Gentoo Forums
Migrating Gentoo to secure boot because of Windows 11 [SOLV]
dasPaul
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Fri Aug 27, 2021 8:10 am    Post subject: Migrating Gentoo to secure boot because of Windows 11 [SOLV]

Hi there, I hope there is not already a thread on this topic.

As I am dual booting Gentoo and Windows10 via EFISTUB because it's wonderfully simple, I have some fear regarding the upcoming Windows11 update,
which will force me to enable secure boot. I think secure boot itself is not bad and I considered more than once to enable it, but I am totally confused about
the migration workflow of my current gentoo into secure boot.

I am not really sure how Windows11 will come to my PC. Install it completely new or as system upgrade. Nevertheless there will be the point where I have to switch
secure boot on in my bios, making my current gentoo kernel unbootable.

Are there any suggestions on the migration workflow?

Prepare Gentoo Secure Boot ---> enable Secure boot ---> upgrade Windows11 or
Delete everything ---> enable Secure Boot ---> install Windows11 ---> disable Secure Boot ---> install Gentoo & prepare Secure Boot ---> enable Secure Boot
Will EFISTUB still work or do I need a 3rd-party loader à la rEFInd? :?:

As there is already a Windows11 ISO available, I am considering doing a real test with a new small gentoo system.
_________________
-=human without Windows®=-
sorry for my bad english!


Last edited by dasPaul on Tue Aug 31, 2021 2:58 pm; edited 1 time in total
alamahant
Advocate


Joined: 23 Mar 2019
Posts: 3916

PostPosted: Fri Aug 27, 2021 9:17 am    Post subject:

I hope it can be as simple as using shim64.efi from
Code:

sys-boot/shim

I also hope you don't need grub.
I would, though, use grub.
If not possible, you are in for a long, long config.
https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
_________________
:)
pietinger
Moderator


Joined: 17 Oct 2006
Posts: 5094
Location: Bavaria

PostPosted: Fri Aug 27, 2021 9:23 am    Post subject:

Hi dasPaul,

I am doing secure boot with a gentoo stub-kernel (and wrote an installation guide for it in the German section of this forum) - but without dual booting any other OS (like windows 11).

Maybe you know one problem with secure boot: You don't have the secure keys (saved in every UEFI-BIOS) from Microsoft to sign your own bootable executable (bootloader, bootmanager, stub-kernel). AFAIK there is only one signed linux-bootloader: SHIM (see more here: https://wiki.debian.org/SecureBoot ). I have never tested this.

A second solution, which I also have never tested: You create your own keys and sign YOUR bootable executable AND windows 11. This is described in: https://www.funtoo.org/Secure_Boot
Quote:
[...]
If you want to dual boot preinstalled OSes, add old KEK and db certificates to the new lists:
root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl >>db.esl
[...]


So I think you have to go this way:
Quote:
Delete everything ---> enable Secure Boot ---> install Windows11 ---> disable Secure Boot ---> install Gentoo & prepare Secure Boot ---> enable Secure Boot



Sidenote to funtoo's way: They try to change the keys in UEFI with "efi-updatevar". I know there are some mainboards which don't accept this. Worse: You will get no error from efi-updatevar; the UEFI doesn't change anything and keeps the old keys. Therefore you have to change it in the UEFI-BIOS menu yourself (I described this in my guide).


(I don't recommend Sakaki's guide; it is too complicated)
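The funtoo step quoted above (`cat old_KEK.esl >>KEK.esl`) works because an .esl file is nothing more than a sequence of EFI_SIGNATURE_LIST structures, so appending one file to another concatenates the lists. The Python script below is an added example, not code from this thread or from the funtoo wiki: it parses that layout (from the UEFI specification) so you can list what a db or KEK file contains before enrolling it through the firmware menu, and confirm that the pre-existing Microsoft/OEM entries are still present after the append. The owner GUIDs and the "certificate" bytes in the sample are constructed placeholders, not real DER data.

```python
"""Inspect EFI Signature List (.esl) files before enrolling them.

Added example, not code from the forum thread. Parses the
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout of the UEFI spec and
shows that 'cat old_db.esl >> db.esl' is plain byte concatenation.
"""
import hashlib
import struct
import uuid

# Well-known signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
HEADER = struct.Struct("<16sIII")


def parse_esl(data: bytes):
    """Return (type_name, owner_guid, signature_bytes) for every
    EFI_SIGNATURE_DATA entry in one or more concatenated lists."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = list_size - HEADER.size - hdr_size
        # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the data.
        if sig_size <= 16 or body % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI GUIDs are mixed-endian
        type_name = SIG_TYPE_NAMES.get(sig_type, str(sig_type))
        pos = off + HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((type_name, str(owner), data[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, sigs) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding equally sized signatures."""
    sizes = {len(s) for s in sigs}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + sizes.pop()
    list_size = HEADER.size + sig_size * len(sigs)
    out = HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for s in sigs:
        out += owner.bytes_le + s
    return out


def summarize(entries):
    """One human-readable line per entry; the hash lets you compare against
    the certificate you expect to have enrolled."""
    return [f"{t:6} owner={o} sha256={hashlib.sha256(s).hexdigest()[:16]}"
            for t, o, s in entries]


# Constructed sample data (placeholders, not real vendor GUIDs or certs):
# an "old" db with two SHA256 hash entries and a "new" db with one X509 blob.
OLD_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
MY_OWNER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
OLD_DB = build_esl(EFI_CERT_SHA256_GUID, OLD_OWNER, [b"\x01" * 32, b"\x02" * 32])
NEW_DB = build_esl(EFI_CERT_X509_GUID, MY_OWNER, [b"FAKE-DER-CERT"])

if __name__ == "__main__":
    # 'cat old_db.esl >> db.esl': both lists survive and parse in order.
    for line in summarize(parse_esl(NEW_DB + OLD_DB)):
        print(line)
```

To inspect a real file, pass `open("db.esl", "rb").read()` to `parse_esl`; the X509 entries can be written out as DER and fed to `openssl x509 -inform der -noout -subject` to see which CA each one is.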
dasPaul
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Fri Aug 27, 2021 10:31 am    Post subject:

Alright, thank you. I think I'll go through all this next week when I don't have to do serious work on my desktop.
I'll replace my current disks with two spare ones because I KNOW I WILL manage to mess up my current OS setup :lol:
... I'll report back.
_________________
-=human without Windows®=-
sorry for my bad english!
wless123
n00b


Joined: 27 Aug 2021
Posts: 40

PostPosted: Fri Aug 27, 2021 7:40 pm    Post subject:

I'm using efistub with my own keys (from the funtoo wiki) and it is working like a charm. The only issue I can remember was with efivars which had the immutable bit set.

There's an excellent website about secure boot and this issue: https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

There is no need to reinstall, you could just try:

1) create your own signing key and transfer it into uefi.
2) build your kernel and sign it with your key
3) reboot w/o secure boot to see if the kernel works
4) reboot with secure boot ... and pray ;)

To simplify the kernel build process I'm using my own script to build, sign and install the kernel automatically, so that it boots the next time I restart.
dasPaul
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Sat Aug 28, 2021 7:17 am    Post subject:

wless123 wrote:
There's an excellent website about secure boot and this issue: https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

That was easier than I thought, without installing any OS from scratch! :D (but I tested both with current Windows11 beta build and my current Windows10)

I mainly followed wless123's link above.

My new motherboard came with blank secure boot key storage. Secure Boot was disabled.
The Gentoo kernel is made as described in EFISTUB.
Windows10/11 was installed with secure boot disabled (from a USB stick via the Ventoy tool).

To let Windows(X) write its own keys into UEFI I just had to enable Secure Boot (Mode "Standard", not "Custom") and reboot into Windows.
That's all I had to do regarding the Windows side.

- to get Gentoo secure I had to disable secure boot again,
- boot into gentoo, create the key files as described in the link, copy them onto my EFI partition (*.cer *.crt *.esl) (or a separate USB stick with a FAT partition)
- sign the kernel as described in the link and replace the unsigned one with it
- reboot into UEFI and in Secure Boot enable Secure Boot again, Mode "Custom" to enable Key Management
- in Key Management APPEND keys to the existing ones, in the order: DB.cer, KEK.cer and PK.cer loaded from the EFI partition (or USB stick) (*)
- reboot and hopefully, happily enjoy a secure boot enabled EFISTUB dual boot system

(* I don't know exactly what's with that PK file. It made no difference if I omitted that file. Windows initially set that key. If I overwrite it with the one that
has been created in gentoo it made no difference, both OSes boot fine in secure boot...)

Then I use a simple script that, after a kernel rebuild, signs and replaces the old one.

PS. I now have my old Windows10 and Gentoo both booting in secure mode and I think I am ready if the upgrade to Windows11 comes this year, and I can simply upgrade from my running Windows10 without any problems.
_________________
-=human without Windows®=-
sorry for my bad english!
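For the "sign, then replace the old kernel" script that wless123 and dasPaul both mention, a pre-flight check worth having is to refuse to copy an image that carries no Authenticode certificate table: an unsigned EFISTUB kernel installed over the signed one will not boot once Secure Boot is on, and you only find out at the next reboot. The Python below is an added example, not either poster's script: it walks the PE header to the security data directory and looks for a PKCS#7 WIN_CERTIFICATE entry. It checks presence and header-level structure only, not the signature itself (that is what `sbverify --cert` is for); the sample image is a constructed minimal PE32+ header, not a real kernel.

```python
"""Pre-flight check for a sign-and-install kernel script.

Added example, not code from the forum thread. Confirms that a PE image
(an EFISTUB kernel is a PE32+ file) has an Authenticode certificate table
before it is copied over the kernel on the ESP.
"""
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def security_directory(image: bytes):
    """Return (file_offset, size) of the certificate table, (0, 0) if the
    image has none, or raise ValueError if it is not a PE image at all.
    The security directory holds a file offset, not an RVA."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the
    # optional header; NumberOfRvaAndSizes sits just before them.
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        dirs, nrva_off = opt + 112, opt + 108
    elif magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        dirs, nrva_off = opt + 96, opt + 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", image, nrva_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dirs + 8 * n_dirs > opt + opt_size:
        return (0, 0)
    return struct.unpack_from("<II", image, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def has_authenticode_signature(image: bytes) -> bool:
    """True if the image carries at least one PKCS#7 WIN_CERTIFICATE entry."""
    off, size = security_directory(image)
    if size == 0:
        return False
    end = off + size
    if size < 8 or end > len(image):
        raise ValueError("certificate table points outside the file")
    pos = off
    while pos + 8 <= end:
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, then bCertificate
        length, rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if rev == WIN_CERT_REVISION_2_0 and ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            return True
        pos += (length + 7) & ~7  # entries are 8-byte aligned
    return False


def make_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header with no sections, for demonstration;
    the 'certificate' is zero-filled placeholder bytes, not real PKCS#7."""
    opt_size, e_lfanew = 240, 0x40
    hdr_end = e_lfanew + 4 + 20 + opt_size
    cert_blob = b"\x00" * 24
    cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    img = bytearray(hdr_end)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x8664, 0)     # Machine, NumberOfSections
    struct.pack_into("<H", img, e_lfanew + 20, opt_size)       # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)                 # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         hdr_end, len(cert))
        img += cert
    return bytes(img)


if __name__ == "__main__":
    for flag in (True, False):
        print("signed" if has_authenticode_signature(make_sample_pe(flag)) else "UNSIGNED")
```

In a wrapper script the call sits between `sbsign` and the copy to the ESP: read the signed output, and only replace the kernel on the EFI partition when `has_authenticode_signature` returns True, keeping the previous signed kernel as a fallback entry either way.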
alicela1n
n00b


Joined: 26 Mar 2021
Posts: 14

PostPosted: Sun Aug 29, 2021 6:55 am    Post subject:

Hi, if you are using systemd-boot (it's standalone and doesn't require systemd) you can use preloader. I have a package in my overlay to install the files to /usr/share/preloader-signed, but you can also download them yourself and put them in /boot. This is the quickest and easiest way I've found to get secure boot working, and I've been using it on my laptop for months.

Follow the instructions here, they work for Gentoo too, this is what I did for my laptop https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#PreLoader

preloader-signed is in my overlay here https://github.com/alicela1n/alicela1n-gentoo-overlay under sys-boot/preloader-signed.
_________________
emerchu -uDN world • gentoo girl
dasPaul
Apprentice


Joined: 14 Feb 2012
Posts: 243
Location: Dresden

PostPosted: Tue Aug 31, 2021 2:57 pm    Post subject:

alicela1n wrote:
This is the quickest and easiest way I've found to get secure boot working

Thank you, I am currently happy with my current setup and I would like to keep it as "raw" as possible :)
_________________
-=human without Windows®=-
sorry for my bad english!