jakeday / linux-surface

Linux Kernel for Surface Devices

Secureboot - image already signed #622

Closed PandorasFox closed 4 years ago

PandorasFox commented 4 years ago

tl;dr the linux-surface kernel in the arch repo is signed and that causes problems.

Apparently, the first signature needs to be my enrolled key, since otherwise booting the image fails. I'm currently using rEFInd with the shim loader & managed keys.

Doing `# sbattach --remove /boot/vmlinuz-linux-surface.signed` and then rebooting worked. When reinstalling the linux-surface package, I see `Image was already signed; adding additional signature` during my signing hook.

I'm unsure about the semantics of distributing (self-)signed kernels.

qzed commented 4 years ago

Yeah, so we've decided to sign the releases to make the process a bit easier for users who don't know much about secure-boot and simplify the update process for them. It's basically for convenience. You can still use your own key, but you either need to remove the existing signature (as you've already figured out) or add the certificate used for signing to the managed keys (if you're using one of my releases, that would be https://github.com/qzed/linux-surface/blob/master/keys/MOK.cer). Unfortunately I've never found a clear source on that, but if an image is signed with multiple keys, all keys seem to be required.

PandorasFox commented 4 years ago

Ah, it requiring keys for all the signatures makes sense in hindsight. Thanks!

ghost commented 4 years ago

> Yeah, so we've decided to sign the releases to make the process a bit easier for users who don't know much about secure-boot and simplify the update process for them. It's basically for convenience. You can still use your own key, but you either need to remove the existing signature (as you've already figured out) or add the certificate used for signing to the managed keys (if you're using one of my releases, that would be https://github.com/qzed/linux-surface/blob/master/keys/MOK.cer). Unfortunately I've never found a clear source on that, but if an image is signed with multiple keys, all keys seem to be required.

is this supposed to already work out of the box? i followed the instructions here: https://github.com/qzed/linux-surface but then ran into the not signed issue in grub (#623). does the mok.cer you linked need to be installed manually for it to run, or is that supposed to be handled by the script? (i'm offering to add it to the install instructions for others who run into the same issue, but for now i am stuck at the error and not sure how to proceed unfortunately)

qzed commented 4 years ago

You need to either manually enroll the MOK.cer (see https://github.com/qzed/linux-surface/wiki/Secure-Boot#manually-enrolling-a-public-key) or we also have helper packages that do that for you (see https://github.com/qzed/linux-surface/wiki/Secure-Boot#using-the-provided-secure-boot-certificate).

qzed commented 4 years ago

@richardk80 If you don't want Secure Boot, sure.

qzed commented 4 years ago

@richardk80 Sure, this issue won't happen when Secure Boot is disabled. The issue will only trigger when you're actively trying to set up Secure Boot, so I assume that @PandorasFox wanted to set up Secure Boot. In that case "just disable it" is not an appropriate answer. But again, if you don't want/care about Secure Boot, that's also a valid option.

PandorasFox commented 4 years ago

Yeah, I wanted to re-enable secureboot since the SL3-A has a really ugly red banner at boot when secureboot is off (that, frankly, is just too bright).

I have an eventual goal to also use lockdown & generally verify the entire bootchain of my laptop just because I should be able to. I haven't found a great solution to preventing modifications to my initrd's, though, but that's entirely outside the scope of this :)