Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
GRUB cannot boot with secure boot [SOLVED]
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2  
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware
View previous topic :: View next topic  
Author Message
zen_desu
n00b
n00b


Joined: 25 Oct 2024
Posts: 55

PostPosted: Fri Dec 20, 2024 8:21 pm    Post subject: Reply with quote

FlyingBullets wrote:
AH I GOT IT!
Code:
dmesg | grep -i secure
[    0.002375] [       T0] Secure boot enabled


What you have to do is sign the kernel with the UEFI db key AND the GRUB key! More importantly, it needs to be signed with the db key first because it embeds the signature in the kernel, THEN signed with the GRUB key to make the detached signature.

So, in order to use secure boot with GRUB and custom UEFI keys:
1) Make the PK, KEK, and db private keys for the UEFI.
2) Install the 'auth' files generated from the UEFI private keys into the actual UEFI.
3) Make the GRUB key pair with GPG.
4) Extract the public key from the GRUB GPG key pair into some file "grub_public_key".
5) Make the GRUB executable with grub-install with the following options:
* --disable-shim-lock (we are not using shim)
* --pubkey=/path/to/grub_public_key (embeds the public key into the GRUB executable to check the signatures of signed files in /boot)
* --modules="XXX" (XXX is a list of the required modules needed for signature verification; in this case, it's "pgp", "gcry_sha256", and "gcry_rsa")
6) Sign all EFI files that will be used in the boot chain with the UEFI db key with sbsign; this includes the GRUB executable and any kernels.
7) Sign all
* kernels
* inramfses
* microcode
* GRUB modules, configs, environment blocks, etc
with the GRUB GPG key to create a detached signature for all of them.

I will add detailed instructions to the "Secure Boot" wiki page soon.

Thanks everyone who helped solve this issue, especially you GDH-gentoo!


Thanks for looking into this, if you make a page do you think you can make a subpage for this GRUB stuff?

It may be worth considering a UKI so fewer files need to be signed.
_________________
µgRD dev
Wiki writer
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 20

PostPosted: Fri Dec 20, 2024 9:25 pm    Post subject: Reply with quote

zen_desu wrote:
Thanks for looking into this, if you make a page do you think you can make a subpage for this GRUB stuff?

I first want to make a script that automates the entire process so I can verify that everything is correct. I'm not sure how this information should be formatted in the "Secure Boot" wiki page (Should it be in the "Signing" section or should it get its own section?), I have to take another look. Once it's done, I can make a reference to it in the "GRUB" wiki page.

zen_desu wrote:
It may be worth considering a UKI so fewer files need to be signed.

True, and I could make an additional note about it, but it also requires more dependencies due to the additional "uki" USE flag. I have sys-kernel/installkernel installed with USE="dracut grub" -- it does everything I need it to: compile and update the kernel, initramfs, and GRUB config. All I have to do is make a ~5 line script that signs the files in /boot.
Back to top
View user's profile Send private message
zen_desu
n00b
n00b


Joined: 25 Oct 2024
Posts: 55

PostPosted: Fri Dec 20, 2024 9:33 pm    Post subject: Reply with quote

FlyingBullets wrote:
zen_desu wrote:
Thanks for looking into this, if you make a page do you think you can make a subpage for this GRUB stuff?

I first want to make a script that automates the entire process so I can verify that everything is correct. I'm not sure how this information should be formatted in the "Secure Boot" wiki page (Should it be in the "Signing" section or should it get its own section?), I have to take another look. Once it's done, I can make a reference to it in the "GRUB" wiki page.



I mean you could make a subpage like "Secure Boot/GRUB", because most of that process is unique to GRUB afaik. That and I agree it would be very hard to fit this info on the "main" page while having it still be clear for efi stub setups.

It could possibly even be "GRUB/Secure boot", as it seems most of this stuff is just extra considerations for GRUB, and doesn't apply for other setups.

FlyingBullets wrote:
zen_desu wrote:
It may be worth considering a UKI so fewer files need to be signed.

True, and I could make an additional note about it, but it also requires more dependencies due to the additional "uki" USE flag. I have sys-kernel/installkernel installed with USE="dracut grub" -- it does everything I need it to: compile and update the kernel, initramfs, and GRUB config. All I have to do is make a ~5 line script that signs the files in /boot.


I wonder if it would be possible to make a USE flag on GRUB which installs a hook that does this for you, that may not be the right place.

UKI does add more deps, but it can greatly simplify the signing process.
_________________
µgRD dev
Wiki writer


Last edited by zen_desu on Fri Dec 20, 2024 10:32 pm; edited 1 time in total
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1339
Location: Richmond Hill, Canada

PostPosted: Fri Dec 20, 2024 9:46 pm    Post subject: Reply with quote

May I suggest while you prepare making document for this secure boot, you can differentiate "uki" and "efistub kernel"

I found many confusing procedure/descriptions talk about secure boot with clearly mixing two so it lead to very difficult to understand the procedure and much frustration.
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 20

PostPosted: Fri Dec 20, 2024 9:57 pm    Post subject: Reply with quote

zen_desu wrote:
I mean you could make a subpage like "Secure Boot/GRUB"

I think this is the way to go, otherwise the "Secure Boot" page would be a kilometer long.

zen_desu wrote:
I wonder if it would be possible to make a USE flag on GRUB which installs a hook that does this for you, that may not be the right place.

sys-boot/grub has a "secureboot" USE flag that states it signs the EFI executable, but in my testing, it doesn't even do that! This might be something worth reporting unless I'm using it wrong. I don't know how though, the description of the USE flag implies that grub-install will automatically sign the EFI... but it doesn't.

In /etc/portage/make.conf, there are the variables:
Code:
SECUREBOOT_SIGN_KEY="..."
SECUREBOOT_SIGN_CERT="..."

that get used to sign things with the UEFI db key.

The developers could update the "secureboot" USE flag so that it:
1) fixes the signing of the GRUB EFI executable (/efi/EFI/BOOT/BOOTX64.EFI in my case).
2) has GRUB make use of another variable in make.conf, say,
Code:
GRUB_SIGN_KEY="..."

to sign all the needed files in /boot.
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 20

PostPosted: Fri Dec 20, 2024 10:12 pm    Post subject: Reply with quote

pingtoo wrote:
May I suggest while you prepare making document for this secure boot, you can differentiate "uki" and "efistub kernel"

Yes, I will make a subpage "Secure Boot/GRUB" that will also explain "UKI" and "efistub" kernels; they should work with GRUB because GRUB is simply loading a kernel that you select. So if you're using a UKI or an efistub right now, you will be able to utilize GRUB to be able to select a specific one at boot time.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1339
Location: Richmond Hill, Canada

PostPosted: Fri Dec 20, 2024 10:20 pm    Post subject: Reply with quote

FlyingBullets wrote:
pingtoo wrote:
May I suggest while you prepare making document for this secure boot, you can differentiate "uki" and "efistub kernel"

Yes, I will make a subpage "Secure Boot/GRUB" that will also explain "UKI" and "efistub" kernels; they should work with GRUB because GRUB is simply loading a kernel that you select. So if you're using a UKI or an efistub right now, you will be able to utilize GRUB to be able to select a specific one at boot time.


For your information. Actually GRUB by default cannot work UKI/efistub. Because they have PE header.

For GRUB to work you will need to use chainloader in GRUB.
Back to top
View user's profile Send private message
Nowa
Developer
Developer


Joined: 25 Jun 2014
Posts: 458
Location: Nijmegen

PostPosted: Fri Dec 20, 2024 10:29 pm    Post subject: Reply with quote

Quote:

The developers could update the "secureboot" USE flag so that it:
1) fixes the signing of the GRUB EFI executable (/efi/EFI/BOOT/BOOTX64.EFI in my case).
2) has GRUB make use of another variable in make.conf, say,
Code:
GRUB_SIGN_KEY="..."

to sign all the needed files in /boot.


The secureboot flag does do this, it is just that grub-install does not use this signed EFI file that portage builds. As I said in my previous reply you have to copy this file and *not* use grub-install. If you do use grub-install then you are on your own to sign it and ensure the required modules are included, it is highly impractical to modify/patch the behaviour of grub-install downstream as you suggest. Because contrary to what the name suggests, grub-install does not just install grub, it builds the grub EFI executable, and hence this is all entirely outside of the control of portage.

To sign your kernels in /boot you use the same SECUREBOOT_ variables and the secureboot flag but for the kernel packages, all this gpg signing is not required, the kernels will pass verification if they are signed with the same key as the bootloader. GRUBs gpg capabilities are something entirely independent from secureboot. Gpg signatures is not something we can practically support automating via portage, and it is not necessary since openssl signing is already in place via the securboot use flag.

If you do not want to use portages signing facilities for whatever reason you can alternatively use the sbctl package which provides installkernel hooks to sign the installed kernels in the installation stage (instead of in the building phase as portage would do). Again this would be using openssl and not gpg in the background.
_________________
OS: Gentoo 6.10.12-gentoo-dist, ~amd64, 23.0/desktop/plasma/systemd
MB: MSI Z370-A PRO
CPU: Intel Core i9-9900KS
GPU: Intel Arc A770 16GB & Intel UHD Graphics 630
SSD: Samsung 970 EVO Plus 2 TB
RAM: Crucial Ballistix 32GB DDR4-2400


Last edited by Nowa on Fri Dec 20, 2024 10:31 pm; edited 1 time in total
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 20

PostPosted: Fri Dec 20, 2024 10:30 pm    Post subject: Reply with quote

pingtoo wrote:
For GRUB to work you will need to use chainloader in GRUB.

Ah yes, that's right.
Back to top
View user's profile Send private message
FlyingBullets
n00b
n00b


Joined: 19 Mar 2024
Posts: 20

PostPosted: Fri Dec 20, 2024 11:07 pm    Post subject: Reply with quote

Nowa wrote:
The secureboot flag does do this, it is just that grub-install does not use this signed EFI file that portage builds. As I said in my previous reply you have to copy this file and *not* use grub-install. If you do use grub-install then you are on your own to sign it and ensure the required modules are included, it is highly impractical to modify/patch the behaviour of grub-install downstream as you suggest. Because contrary to what the name suggests, grub-install does not just install grub, it builds the grub EFI executable, and hence this is all entirely outside of the control of portage.

To sign your kernels in /boot you use the same SECUREBOOT_ variables and the secureboot flag but for the kernel packages, all this gpg signing is not required, the kernels will pass verification if they are signed with the same key as the bootloader. GRUBs gpg capabilities are something entirely independent from secureboot. Gpg signatures is not something we can practically support automating via portage, and it is not necessary since openssl signing is already in place via the securboot use flag.

If you do not want to use portages signing facilities for whatever reason you can alternatively use the sbctl package which provides installkernel hooks to sign the installed kernels in the installation stage (instead of in the building phase as portage would do). Again this would be using openssl and not gpg in the background.

I think the reason why those other options didn't work for me is that I wanted to use my own keys, so any solution involving shim wouldn't work (I have no idea). I tried the signed EFI file /usr/lib/grub/grub*.signed, but it didn't work. When I tried to use sbctl, it wasn't able to enroll keys in the UEFI even after I put it in "Setup" mode.

Maybe they didn't work because I have an external initramfs and microcode.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Kernel & Hardware All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum