void-linux / void-docs

mdbook source for docs.voidlinux.org
https://docs.voidlinux.org
Creative Commons Attribution Share Alike 4.0 International

Document Resource: Secureboot #548

Open ghost opened 3 years ago

ghost commented 3 years ago

I was interested in secureboot on Void. One of the users on the Void Matrix group posted about it and shared how he set it up here. Not sure if pastebin autodeletes stuff, so I will paste it below in full. I will make a doc PR for this after I finish relearning git, so this is notes for myself, or if someone else wants to PR it as well.

# Secureboot guide for Linux

I'm using Void, but this should work on most distros. You will just have to replace stuff like xbps-install with apt, for example.

0.1. Enter Root

```sh
sudo su
```

1. Install efitools sbsigntool

```sh
sudo xbps-install efitools efitools-efi
```

2. Create a GUID for owner identification

```sh
uuidgen --random > GUID.txt
```

3. Platform key

```sh
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Platform Key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
```

3.1 Sign an empty file to allow removing Platform Key when in "User Mode"

```sh
sign-efi-sig-list -g "$(< GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth
```

4. Key Exchange Key

```sh
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Key Exchange Key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
```

5. Signature Database key

```sh
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=my Signature Database key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
```

6. Signing Bootloader and Kernel. (I use grub)

```sh
sbsign --key db.key --cert db.crt --output /boot/vmlinuz(enter version here) /boot/vmlinuz(enter version here)
sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/BOOTX64.EFI
```

7. Enroll your keys

```sh
cp /root/*.cer /root/*.esl /root/*.auth /boot/efi/
```

Follow this guide: https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot#Method_3:_Inserting_Keys_via_Keytool

Keys should be added in this order: db => KEK => PK

8. Enable SecureBoot and Enjoy!

anon-lestat commented 3 years ago

Glad to see a guide I quickly wrote is of help :D

ghost commented 3 years ago

@anon-lestat glad someone got something going on it. The Arch Linux guide on secureboot was way over my head.

anon-lestat commented 3 years ago

A little fix:

```sh
sudo xbps-install efitools efitools-efi sbsigntool
```

sgn commented 3 years ago

For the `<enter version here>`, you can replace it with `-$(uname -r)`. Disclaimer: I don't use this method. Disclaimer 2: feel free to report problems with sbsigntool, I'll fix them asap.

ericonr commented 3 years ago

I don't think this fits in void-docs at all, sorry. Key creation and enrollment are messy and there are a bunch of guides out there already. The only part that's Void-specific is the sbsigntool hook, which I tried to document in #507. Could also mention that dracut supports signing.

I stopped using either, though, and have been happy with https://github.com/Foxboron/sbctl.

@sgn regarding using uname, that doesn't work great after you update a kernel :p
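
The stale-`uname -r` problem raised above, as an added example that is not part of the thread and is not Void's sbsigntool hook: rather than naming one version, it walks every `vmlinuz-*` image in the boot directory and signs only those that do not already verify against `db.crt`. `KEYDIR`, `BOOTDIR`, the function names and the `vmlinuz-<version>` naming are assumptions; `sbsign` and `sbverify` are the sbsigntool commands.

```shell
#!/bin/sh
# Added example: sign every installed kernel instead of only "$(uname -r)".
# Assumptions: db.key/db.crt live in KEYDIR and kernels are named
# BOOTDIR/vmlinuz-<version>. Function and variable names are hypothetical.
KEYDIR=${KEYDIR:-/root}
BOOTDIR=${BOOTDIR:-/boot}

# Succeeds if the image already carries a signature that verifies against db.crt.
is_signed() {
    sbverify --cert "$KEYDIR/db.crt" "$1" >/dev/null 2>&1
}

# Sign into a temporary file in the same directory and rename it over the
# original, so a failed sbsign run never leaves a truncated kernel in place.
sign_image() {
    tmp="${1%/*}/.signing.$$"
    if sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" \
              --output "$tmp" "$1" >/dev/null 2>&1; then
        mv -f "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Walk all kernels, print a one-line summary, fail if any could not be signed.
sign_all_kernels() {
    signed=0 skipped=0 failed=0
    for img in "$BOOTDIR"/vmlinuz-*; do
        [ -f "$img" ] || continue        # glob matched nothing
        if is_signed "$img"; then
            skipped=$((skipped + 1))     # already signed with our db key
        elif sign_image "$img"; then
            signed=$((signed + 1))
        else
            failed=$((failed + 1))
        fi
    done
    echo "signed=$signed skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}

# Run only when called as: sh sign-kernels.sh run
if [ "${1:-}" = "run" ]; then
    sign_all_kernels
fi
```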

sgn commented 3 years ago

@ericonr Heh, let's just assume that I won't update kernel :-p (I knew I was wrong)

Joking aside, dracut without any argument will update the initramfs for the running kernel. I would love to see if we can have a better hook for sbsigntool; the original was written by me, and it's, admittedly, badly written. It's re-formatted from my personal hook, after all.

ghost commented 3 years ago

@ericonr, should I close the issue then?

ericonr commented 3 years ago

There are things that can be covered, as I mentioned. I'm not against having some Secure Boot information, I just don't want us to host yet another guide on setting it up.

ghost commented 3 years ago

@ericonr should the guides just be linked to then?