Note

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

User:Pnoecker/sbkeygen

From Funtoo
Jump to navigation Jump to search

Generating and Installing Secure Boot Certificates

Enter the firmware setup utility and put secure boot in setup mode.

Install efitools and sbsigntools:

root # emerge -av app-crypt/efitools app-crypt/sbsigntools

Decide where you want to keep your keys. You may keep them on the hard disk (not recommended), on another machine or on an external drive. We will use /etc/kernel as a nuke or backup directory.

   Note

If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so it should reside on a filesystem that supports sockets (i.e., not FAT) and be mounted read-write for signing.

Create the directory in which you will keep the keys:

root # mkdir -p 700 /etc/kernel/sbkeys
root # cd /etc/kernel/sbkeys
  • boot with secure boot disabled:
  • Save old secure boot certificates:
root # efi-readvar -v PK  -o old_PK.esl
# Variable PK, length 808
root # efi-readvar -v KEK -o old_KEK.esl
# Variable KEK, length 1560
root # efi-readvar -v db  -o old_db.esl
# Variable db, length 3143
root # efi-readvar -v dbx -o old_dbx.esl
# Variable dbx, length 11936

Generate new certificates valid for 10 years:

root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=PK/"  -keyout PK.key  -out PK.crt  -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=db/"  -keyout db.key  -out db.crt  -days 3650 -nodes -sha256
  • Export to cer format for mokmanager:
root # openssl x509 -outform DER -in PK.crt -out PK.cer
root # openssl x509 -outform DER -in KEK.crt -out KEK.cer
root # openssl x509 -outform DER -in db.crt -out db.cer
  • Sign kernel and grub:
root # sbsign --key db.key --cert db.crt --output /boot/kernel-debian-sources-x86_64-5.18.16_p1 /boot/kernel-debian-sources-x86_64-5.18.16_p1
root # sbsign --key db.key --cert db.crt --output /ESP/EFI/BOOT/grubx64.efi /ESP/EFI/BOOT/grubx64.efi
  • Move KEK certificate next to grub in esp
root # cp /etc/kernel/sbkeys/db.cer /ESP/EFI/BOOT/db.cer

Prepare certificate lists:

root # cert-to-efi-sig-list PK.crt  PK.esl
root # cert-to-efi-sig-list KEK.crt KEK.esl
root # cert-to-efi-sig-list db.crt  db.esl

If you want to dual boot preinstalled OSes, add old KEK and db certificates to the new lists:

root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl  >>db.esl

Sign the certificate lists:

root # sign-efi-sig-list -k PK.key  -c PK.crt  PK  PK.esl      PK.auth
root # sign-efi-sig-list -k PK.key  -c PK.crt  KEK KEK.esl     KEK.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt db  db.esl      db.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth

Reboot, load bios, turn on secure boot, set to custom mode, load funtoo and prepare to insert new certificates:

Remount the efivars partition read-write:

root # mount -o remount,rw /sys/firmware/efi/efivars

Install the certificates into EFI:

root # efi-updatevar -f old_dbx.auth dbx 
root # efi-updatevar -f db.auth      db
root # efi-updatevar -f KEK.auth     KEK
root # efi-updatevar -f PK.auth      PK