Changes

Linux: Secure Boot

1,037 bytes added, 07:57, 6 June 2018
/* Testing */
tree /boot/efi/
 
# You should see the following:
/boot/efi/
├── EFI
├── vmlinuz-4.13.0-1-amd64
└── vmlinuz-4.13.0-1-amd64.sig
2 directories, 8 files
* Reboot once to check that the chain from bootloader to OS works correctly
reboot
 
* Log in as super-user again
su -
== Enable Secure Boot ==
* Install the keys into EFI (PK last, as enrolling it enables Custom Mode and locks out further unsigned changes):
efi-updatevar -f db.auth db
efi-updatevar -f KEK.auth KEK
efi-updatevar -f PK.auth PK
 
* Review installed certificates
efi-readvar
# You should see the following:
Variable PK, length 874
PK: List 0, type X509
Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
Subject:
CN=Your Name PK, O=Your Organisation Name
Issuer:
CN=Your Name PK, O=Your Organisation Name
Variable KEK, length 874
KEK: List 0, type X509
Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
Subject:
CN=Your Name KEK, O=Your Organisation Name
Issuer:
CN=Your Name KEK, O=Your Organisation Name
Variable db, length 874
db: List 0, type X509
Signature 0, size 846, owner 101f003f-a976-4802-bc12-bbb2238fe111
Subject:
CN=Your Name db, O=Your Organisation Name
Issuer:
CN=Your Name db, O=Your Organisation Name
Variable dbx has no entries
Variable MokList has no entries
* From now on, only EFI binaries signed with a key present in db can be loaded
* Reboot
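* After the reboot, confirm that the firmware is actually enforcing what was enrolled. The script below is an added example, not part of this wiki page or of the efitools package: it reads the variables that efivarfs exposes under /sys/firmware/efi/efivars (SecureBoot, SetupMode, PK and KEK under the EFI global variable GUID, db under the image security database GUID) and reports "enforcing" only when Secure Boot is on, Setup Mode is off, and PK, KEK and db all carry data. The EFIVARS override and the verdict strings are conventions of this example.

```shell
#!/bin/sh
# Post-enrollment check (added example, not from the wiki page).
# Reads the firmware variables exposed by efivarfs, which the kernel mounts at
# /sys/firmware/efi/efivars; EFIVARS can be overridden for testing.
# Each efivarfs file = 4 bytes of attribute flags followed by the variable data.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c      # PK, KEK, SecureBoot, SetupMode
EFI_IMAGE_SEC=d719b2cb-3d3a-4596-a3bc-dad00e67656f   # db, dbx

# Print the single data byte of a boolean variable (SecureBoot, SetupMode),
# or "unknown" if the variable is not exposed at all.
efivar_bool() {
    f="$EFIVARS/$1"
    if [ -r "$f" ]; then
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
    else
        echo unknown
    fi
}

# Number of data bytes in a variable (0 if absent). A signature database with
# no entries does not exist as a variable, so its file is simply missing.
efivar_size() {
    f="$EFIVARS/$1"
    if [ -r "$f" ]; then
        echo $(( $(wc -c < "$f") - 4 ))
    else
        echo 0
    fi
}

# Overall verdict: "enforcing" only when SecureBoot=1, SetupMode=0 and
# PK, KEK and db all hold data; otherwise the first problem found.
secure_boot_verdict() {
    [ "$(efivar_bool SecureBoot-$EFI_GLOBAL)" = 1 ] || { echo secure-boot-off; return 1; }
    [ "$(efivar_bool SetupMode-$EFI_GLOBAL)" = 0 ]  || { echo setup-mode; return 1; }
    for v in PK-$EFI_GLOBAL KEK-$EFI_GLOBAL db-$EFI_IMAGE_SEC; do
        [ "$(efivar_size "$v")" -gt 0 ] || { echo "empty-${v%%-*}"; return 1; }
    done
    echo enforcing
}

# Report without aborting, so the functions above can also be sourced elsewhere.
if status=$(secure_boot_verdict); then
    echo "Secure Boot: $status"
else
    echo "Secure Boot NOT enforcing: $status"
fi
```

Run it after the reboot. mokutil --sb-state covers the first two checks; the script adds the key-database presence check. A result of setup-mode means the PK enrollment did not take, and empty-db means nothing signed with your db key will be accepted.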