Information] brot | uefi_secure_boot [2018/03/05 13:49] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 4: | Line 4: | ||
* Currently the only protection against EvilMaid attacks. | * Currently the only protection against EvilMaid attacks. | ||
- | * LUKS isnt that useful if someone modifies your initrd from an USB-Stick and saves your password for cryptsetup somewhere in /boot | + | * LUKS isnt that useful if someone modifies your initrd from an USB-stick and saves your password for cryptsetup somewhere in /boot |
- | ===== How ==== | + | ===== How ===== |
- | There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub | + | There are multiple ways to get to a SecureBoot Linux. Starting from selfsigned EFI-Stub |
- | ==== Current | + | ==== Current |
+ | |||
+ | Using only EFI-Stub kernels isnt that elegant, because we would need to change the EFI-Boot-Config everytime. So we want a bit more flexibility, | ||
- UEFI | - UEFI | ||
- | - [[https:// | + | - Signed |
- | - Linux Kernel + dracut initrd | + | - Signed BLOB of Kernel + Initrd + Commandline |
+ | ==== Getting there ==== | ||
- | === UEFI === | + | === first steps: new bootloader and EFI-stub-kernel |
- | * Current Hardware: Lenovo T470s | + | |
- | * Starting with SecureBoot disabled | + | |
- | * After the new bootloader and kernel load without checking their signatures, we will tackle that | + | |
- | * However: We will try to sign systemd-boot and the kernel | + | |
- | === systemd-boot === | + | First we will change the bootloader and ensure that we can load an unsigned EFI-Stub-kernel, |
- | * Installed with newer systemd | + | == installing |
- | * on gentoo, the " | + | |
+ | The EFI System Partition (ESP) needs to be mounted, and the efivars need to be readable | ||
- | ==== Getting there ==== | + | < |
- | < | + | |
- | #installing systemd-boot | + | |
bootctl --path=/ | bootctl --path=/ | ||
+ | </ | ||
+ | |||
+ | == New EFI-bootable kernel image == | ||
+ | <code bash> | ||
+ | cd / | ||
+ | make menuconfig | ||
+ | |||
+ | # set CONFIG_EFI_STUB=y | ||
- | #new efi-stub kernel | ||
- | cd / | ||
- | (set efi-stub to y) | ||
make -j6 && make modules_install | make -j6 && make modules_install | ||
+ | cp ./ | ||
+ | |||
+ | #also, new initrd | ||
dracut / | dracut / | ||
+ | </ | ||
- | brot-thinkpad-t470s linux # cat / | + | == Add the new kernel to the systemd-boot list == |
+ | |||
+ | <file bash / | ||
timeout 3 | timeout 3 | ||
default gentoo | default gentoo | ||
- | + | </ | |
- | brot-thinkpad-t470s linux # cat / | + | <file bash / |
title Gentoo | title Gentoo | ||
linux /kernel.efi | linux /kernel.efi | ||
initrd | initrd | ||
options | options | ||
+ | </ | ||
+ | == test the new bootloader and EFI-kernel == | ||
+ | Try to boot the new kernel with systemd-boot. If something goes wrong, you can just use the previous bootloader (in most cases GRUB2) by selecting it in the UEFI boot menu. | ||
+ | |||
+ | === preparing for secure boot: creating keys === | ||
+ | I got most of the commands for the keygeneration and the key-entry from the wonderful [[https:// | ||
+ | |||
+ | == key and signature list generation == | ||
+ | |||
+ | We generate the PK (Plattform Key), KEK (Key Exchange Key) and a DB (Signature Database) certs and keys. The DB will be used to sign our kernel, however, the PK needs to sign the KEK and the KEK will sign the DB key. Also, we get the current keys from EFI and create merged signature lists - so that we can keep the Microsoft Keys if we want to. | ||
+ | |||
+ | <code bash> | ||
+ | mkdir / | ||
+ | |||
+ | #create new keys - save the passwords somewhere save, and create a backup of the keys. | ||
+ | openssl req -new -x509 -newkey rsa:2048 -subj "/ | ||
+ | openssl req -new -x509 -newkey rsa:2048 -subj "/ | ||
+ | openssl req -new -x509 -newkey rsa:2048 -subj "/ | ||
+ | |||
+ | #get current state of the key-databases | ||
+ | efi-readvar -v PK -o old_PK.esl | ||
+ | efi-readvar -v KEK -o old_KEK.esl | ||
+ | efi-readvar -v db -o old_db.esl | ||
+ | |||
+ | #for insertion into the UEFI we need siglists | ||
+ | cert-to-efi-sig-list -g " | ||
+ | sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth | ||
+ | cert-to-efi-sig-list -g " | ||
+ | sign-efi-sig-list -a -k PK.key -c PK.crt KEK KEK.esl KEK.auth | ||
+ | cert-to-efi-sig-list -g " | ||
+ | sign-efi-sig-list -a -k KEK.key -c KEK.crt db db.esl db.auth | ||
+ | |||
+ | #create compound-signature-lists - so that we preserve the Microsoft and OEM Keys. | ||
+ | cat old_KEK.esl KEK.esl > compound_KEK.esl | ||
+ | cat old_db.esl db.esl > compound_db.esl | ||
+ | sign-efi-sig-list -k PK.key -c PK.crt KEK compound_KEK.esl compound_KEK.auth | ||
+ | sign-efi-sig-list -k KEK.key -c KEK.crt db compound_db.esl compound_db.auth | ||
</ | </ | ||
- | === Dependencies (on gentoo) === | + | == changing to setup mode/ |
- | < | + | |
- | emerge | + | Go in the UEFI-Setup, navigate to the Secure Boot settings. There should be a option to either enter "Setup Mode" or "Clear all Keys" - or both. Clearing all keys will automatically enter setup mode. Then, reboot to insert the keys. |
+ | |||
+ | < | ||
+ | # Variant: Keep OEM and Microsoft keys | ||
+ | efi-updatevar -e -f compound_db.esl db | ||
+ | efi-updatevar -e -f compound_KEK.esl KEK | ||
+ | efi-updatevar | ||
</ | </ | ||
- | === Generating Keys === | + | <code bash> |
+ | # Variant: Only own keys | ||
+ | efi-updatevar -e -f db.esl db | ||
+ | efi-updatevar -e -f KEK.esl KEK | ||
+ | efi-updatevar -f PK.auth PK | ||
+ | </ | ||
+ | After the PK has been set, the system should switch to "User Mode" | ||
+ | == building a new kernel and signing it == | ||
+ | Thanks to [[https:// | ||
+ | |||
+ | <code bash> | ||
+ | cd / | ||
+ | dracut ./ | ||
+ | cat / | ||
+ | objcopy --add-section .osrel=/ | ||
+ | sbsign --key db.key --cert db.crt --output / | ||
+ | </ | ||
+ | |||
+ | We need to add this new kernel as a new boot-entry in systemd-boot | ||
+ | |||
+ | <file / | ||
+ | title Kernel signed | ||
+ | linux / | ||
+ | </ | ||
+ | |||
+ | Also, we need to sign the systemd-boot bootloader | ||
+ | |||
+ | <code bash> | ||
+ | #sign the bootloader | ||
+ | cp / | ||
+ | sbsign --key db.key --cert db.crt --output / | ||
+ | </ | ||
+ | |||
+ | Everything should be prepared for the first Secure boot :) | ||
+ | |||
+ | === First secure boot === | ||
+ | Even after the "User Mode" has been enabled, Secure Boot itself should still be disabled. We should change that in the UEFI setup, and try to boot the signed bootloader and the signed kernel-initramfs-blob. If everything works now, good job, you can now secure boot. | ||
+ | |||
+ | :!: **If you have no password for the UEFI setup, Secure Boot can just be disabled. So, for Secure Boot to be effective, set a reasonable safe password for the UEFI Setup.** :!: | ||
+ | |||
+ | === Creating new kernel === | ||
+ | Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. | ||
+ | |||
+ | |||
+ | <code bash> | ||
+ | export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./ | ||
+ | cp / | ||
+ | --change-section-vma .cmdline=0x30000 --add-section .linux=" | ||
+ | --change-section-vma .initrd=0x3000000 / | ||
+ | sbsign --key / | ||
+ | cp ./ | ||
+ | </ | ||
+ | |||
+ | The new kernel will then be the next default startup if systemd-boot has the following config | ||
+ | |||
+ | <file / | ||
+ | timeout 3 | ||
+ | default gentoo-* | ||
+ | </ | ||
==== Helpful Information ==== | ==== Helpful Information ==== | ||
+ | |||
+ | This stuff is copied from other blogs/ | ||
=== Signing EFI Binaries === | === Signing EFI Binaries === | ||
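Review bot: the PK.key and KEK.key private keys created by the three `openssl req` lines are only needed for the enrollment steps (`sign-efi-sig-list` and `efi-updatevar`), while every routine signing step (`sbsign --key db.key --cert db.crt`, and the `Creating new kernel` one-liner) uses db.key alone, so after the PK has been set and the system is in "User Mode" suggest moving PK.key and KEK.key to offline storage and keeping only the passphrase-protected db.key on the signing machine; the text mentions a backup of the keys but not where the live keys should stay. Before enabling Secure Boot in the UEFI setup, re-run `efi-readvar -v db` (already used above for old_db.esl) to confirm the new db certificate is listed next to the preserved OEM and Microsoft entries, so a failed enrollment is caught while the unsigned bootloader can still boot. Minor wording: the comment `#create new keys - save the passwords somewhere save` should read `somewhere safe`.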
Line 71: | Line 182: | ||
Taken from: https:// | Taken from: https:// | ||
+ | |||
+ | < | ||
+ | sbsign --key test-key.rsa --cert test-cert.pem --output grubx64.efi / | ||
+ | cp / | ||
+ | cp grubx64.efi / | ||
+ | </ | ||
+ | |||
+ | Taken from https:// | ||
+ | |||
=== Generating own Keys === | === Generating own Keys === | ||
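Review bot: `test-key.rsa` and `test-cert.pem` read as the upstream example's placeholder names; in this page's own flow the bootloader is signed with `db.key`/`db.crt`, i.e. the certificate that was enrolled in db, so this snippet should say that the key passed to `sbsign` must be the one whose certificate is in db, otherwise the firmware rejects grubx64.efi once Secure Boot is enabled. Consider using `sbsign --output` straight to the final ESP path, as the main section does for systemd-boot, instead of signing into the working directory and then copying.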
Line 95: | Line 215: | ||
Taken from https:// | Taken from https:// | ||
+ | |||
+ | === dependencies (on gentoo) === | ||
+ | < | ||
+ | emerge -av pesign efitools | ||
+ | </ | ||
+ | |||
+ | Also, systemd needs the " | ||
=== More links === | === More links === | ||
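Review bot: `emerge -av pesign efitools` omits the package that provides `sbsign`, which every signing step on this page relies on (sbsigntools, app-crypt/sbsigntools on Gentoo), while pesign is installed but never used in the steps above; suggest `emerge -av efitools sbsigntools` and dropping pesign, or noting what it is needed for. efitools covers `efi-readvar`, `efi-updatevar`, `cert-to-efi-sig-list` and `sign-efi-sig-list`; `objcopy` comes from binutils, which is already present on any Gentoo system.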
Line 102: | Line 229: | ||
http:// | http:// | ||
https:// | https:// | ||
+ | https:// | ||
+ | https:// | ||
+ | http:// | ||
+ | |||