Closed PandorasFox closed 4 years ago
Yeah, so we've decided to sign the releases to make the process a bit easier for users who don't know much about secure-boot and simplify the update process for them. It's basically for convenience. You can still use your own key, but you either need to remove the existing signature (as you've already figured out) or add the certificate used for signing to the managed keys (if you're using one of my releases, that would be https://github.com/qzed/linux-surface/blob/master/keys/MOK.cer). Unfortunately I've never found a clear source on that, but if an image is signed with multiple keys, all keys seem to be required.
Ah, it requiring keys for all the signatures makes sense in hindsight. Thanks!
Is this supposed to already work out of the box? I followed the instructions here: https://github.com/qzed/linux-surface but then ran into the not signed issue in grub (#623). Does the MOK.cer you linked need to be installed manually for it to run, or is that supposed to be handled by the script? (I'm offering to add it to the install instructions for others who run into the same issue, but for now I am stuck at the error and not sure how to proceed unfortunately)
You need to either manually enroll the MOK.cer (see https://github.com/qzed/linux-surface/wiki/Secure-Boot#manually-enrolling-a-public-key) or we also have helper packages that do that for you (see https://github.com/qzed/linux-surface/wiki/Secure-Boot#using-the-provided-secure-boot-certificate).
@richardk80 If you don't want Secure Boot, sure.
@richardk80 Sure, this issue won't happen when Secure Boot is disabled. The issue will only trigger when you're actively trying to set up Secure Boot, so I assume that @PandorasFox wanted to set up Secure Boot. In that case "just disable it" is not an appropriate answer. But again, if you don't want/care about Secure Boot, that's also a valid option.
Yeah, I wanted to re-enable secureboot since the SL3-A has a really ugly red banner at boot when secureboot is off (that, frankly, is just too bright).
I have an eventual goal to also use lockdown & generally verify the entire bootchain of my laptop just because I should be able to. I haven't found a great solution to preventing modifications to my initrds, though, but that's entirely outside the scope of this :)
tl;dr the linux-surface kernel in the arch repo is signed and that causes problems.
Apparently, the first signature needs to be my enrolled key, since otherwise booting the image fails. I'm currently using rEFInd with the shim loader & managed keys.
Doing
# sbattach --remove /boot/vmlinuz-linux-surface.signed
and then rebooting worked. When reinstalling the linux-surface package, I see "Image was already signed; adding additional signature" during my signing hook. I'm unsure about the semantics of distributing (self-)signed kernels.
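The "already signed; adding additional signature" message above comes from the fact that a PE/EFI image can carry several Authenticode signatures in its certificate table. As an added example (not code from linux-surface or sbsigntools), here is a minimal Python parser that lists those WIN_CERTIFICATE entries, so you can see how many signatures a kernel image carries before deciding whether to strip the existing one or enroll the distribution's MOK.cer alongside your own key. It assumes a well-formed PE32/PE32+ header and does not decode the PKCS#7 blobs themselves; `build_test_image` is a constructed test fixture, not a real kernel.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header


def list_signatures(pe: bytes):
    """Return [(revision, cert_type, blob)] for every WIN_CERTIFICATE entry
    in the image's certificate table (one entry per Authenticode signature)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 24                              # 'PE\0\0' + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    # For the security directory, VirtualAddress is a raw file offset, not an RVA.
    table_off, table_len = struct.unpack_from("<II", pe, dd_off + 8 * SECURITY_DIR_INDEX)
    sigs, pos, end = [], table_off, table_off + table_len
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("corrupt certificate table entry")
        sigs.append((rev, ctype, bytes(pe[pos + 8:pos + length])))
        pos += (length + 7) & ~7                         # entries are 8-byte aligned
    return sigs


def signature_count(pe: bytes) -> int:
    return len(list_signatures(pe))


def build_test_image(blobs):
    """Constructed minimal PE32+ image carrying the given signature blobs
    (test fixture only; the blobs are placeholders, not real PKCS#7 data)."""
    table = b""
    for blob in blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    table_off = 0x40 + 4 + 20 + len(opt)
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, table_off, len(table))
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for i, (rev, ctype, blob) in enumerate(list_signatures(f.read()), 1):
            print(f"signature {i}: revision=0x{rev:04x} type=0x{ctype:04x} {len(blob)} bytes")
```

Run it as `python3 pesigs.py /boot/vmlinuz-linux-surface.signed`; two entries means the image already carries the distribution signature plus your own, which is the case the signing hook reports.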