Linux: Secure Boot

2,067 bytes added, 14:35, 20 September 2018
# as a result, signatures of these files will be created
== Final steps ==
* Replace your existing bootloader with the signed one
# find your existing bootloader and make a copy of it
BOOTLOADER=$(find /boot/efi/EFI/ -name "*x64.efi")
echo $BOOTLOADER
sudo cp $BOOTLOADER $BOOTLOADER".orig"
# place the grubx64.efi.signed you created before as the default bootloader
sudo cp grubx64.efi.signed $BOOTLOADER
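The two steps above are easy to get wrong on a machine whose ESP holds more than one loader, or when the step is re-run after a failed boot and the only copy of the unsigned loader gets overwritten by the backup step. The script below is an added example (not from the original page or from Debian/GRUB) that performs the same find, backup and replace, but refuses to proceed unless exactly one `*x64.efi` is found and never clobbers an existing `.orig`. The ESP path and the signed image name are parameters; the `*x64.efi` search pattern and the `.orig` suffix are taken from the steps above.

```sh
#!/bin/sh
# Added example: replace the ESP bootloader with the signed GRUB image while
# keeping a backup of the original. Assumes, like the page's find command,
# that the loader to replace is the single *x64.efi below $esp/EFI and that
# the backup is named <loader>.orig.
#
# usage: replace_bootloader /boot/efi grubx64.efi.signed

replace_bootloader() {
    esp="$1"        # ESP mount point, e.g. /boot/efi
    signed="$2"     # signed image produced earlier, e.g. grubx64.efi.signed

    [ -f "$signed" ] || { echo "signed image '$signed' not found" >&2; return 1; }

    # Collect candidates; refuse to guess when there is not exactly one,
    # otherwise a stray bootx64.efi or grubx64.efi could be replaced blindly.
    candidates=$(find "$esp/EFI" -name '*x64.efi' 2>/dev/null)
    count=$(printf '%s\n' "$candidates" | grep -c . | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one *x64.efi under $esp/EFI, found $count:" >&2
        printf '%s\n' "$candidates" >&2
        return 1
    fi
    bootloader=$candidates

    # Never overwrite an existing backup: it is the only way back to the
    # unsigned loader if the signed one fails to boot.
    if [ -e "$bootloader.orig" ]; then
        echo "backup $bootloader.orig already exists, refusing to overwrite" >&2
        return 1
    fi
    cp "$bootloader" "$bootloader.orig" || return 1
    cp "$signed" "$bootloader" || return 1
    echo "installed $signed as $bootloader (backup: $bootloader.orig)"
}
```

Run it as root once the signed image has been produced; if it reports more than one candidate, decide by hand which loader the firmware actually boots before replacing anything.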
== Testing ==
* At this stage you should see the following in your /boot/efi
tree /boot/efi/
 
# You should see the following:
/boot/efi/
├── EFI
│   └── debian
│       ├── grubx64.efi
│       └── grubx64.efi.orig
├── grub.cfg
├── grub.cfg.sig
├── initrd.img-4.13.0-1-amd64
├── initrd.img-4.13.0-1-amd64.sig
├── vmlinuz-4.13.0-1-amd64
└── vmlinuz-4.13.0-1-amd64.sig

2 directories, 8 files
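Eyeballing the tree works once, but the same layout has to hold after every kernel or GRUB update, because GRUB will refuse to load any of these files without a valid `.sig` beside it. The function below is an added example (not from the original page) that checks the layout shown above mechanically and goes one step beyond it: it also flags a file that is newer than its signature, which is what a re-installed kernel or a regenerated grub.cfg looks like before it is re-signed. The ESP path is a parameter; the file name patterns (`grub.cfg`, `vmlinuz-*`, `initrd.img-*`) are those in the tree above.

```sh
#!/bin/sh
# Added example: verify that every boot artifact on the ESP has a matching
# and up-to-date detached signature. Prints the number of problems on stdout
# (one line per problem on stderr) and returns non-zero if there are any.
#
# usage: check_signatures /boot/efi

check_signatures() {
    esp="$1"
    problems=0
    for f in "$esp"/grub.cfg "$esp"/vmlinuz-* "$esp"/initrd.img-*; do
        [ -f "$f" ] || continue                  # pattern matched nothing
        case "$f" in *.sig) continue ;; esac     # the signatures themselves
        if [ ! -f "$f.sig" ]; then
            echo "MISSING: $f.sig" >&2           # e.g. a freshly installed kernel
            problems=$((problems + 1))
        elif [ "$f" -nt "$f.sig" ]; then
            echo "STALE: $f is newer than $f.sig, re-sign it" >&2
            problems=$((problems + 1))
        fi
    done
    echo "$problems"
    [ "$problems" -eq 0 ]
}
```

Presence and freshness are only a first sanity check; the signatures are ultimately verified by GRUB at boot against the key it was built with, which is what the reboot in the next step exercises.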
 
* Reboot once to check that the chain from the bootloader to the OS works correctly
reboot
 
* Log in as super-user again
su -
 
== Enable Secure Boot ==
* Install keys into EFI (PK last as it will enable Custom Mode locking out further unsigned changes):
sudo efi-updatevar -f db.auth db
sudo efi-updatevar -f KEK.auth KEK
sudo efi-updatevar -f PK.auth PK

* The EFI variables may be immutable (i-flag in lsattr output) in recent kernels (e.g. 4.5.4). Use chattr -i to make them mutable again if you can't update the variables with the commands above:
chattr -i /sys/firmware/efi/efivars/{PK,KEK,db,dbx}-*

* Review installed certificates
efi-readvar

# You should see the following:
Variable PK, length 874
PK: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name PK, O=Your Organisation Name
        Issuer:
            CN=Your Name PK, O=Your Organisation Name
Variable KEK, length 874
KEK: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name KEK, O=Your Organisation Name
        Issuer:
            CN=Your Name KEK, O=Your Organisation Name
Variable db, length 874
db: List 0, type X509
    Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
        Subject:
            CN=Your Name db, O=Your Organisation Name
        Issuer:
            CN=Your Name db, O=Your Organisation Name
Variable dbx has no entries
Variable MokList has no entries

* From now on only EFI binaries signed with any db key can be loaded
reboot
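Because writing PK is the step that locks the key store, the three efi-updatevar calls above are only safe in the order shown, and a failure half-way (a missing `.auth` file, or an immutable efivars entry) should stop the sequence before PK rather than after it. The script below is an added example (not from the original page or from efitools) that encodes that ordering, clears the immutable attribute on each variable's efivars file the way the chattr line above does, and checks that all three `.auth` files exist before touching anything. The efivars path and the `.auth` file names come from the page; `EFIVARS`, `UPDATEVAR` and `CHATTR` are variables of this example so the sequence can be dry-run with stand-in commands, and default to the real ones.

```sh
#!/bin/sh
# Added example: enrol db, KEK and PK with efi-updatevar in the only safe
# order, stopping before PK if anything goes wrong. Not part of efitools.
#
# usage (as root, in the directory holding db.auth KEK.auth PK.auth): enroll_keys

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}   # assumed default, as on the page
UPDATEVAR=${UPDATEVAR:-efi-updatevar}            # overridable for a dry run
CHATTR=${CHATTR:-chattr}                         # overridable for a dry run

# Clear the immutable flag on the efivars file backing one variable, if the
# variable exists at all (before enrolment there may be nothing to clear).
make_mutable() {
    for path in "$EFIVARS/$1"-*; do
        [ -e "$path" ] || continue
        $CHATTR -i "$path" || return 1
    done
    return 0
}

enroll_keys() {
    # Refuse to start unless all three .auth files are present: enrolling db
    # and KEK and then failing on PK would leave a half-configured platform.
    for var in db KEK PK; do
        [ -f "$var.auth" ] || { echo "$var.auth missing, nothing written" >&2; return 1; }
    done
    # db and KEK first, PK last: writing PK is what locks out further
    # unauthenticated changes, so it must be the final successful write.
    for var in db KEK PK; do
        make_mutable "$var" || { echo "could not make $var mutable, stopped" >&2; return 1; }
        if ! $UPDATEVAR -f "$var.auth" "$var"; then
            if [ "$var" = PK ]; then
                echo "writing PK failed; db and KEK are enrolled, key store not yet locked" >&2
            else
                echo "writing $var failed; stopped before PK, key store not yet locked" >&2
            fi
            return 1
        fi
        echo "$var enrolled"
    done
}
```

After a successful run, review the result with efi-readvar exactly as above before rebooting: once PK is in place, correcting a wrong db entry means going back through the firmware's own key management.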
== See also ==
Original article: [https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd Secure Boot with GRUB 2 and signed Linux images and initrds]

[[category:software]][[category:Application notes]][[category:fitlet2]]