blt n00b
Joined: 21 Mar 2021 Posts: 11
Posted: Wed Mar 24, 2021 10:34 pm Post subject: Impossible to Secure Boot

I tried to follow this guide to set up my brand new Gentoo install with Secure Boot, as Sakaki is EOL (and anyway designed to be used with some homemade scripts to automate almost everything); I am more on a learning approach as I am a new Gentoo user.
Everything is working correctly from the guide apart from the last piece: when I enforce check_signatures, my UEFI refuses to boot and I am stuck at the UEFI boot list.
I am wondering if the issue is coming from the fact that the initrd is signed by GPG instead of sbsigntools (used to sign the bootloader and kernel), as I don't see how my UEFI would use the Secure Boot keys to validate the initrd signed by GPG.
But maybe the issue is even earlier, as it seems it is just when my UEFI tries to load GRUB, so I am wondering if GRUB is even able to try to load the initrd; my assumption above may be discarded.
Any idea on where to start to troubleshoot this issue? I don't really know where to look, as my issue is so early in the boot process.
Many thanks
_________________
blt
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3958
Posted: Wed Mar 24, 2021 10:42 pm

For secure boot you need shim64.efi. Get it from sys-boot/shim. Actually I just installed it and it provides these binaries
Code:
eqf sys-boot/shim
 * Searching for shim in sys-boot ...
 * Contents of sys-boot/shim-15.5-r1:
/usr
/usr/share
/usr/share/shim
/usr/share/shim/BOOTIA32.EFI
/usr/share/shim/BOOTX64.EFI
/usr/share/shim/mmia32.efi
/usr/share/shim/mmx64.efi

So maybe copy /usr/share/shim/BOOTX64.EFI and /usr/share/shim/mmx64.efi to /boot/efi/EFI/gentoo/ and use efibootmgr to create an EFI entry.
Code:
efibootmgr -c -d </dev/esp-disk> -p <esp-partition-number> -L "gentoo" -l "\EFI\gentoo\BOOTX64.EFI"
blt n00b
Joined: 21 Mar 2021 Posts: 11
Posted: Wed Mar 24, 2021 11:04 pm

Thanks for your suggestion. I installed shim and tried to recreate grub.cfg, but same issue; I was about to ask you if I would need to add shim somewhere, but I just saw your edits.
Will try your suggestion tomorrow morning and I'll let you know, thanks again
_________________
blt
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3958
Posted: Thu Mar 25, 2021 12:04 am

I used this to get all the necessary files:
https://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/s/shim-x64-15-8.x86_64.rpm
I extracted it, copied the shimx64.efi to /boot/efi/EFI/gentoo, added a new efibootmgr entry and booted in.
It worked.
I don't know if I do foolish things, but it seems to work.
Code:
efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0002,0003,0004,0005,0006,0007,0008,0009
Boot0000* gen HD(1,GPT,5f713193-1e02-42f6-8135-113b790a3cf9,0x800,0x64000)/File(\EFI\gen\shimx64.efi)
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5491 Location: Bavaria
GDH-gentoo Veteran
Joined: 20 Jul 2019 Posts: 1832 Location: South America
Posted: Thu Mar 25, 2021 5:27 pm

I think that some clarification is in order.
The methods described in the document linked in the OP, in Sakaki's guide, and in pietinger's guide, involve replacing the UEFI firmware's platform key, key exchange key, and the keys in the database used for verifying signed binaries. This requires a cooperative (i.e. not crappy) firmware.
The UEFI shim is kind of a workaround, it operates in a different way. The keys used by the firmware are left alone, and a separate set of keys (the machine owner keys) are created and used to sign the binaries. This is only useful if the shim itself is signed (usually with a Microsoft-approved key). Gentoo's sys-boot/shim package appears to just download Fedora's RPM and extract some of its (already compiled) files. I believe that the signed shim in the RPM is the file named shimx64-fedora.efi, and that the file named shimx64.efi is unsigned. I expect the unsigned shim not to work when secure boot is enabled in the firmware, and if it isn't, then, well, one can just boot the bootloader or stub kernel and not bother with the shim. I see no point in installing and booting the unsigned shim if one is going to have secure boot turned off anyway.
In any case, I believe that the only binary that the UEFI firmware verifies (with the keys in the database) is just the one it hands control to: bootloader, stub kernel or shim. If the shim is used, it can then verify the bootloader or stub kernel using a machine owner key. If a bootloader is used, whether the kernel and initramfs are subsequently verified or not, and how, is bootloader-specific. The (optional) verification that GRUB can do is described in its manual (info grub).
Last edited by GDH-gentoo on Thu Mar 25, 2021 6:49 pm; edited 3 times in total
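The point above turns on whether a given EFI binary carries an Authenticode signature at all (shimx64.efi versus shimx64-fedora.efi). The Python below is an added example, not code from the thread or from the shim project: it reads the PE Certificate Table data-directory entry to report whether a signature blob is present, and builds a constructed toy PE32+ image (not a real EFI binary) to exercise itself.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot holding the Authenticode certificate table


def authenticode_table(pe: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if the image carries none."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories start at 112 (PE32+) or 96 (PE32)
    num_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes sits just before them
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if size else None          # this entry is a raw file offset, not an RVA


def is_signed(pe: bytes) -> bool:
    """True if a certificate table exists; says nothing about whether db or a MOK trusts the signer."""
    return authenticode_table(pe) is not None


def build_fake_pe(cert_blob=None) -> bytes:
    """Constructed minimal PE32+ image (not a real EFI binary), optionally with a certificate table."""
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)   # magic .. NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    headers_len = 0x40 + 4 + 20 + len(opt) + len(dirs)
    win_cert = b""
    if cert_blob is not None:
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7 SignedData)
        win_cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, headers_len, len(win_cert))
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> PE header at 0x40
    return dos_stub + b"PE\0\0" + b"\0" * 20 + opt + bytes(dirs) + win_cert
```

A present table only means the file is signed by someone; for a real shim or kernel, `sbverify --list` shows the signer and `sbverify --cert` checks it against the certificate you expect.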
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5491 Location: Bavaria
Posted: Thu Mar 25, 2021 6:22 pm

GDH-gentoo wrote:
> I think that some clarification is in order.

Great explanation. May I add one point:
In this documentation https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html the setting of new keys is done by "efi-updatevar". This doesn't work with some mainboards (like my Gigabyte) ... and worse: you don't see it; the mainboard just doesn't accept it, without giving you an error!
In this case you MUST do it in the UEFI BIOS by yourself (as described in my guide; this should/must work with every mainboard).
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1173 Location: /run/user/1000
Posted: Sun Oct 17, 2021 2:51 pm

How is the situation with secure boot these days?
I'm thinking about switching to UEFI and secure boot, and I probably will very soon, but I'm wondering how that really works with Gentoo.
Anyone here using it for a long time?
pietinger Moderator
Joined: 17 Oct 2006 Posts: 5491 Location: Bavaria
Posted: Sun Oct 17, 2021 4:58 pm

The Main Man wrote:
> Anyone here using it for a long time?

Yes. I have been using it on my desktop and my notebook since last year. No problems so far. I wrote a guide for that (link is in my first post of this thread).
The Main Man Veteran
Joined: 27 Nov 2014 Posts: 1173 Location: /run/user/1000
Posted: Mon Oct 25, 2021 11:19 am

Sorry for the late reply. It seems complicated; I mean, I don't mind complicated, but sometimes I ask myself why bother, and usually there's no answer to that question.
Anyway, I'm sure it works, but I'll pass. Thanks for the guide though.
Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
Posted: Mon Oct 25, 2021 1:29 pm

I have worked through all these instructions. Shim does not work; signing grub does not work; signing initrd does not work either.
Only Sakaki's guide works, and Gentoo's "signed kernel module support" works fine (although the scripts don't work anymore).
Together with some kernel options (CONFIG_SECURITY_LOCKDOWN_LSM) I have:
signed kernel
signed modules
and a locked kernel
The whole security chain is in place.
I use this together with rEFInd and can access two Gentoo installations, one Tumbleweed and two Windows installations in secure boot.
Code:
Linux tux 5.14.14-gentoo-101-kspp-lock #1 SMP Wed Oct 20 23:05:48 CEST 2021 x86_64 AMD Ryzen 5 3600 6-Core Processor AuthenticAMD GNU/Linux
Secure boot enabled
Loaded X.509 cert 'Gentoo-Module-Signing-Key: 8745bfa72fa26b7f68b5165ab85f274cf2d026ab'
000869b0 03 12 d7 02 9d ed 1d bf 6f 77 5f 23 ca 91 85 23 |........ow_#...#|
000869c0 9b 41 9b 14 21 f1 de 33 94 62 c7 a8 19 be db c3 |.A..!..3.b......|
000869d0 12 aa 5a ed dd 30 37 b2 c1 33 ac 83 92 7d 0e 92 |..Z..07..3...}..|
000869e0 96 27 67 26 8e e1 5b 39 b1 7a 52 76 db 18 e5 f6 |.'g&..[9.zRv....|
000869f0 13 dd d9 25 24 75 08 cf 4d 84 2c 51 56 c8 5d 47 |...%$u..M.,QV.]G|
00086a00 ae 4d b4 5d 4d ae b4 6d 23 54 9d 7a 85 bd 5c fd |.M.]M..m#T.z..\.|
00086a10 b8 48 c5 27 0a fb 1c 00 00 02 00 00 00 00 00 00 |.H.'............|
00086a20 00 02 9f 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 |...~Module signa|
00086a30 74 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ture appended~.|
Kernel is locked down from Kernel configuration; see man kernel_lockdown.7

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot_under_OpenRC
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
man kernel_lockdown.7 --> https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
Ma
_________________
------------------------------------------------------------------
http://radio.garden/
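The hexdump in the post above ends with the trailer that the kernel's scripts/sign-file appends to a .ko: the PKCS#7 blob, a 12-byte struct module_signature, then the magic string. The Python below is an added example (not from the thread or the kernel tree) that splits such a module with the same sanity checks the kernel's mod_check_sig() applies, and decodes the 12 bytes visible in the dump (offsets 0x86a17 to 0x86a22); the sample module it builds is constructed, with a fake DER blob in place of real PKCS#7 SignedData.

```python
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"   # trailer magic the kernel looks for
PKEY_ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}       # id_type values from module_signature.h
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")

# The 12 bytes that precede the magic in the hexdump above (taken from the post, not constructed).
PAGE_TRAILER = bytes.fromhex("00000200000000000000029f")


def split_module_signature(mod: bytes):
    """Split a .ko into (payload, info); info is None when no signature is appended.

    Mirrors the checks the kernel's mod_check_sig() makes before PKCS#7 verification.
    """
    if not mod.endswith(MODULE_SIG_STRING):
        return mod, None
    body = mod[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    body = body[:-SIG_HDR.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("module is not signed with a PKCS#7 message")
    if algo or hsh or signer_len or key_id_len:
        raise ValueError("PKCS#7 trailer must have zero algo/hash/signer/key-id fields")
    if sig_len > len(body):
        raise ValueError("signature length exceeds module size")
    signature = body[len(body) - sig_len:]
    info = {"id_type": PKEY_ID_TYPES[id_type], "sig_len": sig_len, "signature": signature}
    return body[:len(body) - sig_len], info


def build_signed_module(payload: bytes, fake_pkcs7: bytes) -> bytes:
    """Constructed sample: append a trailer the way scripts/sign-file does (the DER blob is fake)."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_pkcs7))
    return payload + fake_pkcs7 + hdr + MODULE_SIG_STRING


def page_trailer_sig_len() -> int:
    """Decode sig_len from the trailer captured in the post above: 671 bytes of PKCS#7 data."""
    return SIG_HDR.unpack(PAGE_TRAILER)[-1]
```

Stripping the trailer this way is what `strip --remove-section=...` cannot do; the kernel's scripts/sign-file leaves the original module bytes untouched, so the returned payload is exactly what the PKCS#7 signature covers.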