Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Migrating Gentoo to secure boot because of Windows 11 [SOLV]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Installing Gentoo
View previous topic :: View next topic  
Author Message
dasPaul
Apprentice
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Fri Aug 27, 2021 8:10 am    Post subject: Migrating Gentoo to secure boot because of Windows 11 [SOLV] Reply with quote

Hi there, I hope there is not already a thread on this topic.

As I am dual booting Gentoo and Windows10 via EFISTUB because its wonderfully simple I have some fear regarding the upcoming Windows11 update
which will enforce me to enable secure boot. I think secure boot itself is not bad and I considered more that once to enable it but I am totally confused about
the migration workflow of my current gentoo into secure boot.

I am not really sure how Windows11 will come to my PC. Install it completely new or as system upgrade. Nevertheless there will be the point where I have to switch
secure boot on in my bios, making my current gentoo kernel unbootable.

Are there any suggestions on the migration workflow?

Prepare Gentoo Secure Boot ---> enable Secure boot ---> upgrade Windows11 or
Delete everything ---> enable Secure Boot ---> install Windows11 ---> disable Secure Boot ---> install Gentoo & prepare Secure Boot ---> enable Secure Boot
Will EFISTUB still work or do I need a 3rd party loader a la refind
:?:

As there is already a Windows11 ISO available I consider to do a real test with a new small gentoo system.
_________________
-=human without Windows®=-
sorry for my bad english!


Last edited by dasPaul on Tue Aug 31, 2021 2:58 pm; edited 1 time in total
Back to top
View user's profile Send private message
alamahant
Advocate
Advocate


Joined: 23 Mar 2019
Posts: 3916

PostPosted: Fri Aug 27, 2021 9:17 am    Post subject: Reply with quote

I hope it can be as simple as using shim64.efi.
from
Code:

sys-boot/shim

I also hope you dont need grub.
I would though use grub.
If not possible you are in for a long long config.
https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
_________________
:)
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5104
Location: Bavaria

PostPosted: Fri Aug 27, 2021 9:23 am    Post subject: Reply with quote

Hi dasPaul,

I am doing secure boot a gentoo stub-kernel (and wrote an installation guide for it in this forum in german section) - but without dual boot any other OS (like windows 11).

Maybe you know one problem with secure boot: You dont have the secure keys (saved in every UEFI-BIOS) from Microsoft to sign your own bootable executable (bootloader, bootmanager, stub-kernel). AFAIK there is only one signed linux-bootloader: SHIM (see more here: https://wiki.debian.org/SecureBoot ). I have never tested this.

Also I have never tested is a second solution: You create your own keys and sign YOUR bootable executable AND windows 11. This is described in: https://www.funtoo.org/Secure_Boot
Quote:
[...]
If you want to dual boot preinstalled OSes, add old KEK and db certificates to the new lists:
root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl >>db.esl
[...]


So I think you have to go this way:
Quote:
Delete everything ---> enable Secure Boot ---> install Windows11 ---> disable Secure Boot ---> install Gentoo & prepare Secure Boot ---> enable Secure Boot



Sidenote to funtoo's way: They try to change the keys in UEFI with "efi-updatevar". I know there are some mainboards which dont accept this. More bad: You will get no error from efi-updatevar; the UEFI dont change anything and keeps the old keys. Therefore you have to change it in UEFI-BIOS-menu by yourself (I described this in my guide).


(I dont recommend sakaki's guide; it is too complicated)
Back to top
View user's profile Send private message
dasPaul
Apprentice
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Fri Aug 27, 2021 10:31 am    Post subject: Reply with quote

Alright, thank you. I think I go through all this next week when I don't have to do serious work on my desktop.
I'll replace my current disks with two spare ones because I KNOW I WILL manage to mess up my current OS setup :lol:
... I'll report back.
_________________
-=human without Windows®=-
sorry for my bad english!
Back to top
View user's profile Send private message
wless123
n00b
n00b


Joined: 27 Aug 2021
Posts: 40

PostPosted: Fri Aug 27, 2021 7:40 pm    Post subject: Reply with quote

I'm using efistub with my own keys (from funtoo wiki) and it is working like a charm. Only issue i can remember was with efivars which had the immutable bit set.

There's an excellent website about secure boot and this issue: https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

There is no need to reinstall, you could just try:

1) create your own signing key and transfer it into uefi.
2) build your kernel and sign it with your key
3) reboot w/o secure boot to see if the kernel works
4) reboot with secure boot ... and pray ;)

To simplify the kernel build proccess i'm using my own script to build, sign and install the kernel automatically, so that i boots the next time i'll restart.
Back to top
View user's profile Send private message
dasPaul
Apprentice
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Sat Aug 28, 2021 7:17 am    Post subject: Reply with quote

wless123 wrote:
There's an excellent website about secure boot and this issue: https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html


That was easier than I thought, without installing any OS from scratch! :D (but I tested both with current Windows11 beta build and my current Windows10)

I mainly followed wless123's link above.

My new motherboard came with a blank secure boot keys memory. Secure Boot was disabled.
Gentoo kernel is made as described in EFISTUB.
Windows10/11 was installed with secure boot disabled (from USB-Strick via Ventoy tool)

To let Windows(X) write its own keys into UEFI I just had to enable Secure Boot (Mode "Standart", not "Custom") and reboot into Windows.
Thats all I had to do regarding the Windows side.

- to get Gentoo secure I had to disable secure boot again,
- boot to gentoo, create the keyfiles as decribed in the link, copy them onto my EFI partition (*.cer *.crt *.esl) (or a seperate USB Stick with FAT partition)
- sign the kernel as described in the link and replace it with the unsigned
- reboot into UEFI and in Secure Boot enable Secure Boot again, Mode "Custom" to enable Key Management
- in Key Management APPEND keys to the existing, in the order : DB.cer, KEK.cer and PK.cer loaded from the EFI partition (or USB-Stick) (*)
- reboot and hopefully, happily enjoy a secure boot enabled EFISTUB dual boot system

(* I dont know exactly whats with that PK file. It made no difference if I omitted that file. Windows initially set that key. If I overwrite it with the one that
has been created in gentoo it made no difference, both OS'es boot fine in secure boot...)

Then I use a simple script that, after a kernel rebuild, signs and replaces the old one.

Ps. I now have my old Windows10 and Gentoo both booting in secure mode and I think I am ready if the upgrade to Windows11 comes this year and I can simply upgrade from my running Windows10 without any problems
_________________
-=human without Windows®=-
sorry for my bad english!
Back to top
View user's profile Send private message
alicela1n
n00b
n00b


Joined: 26 Mar 2021
Posts: 14

PostPosted: Sun Aug 29, 2021 6:55 am    Post subject: Reply with quote

Hi, if you are using systemd-boot (it's standalone and doesn't require systemd) you can use preloader, I have it a package in my overlay to install them to /usr/share/preloader-signed but you can also download the files yourself and put them in /boot. This is the quickest and easiest way I've found to get secure boot working, and I've been using it on my laptop for months.

Follow the instructions here, they work for Gentoo too, this is what I did for my laptop https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#PreLoader

preloader-signed is in my overlay here https://github.com/alicela1n/alicela1n-gentoo-overlay under sys-boot/preloader-signed.
_________________
emerchu -uDN world • gentoo girl
Back to top
View user's profile Send private message
dasPaul
Apprentice
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Tue Aug 31, 2021 2:57 pm    Post subject: Reply with quote

alicela1n wrote:
This is the quickest and easiest way I've found to get secure boot working


Thank you, I am currently happy with my current setup and I would like to keep it as "raw" as possible :)
_________________
-=human without Windows®=-
sorry for my bad english!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Installing Gentoo All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum