PartialVolume / shredos.x86_64

Shredos Disk Eraser 64 bit for all Intel 64 bit processors as well as processors from AMD and other vendors which make compatible 64 bit chips. ShredOS - Secure disk erasure/wipe

Secure Boot and keeping logs #8

Open WhiteDogBe opened 4 years ago

WhiteDogBe commented 4 years ago

Hello,

Really love this project, exactly what one expects when you go looking for a tool like this. I've been playing around with it a bit and hit two bumps at the moment:

Keep safe and thanks for your time!

PartialVolume commented 4 years ago

Thanks, much appreciated.

Regarding secure boot, it looks like a whole load of work to produce a secure boot version. However I don't know enough about secure boot to know for sure. Most people would disable secure boot and/or enable legacy mode on the bios to use ShredOS. I believe some distributions may support secure boot? But I don't think buildroot does. Never say never but at the moment it's not in any of my plans. (Of course if there's anybody that knows all about secure boot signing with buildroot and is prepared to do the work it would likely get added)

In regards to the permanent keeping of the logs. Now that is a feature I want to add. Persistent storage. Not sure exactly when yet as I'm trying to get the 0.29 version of nwipe ready for official release and there's a few fixes I need to make to that first.

PartialVolume commented 3 years ago

Working with UEFI secure boot systems as long as secure boot is disabled in the system's UEFI setup (aka bios) screen.

ell-ectric commented 2 years ago

Apologies for the bump, but I saw that shim is included in /boot now. Are you planning on supporting secure boot in future versions of shredos? I'm trying to sign the boot firmware so I can use this on secure boot machines in bulk, but preloader doesn't seem to support signing firmware ahead of time. If you have some support for shim planned, then that would be great; I'd offer to help, but I'm not quite sure how to yet.

PartialVolume commented 2 years ago

Yes, although I've not spent any time looking at what issues need to be overcome in order to implement it. At the moment I'm focused on other parts of ShredOS but if anybody wants to open up a discussion and maybe even do a PR I'd be happy to check it out and commit it. Even posting good links to tutorials on the subject would be useful and might change my priorities.

PartialVolume commented 2 years ago

As a reminder to myself & others: I'm going to place a few links here so I can study this when I have some time: https://wiki.debian.org/SecureBoot/Testing

ell-ectric commented 2 years ago

Rod Smith's website has a lot of great information: http://www.rodsbooks.com/efi-bootloaders/index.html Though I don't believe it has been updated for shim's new SBAT requirement. It's a great resource otherwise. There's some information about SBAT files and how to generate them in shim's repository: https://github.com/rhboot/shim/blob/main/SBAT.md

PartialVolume commented 1 year ago
  • Would it be possible to keep the logs permanently on the USB key? I'm aware that you provide instructions but I think it would be a good addition to have this by default somehow on the image you provide (or a more simple way to get the files off).

Currently adding this option to ShredOS, nwipe log files will be automatically copied over to the first FAT32 partition found (which should usually be the ShredOS USB stick). If no FAT32 partition is found, such as the case might be if booting ShredOS via the network, then the message "No FAT32 formatted drive found, unable to archive nwipe log file" will be displayed on exit from nwipe. The FAT32 formatted drive does not have to be a ShredOS drive, so if you are booting from the network just plug any old FAT32 formatted drive into the computer and ShredOS will copy the nwipe log files over to it on completion of the wipe. For reference the drive needs to be identified as FAT32 when using fdisk. I can open this up to other formats if necessary but a ShredOS thumb drive is identified as FAT32 by fdisk so that's what I've used for the time being.
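
The archive step described in the comment above, written out as an added shell example; it is not ShredOS or nwipe code. The log and report file name patterns, the /mnt/archive mount point and the sample fdisk listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ShredOS code. File name patterns, mount point and the
# sample fdisk listing below are constructed assumptions.
SAMPLE_FDISK='Device     Boot Start       End   Sectors   Size Id Type
/dev/sda1        2048 976773167 976771120 465.8G 83 Linux
/dev/sdb1  *     2048  15728639  15726592   7.5G  c W95 FAT32 (LBA)
/dev/sdc1        2048   1050623   1048576   512M  b W95 FAT32'

# Read `fdisk -l` output on stdin and print the first partition whose type
# text mentions FAT32. Exit status is 1 when no such partition is listed.
first_fat32_partition() {
    awk '/^\/dev\// && /FAT32/ { print $1; found = 1; exit }
         END { exit !found }'
}

# Copy nwipe logs and PDF reports from $1 to $2, then compare each copy with
# its source so a short or failed copy is caught. Prints the file count.
copy_and_verify() {
    src=$1 dest=$2 count=0
    for f in "$src"/nwipe_log_*.txt "$src"/*.pdf; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal
        cp "$f" "$dest"/ || return 1
        cmp -s "$f" "$dest/$(basename "$f")" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Full flow (needs root): locate the partition, mount it, archive, unmount.
archive_nwipe_logs() {
    log_dir=$1 mnt=${2:-/mnt/archive}
    part=$(fdisk -l 2>/dev/null | first_fat32_partition) || {
        echo "No FAT32 formatted drive found, unable to archive nwipe log file"
        return 1
    }
    mkdir -p "$mnt" && mount -t vfat "$part" "$mnt" || return 1
    status=0
    copy_and_verify "$log_dir" "$mnt" >/dev/null || status=1
    umount "$mnt"                        # flushes the writes to the stick
    return "$status"
}

# Demo on the constructed listing; prints /dev/sdb1
printf '%s\n' "$SAMPLE_FDISK" | first_fat32_partition
```

Taking the first match means that with several FAT32 drives attached, the logs go to whichever one fdisk lists first, so a wipe station should have only the intended archive drive plugged in.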

PartialVolume commented 1 year ago
  • Would it be possible to keep the logs permanently on the USB key? I'm aware that you provide instructions but I think it would be a good addition to have this by default somehow on the image you provide (or a more simple way to get the files off).

Archiving of the logs to USB has been committed by #121

PartialVolume commented 1 year ago

In the next release, the PDF reports for each drive will also be sent across to the USB stick at the end of the wipes, along with the log file.

PartialVolume commented 9 months ago

PDFs are also now saved to the USB flash drive commit