Gentoo Forums
Impossible to Secure Boot
blt
n00b

Joined: 21 Mar 2021
Posts: 11

Posted: Wed Mar 24, 2021 10:34 pm    Post subject: Impossible to Secure Boot

I tried to follow this guide to set up my brand new Gentoo install with Secure Boot, as Sakaki's guide is EOL (and anyway designed to be used with some homemade scripts to automate almost everything); I am more on a learning approach, as I am a new Gentoo user.

Everything is working correctly from the guide apart from the last piece: when I enforce check_signatures, my UEFI refuses to boot and I am stuck at the UEFI boot list.

I am wondering if the issue is coming from the fact that the initrd is signed by GPG instead of sbsigntools (used to sign the bootloader and kernel), as I don't see how my UEFI would use the Secure Boot keys to validate an initrd signed by GPG.

But maybe the issue is even earlier, as it seems to happen just when my UEFI tries to load GRUB, so I am wondering if GRUB is even able to try to load the initrd; in that case my assumption above may be discarded.

Any idea where to start troubleshooting this issue? I don't really know where to look, as my issue is so early in the boot process.

Many thanks
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3875

Posted: Wed Mar 24, 2021 10:42 pm

For Secure Boot you need shim64.efi. Get it from sys-boot/shim. Actually, I just installed it and it provides these binaries:
Code:

eqf sys-boot/shim
 * Searching for shim in sys-boot ...
 * Contents of sys-boot/shim-15.5-r1:
/usr
/usr/share
/usr/share/shim
/usr/share/shim/BOOTIA32.EFI
/usr/share/shim/BOOTX64.EFI
/usr/share/shim/mmia32.efi
/usr/share/shim/mmx64.efi


So maybe copy /usr/share/shim/BOOTX64.EFI and /usr/share/shim/mmx64.efi to /boot/efi/EFI/gentoo/ and use efibootmgr to create an EFI boot entry:
Code:

efibootmgr -c -d </dev/esp-disk> -p <esp-partition-number> -L "gentoo" -l "\EFI\gentoo\BOOTX64.EFI"

blt
n00b

Joined: 21 Mar 2021
Posts: 11

Posted: Wed Mar 24, 2021 11:04 pm

Thanks for your suggestion. I installed shim and tried to recreate grub.cfg, but same issue; I was about to ask you if I would need to add shim somewhere, but I just saw your edits.

I will try your suggestion tomorrow morning and I'll let you know. Thanks again.
alamahant
Advocate

Joined: 23 Mar 2019
Posts: 3875

Posted: Thu Mar 25, 2021 12:04 am

I used this to get all the necessary files:
https://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/s/shim-x64-15-8.x86_64.rpm
I extracted it, copied shimx64.efi to /boot/efi/EFI/gentoo, added a new efibootmgr entry and booted in.
It worked.
I don't know if I am doing foolish things, but it seems to work.
Code:

efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0002,0003,0004,0005,0006,0007,0008,0009
Boot0000* gen   HD(1,GPT,5f713193-1e02-42f6-8135-113b790a3cf9,0x800,0x64000)/File(\EFI\gen\shimx64.efi)


pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3998
Location: Bavaria

Posted: Thu Mar 25, 2021 10:50 am

Maybe this can help: https://forums.gentoo.org/viewtopic-t-1112966.html
GDH-gentoo
Veteran

Joined: 20 Jul 2019
Posts: 1507
Location: South America

Posted: Thu Mar 25, 2021 5:27 pm

I think that some clarification is in order.

The methods described in the document linked in the OP, in Sakaki's guide, and in pietinger's guide, involve replacing the UEFI firmware's platform key, key exchange key, and the keys in the database used for verifying signed binaries. This requires a cooperative (i.e. not crappy) firmware.

The UEFI shim is kind of a workaround, it operates in a different way. The keys used by the firmware are left alone, and a separate set of keys (the machine owner keys) are created and used to sign the binaries. This is only useful if the shim itself is signed (usually with a Microsoft-approved key). Gentoo's sys-boot/shim package appears to just download Fedora's RPM and extract some of its (already compiled) files. I believe that the signed shim in the RPM is the file named shimx64-fedora.efi, and that the file named shimx64.efi is unsigned. I expect the unsigned shim not to work when secure boot is enabled in the firmware, and if it isn't, then, well, one can just boot the bootloader or stub kernel and not bother with the shim. I see no point in installing and booting the unsigned shim if one is going to have secure boot turned off anyway.

In any case, I believe that the only binary that the UEFI firmware verifies (with the keys in the database) is just the one it hands control to: bootloader, stub kernel or shim. If the shim is used, it can then verify the bootloader or stub kernel using a machine owner key. If a bootloader is used, whether the kernel and initramfs are subsequently verified or not, and how, is bootloader-specific. The (optional) verification that GRUB can do is described in its manual (info grub).


Last edited by GDH-gentoo on Thu Mar 25, 2021 6:49 pm; edited 3 times in total
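The post above makes the point that the firmware verifies only the first binary it hands control to, and that an unsigned shim therefore buys nothing with Secure Boot on. A practitioner wants to know, before flipping Secure Boot on, whether the shimx64.efi (or GRUB, or stub kernel) they copied into the ESP carries an embedded Authenticode signature at all. The following Python is an added example, not code from the post, from Gentoo's sys-boot/shim package or from Fedora's RPM: it walks the PE/COFF headers to the certificate-table data directory and returns the embedded PKCS#7 blobs. It only tells you whether a signature is present; it does not verify the signature or its chain. The build_test_image helper and the bytes it emits are constructed test data, not a real shim.

```python
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # Authenticode PKCS#7 SignedData


def authenticode_signatures(image: bytes):
    """Return the PKCS#7 blobs from the PE certificate table (empty list if unsigned)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        num_dirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", image, num_dirs_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", image, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if cert_off == 0 or cert_size == 0:
        return []
    if cert_off + cert_size > len(image):
        raise ValueError("certificate table overruns file")
    sigs = []
    pos, end = cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if revision == WIN_CERT_REVISION_2_0 and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            sigs.append(image[pos + 8:pos + length])
        pos += (length + 7) & ~7             # entries are padded to 8-byte boundaries
    return sigs


def is_signed(image: bytes) -> bool:
    return bool(authenticode_signatures(image))


def build_test_image(signed: bool) -> bytes:
    """Constructed headers-only PE32+ EFI image used to exercise the check; not a real shim."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                    # 112 fixed bytes + 16 data directories of 8 bytes
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 0, 0, 0, 0, len(opt), 0x2022)
    headers_len = e_lfanew + 4 + len(coff) + len(opt)
    cert_table = b""
    if signed:
        pkcs7 = b"\x30\x82\x01\x00" + b"\x00" * 12   # placeholder DER, not a real signature
        entry = struct.pack("<IHH", 8 + len(pkcs7), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        cert_table = entry + b"\0" * (-len(entry) % 8)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert_table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert_table


if __name__ == "__main__":
    # Usage: python3 pe_sig_check.py /boot/efi/EFI/gentoo/shimx64.efi /boot/efi/EFI/gentoo/grubx64.efi
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            n = len(authenticode_signatures(f.read()))
        print(f"{path}: {n} Authenticode signature(s)" if n else f"{path}: UNSIGNED")
```

Run it against every file in the chain the firmware or shim will load. A file with no certificate table cannot pass Secure Boot no matter which keys are enrolled; a file that does have one still needs to be checked against the key you expect, which is what `sbverify --cert your-db-cert.pem file.efi` from sbsigntools does.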
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3998
Location: Bavaria

Posted: Thu Mar 25, 2021 6:22 pm

GDH-gentoo wrote:
I think that some clarification is in order.


Great explanation. May I add one point:

In this documentation https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html the setting of new keys is done with "efi-updatevar". This doesn't work with some mainboards (like my Gigabyte) ... and worse: you don't see it; the mainboard just doesn't accept it, without giving you an error!

In this case you MUST do it in the UEFI BIOS yourself (as described in my guide; this should/must work with every mainboard).
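The warning above is that efi-updatevar can fail without any error, so the only reliable check after enrolling a key is to read the variable back and look for your certificate. The following Python is an added example, not code from the post or from the linked guide: it parses the EFI_SIGNATURE_LIST structures that PK, KEK and db hold (the same encoding efi-readvar from efitools prints) and checks whether a given DER certificate is among the X.509 entries. The vendor GUIDs and the EFI_CERT_X509 / EFI_CERT_SHA256 type GUIDs are taken from the UEFI specification; the owner GUID, certificate bytes and binary hash in the sample are constructed placeholders; read_efivar assumes efivarfs is mounted at /sys/firmware/efi/efivars.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Vendor GUID of db and dbx; PK and KEK live under EFI_GLOBAL_VARIABLE instead.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureListSize, SignatureHeaderSize, SignatureSize follow the 16-byte SignatureType GUID.
SIG_LIST_HDR = struct.Struct("<III")


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures; return (type, owner, payload) tuples."""
    entries = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 16 + SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, pos + 16)
        body_start = pos + 16 + SIG_LIST_HDR.size + hdr_size
        body_end = pos + list_size
        if body_end > len(data) or body_start > body_end:
            raise ValueError("EFI_SIGNATURE_LIST overruns buffer")
        if sig_size <= 16 or (body_end - body_start) % sig_size:
            raise ValueError("inconsistent SignatureSize")
        for off in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[off:off + 16])   # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, data[off + 16:off + sig_size]))
        pos = body_end
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Encode one EFI_SIGNATURE_LIST with an empty signature header (the layout cert-to-efi-sig-list emits)."""
    sig_size = 16 + len(payloads[0])
    if any(16 + len(p) != sig_size for p in payloads):
        raise ValueError("all signatures in one list must share SignatureSize")
    list_size = 16 + SIG_LIST_HDR.size + sig_size * len(payloads)
    out = sig_type.bytes_le + SIG_LIST_HDR.pack(list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


def x509_fingerprints(entries):
    return {hashlib.sha256(p).hexdigest() for t, _owner, p in entries if t == EFI_CERT_X509_GUID}


def db_contains_cert(der_cert: bytes, variable_payload: bytes) -> bool:
    """True if the DER certificate is one of the X.509 entries in the variable payload."""
    return hashlib.sha256(der_cert).hexdigest() in x509_fingerprints(parse_signature_lists(variable_payload))


def read_efivar(name: str, vendor_guid: str):
    """Read an efivarfs file: the first 4 bytes are the attribute mask, the rest is the payload."""
    raw = Path(f"/sys/firmware/efi/efivars/{name}-{vendor_guid}").read_bytes()
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


# Constructed sample data standing in for one's own DER certificate and an allowed binary hash.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
MY_CERT_DER = b"\x30\x82\x02\x10" + bytes(range(32))        # placeholder, not a real certificate
OTHER_CERT_DER = b"\x30\x82\x02\x10" + bytes(range(32, 64))
BINARY_HASH = hashlib.sha256(b"constructed binary").digest()
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER_GUID, [MY_CERT_DER])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER_GUID, [BINARY_HASH]))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:   # python3 check_db.py my-db-cert.der  (reads the live db variable)
        _attrs, payload = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID)
        cert = Path(sys.argv[1]).read_bytes()
    else:                    # no argument: run against the constructed sample
        payload, cert = SAMPLE_DB, MY_CERT_DER
    for sig_type, owner, data in parse_signature_lists(payload):
        kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}.get(sig_type, str(sig_type))
        print(f"{kind:7} owner={owner} sha256={hashlib.sha256(data).hexdigest()[:16]}...")
    print("certificate present in db:", db_contains_cert(cert, payload))
```

Run it right after efi-updatevar (and again after a reboot, since some firmware only commits at the next boot); if your certificate's SHA-256 is not among the X.509 entries, the write was dropped silently and the key has to be enrolled from the firmware setup menu instead, as the post says.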
The Main Man
Veteran

Joined: 27 Nov 2014
Posts: 1164
Location: /run/user/1000

Posted: Sun Oct 17, 2021 2:51 pm

How is the situation with Secure Boot these days?
I'm thinking about switching to UEFI and Secure Boot, and I probably will very soon, but I'm wondering how that really works with Gentoo.
Anyone here using it for a long time?
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3998
Location: Bavaria

Posted: Sun Oct 17, 2021 4:58 pm

The Main Man wrote:
Anyone here using it for a long time ?

Yes. I have been using it on my desktop and my notebook since last year. No problems so far. I wrote a guide for that (the link is in my first post in this thread).
The Main Man
Veteran

Joined: 27 Nov 2014
Posts: 1164
Location: /run/user/1000

Posted: Mon Oct 25, 2021 11:19 am

Sorry for the late reply. It seems complicated; I mean, I don't mind complicated, but sometimes I ask myself why bother, and usually there's no answer to that question.
Anyway, I'm sure it works, but I'll pass. Thanks for the guide though.
Marlo
Veteran

Joined: 26 Jul 2003
Posts: 1591

Posted: Mon Oct 25, 2021 1:29 pm

I have worked through all these instructions. Shim does not work; signing GRUB does not work; signing the initrd does not work either.

Only Sakaki's guide works, and Gentoo's "signed kernel module support" works fine (although the scripts don't work anymore).
Together with some kernel options (CONFIG_SECURITY_LOCKDOWN_LSM) I have:
a signed kernel,
signed modules,
and a locked-down kernel.
The whole security chain is in place.
I use this together with rEFInd and can access two Gentoo installations, one Tumbleweed and two Windows installations in Secure Boot.
Code:

Linux tux 5.14.14-gentoo-101-kspp-lock #1 SMP Wed Oct 20 23:05:48 CEST 2021 x86_64 AMD Ryzen 5 3600 6-Core Processor AuthenticAMD GNU/Linux
Secure boot enabled
Loaded X.509 cert 'Gentoo-Module-Signing-Key: 8745bfa72fa26b7f68b5165ab85f274cf2d026ab'
000869b0  03 12 d7 02 9d ed 1d bf  6f 77 5f 23 ca 91 85 23  |........ow_#...#|
000869c0  9b 41 9b 14 21 f1 de 33  94 62 c7 a8 19 be db c3  |.A..!..3.b......|
000869d0  12 aa 5a ed dd 30 37 b2  c1 33 ac 83 92 7d 0e 92  |..Z..07..3...}..|
000869e0  96 27 67 26 8e e1 5b 39  b1 7a 52 76 db 18 e5 f6  |.'g&..[9.zRv....|
000869f0  13 dd d9 25 24 75 08 cf  4d 84 2c 51 56 c8 5d 47  |...%$u..M.,QV.]G|
00086a00  ae 4d b4 5d 4d ae b4 6d  23 54 9d 7a 85 bd 5c fd  |.M.]M..m#T.z..\.|
00086a10  b8 48 c5 27 0a fb 1c 00  00 02 00 00 00 00 00 00  |.H.'............|
00086a20  00 02 9f 7e 4d 6f 64 75  6c 65 20 73 69 67 6e 61  |...~Module signa|
00086a30  74 75 72 65 20 61 70 70  65 6e 64 65 64 7e 0a     |ture appended~.|
Kernel is locked down from Kernel configuration; see man kernel_lockdown.7


https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot_under_OpenRC
https://wiki.gentoo.org/wiki/Signed_kernel_module_support
man kernel_lockdown.7 --> https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html

Ma