From Fedora Project Wiki
Revision as of 19:38, 4 November 2014

Self Signing For Secure Boot

Here's how to do your own signing for use with Secure Boot!

Stuff you need

** shim - https://github.com/mjg59/shim/releases/download/0.8/shim-0.8.tar.bz2
** grub2 - upstream from gnu.org or your distro, plus these patches if your distro doesn't have them:
*** [https://github.com/vathpela/grub2-fedora/commit/70e7bfb2caa9d0f52187b4f6e84762c6459c5903 70e7bfb], [https://github.com/vathpela/grub2-fedora/commit/acc83cfa76a6457be73b1e748a80deb3967e2364 acc83cf], [https://github.com/vathpela/grub2-fedora/commit/fe7b32ab9e58470fdf930d8efc7c9ebcd69e6ef3 fe7b32a]
** the linux kernel from whatever distro you're using.
** pesign - https://github.com/vathpela/pesign/releases/download/0.110/pesign-0.110.tar.bz2

Steps

Create signing keys

This is pretty easy on a modern Linux distro once you've got pesign installed, though it is recommended to use a hardware security mechanism such as a smart card or a USB device conforming to FIPS 140 Level 2 to generate and store the cryptographic keys. There's a short tutorial on that [https://fedoraproject.org/wiki/User:Pjones/SecureBootSmartCardDeployment here], though for these purposes you don't really need a CA key. Assuming you've got the device itself set up and its modules added to the NSS database in /etc/pki/pesign, and it is represented by a token in your pesign NSS database named "fred", you need to create the keypair and certificate:

efikeygen -t fred -S -n jrh-signer -c "CN=J.Random Hacker's Code Signing Authority and Amalgamated Distillates, Inc." -u "https://example.com/jrh-signer-info"

Build shim with your key built into it

At minimum, you need shim's own binaries (shim, MokManager and fallback) signed, and you need to build shim with your certificate built in. Basically this:

jrh-machine:~/shim-0.8$ certutil -d /etc/pki/pesign -h fred -L -n jrh-signer -r > jrh-signer.cer
jrh-machine:~/shim-0.8$ make 'DEFAULT_LOADER=\\\\grubx64.efi' VENDOR_CERT_FILE=jrh-signer.cer shim.efi MokManager.efi fallback.efi
jrh-machine:~/shim-0.8$ pesign -t fred -c jrh-signer -s -i shim.efi -o shim-signed.efi
jrh-machine:~/shim-0.8$ pesign -t fred -c jrh-signer -s -i fallback.efi -o fallback-signed.efi
jrh-machine:~/shim-0.8$ pesign -t fred -c jrh-signer -s -i MokManager.efi -o MokManager-signed.efi

Assuming the EFI system partition is mounted on /boot/efi/, you'll also need to copy the files into place. Don't just change -o above to point there; you may hit [https://github.com/vathpela/fuzzy-lana this problem] and find yourself having a very confusing week.

mkdir -p /boot/efi/EFI/jrh/ /boot/efi/EFI/BOOT
cp shim-signed.efi /boot/efi/EFI/jrh/shim.efi
cp MokManager-signed.efi /boot/efi/EFI/jrh/MokManager.efi
cp shim-signed.efi /boot/efi/EFI/BOOT/BOOTX64.EFI
cp fallback-signed.efi /boot/efi/EFI/BOOT/fallback.efi

You'll also want to make a BOOT.CSV for fallback to find in EFI\jrh\; it's a UCS-2 LE (little-endian) file with a byte-order mark, so do something like:

echo -n "shim.efi,JRH-OS,,This is the boot entry for JRH-OS" | ( printf "\xff\xfe" ; sed 's/./&\x00/g') > /boot/efi/EFI/jrh/BOOT.CSV
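The BOOT.CSV layout worked through as an added example (not code from this wiki page or from shim): a builder that writes the filename,label,options,description line as UCS-2 LE behind the byte-order mark, a parser that checks the properties fallback depends on, and a mimic of the sed pipeline above showing that it is only correct for ASCII text. The parser illustrates the format and is not fallback.efi's own code; the sample entries are constructed.

```python
# Added example, not code from the wiki page or from shim: build and check a
# BOOT.CSV in the layout described above (filename,label,options,description,
# UCS-2 LE text behind a byte-order mark). Parsing here illustrates the format
# and is not fallback.efi's own code.
BOM_LE = b"\xff\xfe"  # the byte-order mark that printf "\xff\xfe" writes

def make_boot_csv(entries):
    """entries: (filename, label, options, description) tuples, one per line."""
    lines = []
    for fields in entries:
        if len(fields) != 4:
            raise ValueError("each entry needs exactly 4 fields: %r" % (fields,))
        for f in fields:
            if "," in f or "\n" in f or "\r" in f:
                raise ValueError("field may not contain ',' or a line break: %r" % f)
        lines.append(",".join(fields))
    # UTF-16-LE is byte-identical to UCS-2 LE for characters in the BMP, which
    # is all a boot entry label or description should ever need.
    return BOM_LE + "\n".join(lines).encode("utf-16-le")

def parse_boot_csv(data):
    """Decode BOOT.CSV bytes into 4-tuples, checking BOM and even byte count."""
    if not data.startswith(BOM_LE):
        raise ValueError("missing UCS-2 LE byte-order mark")
    body = data[len(BOM_LE):]
    if len(body) % 2:
        raise ValueError("odd byte count: not a UCS-2 LE file")
    entries = []
    for line in body.decode("utf-16-le").splitlines():
        if not line.strip():
            continue  # tolerate blank lines / a trailing newline
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError("expected 4 fields, got %d in %r" % (len(parts), line))
        entries.append(tuple(parts))
    return entries

def sed_style_ucs2(text):
    """Mimic the page's pipeline (sed 's/./&\\x00/g' in the C locale): a NUL
    after every *byte*. Identical to make_boot_csv for ASCII, wrong otherwise."""
    return BOM_LE + b"".join(bytes([b, 0]) for b in text.encode("utf-8"))

if __name__ == "__main__":
    entry = ("shim.efi", "JRH-OS", "", "This is the boot entry for JRH-OS")
    data = make_boot_csv([entry])                      # what the page's command writes
    assert data == sed_style_ucs2(",".join(entry))
    assert parse_boot_csv(data) == [entry]
    mangled = sed_style_ucs2("shim.efi,Ünicode-OS,,constructed non-ASCII label")
    print(parse_boot_csv(mangled)[0][1])               # not "Ünicode-OS"
```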



...