Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Secure booting EFI Kernel stub with LUKS encryption
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Sat Sep 09, 2023 5:53 am    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

Hi,

I've been poking around in various procedures so has how to activate secure boot on Gentoo Linux and finally I've decided to write a quick one after much testing.

Pre-requisities

- Assess your hardware and firmware : https://github.com/chipsec/chipsec
- check for bios update
- password protect BIOS setup and user mode
- do not leave laptop unattended

BIOS EFI KEYSTORE

Tuto https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html for Generation of keys certificates BIOS secure mode

Complete following steps from tuto, bother with grub if you use it.
The shim lock and lockdown grub features will end you up in restricted rescue mode shell when enabling secure mode in BIOS and using initrd. That is Dead end #1.
EFI grub entry can be disabled in BIOS when secure boot is enabled and serve as boot fallback option if secured mode stub kernel booting goes wild.

- Backup existing certificates from the EFI
- Write your own certificates
- Sign your own grub / kernel / initrd
- Entering setup mode (clearing keystore)
- Installing new keys into the keystore
- Add a password protection to GRUB

kernel and initrd

Configure and build stub kernel with genkernel, set suitable options in conf : LUKS=YES, LVM=YES, MICROCODE=all MICROCODE_INITRAMFS="yes" (early microcode loading for side channel mitigations)

Enforce kernel modules signing in kernel : https://wiki.gentoo.org/wiki/Signed_kernel_module_support

KERNEL Enable module signature verification

[*] Enable loadable module support --->
[*] Module signature verification
[*] Require modules to be validly signed
[*] Automatically sign all modules
Which hash algorithm should modules be signed with? (Sign modules with SHA-512) --->

Generate kernel and initrd

genkernel all


- Sign your kernel and initrd

KERNEL, INITRD and MODULES SIGNING

Mount boot partition
mount -o remount,rw /dev/sdaX /boot/

1- Kernel

localhost /boot # cp vmlinuz-6.1.XX-gentoo-x86_64 EFI/gentoo/bzimage.efi

user@localhost ~ $ cd /etc/efikeys/
localhost ~ # sbsign --key db.key --cert db.crt --output /boot/EFI/gentoo/bzimage.efi /boot/EFI/gentoo/bzimage.efi
localhost ~ # sbsign --key db.key --cert db.crt --output /boot/vmlinuz-6.1.46-gentoo-x86_64 /boot/vmlinuz-6.1.XX-gentoo-x86_64

user@localhost ~ $ sbverify --list /boot/EFI/gentoo/bzimage.efi
user@localhost ~ $ sbverify --list /boot/vmlinuz-6.1.XX-gentoo-x86_64

2- Initramfs

user@localhost ~ $ cp /boot/initramfs-6.1.46-gentoo-x86_64.img /etc/efikeys/
user@localhost ~ $ cd /etc/efikeys/
user@localhost ~ $ gpg --homedir /home/user/rsa_gpg_key --detach-sign /etc/efikeys/initramfs-6.1.XX-gentoo-x86_64.img
user@localhost ~ $ sudo cp /etc/efikeys/initramfs-6.1.XX-gentoo-x86_64.img.sig /boot/
user@localhost ~ $ sudo cp /etc/efikeys/initramfs-6.1.XX-gentoo-x86_64.img.sig /boot/EFI/gentoo

Prepare Bootloader ex :
localhost ~ # efibootmgr --create --part X --label "Gentoo_secboot" --loader '\EFI\gentoo\bzimage.efi -u 'dolvm crypt_root=/dev/sdaX real_root=/dev/mapper/vg0-root root=/dev/mapper/root root_trim=yes rootdelay=3 apparmor=1 security=apparmor initrd=\initramfs-6.1.XX-gentoo-x86_64.img'

reboot and enable secure mode in BIOS.

user@localhost ~ $ sudo dmesg | grep -i secure
[ 0.014027] Secure boot enabled


Optional

Virtual Box modules signing
localhost /boot # cd /lib/modules/6.X.XX-gentoo-x86_64/misc/
localhost /boot # /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 vboxdrv.ko
localhost /boot # /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 vboxnetadp.ko
localhost /boot # /usr/src/linux/scripts/sign-file sha512 /usr/src/linux/certs/signing_key.pem /usr/src/linux/certs/signing_key.x509 vboxnetflt.ko

Nividia kernel modules won't load unless signed :

Automatically signing kernel modules (Portage)

Add in /etc/portage/make.conf
USE="modules-sign"

localhost /boot # emerge --update --newuse --deep --quiet @world
localhost /boot # emerge --ask @module-rebuild

I am done playing tricks on people for now.
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Fri Apr 12, 2024 6:52 am    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

Uninstalled nvidia proprietary drivers and switched back to nouveau as nvidia was crashing kernet 6.6.21.

I can still use GRUB to boot when secure boot option is turned off in bios. Beware that grub-install --efi-directory=/boot/ removes boot loader entry.

localhost ~ # efibootmgr -u
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000
Boot0000* gentoo HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(\EFI\gentoo\grubx64.efi)
Boot0001* Gentoo_secboot HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(\EFI\gentoo\bzimage.efi)dolvm crypt_root=/dev/sda3 real_root=/dev/mapper/vg0-root root_trim=yes rootdelay=3 apparmor=1 security=apparmor mds=full,nosmt enable_mtrr_cleanup mtrr_spare_reg_nr=1 mtrr_gran_size=4M mtrr_chunk_size=32M initrd=\initramfs-6.6.21-gentoo-x86_64.img

Still tricky though !
Back to top
View user's profile Send private message
user
Apprentice
Apprentice


Joined: 08 Feb 2004
Posts: 211

PostPosted: Fri Apr 12, 2024 11:12 am    Post subject: Reply with quote

Which boot stage check your signature of external loaded initramfs?
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Fri Apr 12, 2024 2:09 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

PreLoader works by calculating a hash of the follow-on binary and seeing if that hash is stored in a database held in NVRAM

That is to say at boot time, Kernel is signed with the same bios keys.
Back to top
View user's profile Send private message
GDH-gentoo
Veteran
Veteran


Joined: 20 Jul 2019
Posts: 1710
Location: South America

PostPosted: Fri Apr 12, 2024 3:21 pm    Post subject: Re: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

user wrote:
Which boot stage check your signature of external loaded initramfs?

As far as I know, if the firmware is instructed to boot a kernel EFI stub, as suggested by:

ozcircuit wrote:
Prepare Bootloader ex :
localhost ~ # efibootmgr --create --part X --label "Gentoo_secboot" --loader '\EFI\gentoo\bzimage.efi -u 'dolvm crypt_root=/dev/sdaX real_root=/dev/mapper/vg0-root root=/dev/mapper/root root_trim=yes rootdelay=3 apparmor=1 security=apparmor initrd=\initramfs-6.1.XX-gentoo-x86_64.img'

then nothing does. That's why some people might choose to embed the initramfs in the EFI stub, or use a UKI, so that the initramfs is also covered by the kernel's signature. UEFI firmware keys can only be used for signing UEFI PE32+ files, and an external initramfs isn't one. A kernel EFI stub or UKI is.

This step:

ozcircuit wrote:
2- Initramfs

user@localhost ~ $ cp /boot/initramfs-6.1.46-gentoo-x86_64.img /etc/efikeys/
user@localhost ~ $ cd /etc/efikeys/
user@localhost ~ $ gpg --homedir /home/user/rsa_gpg_key --detach-sign /etc/efikeys/initramfs-6.1.XX-gentoo-x86_64.img
user@localhost ~ $ sudo cp /etc/efikeys/initramfs-6.1.XX-gentoo-x86_64.img.sig /boot/
user@localhost ~ $ sudo cp /etc/efikeys/initramfs-6.1.XX-gentoo-x86_64.img.sig /boot/EFI/gentoo

describes the procedure for creating a GPG-style detached signature for the initramfs. A method that can be used for signing arbitrary files, but, as far as I know, is only supported if booting with GRUB, using an appropriate configuration in grub.cfg, and with the GPG public key embedded in GRUB's PE32+ executable. Which the OP fails to mention, and is very vaguely referred to in the linked document:

ozcircuit wrote:
Tuto https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html for Generation of keys certificates BIOS secure mode

(That's the "GRUB only load signed kernel" section)

ozcircuit wrote:
PreLoader works by calculating a hash of the follow-on binary and seeing if that hash is stored in a database held in NVRAM

Nothing in the procedure you described references PreLoader :?
_________________
NeddySeagoon wrote:
I'm not a witch, I'm a retired electronics engineer :)
Ionen wrote:
As a packager I just don't want things to get messier with weird build systems and multiple toolchains requirements though :)
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Fri Apr 12, 2024 5:16 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

.... That's why some people might choose to embed the initramfs in the EFI stub, or use a UKI. so that the initramfs is also covered by the kernel's signature. UEFI firmware keys can only be used for signing UEFI PE32+ files, and an external initramfs isn't one. A kernel EFI stub or UKI is.

I am not a witch either, I haven't find the way so far to embed the initramfs in the EFI stub. so please indicate the procedure.

Thanks a lot
Back to top
View user's profile Send private message
pietinger
Moderator
Moderator


Joined: 17 Oct 2006
Posts: 5126
Location: Bavaria

PostPosted: Fri Apr 12, 2024 5:31 pm    Post subject: Re: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

ozcircuit wrote:
I am not a witch either, I haven't find the way so far to embed the initramfs in the EFI stub. so please indicate the procedure.

Maybe this can help:
https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Initramfs_Overview#Special_Case:_Building_an_embedded_initramfs_with_a_CPIO_archive
Be aware: This works only with a manual configured and created kernel. If you are using a dist-kernel then I would suggest: https://wiki.gentoo.org/wiki/Installkernel
_________________
https://wiki.gentoo.org/wiki/User:Pietinger


Last edited by pietinger on Fri Apr 12, 2024 5:35 pm; edited 1 time in total
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Fri Apr 12, 2024 5:34 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

I found it, https://wiki.gentoo.org/wiki/EFI_stub
Back to top
View user's profile Send private message
user
Apprentice
Apprentice


Joined: 08 Feb 2004
Posts: 211

PostPosted: Fri Apr 12, 2024 5:54 pm    Post subject: Reply with quote

Use unified kernel image for secure boot with custom cert.

Unified kernel image is a whole-in-one image/blob with EFI STUB header, kernel image and initramfs archive.
Whole image/blob can be signed so earlier boot loader stage can verify unified kernel image before give over control.

Embedded initramfs can be added by kernel config
Code:
CONFIG_INITRAMFS_SOURCE

also use
Code:
CONFIG_CMDLINE_OVERRIDE

to disable ability to run untrusted kernel options with signed/trusted unified kernel image

Next layer of attestation can be TOTP verification at initramfs stage run.
TOTP will calculated/sealed with TPM Platform Configuration Registers (PCRs)

Sure you must trust in good nature of TPM and secure boot anchor.
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Fri Apr 12, 2024 6:22 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

I will go on with that one :idea:

great
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Sun Apr 14, 2024 11:36 am    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

user wrote:
Use unified kernel image for secure boot with custom cert.

Embedded initramfs can be added by kernel config
Code:
CONFIG_INITRAMFS_SOURCE

Simply appending the initramfs cpio file path would do the trick ?

user wrote:
Code:
CONFIG_CMDLINE_OVERRIDE

saying [Y] here prevents command line to be passed to the kernel for cryptsetup LuksOpen.

Back to the gpg initramfs detached sig method.

Genkernel or dracut ?
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Sun Apr 14, 2024 1:51 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

Well yes, may be, will keep looking around ...
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Mon Apr 15, 2024 9:13 am    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

Finally using a GPG detached signature to sign the initramfs is useless. Siging kernel is enough. Tested both with 6.6.21 and 6.1.67

efibootmgr -u
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0002,0001,0000
Boot0000* gentoo HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(\EFI\gentoo\grubx64.efi)

Boot0001* Gentoo_secboot HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(\EFI\secured\bzimage.efi)dolvm crypt_root=/dev/sda3 real_root=/dev/mapper/vg0-root root_trim=yes rootdelay=3 apparmor=1 security=apparmor mds=full,nosmt enable_mtrr_cleanup mtrr_spare_reg_nr=1 mtrr_gran_size=4M mtrr_chunk_size=32M initrd=\initramfs-6.6.21-gentoo-x86_64.img

Boot0002* Gentoo_backup HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(\EFI\backup\bzimage.efi)dolvm crypt_root=/dev/sda3 real_root=/dev/mapper/vg0-root root_trim=yes rootdelay=3 apparmor=1 security=apparmor mds=full,nosmt enable_mtrr_cleanup mtrr_spare_reg_nr=1 mtrr_gran_size=4M mtrr_chunk_size=32M initrd=\initramfs-6.1.67-gentoo-x86_64.img

initram not embed in kernel.
Back to top
View user's profile Send private message
user
Apprentice
Apprentice


Joined: 08 Feb 2004
Posts: 211

PostPosted: Mon Apr 15, 2024 2:21 pm    Post subject: Re: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

ozcircuit wrote:
...
user wrote:
Code:
CONFIG_CMDLINE_OVERRIDE

saying [Y] here prevents command line to be passed to the kernel for cryptsetup LuksOpen.
...

Yes as describe "Built-in command line overrides boot loader arguments". So you have to set kernel based built-in command line with
Code:
CONFIG_CMDLINE

to prevent running untrusted cmdline (e.g. loading infected initramfs outside of UKI) with trusted and signed unified kernel image (UKI).
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Tue Apr 16, 2024 4:36 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

Uki built with make menuconfig, make, make modules_install, make install.

cp /boot/vmlinuz-6.1.67-gentoo-x86_64 EFI/backup/bzimage.efi
sbsign --key db.key --cert db.crt --output /boot/EFI/backup/bzimage.efi /boot/EFI/backup/bzimage.efi

initrd won't boot ! generated with :

genkernel --kerneldir=/usr/src/linux-6.1.67-gentoo/ initramfs
cp ./boot/initramfs-6.1.67-gentoo-x86_64.img /usr/src/initramfs/initramfs.cpio

# Compress generated initramfs
COMPRESS_INITRD="no"

but wait genkernel.conf has :

# Build the generated initramfs into the kernel instead of
# keeping it as a separate file
#INTEGRATED_INITRAMFS="no"

worth another try :!:
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Tue Apr 16, 2024 8:05 pm    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

All done !

... but it has problems appending intel_microcode into the kernel for proper Spectre mitigations.

Not mounting the ESP so initrd can't be tempered will help until microcode issue is solved :?:
Back to top
View user's profile Send private message
ozcircuit
n00b
n00b


Joined: 03 Sep 2023
Posts: 34

PostPosted: Tue May 07, 2024 9:17 am    Post subject: Secure booting EFI Kernel stub with LUKS encryption Reply with quote

To myself

Problem solved with :

- emerging intel microcode and linux-firmware
emerge --ask sys-firmware/intel-microcode
emerge --ask sys-kernel/linux-firmware

- Identifying processor signature so it can be appended in kernel
ucode_tool -S
iucode_tool: system has processor(s) with signature 0x00040651

iucode_tool -L /lib/firmware/intel-ucode | grep 0x00040651 -B 1
microcode bundle 53: /lib/firmware/intel-ucode/06-45-01
053/001: sig 0x00040651, pf_mask 0x72, 2019-11-12, rev 0x0026, size 22528

genkernel options

# Add in early microcode support: this sets the kernel options for early microcode loading
# Possible values: empty/"no", "all", "intel", "amd"
MICROCODE="intel"

# Include early microcode in generated initramfs.
# Only needed if system cannot load multiple initramfs.
# NOTE: >=sys-boot/grub-2 will detect and auto-load {amd,intel}-uc.img file
# provided by sys-firmware/intel-microcode[initramfs] or
# sys-kernel/linux-firmware[initramfs].
MICROCODE_INITRAMFS="no"

# Build the generated initramfs into the kernel instead of
# keeping it as a separate file
INTEGRATED_INITRAMFS="YES"

# Compress generated initramfs
COMPRESS_INITRD="yes"

- upgrading to kernel 6.6.30 with following kernel options and building with genkernel all

# General setup
CONFIG_DEFAULT_INIT=""

# Processor type and features

CONFIG_MICROCODE=y

CONFIG_CMDLINE="root=PARTUUID=9b4d0a60-4e11-488c-90f0-549aa8b416c7 ro dolvm crypt_root=/dev/sda3 real_root=/dev/mapper/vg0-root root_trim=yes rootdelay=3 apparmor=1 security=apparmor mds=full,nosmt enable_mtrr_cleanup mtrr_spare_reg_nr=1 mtrr_gran_size=4M mtrr_chunk_size=32M"

CONFIG_CMDLINE_OVERRIDE=y

# Device Drivers

# Generic Driver Options

# Firmware loader
CONFIG_FW_LOADER=y

CONFIG_EXTRA_FIRMWARE="intel-ucode/06-45-01"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware

cd /etc/efikeys/
sudo sbsign --key db.key --cert db.crt --output /boot/vmlinuz-6.6.30-gentoo-x86_64 /boot/vmlinuz-6.6.30-gentoo-x86_64
Signing Unsigned original image

sudo cp vmlinuz-6.6.30-gentoo-x86_64 EFI/secured/bzimage.efi

reboot

dmesg
[ 0.000000] microcode: updated early: 0x17 -> 0x26, date = 2019-11-12
[ 0.000000] Linux version 6.6.30-gentoo-x86_64 (root@localhost) (x86_64-pc-linux-gnu-gcc (Gentoo Hardened 13.2.1_p20240210 p14) 13.2.1 20240210, GNU
ld (Gentoo 2.41 p5) 2.41.0) #3 SMP PREEMPT_DYNAMIC Tue May 7 10:19:12 CEST 2024
[ 0.000000] Command line:

[ 0.013784] Secure boot enabled


efibootmgr -u
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0003,0000
Boot0000* gentoo HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(\EFI\gentoo\grubx64.efi)
Boot0001* embed-secboot HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(EFI\secured\bzimage.efi)
Boot0003* embed-secbackup HD(2,GPT,53c0b827-f593-44f9-9472-0ab6834432ee,0x1800,0x100000)/File(EFI\embed_backup\bzimage.efi)

Bios is patched, sys runs smoothly.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum