The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
User:Pnoecker/sbkeygen
Revision as of 15:02, January 31, 2023
Generating and Installing Secure Boot Certificates
Enter the firmware setup utility and put secure boot in setup mode.
Install efitools and sbsigntools:
root # emerge -av app-crypt/efitools app-crypt/sbsigntools
Decide where you want to keep your keys. You may keep them on the hard disk (not recommended, since the private keys generated below are stored unencrypted), on another machine or on an external drive. This guide uses /etc/kernel as the working (or backup) directory.
If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so the drive should use a filesystem that supports sockets (i.e. not FAT) and be mounted read-write for signing.
Create the directory in which you will keep the keys (mode 700, so only root can read the private keys) and change into it:
root # mkdir -p -m 700 /etc/kernel/sbkeys
root # cd /etc/kernel/sbkeys
- Boot with Secure Boot disabled and save the old Secure Boot certificates (the "Variable ..., length ..." lines are efi-readvar's output; the sizes are from the author's machine and will differ on yours):
root # efi-readvar -v PK -o old_PK.esl
Variable PK, length 808
root # efi-readvar -v KEK -o old_KEK.esl
Variable KEK, length 1560
root # efi-readvar -v db -o old_db.esl
Variable db, length 3143
root # efi-readvar -v dbx -o old_dbx.esl
Variable dbx, length 11936
Generate new self-signed certificates valid for 10 years. -nodes writes the private keys unencrypted, so protect the key directory accordingly:
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
- Export the certificates to DER (.cer) format for MokManager:
root # openssl x509 -outform DER -in PK.crt -out PK.cer
root # openssl x509 -outform DER -in KEK.crt -out KEK.cer
root # openssl x509 -outform DER -in db.crt -out db.cer
- Sign the kernel and grub (giving the same path as input and --output writes the signed image over the original; esp/ is the mount point of the EFI system partition, adjust it to yours):
root # sbsign --key KEK.key --cert KEK.crt --output /boot/kernel-debian-sources-x86_64-6.1.4_p1 /boot/kernel-debian-sources-x86_64-6.1.4_p1
root # sbsign --key KEK.key --cert KEK.crt --output esp/EFI/BOOT/grubx64.efi esp/EFI/BOOT/grubx64.efi
Note that the firmware checks boot binaries against db, not KEK. Binaries signed with KEK.key as above boot via shim only after KEK.cer has been enrolled with MokManager, which is why it is exported to DER and placed on the ESP in the next step. If grub is loaded directly by the firmware, sign with db.key and db.crt instead. In either case, check the signature against the certificate you intend to be trusted before rebooting, e.g. sbverify --cert KEK.crt esp/EFI/BOOT/grubx64.efi.
- Move the DER-encoded KEK certificate next to grub on the ESP, where MokManager can find it for enrollment (use cp instead of mv if you want a copy to remain with the keys):
root # mv /etc/kernel/sbkeys/KEK.cer /esp/EFI/BOOT/KEK.cer
Prepare the certificate lists (EFI signature lists, .esl):
root # cert-to-efi-sig-list PK.crt PK.esl
root # cert-to-efi-sig-list KEK.crt KEK.esl
root # cert-to-efi-sig-list db.crt db.esl
If you want to dual boot preinstalled OSes, append the old KEK and db certificates to the new lists so their vendor-signed boot loaders remain trusted:
root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl >>db.esl
Sign the certificate lists (updates to PK and KEK must be signed by PK; updates to db and dbx by a KEK):
root # sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
root # sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth
Reboot, enter the firmware setup, turn Secure Boot on and set it to custom mode, then boot Funtoo and prepare to install the new certificates:
Remount the efivars filesystem read-write:
root # mount -o remount,rw /sys/firmware/efi/efivars
Install the certificates into the EFI variables, in this order: dbx and db first, then KEK, and PK last, because writing PK takes the firmware out of setup mode:
root # efi-updatevar -f old_dbx.auth dbx
root # efi-updatevar -f db.auth db
root # efi-updatevar -f KEK.auth KEK
root # efi-updatevar -f PK.auth PK
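To see what the .esl files built above actually contain, for example which vendor certificates old_db.esl carried over into db.esl, or how many hashes the saved dbx holds, the following added example (not part of this page, and not efitools code) builds and parses EFI_SIGNATURE_LIST blobs with only the Python standard library. The layout it writes is the one cert-to-efi-sig-list produces and cat >> concatenates; the owner GUID and the "certificate" byte strings are constructed placeholders, since the list format never looks inside the certificate.

```python
"""Build and inspect EFI_SIGNATURE_LIST (.esl) blobs using only the standard library."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # one DER X.509 cert per entry
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # one 32-byte hash per entry (dbx)

# Constructed owner GUID for the entries built here; firmware does not check it
# (cert-to-efi-sig-list uses its own default unless given -g).
OWNER_GUID = uuid.UUID("6c8a1b4e-0d3f-4a7b-9e21-5f0c2d3e4a5b")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def cert_to_esl(der_cert, owner=OWNER_GUID):
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (the layout cert-to-efi-sig-list writes)."""
    sig_data = owner.bytes_le + der_cert  # EFI_SIGNATURE_DATA = SignatureOwner + SignatureData
    return (ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le,
                            ESL_HEADER.size + len(sig_data), 0, len(sig_data))
            + sig_data)


def hashes_to_esl(sha256_hashes, owner=OWNER_GUID):
    """Pack several SHA-256 hashes into one list, the way dbx entries are stored."""
    if any(len(h) != 32 for h in sha256_hashes):
        raise ValueError("dbx hashes must be 32 bytes")
    body = b"".join(owner.bytes_le + h for h in sha256_hashes)
    return ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                           ESL_HEADER.size + len(body), 0, 16 + 32) + body


def parse_esl(blob):
    """Walk one or more concatenated lists (as produced by cat a.esl >> b.esl) and
    return (signature_type, owner, data) tuples. Raises ValueError on malformed input."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = blob[off + ESL_HEADER.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return entries


def summarize(blob):
    """Count entries by type, e.g. {'x509': 3} for a db dump or {'sha256': 200} for dbx."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    counts = {}
    for sig_type, _owner, _data in parse_esl(blob):
        name = names.get(sig_type, str(sig_type))
        counts[name] = counts.get(name, 0) + 1
    return counts


def contains_cert(blob, der_cert):
    """True if the DER certificate appears as an X.509 entry in any list of the blob."""
    return any(t == EFI_CERT_X509_GUID and d == der_cert for t, _o, d in parse_esl(blob))


# Constructed stand-ins for DER certificates: in real use read PK.cer/KEK.cer/db.cer from disk.
NEW_DB_CERT = b"\x30\x82\x00\x10" + b"N" * 16
OLD_VENDOR_CERT = b"\x30\x82\x00\x20" + b"V" * 32

# Mirror the page: db.esl from the new cert, then old_db.esl appended for dual boot.
DB_ESL = cert_to_esl(NEW_DB_CERT) + cert_to_esl(OLD_VENDOR_CERT)
# Constructed two-entry dbx-style list.
DBX_ESL = hashes_to_esl([b"\x01" * 32, b"\x02" * 32])

if __name__ == "__main__":
    print("db.esl:", summarize(DB_ESL), "keeps vendor cert:", contains_cert(DB_ESL, OLD_VENDOR_CERT))
    print("dbx.esl:", summarize(DBX_ESL))
```

To inspect a real dump, pass the file contents: summarize(open("old_db.esl", "rb").read()) counts the vendor certificates you saved with efi-readvar, and contains_cert(open("db.esl", "rb").read(), open("db.cer", "rb").read()) confirms your own certificate made it into the list before you sign it. The parser deliberately rejects a truncated or inconsistent header rather than silently reading past it, since a malformed .esl fed to sign-efi-sig-list would produce an update the firmware refuses.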