
How/what to sign so that secure boot can be enabled

Open rickhg12hs opened this issue 5 years ago • 5 comments

Do you have a recommended procedure for signing GLIM's bits so that secure boot can stay enabled on systems that I control?

rickhg12hs, Mar 02 '19 00:03

I honestly have no idea. A quick search seems to indicate that it might not be that easy, or even possible at all.

https://askubuntu.com/questions/642653/loopback-module-for-grub-with-secure-boot

If you do find a way, please share! :-)

thias, Mar 06 '19 12:03

See https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk

Basically, to boot a Linux kernel with Secure Boot enabled with unpatched GRUB2 using the linux command you don't need to do additional steps. You only need to add the GRUB2 certificate into the Secure Boot db and boot it. GRUB2 versions with Secure Boot hardening patches (which are found in Ubuntu and Fedora/CentOS at least) need additional steps/patches, as they either replace linux with linuxefi or boot the Linux kernel using the UEFI LoadImage and StartImage functions.

ValdikSS, Mar 09 '19 09:03

I've already enrolled a key in the MOK to sign kernel modules I've compiled for Fedora. Am I an easy step away from being able to securely boot from the USB drive?

rickhg12hs, Mar 10 '19 15:03

It depends on what you want to achieve. If you only want to boot Fedora from HDD or ISO on your current PC with enrolled key, you can probably use signed shim (from shim package) and grub2 (from grub2-efi-x64 package) from Fedora. This bundle does not require key enrolling at all, but it would boot only Fedora.

If you want to boot other Linux distros, you'd better use Super UEFIinSecureBoot Disk. Another option is to use unpatched GRUB2 (not from Fedora or Ubuntu) with signed shim <= 0.4; it will boot any Linux distribution after GRUB2 hash or key enrolling using MokManager.

If you don't want to use Microsoft certificate, if you want to take ownership of UEFI platform and enroll your own keys, you can sign your own shim and grub.

ValdikSS, Mar 10 '19 18:03

There's a way. You have to create grub as an image using grub-mkstandalone. In this way there would be just one binary that will be loaded by, for instance, rEFInd, and this image should be signed by the end user or the hash of the image should be added to the shim's MOK database. Also you can use shim signed by Microsoft. Look at how the Ubuntu live image is booted. It has EFI/BOOT/grubx64.efi and EFI/BOOT/BOOTx64.EFI, and one is signed by Canonical and the other by MS. If you have Canonical's cert in the firmware's database, you can use the first option to boot. If you only have the MS cert, you can boot using the fallback option. Some similar solution would be nice to have.

morfikov, Mar 19 '20 19:03
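One caveat behind the "hash of the image" option above: the hash shim/MokManager enrolls (and the one firmware compares against db/dbx) is the Authenticode digest of the PE binary, not a plain sha256sum of the file. The following is an added example, not code from this thread or from GLIM: a Python function that computes that digest for a grub-mkstandalone output (or any EFI binary), plus `build_test_image`, a constructed minimal PE32+ fixture that exists only to exercise it.

```python
import hashlib
import struct
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the certificate table entry

def authenticode_hash(image: bytes, algo: str = "sha256") -> str:
    """Authenticode digest of a PE image: what MokManager enrolls as a 'hash' and
    what firmware checks against db/dbx. Not the same as sha256sum of the file."""
    h = hashlib.new(algo)
    pe = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size = struct.unpack_from("<HHIIIH", image, pe + 4)
    opt = pe + 24                                           # optional header
    datadir = {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", image, opt)[0]]  # PE32 vs PE32+
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    checksum = opt + 64
    secdir = opt + datadir + SECURITY_DIR * 8
    cert_off, cert_size = struct.unpack_from("<II", image, secdir)
    # Headers, skipping the CheckSum field and the certificate-table entry.
    h.update(image[:checksum])
    h.update(image[checksum + 4:secdir])
    h.update(image[secdir + 8:size_of_headers])
    # Raw section data, sorted by file offset.
    sections = []
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", image, opt + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(image[raw_ptr:raw_ptr + raw_size])
    # Trailing data after the last section, excluding the certificate table itself.
    end = max((p + s for p, s in sections), default=size_of_headers)
    h.update(image[end:cert_off] if cert_size else image[end:])
    return h.hexdigest()

def build_test_image(section: bytes, checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one section: a test fixture, not a bootable binary."""
    opt_size, soh = 240, 512                                # 16 data dirs; SizeOfHeaders
    cert_off = soh + len(section) if cert else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 60, soh, checksum)         # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, cert_off, len(cert))
    sec = b".text\0\0\0" + struct.pack("<IIII", len(section), 0x1000, len(section), soh) + b"\0" * 16
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(soh, b"\0") + section + cert
```

Because the CheckSum field and the certificate table are excluded, a signed and an unsigned copy of the same grubx64.efi produce the same digest; on a real file, cross-check the result against `pesign --hash -i grubx64.efi` (a tool outside this thread).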