Changes

Jump to: navigation, search

Linux: Secure Boot

513 bytes added, 07:46, 6 June 2018
/* Final steps */
### as result signatures of these files will be created
== Final steps ==
* Replace your existent bootloader with signed one
# find your existent bootloader and make a copy of your existent bootloaderit sudo cp BOOTLOADER=$(find /boot/efi/EFI/boot/bootx64.efi /boot/efi/EFI/boot/bootx64-name "*x64.efi") echo $BOOTLOADER cp $BOOTLOADER $BOOTLOADER".orig"
# place grubx64.efi.signed you've created before as default bootloader
sudo cp grubx64.efi.signed /boot/efi/EFI/boot/bootx64.efi$BOOTLOADER
== Testing ==* Install keys into At this stage you should see the following in your /boot/efi tree /boot/efi/ /boot/efi/ ├── EFI (PK last as it will enable Custom Mode locking out further unsigned changes): sudo │   └── debian │   ├── grubx64.efi │   └── grubx64.efi.orig ├── grub.cfg ├── grub.cfg.sig ├── initrd.img-updatevar -f db4.auth db13.0-1-amd64 sudo efi├── initrd.img-updatevar 4.13.0-f KEK1-amd64.auth KEKsig sudo efi├── vmlinuz-4.13.0-1-amd64 └── vmlinuz-4.13.0-updatevar 1-f PKamd64.auth PKsig
2 directories, 8 files
 
* Reboot once to see if chain from bootloader to the OS works correctly
reboot
* Install keys into EFI (PK last as it will enable Custom Mode locking out further unsigned changes):
efi-updatevar -f db.auth db
efi-updatevar -f KEK.auth KEK
efi-updatevar -f PK.auth PK
* From now on only EFI binaries signed with any db key can be loaded
* Reboot
314
edits