UEFI Secure Boot
Why
- Currently the only practical protection against Evil Maid attacks on a laptop: the firmware refuses to run a bootloader or kernel that was not signed with a key it trusts.
- LUKS alone is not that useful if someone boots from a USB stick, modifies your initrd in the unencrypted /boot and has it save the passphrase you type into cryptsetup somewhere in /boot.
How
There are multiple ways to get to a Secure Boot Linux, ranging from self-signed EFI-stub kernels booted directly by the UEFI firmware to a full chain UEFI → SHIM → GRUB2 → Linux.
Current Plan
- UEFI
- Linux Kernel + dracut initrd
UEFI
- Current Hardware: Lenovo T470s
- Starting with Secure Boot disabled
- Once the new bootloader and kernel boot without their signatures being checked, we will tackle signing and key enrollment
- However, we will try to sign systemd-boot and the kernel right from the beginning.
- Caveat: Secure Boot only verifies what the firmware itself loads, i.e. systemd-boot and kernel.efi. A separate initramfs.img referenced by the entry's initrd line is loaded by the kernel's EFI stub without a signature check, so to actually cover the initrd (the Evil Maid case above) it has to be bundled into the signed kernel image (a unified image built with the systemd EFI stub, as in Sakaki's guide linked below).
systemd-boot
- Ships with newer versions of systemd
- On Gentoo, the "gnuefi" USE flag is needed so that the systemd-boot components get built and installed
Getting there
<code>
# installing systemd-boot
bootctl --path=/boot/efi/ install

# new EFI-stub kernel
cd /usr/src/linux; make menuconfig   # set EFI stub support (CONFIG_EFI_STUB) to y
make -j6 && make modules_install
cp ./arch/x86/boot/bzImage /boot/efi/kernel.efi
# -H is --hostonly; 4.14.0-rc7 is the kernel version to build the initramfs for
dracut /boot/efi/initramfs.img --force --xz -H 4.14.0-rc7 --omit "i18n" --add-drivers i915

brot-thinkpad-t470s linux # cat /boot/efi/loader/loader.conf
timeout 3
default gentoo

brot-thinkpad-t470s linux # cat /boot/efi/loader/entries/gentoo.conf
title Gentoo
linux /kernel.efi
initrd /initramfs.img
options root=/dev/mapper/cryptroot ro rootflags=subvol=rootfs init=/lib/systemd/systemd rd.luks.allow-discards log_buf_len=4M
</code>
→ Works!
Generating Keys

First try: a self-signed key pair for the PK, with the certificate converted to DER (.cer) as the firmware expects it
<code>
mkdir /root/efi-keys-try1
cd /root/efi-keys-try1
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days 7300 -subj "/CN=Firstname Lastname/"
openssl x509 -in PK.crt -out PK.cer -outform DER
</code>

Dependencies (on gentoo)
<code>
emerge -av pesign efitools
</code>
Note: the sbsign command used below is not part of pesign; on Gentoo it comes from app-crypt/sbsigntools.

Helpful Information
Signing EFI Binaries
<code>
sbsign --key db.priv --cert db.pub --output signed_binary.efi binary.efi
</code>
The signing key has to be the one whose certificate is enrolled in the firmware's db (or, when booting through shim, in the MOK list). PK and KEK only authorize updates to the key databases; they are not used to sign boot binaries.
Taken from: https://docs.slackware.com/howtos:security:enabling_secure_boot
<code>
sbsign --key test-key.rsa --cert test-cert.pem --output grubx64.efi /boot/efi/efi/ubuntu/grubx64.efi
cp /boot/efi/efi/ubuntu/grubx64.efi{,.bak}
cp grubx64.efi /boot/efi/efi/ubuntu/
</code>
Taken from https://wiki.ubuntu.com/UEFI/SecureBoot
Generating own Keys
<code>
openssl genrsa -out test-key.rsa 2048
openssl req -new -x509 -sha256 -subj '/CN=test-key' -key test-key.rsa -out test-cert.pem
openssl x509 -in test-cert.pem -inform PEM -out test-cert.der -outform DER
</code>
Taken from https://wiki.ubuntu.com/UEFI/SecureBoot
The easiest way is to use the x509 CA creation command
<code>
openssl req -new -x509 -newkey rsa:2048 -keyout PK.key -out PK.crt -days <days> -subj "/CN=<my common name>/"
</code>
Will create two files, PK.crt (which is the public certificate we'll use as the UEFI key) and PK.key which is the private signing key (note: the UEFI spec mandates that all X509 keys be 2048 bit rsa keys). Fill in <days> with how long you want the certificate to be valid for and <my common name> with whatever information you want the common name to be (UEFI doesn't use this, but it's customary for every X509 certificate to have at least a common name). We're still not quite done, because the keys must be in DER form. Conversion is done like this
<code>
openssl x509 -in PK.crt -out PK.cer -outform DER
</code>
Note that the .cer extension is what tells UEFI that the file contains an x509 key, so you must use it.
Taken from https://blog.hansenpartnership.com/uefi-secure-boot/
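The DER .cer file is not yet what gets written into PK, KEK or db: the firmware stores those variables as EFI_SIGNATURE_LISTs (the .esl format that efitools' cert-to-efi-sig-list produces, which sign-efi-sig-list then wraps in an authenticated update). The following is an added example for this page, not code from the page or from efitools: it builds an EFI_SIGNATURE_LIST around a DER certificate (or around SHA-256 hashes, the other entry type db commonly holds), parses such lists back, and can dump what the running firmware currently trusts by reading efivarfs. The GUIDs are the ones defined in the UEFI specification; the owner GUID and the certificate bytes used as sample input are constructed placeholders.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs (the .esl format behind PK/KEK/db).

Added example for this page, not code from the page or from efitools.
"""
import struct
import uuid
from pathlib import Path

# Signature type GUIDs from the UEFI spec; stored on disk in mixed-endian (bytes_le) form
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUIDs of the variables as they appear in /sys/firmware/efi/efivars
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK, SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = Path("/sys/firmware/efi/efivars")
# Constructed placeholder for the SignatureOwner field (efitools uses a random one)
SAMPLE_OWNER_GUID = uuid.UUID("0f1e2d3c-4b5a-4978-8a9b-aabbccddeeff")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_ESL_HDR = struct.Struct("<16sIII")


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, signatures: list) -> bytes:
    """Wrap equally sized entries (DER certificates or 32-byte hashes) in one list.
    Each entry becomes an EFI_SIGNATURE_DATA: 16-byte SignatureOwner + data."""
    sizes = {len(s) for s in signatures}
    if len(sizes) != 1:
        raise ValueError("all entries of one EFI_SIGNATURE_LIST must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + s for s in signatures)
    hdr = _ESL_HDR.pack(sig_type.bytes_le, _ESL_HDR.size + len(body), 0, sig_size)
    return hdr + body


def parse_esl(blob: bytes) -> list:
    """Walk a concatenation of EFI_SIGNATURE_LISTs (what PK/KEK/db contain).
    Returns (signature type, owner, data) per entry; raises on malformed input."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        end = off + list_size
        if end > len(blob) or list_size < _ESL_HDR.size + hdr_size:
            raise ValueError(f"bad SignatureListSize at offset {off}")
        start = off + _ESL_HDR.size + hdr_size           # skip the (usually empty) SignatureHeader
        if sig_size <= 16 or (end - start) % sig_size:
            raise ValueError(f"bad SignatureSize at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for p in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((sig_type, owner, blob[p + 16:p + sig_size]))
        off = end
    return entries


def read_efivar(name: str, guid: str):
    """efivarfs prefixes every variable with its 4-byte attribute word; strip it."""
    raw = (EFIVARS / f"{name}-{guid}").read_bytes()
    return struct.unpack_from("<I", raw)[0], raw[4:]


def describe(entries: list) -> list:
    """Human-readable summary: (type name, owner, payload length) per entry."""
    kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    return [(kind.get(t, str(t)), str(o), len(d)) for t, o, d in entries]


if __name__ == "__main__":
    # Constructed stand-in for PK.cer; a real run would use Path("PK.cer").read_bytes()
    fake_der = b"\x30\x82\x01\x00" + b"\xab" * 256
    esl = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER_GUID, [fake_der])
    print("PK.esl would contain:", describe(parse_esl(esl)))
    if EFIVARS.is_dir():   # on a UEFI system: what does the firmware trust right now?
        for name, guid in (("PK", EFI_GLOBAL_VARIABLE_GUID), ("KEK", EFI_GLOBAL_VARIABLE_GUID),
                           ("db", EFI_IMAGE_SECURITY_DATABASE_GUID)):
            try:
                _, data = read_efivar(name, guid)
                print(name, describe(parse_esl(data)))
            except OSError as e:
                print(name, "not readable:", e)
```

Reading db on a machine with the vendor keys still enrolled typically shows several x509 entries (the OEM and Microsoft certificates) and, in dbx, a long run of sha256 entries; after enrolling your own keys in Setup Mode, db should contain exactly the certificate you sign kernel.efi with. The strict size checks in parse_esl matter because a truncated or misaligned list is what the firmware would reject on enrollment.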
More links
- https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html#creatingkeys
- https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot#Testing_Secure_Boot_with_a_Signed_Kernel
- http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
- https://bentley.link/secureboot/