
This is an old revision of the document!


UEFI Secure Boot

  • Currently the only protection against Evil Maid attacks.
    • LUKS isn't that useful if someone modifies your initrd from a USB stick and saves your cryptsetup password somewhere in /boot.

There are multiple ways to get to a Secure Boot Linux, ranging from a self-signed EFI-stub kernel booted directly by the UEFI firmware to a chain of UEFI → SHIM → GRUB2 → Linux. The chain used here:

  1. UEFI
  2. Linux Kernel + dracut initrd

UEFI

  • Current hardware: Lenovo T470s
  • Starting with Secure Boot disabled
    • Once the new bootloader and kernel boot with signature checking disabled, we will tackle signing.
    • However, we will try to sign systemd-boot and the kernel from the beginning.
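Since the setup starts with Secure Boot disabled, it helps to have a quick check of the firmware's actual state before and after enrolling keys. The following script is an added example, not part of the original notes: it reads the SecureBoot and SetupMode variables that the kernel exposes under efivarfs. The GUID is the standard EFI global variable GUID; the mount point and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: report the firmware's Secure Boot
# state from efivarfs. Each file there starts with 4 attribute bytes followed by
# the variable data; SecureBoot and SetupMode carry a single data byte (1 or 0).
# 8be4df61-... is the standard EFI_GLOBAL_VARIABLE GUID; the mount point is an
# assumption (it is where most distributions mount efivarfs).
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte <file>: print the first data byte (after the 4-byte attribute
# header) as a decimal number; prints nothing if the file is missing or too short
efivar_byte() {
    [ -r "$1" ] || return 0
    dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n'
}

# sb_state <file>: "enabled", "disabled" or "unknown" for a SecureBoot variable file
sb_state() {
    case "$(efivar_byte "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# setup_mode <file>: "setup" means no PK is enrolled yet, so the firmware accepts
# any key enrollment; "user" means a PK is in place and updates must be signed
setup_mode() {
    case "$(efivar_byte "$1")" in
        1) echo setup ;;
        0) echo user ;;
        *) echo unknown ;;
    esac
}

# sb_report: summary for the running machine
sb_report() {
    echo "SecureBoot: $(sb_state "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")"
    echo "SetupMode:  $(setup_mode "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")"
}

sb_report
```

Run it as root (efivarfs files are normally only readable by root) before enrolling keys, where it should report "disabled" and "setup", and again after the PK is in place, where "enabled" and "user" is the state you want to see.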

systemd-boot

  • Installed with newer systemd
    • on gentoo, the "gnuefi" USE flag is needed so that systemd-boot gets built
# installing systemd-boot
bootctl --path=/boot/efi/ install

# new EFI-stub kernel
cd /usr/src/linux; make menuconfig
# enable CONFIG_EFI_STUB=y in menuconfig
make -j6 && make modules_install
cp ./arch/x86/boot/bzImage /boot/efi/kernel.efi
# host-only (-H) initramfs for kernel 4.14.0-rc7, xz-compressed, with the i915 driver added
dracut /boot/efi/initramfs.img --force --xz -H 4.14.0-rc7 --omit "i18n" --add-drivers i915

brot-thinkpad-t470s linux # cat /boot/efi/loader/loader.conf 
timeout 3
default gentoo

brot-thinkpad-t470s linux # cat /boot/efi/loader/entries/gentoo.conf 
title          Gentoo
linux          /kernel.efi
initrd         /initramfs.img
options        root=/dev/mapper/cryptroot ro rootflags=subvol=rootfs init=/lib/systemd/systemd rd.luks.allow-discards log_buf_len=4M

→ Works!

# first attempt at own keys; "Vorname Nachname" (first name, last name) is a placeholder for your own name
mkdir /root/efi-keys-try1
cd /root/efi-keys-try1
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days 7300 -subj "/CN=Vorname Nachname/"
openssl x509 -in PK.crt -out PK.cer -outform DER


Dependencies (on gentoo)
<code>
emerge -av pesign efitools
</code>

Generating Keys

Signing EFI Binaries

sbsign --key db.priv --cert db.pub --output signed_binary.efi binary.efi

Taken from: https://docs.slackware.com/howtos:security:enabling_secure_boot

sbsign --key test-key.rsa --cert test-cert.pem --output grubx64.efi /boot/efi/efi/ubuntu/grubx64.efi
cp /boot/efi/efi/ubuntu/grubx64.efi{,.bak}
cp grubx64.efi /boot/efi/efi/ubuntu/

Taken from https://wiki.ubuntu.com/UEFI/SecureBoot

Generating own Keys

openssl genrsa -out test-key.rsa 2048
openssl req -new -x509 -sha256 -subj '/CN=test-key' -key test-key.rsa -out test-cert.pem
openssl x509 -in test-cert.pem -inform PEM -out test-cert.der -outform DER

Taken from https://wiki.ubuntu.com/UEFI/SecureBoot

The easiest way is to use the x509 CA creation command

openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days <days> -subj "/CN=<my common name>/"

Will create two files, PK.crt (which is the public certificate we’ll use as the UEFI key) and PK.key which is the private signing key (note: the UEFI spec mandates that all X509 keys be 2048 bit rsa keys).  Fill in <days> with how long you want the certificate to be valid for and <my common name> with whatever information you want the common name to be (UEFI doesn’t use this, but it’s customary for every X509 certificate to have at least a common name).  We’re still not quite done, because the keys must be in DER form.  Conversion is done like this

openssl x509 -in PK.crt -out PK.cer -outform DER

Note that the .cer extension is what tells UEFI that the file contains an x509 key, so you must use it.

Taken from https://blog.hansenpartnership.com/uefi-secure-boot/
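The three quoted recipes above (the PK generation at the top of the page, the Ubuntu key and sbsign commands, and the DER conversion from the Hansen post) fit together into one script. The following is an added example and is not code from the page or from the cited sources: it generates PK, KEK and db as self-signed RSA-2048 certificates, writes the .cer copies the firmware expects, and, where efitools and sbsigntools are installed, builds the signed signature lists and signs a binary with the db key. The directory, common name, file names and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or the cited sources: generate the
# three Secure Boot key pairs (PK, KEK, db), convert them to DER, and, when the
# tools are present, build signature lists and sign/verify an EFI binary.
# Directory, common name and file names are assumptions.
set -eu

# gen_sb_keys <dir> <common-name>: create PK, KEK and db key pairs in <dir>
gen_sb_keys() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    for name in PK KEK db; do
        # one self-signed RSA-2048 certificate per key; -nodes leaves the key unencrypted
        openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" \
            -subj "/CN=$cn $name/" 2>/dev/null
        # DER copy with the .cer extension that the firmware's key-enrollment UI looks for
        openssl x509 -in "$dir/$name.crt" -outform DER -out "$dir/$name.cer"
    done
}

# key_bits <cert.crt>: print the RSA modulus size, to check the 2048-bit requirement
key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# make_sig_lists <dir>: wrap each certificate in an EFI_SIGNATURE_LIST and produce
# the signed .auth updates (needs efitools; skipped if it is not installed)
make_sig_lists() {
    dir="$1"
    command -v cert-to-efi-sig-list >/dev/null || { echo "efitools not installed, skipping"; return 0; }
    guid=$(cat /proc/sys/kernel/random/uuid)   # owner GUID recorded in the lists
    echo "$guid" > "$dir/GUID.txt"
    for name in PK KEK db; do
        cert-to-efi-sig-list -g "$guid" "$dir/$name.crt" "$dir/$name.esl"
    done
    # each variable update is signed by the key one level up; PK signs itself
    sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.crt"  PK  "$dir/PK.esl"  "$dir/PK.auth"
    sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.crt"  KEK "$dir/KEK.esl" "$dir/KEK.auth"
    sign-efi-sig-list -k "$dir/KEK.key" -c "$dir/KEK.crt" db  "$dir/db.esl"  "$dir/db.auth"
}

# sign_efi <dir> <in.efi> <out.efi>: sign a PE binary with the db key and verify
# the result against db.crt (needs sbsigntools; skipped if it is not installed)
sign_efi() {
    command -v sbsign >/dev/null || { echo "sbsigntools not installed, skipping"; return 0; }
    sbsign --key "$1/db.key" --cert "$1/db.crt" --output "$3" "$2"
    sbverify --cert "$1/db.crt" "$3"
}

# usage: sh sbkeys.sh /root/efi-keys-try2 "Vorname Nachname" [binary.efi]
if [ "$#" -ge 1 ]; then
    gen_sb_keys "$1" "${2:-secureboot}"
    make_sig_lists "$1"
    [ "$#" -ge 3 ] && sign_efi "$1" "$3" "$3.signed"
fi
```

The signing order in make_sig_lists mirrors the firmware's trust chain: KEK updates must be signed by the PK owner and db updates by a KEK owner, so once PK.auth is enrolled the firmware leaves setup mode and only those signed updates are accepted. The .cer files are what you enroll through the firmware setup menu; the .auth files are for enrolling from Linux with efi-updatevar.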

  • uefi_secure_boot.1509745470.txt.gz
  • Last modified: 2017/11/03 21:44
  • by brot