Note:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "User:Pnoecker/sbgrub"

(→‎Installing GRUB: load pub key to grub directory)
(→‎Installing GRUB: add amd microcode to be signed)
 
(2 intermediate revisions by the same user not shown)
Line 12: Line 12:
Create the initial GRUB config file which will be embedded into the GRUB image:
Create the initial GRUB config file which will be embedded into the GRUB image:


{{file|name=grub-initial.cfg|desc=Initial GRUB config|body=
{{file|name=/etc/kernel/grub-initial.cfg|desc=Initial GRUB config|body=
set superusers="root"
set superusers="root"
export superusers
export superusers
Line 43: Line 43:


{{console|body=
{{console|body=
###i## grub-mkimage -O x86_64-efi -p "ROOTDISK/grub" -c /path/to/grub-initial.cfg -k /path/to/grub.pub -o "/boot/efi/EFI/BOOT/grubx64.efi" configfile loadenv part_gpt ext2 linux gcry_rsa gcry_sha256 password_pbkdf2 all_video gfxterm videoinfo search minicmd test echo reboot sleep
###i## grub-mkimage -O x86_64-efi -p "ROOTDISK/grub" -c /etc/kernel/grub-initial.cfg -k /boot/grub/grub.pub -o "/boot/efi/EFI/BOOT/grubx64.efi" configfile loadenv part_gpt ext2 linux gcry_rsa gcry_sha256 password_pbkdf2 all_video gfxterm videoinfo search minicmd test echo reboot sleep
###i## sbsign --key /path/to/db.key --cert /path/to/db.crt -o "/boot/efi/EFI/BOOT/grubx64.efi" "/boot/efi/EFI/Funtoo Linux [GRUB]/grubx64.efi"
###i## sbsign --key /etc/kernel/sbkeys/db.key --cert /etc/kernel/sbkeys//db.crt -o "/boot/efi/EFI/BOOT/grubx64.efi" "/boot/efi/EFI/Funtoo Linux [GRUB]/grubx64.efi"
}}
}}


=== Sign Stuff ===
Sign some kernel and initramfs images:
Sign some kernel and initramfs images:


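Review bot: the sbsign line does not sign the image that the grub-mkimage line just built. grub-mkimage writes the standalone image (embedded config and public key) to `/boot/efi/EFI/BOOT/grubx64.efi`, but sbsign takes `"/boot/efi/EFI/Funtoo Linux [GRUB]/grubx64.efi"` as its input and writes the signed result over `/boot/efi/EFI/BOOT/grubx64.efi`, so the standalone image is replaced by a signed copy of the other file and the embedded config never runs. Have grub-mkimage write to a scratch path and pass that path to sbsign as the input. Also, `/etc/kernel/sbkeys//db.crt` carries a doubled slash; it works, but it should read `/etc/kernel/sbkeys/db.crt` like the `--key` argument beside it.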
Line 52: Line 53:
###i## gpg --homedir=/etc/kernel/gpg -b /boot/kernel-rescue
###i## gpg --homedir=/etc/kernel/gpg -b /boot/kernel-rescue
###i## gpg --homedir=/etc/kernel/gpg -b /boot/early_ucode.cpio
###i## gpg --homedir=/etc/kernel/gpg -b /boot/early_ucode.cpio
###i## gpg --homedir=/etc/kernel/gpg -b /boot/kernel-genkernel-x86_64-4.20.0-gentoo
###i## gpg --homedir=/etc/kernel/gpg -b /boot/amd-uc.img
###i## gpg --homedir=/etc/kernel/gpg -b /boot/initramfs-genkernel-x86_64-4.20.0-gentoo
###i## gpg --homedir=/etc/kernel/gpg -b /boot/initramfs-debian-sources*
###i## gpg --homedir=/etc/kernel/gpg -b /boot/kernel-debian-sources*
}}
}}


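Review bot: the two new globs `/boot/initramfs-debian-sources*` and `/boot/kernel-debian-sources*` also match the `.sig` files that an earlier run of this step left next to the images, so re-running it after a kernel update asks gpg to sign the signatures too (yielding `.sig.sig` files and overwrite prompts) and, with several kernel versions installed, re-signs all of them. Either spell out the exact file names, as the `kernel-rescue`, `early_ucode.cpio` and `amd-uc.img` lines do, or filter existing `.sig` files out before calling gpg, and say in the text that the step has to be repeated after every kernel or initramfs rebuild.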
Line 63: Line 65:
* Skip kernels ending with {{c|.sig}}.
* Skip kernels ending with {{c|.sig}}.
* Allow booting configured kernels without authentication.
* Allow booting configured kernels without authentication.
{{warning|This relies on the code not yet in boot-update; see [https://bugs.funtoo.org/browse/FL-6103 FL-6103] and [https://bugs.funtoo.org/browse/FL-6104 FL-6104].}}


{{file|name=/etc/boot.conf|desc=Boot config fragments|body=
{{file|name=/etc/boot.conf|desc=Boot config fragments|body=
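Review bot: the new warning cites FL-6103 and FL-6104 but does not say which of the two list items above it (skipping kernels ending with `.sig`, booting configured kernels without authentication) each ticket tracks, nor what a released boot-update without that code does with the corresponding lines of the fragment. Add one sentence mapping the tickets to the items so a reader can tell which part of the configuration to expect to fail on their boot-update version.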

Latest revision as of 16:20, January 20, 2023

Installing GRUB

Generate a PGP key pair and export the public key:

root # mkdir -m 700 /etc/kernel/gpg
root # gpg --homedir=/etc/kernel/gpg --quick-generate-key grub2 default default never
root # mount /boot
root # gpg --homedir=/etc/kernel/gpg --export grub2 >/boot/grub/grub.pub

Create the initial GRUB config file which will be embedded into the GRUB image:

   /etc/kernel/grub-initial.cfg - Initial GRUB config
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

set root=ROOTDISK
search --no-floppy --fs-uuid --set FSUUID
configfile /grub/grub.cfg

echo grub.cfg did not boot the system but returned to initial.cfg.
echo Exiting in 10 seconds.
sleep 10
exit

You will have to edit the config file in three places:

  1. Use grub-mkpasswd-pbkdf2 to generate a password hash to replace the zeroes.
  2. Replace ROOTDISK with the value of the root variable from /boot/grub/grub.cfg.
  3. Replace FSUUID with the filesystem UUID from a search line in /boot/grub/grub.cfg.
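The three edits above are easy to get subtly wrong by hand (a UUID copied from the wrong search line, a placeholder left behind). The following script is an added example, not code from the wiki page: it extracts the root variable and filesystem UUID from an existing grub.cfg, substitutes them and the password hash into the template, and refuses to emit a config that still contains a placeholder or that was given something other than a grub-mkpasswd-pbkdf2 hash. The function names, the trimmed sample grub.cfg and the stand-in hash are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the wiki page: fill in the three placeholders of
# grub-initial.cfg (password hash, ROOTDISK, FSUUID) from an existing
# /boot/grub/grub.cfg instead of editing by hand. Function names and the sample
# inputs below are constructed for this example.

# Value of the first "set root=..." line of a grub.cfg, quotes stripped
# (set root='hd0,gpt2' -> hd0,gpt2).
grub_root_of() {
    sed -n "s/^[[:space:]]*set root=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}.*/\1/p" "$1" | head -n 1
}

# Filesystem UUID from the first "search ... --fs-uuid ... <uuid>" line of a grub.cfg.
grub_fsuuid_of() {
    sed -n 's/^[[:space:]]*search .*--fs-uuid .*[[:space:]]\([0-9A-Fa-f-]\{1,\}\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Print the template ($1) with ROOTDISK and FSUUID taken from grub.cfg ($2) and
# the all-zero hash replaced by $3 (the output of grub-mkpasswd-pbkdf2).
# Fails instead of emitting a config with a placeholder left in.
render_initial_cfg() {
    rootdisk=$(grub_root_of "$2")
    fsuuid=$(grub_fsuuid_of "$2")
    if [ -z "$rootdisk" ] || [ -z "$fsuuid" ]; then
        echo "render_initial_cfg: no root/UUID found in $2" >&2
        return 1
    fi
    case $3 in
        grub.pbkdf2.sha512.*) ;;
        *) echo "render_initial_cfg: $3 is not a grub-mkpasswd-pbkdf2 hash" >&2; return 1 ;;
    esac
    sed -e "s|ROOTDISK|$rootdisk|g" \
        -e "s|FSUUID|$fsuuid|g" \
        -e "s|grub\.pbkdf2\.sha512\.[0-9]*\.0\{1,\}[[:space:]]*$|$3|" "$1"
}

# Constructed sample inputs: a trimmed grub.cfg and the template from the page.
make_sample_inputs() {
    cat >"$1/grub.cfg" <<'EOF'
### BEGIN /etc/grub.d/00_header ###
set root='hd0,gpt2'
search --no-floppy --fs-uuid --set=root 1f2e3d4c-5b6a-4c7d-8e9f-0a1b2c3d4e5f
EOF
    cat >"$1/grub-initial.cfg" <<'EOF'
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.0000000000000000

set root=ROOTDISK
search --no-floppy --fs-uuid --set FSUUID
configfile /grub/grub.cfg
EOF
}

# Demo run: a constructed (not real) hash stands in for grub-mkpasswd-pbkdf2 output.
demo_dir=$(mktemp -d)
make_sample_inputs "$demo_dir"
render_initial_cfg "$demo_dir/grub-initial.cfg" "$demo_dir/grub.cfg" \
    grub.pbkdf2.sha512.10000.C0FFEE.DEADBEEF
rm -rf "$demo_dir"
```

On a real system, point the second argument at /boot/grub/grub.cfg (with /boot mounted) and redirect the output to /etc/kernel/grub-initial.cfg; the first `set root=` and first `--fs-uuid` search line in grub.cfg are the ones boot-update generates for the boot filesystem, which is exactly what the embedded config needs.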

Mount /boot and /boot/efi:

root # mount /boot
root # mount /boot/efi

Make a standalone GRUB image. Replace ROOTDISK below with the same value as above.

root # grub-mkimage -O x86_64-efi -p "ROOTDISK/grub" -c /etc/kernel/grub-initial.cfg -k /boot/grub/grub.pub -o "/boot/efi/EFI/BOOT/grubx64.efi" configfile loadenv part_gpt ext2 linux gcry_rsa gcry_sha256 password_pbkdf2 all_video gfxterm videoinfo search minicmd test echo reboot sleep
root # sbsign --key /etc/kernel/sbkeys/db.key --cert /etc/kernel/sbkeys/db.crt -o "/boot/efi/EFI/BOOT/grubx64.efi" "/boot/efi/EFI/Funtoo Linux [GRUB]/grubx64.efi"

Sign Stuff

Sign some kernel and initramfs images:

root # gpg --homedir=/etc/kernel/gpg -b /boot/kernel-rescue
root # gpg --homedir=/etc/kernel/gpg -b /boot/early_ucode.cpio
root # gpg --homedir=/etc/kernel/gpg -b /boot/amd-uc.img
root # gpg --homedir=/etc/kernel/gpg -b /boot/initramfs-debian-sources*
root # gpg --homedir=/etc/kernel/gpg -b /boot/kernel-debian-sources*

You may leave some of the kernels or initrd images unsigned for testing.

Edit /etc/boot.conf:

  • Add the rescue kernel (optionally).
  • Only kernel-genkernel-* in the "Funtoo Linux genkernel" group.
  • Skip kernels ending with .sig.
  • Allow booting configured kernels without authentication.

/etc/boot.conf - Boot config fragments
"Funtoo Linux rescue" {
        menuflags --unrestricted
        kernel kernel-rescue
}

"Funtoo Linux genkernel" {
        menuflags --unrestricted
        kernel kernel-genkernel[-v] -*.sig
        initrd initramfs-genkernel[-v]
#       params += ...
# ... the rest of the section remains unchanged
}

Generate and sign grub.cfg, and sign the font used by GRUB:

root # boot-update
root # gpg --homedir=/etc/kernel/gpg -b /boot/grub/grub.cfg
root # gpg --homedir=/etc/kernel/gpg -b /boot/grub/fonts/unicode.pf2

You should already have the Funtoo Linux [GRUB] EFI boot entry. If you're not certain, check it with:

root # efibootmgr

If no such entry is found, add it. Replace EFIBOOTDEVICE below with the device mounted on /boot/efi.

root # efibootmgr -c -l '\EFI\BOOT\grubx64.efi' -d /dev/EFIBOOTDEVICE

Look for the number of the entry and where it appears in the boot order. If it's not the first, you may want to change the boot order. Copy the BootOrder line from the efibootmgr output and rearrange the numbers to your liking:

root # efibootmgr -o 0001,0002,0000,0018,0019,001A,001B,001C,001D,001E,001F,0024

Shut down, enter the firmware setup, enable Secure Boot, and make sure that everything works. In particular:

  • You can boot the system without entering a password.
  • You can not boot unsigned EFI images.
  • You can not boot unsigned kernels or load unsigned initramfs images.
  • If you try to edit kernel parameters or drop to the GRUB command line, you get a password prompt.
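Two of the checks above (unsigned kernels and unsigned initramfs images are refused) can be pre-checked from the running system before the reboot, and the same check tells you what to re-sign after the next kernel or initramfs rebuild, which the signing step earlier on this page has to be repeated for. The script below is an added example, not code from the wiki page: it audits a boot directory for artifacts that have no detached `.sig` or whose `.sig` predates the file, and prints (without running them) the gpg commands from the signing step that would fix each finding. Function names and the sample tree it builds are constructed for this example; the gpg homedir argument is the one used throughout the page.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audit a boot directory for images
# that GRUB's signature check would reject, i.e. kernels, initramfs images,
# microcode archives, grub.cfg and the font that have no detached .sig, or whose
# .sig is older than the file (a rebuilt image under an old signature).
# Function names and the sample tree built below are constructed for this example.

# Print "missing <file>" or "stale <file>" for every problem under $1.
# Returns 1 when anything was reported, 0 when every artifact is covered.
audit_boot_signatures() {
    status=0
    for f in "$1"/kernel-* "$1"/initramfs-* "$1"/*.cpio "$1"/*.img \
             "$1"/grub/grub.cfg "$1"/grub/fonts/unicode.pf2; do
        [ -f "$f" ] || continue              # unmatched glob or not a file
        case $f in *.sig) continue ;; esac   # signatures are never signed
        if [ ! -f "$f.sig" ]; then
            echo "missing $f"; status=1
        elif [ "$f" -nt "$f.sig" ]; then
            echo "stale $f"; status=1
        fi
    done
    return $status
}

# Print, without running them, the gpg commands from the page that would fix
# what audit_boot_signatures reports, one per artifact. $2 is the gpg homedir.
fix_commands() {
    audit_boot_signatures "$1" | while read -r kind path; do
        echo "gpg --homedir=$2 -b $path"
    done
}

# Constructed sample tree: one fully signed kernel, one unsigned, one whose
# signature predates the image, a signed grub.cfg and an unsigned font.
make_sample_boot() {
    mkdir -p "$1/grub/fonts"
    : >"$1/kernel-signed";     : >"$1/kernel-signed.sig"
    : >"$1/kernel-unsigned"
    : >"$1/kernel-stale.sig";  touch -t 202001010000 "$1/kernel-stale.sig"
    : >"$1/kernel-stale"
    : >"$1/grub/grub.cfg";     : >"$1/grub/grub.cfg.sig"
    : >"$1/grub/fonts/unicode.pf2"
}

# Demo run over the constructed tree; on a real system pass /boot instead.
demo=$(mktemp -d)
make_sample_boot "$demo"
audit_boot_signatures "$demo" || true
fix_commands "$demo" /etc/kernel/gpg
rm -rf "$demo"
```

The stale check is a heuristic: a file whose mtime is newer than its signature has usually been rebuilt, and GRUB will then reject it exactly as it rejects an unsigned file, so it is worth re-signing. Because the audit skips `.sig` files and names each artifact explicitly, the generated commands never try to sign a signature, which a bare `/boot/kernel-*` glob passed to gpg would do.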