Add support for secure boot

Open anatol opened this issue 4 years ago • 5 comments

Add a way to generate booster-based unified images that get signed with a key. Such final images could be used for machines configured with secure boot.

For reference, here is the secure boot implementation from the mkinitcpio project: https://github.com/archlinux/mkinitcpio/commit/f40bb42577284083adaf1edca2f05300badb78b2

anatol, Oct 12 '21 15:10

It turned out to be pretty easy to do this with sbupdate; it takes care of generating the EFI Unified Kernel Image, with firmware included, and then signing it using sbsign.

This sbupdate.conf takes initrd images in /boot made with mkinitcpio as well as booster for both linux and linux-zen kernels, and puts everything in /efi:

```bash
KEY_DIR=/etc/efi-keys
ESP_DIR=/efi
OUT_DIR=
SPLASH=/dev/null
BACKUP=5
CMDLINE_DEFAULT='root=/dev/mapper/crypt_root resume=/dev/mapper/crypt_swap rw'

CONFIGS=(['linux']='archlinux archlinux-fallback archlinux-booster'
         ['linux-zen']='archlinux-zen archlinux-zen-fallback archlinux-zen-booster')

INITRD=(['archlinux']='/boot/initramfs-linux.img'
        ['archlinux-fallback']='/boot/initramfs-linux-fallback.img'
        ['archlinux-booster']='/boot/booster-linux.img'
        ['archlinux-zen']='/boot/initramfs-linux-zen.img'
        ['archlinux-zen-fallback']='/boot/initramfs-linux-zen-fallback.img'
        ['archlinux-zen-booster']='/boot/booster-linux-zen.img')

CMDLINE=(['archlinux-booster']='root=/dev/disk/by-label/luks_root resume=/dev/disk/by-label/luks_swap rw'
         ['archlinux-zen-booster']='root=/dev/disk/by-label/luks_root resume=/dev/disk/by-label/luks_swap rw')

EXTRA_SIGN=('/efi/shellx64-signed.efi')
```

j0057, Oct 13 '21 19:10

This is great news, @j0057. I like the way this EFI generation is decoupled from initramfs generation. Does the sbupdate hook take care of ordering, i.e. does it wait for booster-initramfs.img to be generated first and only then build/sign the EFI binary?

Are there any sbupdate equivalents in the Arch community repo? If not, should sbupdate be moved to [community] so people would be able to use it with less effort?

anatol, Oct 13 '21 19:10

I think pacman hooks are run alphabetically, so 90-booster-install.hook and 90-mkinitcpio-install.hook run before 95-sbupdate.hook. All of these trigger when /usr/lib/*/vmlinuz is installed or upgraded.

There is foxboron/sbctl, which is already in [community] and also does key management tasks; sbupdate just assumes you generated and enrolled the keys some other way. The hook file is installed as 99-sbctl.hook.

j0057, Oct 13 '21 21:10
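
The hook ordering discussed in the comment above, as an added example that is not part of the thread or of the booster, sbupdate or sbctl code: a check that the signing hook sorts after the hooks that build the initramfs, so the signed image never embeds a stale initrd. The function names `hook_order` and `signer_runs_last` are hypothetical, the sample hook files are constructed, and the ordering rule is an assumption stated in the comments.

```shell
#!/bin/sh
# Added example (not from the thread): does the signing hook run after the
# hooks that build the initramfs? Only file names are inspected.
# Assumption: hooks run in byte-wise alphabetical order of file name with the
# .hook suffix ignored, and a same-named hook in another directory replaces,
# rather than duplicates, the entry.

# hook_order DIR...: print effective hook names (suffix stripped) in run order.
hook_order() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.hook; do
            [ -e "$f" ] && basename "$f" .hook
        done
    done | LC_ALL=C sort -u
}

# signer_runs_last SIGNER GENERATOR_REGEX DIR...
# 0: every hook matching GENERATOR_REGEX sorts before SIGNER
# 1: a generator sorts after SIGNER (the signed image would embed a stale initrd)
# 2: SIGNER is not installed in any of the directories
signer_runs_last() {
    signer=${1%.hook}; pattern=$2; shift 2
    order=$(hook_order "$@")
    printf '%s\n' "$order" | grep -qxF -- "$signer" || return 2
    late=$(printf '%s\n' "$order" |
        awk -v s="$signer" -v pat="$pattern" 'seen && $0 ~ pat { print } $0 == s { seen = 1 }')
    if [ -n "$late" ]; then
        printf '%s runs before: %s\n' "$signer" "$late" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the hook names from the thread, as empty files.
demo=$(mktemp -d)
touch "$demo/90-booster-install.hook" "$demo/90-mkinitcpio-install.hook" \
      "$demo/95-sbupdate.hook"
if signer_runs_last 95-sbupdate.hook 'booster|mkinitcpio' "$demo"; then
    echo "95-sbupdate runs after the initramfs hooks"
fi
rm -rf "$demo"
```

On an installed system the directories to pass are the ones pacman reads hooks from, typically `/usr/share/libalpm/hooks` and `/etc/pacman.d/hooks`.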

Has sbctl been successfully used with booster and grub?

dkwo, Oct 15 '21 08:10

Ok, perhaps it is simpler to just drop grub here..

dkwo, Oct 15 '21 08:10

I'm against this, in favor of letting external tools do it instead, as currently sbctl and systemd-ukify are able to create unified kernel images.

For instance, we could just have a shell script similar to regenerate_images that generates the bundle/UKI.

c3Ls1US, Sep 21 '23 17:09

Unified kernel images are considered a second-class citizen in sbctl. IMHO it'd be useful if booster could create a unified image; then one can use sbctl or similar to sign it.

dkwo, Sep 21 '23 17:09