From Fedora Project Wiki
Line 15: Line 15:
 
= Create signing keys =
 
= Create signing keys =
  
This is pretty easy on a modern Linux distro when you've got pesign installed, though it is recommended to use a hardware security mechanism like a smart card or USB FIPS 140 Level 2 conforming device to generate and store the cryptographic keys.  There's a short tutorial on that <a href="https://fedoraproject.org/wiki/User:Pjones/SecureBootSmartCardDeployment">here</a>, though for these purposes you don't really need a CA key.  Assuming you've got the device itself set up and its modules added to the nss db in /etc/pki/pesign, and it is represented with a token in your pesign nss database named "fred", you need to create the keypaid and certificates:
+
This is pretty easy on a modern Linux distro when you've got pesign installed, though it is recommended to use a hardware security mechanism like a smart card or USB FIPS 140 Level 2 conforming device to generate and store the cryptographic keys.  There's a short tutorial on that over at [[User:Pjones/SecureBootSmartCardDeployment]], though for these purposes you don't really need a separate CA key; a single self-signed key should do.  Assuming you've got the device itself set up and its modules added to the nss db in /etc/pki/pesign, and it presents a token in your pesign nss database named "fred", you need to create the key pair and certificates:
 
<pre>efikeygen -t fred -S -n jrh-signer -c "CN=J.Random Hacker's Code Signing Authority and Amalgamated Distillates, Inc." -u "https://example.com/jrh-signer-info"</pre>
 
<pre>efikeygen -t fred -S -n jrh-signer -c "CN=J.Random Hacker's Code Signing Authority and Amalgamated Distillates, Inc." -u "https://example.com/jrh-signer-info"</pre>
  

Revision as of 19:40, 4 November 2014

Self Signing For Secure Boot

Here's how to do your own signing for use with Secure Boot!

Stuff you need

Steps

Create signing keys

This is pretty easy on a modern Linux distro when you've got pesign installed, though it is recommended to use a hardware security mechanism like a smart card or USB FIPS 140 Level 2 conforming device to generate and store the cryptographic keys. There's a short tutorial on that over at User:Pjones/SecureBootSmartCardDeployment, though for these purposes you don't really need a separate CA key; a single self-signed key should do. Assuming you've got the device itself set up and its modules added to the nss db in /etc/pki/pesign, and it presents a token in your pesign nss database named "fred", you need to create the key pair and certificates:

efikeygen -t fred -S -n jrh-signer -c "CN=J.Random Hacker's Code Signing Authority and Amalgamated Distillates, Inc." -u "https://example.com/jrh-signer-info"

Build shim with your key built in to it

At the least, you need some things from shim signed, and you need to build it with your keys built in. Basically this:

jrh-machine:~/shim-0.8$ certutil -d /etc/pki/pesign -h fred -L -n jrh-signer -r > jrh-signer.cer
jrh-machine:~/shim-0.8$ make 'DEFAULT_LOADER=\\\\grubx64.efi' VENDOR_CERT_FILE=jrh-signer.cer shim.efi MokManager.efi fallback.efi
jrh-machine:~/shim-0.8$ pesign -t fred -c jrh-signer -s -i shim.efi -o shim-signed.efi
jrh-machine:~/shim-0.8$ pesign -t fred -c jrh-signer -s -i fallback.efi -o fallback-signed.efi
jrh-machine:~/shim-0.8$ pesign -t fred -c jrh-signer -s -i MokManager.efi -o MokManager-signed.efi

Assuming the EFI system partition is mounted on /boot/efi/, you'll also need to copy the files into place. Don't just change -o above to point there; you may hit <a href="https://github.com/vathpela/fuzzy-lana">this problem</a> and find yourself having a very confusing week.

mkdir -p /boot/efi/EFI/jrh/ /boot/efi/EFI/BOOT
cp shim-signed.efi /boot/efi/EFI/jrh/shim.efi
cp MokManager-signed.efi /boot/efi/EFI/jrh/MokManager.efi
cp shim-signed.efi /boot/efi/EFI/BOOTX64.EFI
cp fallback.efi /boot/efi/EFI/BOOT/fallback.efi

You'll also want to make a BOOT.CSV for fallback to find in EFI\jrh\ ; it's a UCS-2 LE file, so do something like:

echo -n "shim.efi,JRH-OS,,This is the boot entry for JRH-OS" | ( printf "\xff\xfe" ; sed 's/./&\x00/g') > /boot/efi/EFI/jrh/BOOT.CSV



...