Linux: Secure Boot

2,004 bytes added, 14:35, 20 September 2018
su -
apt update
apt install -y openssl gnupg gpg sbsigntool uuid-runtime tree
# Package efitools must be compiled and installed manually because the Debian repository contains the old 1.4.2 version:
apt build-dep -y efitools
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$CN db, O=$O/" -keyout db.key -out db.crt -days 7300 -nodes -sha256
 
* Convert the public part of the keys to the ESL format understood by UEFI
UUID=$(uuidgen --random)
cert-to-efi-sig-list -g $UUID db.crt db.esl
 
* Sign ESL files
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
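The ESL layout that cert-to-efi-sig-list -g $UUID produces (and that efi-readvar later reports as "length 874 ... size 846, owner ...") can be checked by hand. The Python below is an added example, not code from the original article or from efitools: it builds and parses EFI_SIGNATURE_LIST structures, using the owner GUID shown on this page and 830 placeholder bytes in place of a real DER certificate.

```python
import struct
import uuid

# UEFI spec: SignatureType GUID for a list of DER-encoded X.509 certificates
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")
OWNER_LEN = 16  # every EFI_SIGNATURE_DATA entry starts with its SignatureOwner GUID
SAMPLE_OWNER = uuid.UUID("101f003f-a976-4802-bc12-bbb2238fe111")  # owner GUID shown on this page

def build_esl(owner, der_cert, sig_type=EFI_CERT_X509_GUID):
    """Wrap one DER certificate the way cert-to-efi-sig-list -g <owner> does:
    a single list holding a single EFI_SIGNATURE_DATA entry and no signature header."""
    sig_size = OWNER_LEN + len(der_cert)
    header = ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der_cert

def parse_esl(data):
    """Walk concatenated EFI_SIGNATURE_LISTs (an .esl file, or a raw PK/KEK/db variable)
    and return one dict per signature; inconsistent sizes raise instead of being guessed."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        body = list_size - ESL_HEADER.size - hdr_size
        if body < 0 or off + list_size > len(data):
            raise ValueError("SignatureListSize exceeds the data at offset %d" % off)
        if sig_size <= OWNER_LEN or body % sig_size:
            raise ValueError("list body is not a whole number of EFI_SIGNATURE_DATA entries")
        start = off + ESL_HEADER.size + hdr_size
        for i in range(body // sig_size):
            s = start + i * sig_size
            entries.append({"type": uuid.UUID(bytes_le=sig_type),
                            "owner": uuid.UUID(bytes_le=data[s:s + OWNER_LEN]),
                            "size": sig_size,  # the "size" efi-readvar prints per signature
                            "data": data[s + OWNER_LEN:s + sig_size]})
        off += list_size
    return entries

def is_well_formed(data):
    """True if the whole blob parses as consistent EFI_SIGNATURE_LISTs."""
    try:
        parse_esl(data)
        return True
    except ValueError:
        return False

def sample_db_esl():
    """Constructed stand-in for db.esl: 830 placeholder bytes instead of a real DER cert."""
    return build_esl(SAMPLE_OWNER, b"\x30" * 830)
```

Run parse_esl() over db.esl (or over /sys/firmware/efi/efivars contents with the 4-byte attribute prefix stripped) to confirm the owner GUID and certificate size before installing the variables.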
 
* At this stage you are ready to sign the GRUB EFI binary and add it to the list of binaries allowed by Secure Boot
* Create initial GRUB configuration script grub.init.cfg
EFI_UUID=$(lsblk -f | grep -i efi | grep -E -o "[A-Z0-9]{4}-[A-Z0-9]{4}")
GRUB_PASSWORD="Your GRUB password"
GRUB_PASSWORD_HASH=$(echo -e "$GRUB_PASSWORD\n$GRUB_PASSWORD" | grub-mkpasswd-pbkdf2 | grep -o "grub.*")
 
cat > grub.init.cfg << EOF
set check_signatures=enforce
reboot
EOF
### as a result, grub.init.cfg will be created
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Your Name
Name-Comment: Compulab LTD
Name-Email: your.name@address.com
Expire-Date: 0
Passphrase: "$GPG_PASSWORD"
# Do a commit here, so that we can later print "done" :-)
%commit
%echo done
EOF
gpg --batch --gen-key gpg.batch.file 2>&1 | tee gpg.log
GPG_KEY=$(cat gpg.log | grep -o "gpg: key [0-9A-Z]* marked as ultimately trusted" | awk '{ print $3 }')
echo GPG_KEY=$GPG_KEY
gpg --export $GPG_KEY > gpg.key
* Sign grub.init.cfg with your GPG key
export GPG_TTY=$(tty)
# you will be required to enter the value of GPG_PASSWORD manually
# without GPG_TTY, gpg fails with: gpg: signing failed: Inappropriate ioctl for device
# https://github.com/keybase/keybase-issues/issues/2798
echo -e "$GPG_PASSWORD" | gpg --yes --default-key $GPG_KEY --detach-sign grub.init.cfg
### as a result, grub.init.cfg.sig will be created
search search_fs_file search_fs_uuid search_label sleep tar terminal verify video_fb"
grub-mkstandalone -d /usr/lib/grub/x86_64-efi -O x86_64-efi --modules "$MODULES" --pubkey gpg.key --output grubx64.efi boot/grub/grub.cfg=grub.init.cfg boot/grub/grub.cfg.sig=grub.init.cfg.sig -v
### as a result, grubx64.efi will be created
* Sign grubx64.efi with your db key
sbsign --key db.key --cert db.crt grubx64.efi
### as a result, grubx64.efi.signed will be created; it will be your bootloader
== Prepare signed grub.cfg, kernel and initrd on the EFI partition ==
* Mount your EFI partition to /boot/efi if not mounted yet
[ "$(mount | grep /boot/efi)" ] || mount /dev/disk/by-uuid/$EFI_UUID /boot/efi
* Create grub.cfg on the EFI partition
KERNEL_VERSION=$(uname -r)
}
EOF
### as a result, grub.cfg will be created; please review it
cp /boot/vmlinuz-$KERNEL_VERSION /boot/efi/
cp /boot/initrd.img-$KERNEL_VERSION /boot/efi/
* Sign grub.cfg, kernel and initrd with your GPG key
gpg --default-key "$GPG_KEY" --detach-sign /boot/efi/vmlinuz-$KERNEL_VERSION
gpg --default-key "$GPG_KEY" --detach-sign /boot/efi/initrd.img-$KERNEL_VERSION
### as a result, signatures of these files will be created
== Final steps ==
* Replace your existing bootloader with the signed one
# find your existing bootloader and make a copy of it
BOOTLOADER=$(find /boot/efi/EFI/ -name "*x64.efi")
# check the output: it must name exactly one file
echo $BOOTLOADER
cp $BOOTLOADER $BOOTLOADER".orig"
# place grubx64.efi.signed you've created before as the default bootloader
sudo cp grubx64.efi.signed $BOOTLOADER
== Testing ==
* At this stage you should see the following in your /boot/efi
tree /boot/efi/
 
# You should see the following:
/boot/efi/
├── EFI
│   └── debian
│       ├── grubx64.efi
│       └── grubx64.efi.orig
├── grub.cfg
├── grub.cfg.sig
├── initrd.img-4.13.0-1-amd64
├── initrd.img-4.13.0-1-amd64.sig
├── vmlinuz-4.13.0-1-amd64
└── vmlinuz-4.13.0-1-amd64.sig
2 directories, 8 files
 
* Reboot once to see whether the chain from the bootloader to the OS works correctly
reboot
 
* Login as super-user again
su -
 
== Enable Secure Boot ==
* Install keys into EFI (PK last as it will enable Custom Mode locking out further unsigned changes):
sudo efi-updatevar -f db.auth db
sudo efi-updatevar -f KEK.auth KEK
sudo efi-updatevar -f PK.auth PK
* The EFI variables may be immutable (i-flag in lsattr output) in recent kernels (e.g. 4.5.4). Use chattr -i to make them mutable again if you can't update the variables with the commands above:
chattr -i /sys/firmware/efi/efivars/{PK,KEK,db,dbx}-*
* Review installed certificates
efi-readvar
 
# You should see the following:
Variable PK, length 874
PK: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name PK, O=Your Organisation Name
        Issuer:
            CN=Your Name PK, O=Your Organisation Name
Variable KEK, length 874
KEK: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name KEK, O=Your Organisation Name
        Issuer:
            CN=Your Name KEK, O=Your Organisation Name
Variable db, length 874
db: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name db, O=Your Organisation Name
        Issuer:
            CN=Your Name db, O=Your Organisation Name
Variable dbx has no entries
Variable MokList has no entries
* From now on only EFI binaries signed with any db key can be loaded
reboot
== See also ==
Original article: [https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd Secure Boot with GRUB 2 and signed Linux images and initrds]
[[category:software]][[category:Application notes]][[category:fitlet2]]