The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Package:Shim"
(testing mokutil import, documenting command to be tested) |
|||
(12 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
We have fedora's EFI secure boot shim. Documentation suggests loading the shim to unlock secure boot, and that the shim side loads grubx64.efi in the same directory. | |||
sys-boot/shim | sys-boot/shim | ||
Homepage: https://apps.fedoraproject.org/packages/shim/ | Homepage: https://apps.fedoraproject.org/packages/shim/ | ||
Description: Fedora's signed UEFI shim | Description: Fedora's signed UEFI shim | ||
shim requires grub be installed with a sbat file. | |||
https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html | |||
https://github.com/rhboot/shim/blob/main/SBAT.md | |||
{{console|body= | {{console|body= | ||
Line 12: | Line 14: | ||
these files are added to the system: | these files are added to the system: | ||
*/usr/share/shim/BOOTIA32.EFI | |||
*/usr/share/shim/BOOTX64.EFI | |||
*/usr/share/shim/mmia32.efi | |||
*/usr/share/shim/mmx64.efi | |||
{{console|body= | |||
###i## mkdir /boot/EFI/FUNTOO | |||
###i## cp /usr/share/shim/* /boot/EFI/FUNTOO/ | |||
}} | |||
===uefi secure boot=== | |||
first, sign your kernel & modules as seen here [[Signed_kernel_module_support]] | |||
*press the f1 f2 f8 f9 f10 esc or delete to load bios. | |||
*set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit. | |||
*press the f1 f2 f8 f9 f10 esc or delete to load your boot selection menu. | |||
*load EFI from file, point to /boot/EFI/FUNTOO/shim | |||
*shim will greet you with access violation warnings. | |||
*fiddle around to get mok manager to load up. | |||
*select add key | |||
*point to /boot/EFI/FUNTOO/grubx86.efi | |||
*press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu. | |||
*load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot. | |||
===key management=== | |||
*efi tools allows manipulation of uefi secure boot platforms: | |||
{{console|body= | |||
###i## emerge efitools | |||
}} | |||
*sbsigntools is used to sign and verify files for secure boot: | |||
{{console|body= | |||
###i## emerge sbsigntools | |||
}} | |||
*mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft: | |||
{{console|body= | |||
###i## emerge sys-boot/mokutil | |||
}} | |||
/ | "users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " | ||
- https://wiki.ubuntu.com/UEFI/SecureBoot | |||
/ | these might be needed to get shim running but doubtful. we should be well covered with mokutil. | ||
{{console|body= | |||
###i## emerge app-crypt/sbsigntools app-crypt/efitools | |||
}} | |||
*[[TPM2]] can be used in conjunction with secure boot key generation. | |||
==Links== | |||
* [[Secure_Boot]] has more information. | |||
* https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot | |||
* https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/ | |||
===fallback default efi partition=== | |||
{{warning|avoid this if possible}} | |||
{{console|body= | {{console|body= | ||
###i## mkdir /boot/EFI/BOOT | ###i## mkdir /boot/EFI/BOOT | ||
###i## cp / | ###i## cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/ | ||
}} | }} | ||
==enroll key using mokutil== | |||
*maybe this? | |||
{{console|body= | |||
###i## mokutil --import /etc/kernel/certs/linux/signing_key.der | |||
}} | |||
mokutil is probably used to automatically enroll keys and possibly hashes in other distributions in their install automations. |
Latest revision as of 17:40, February 8, 2023
We have fedora's EFI secure boot shim. Documentation suggests loading the shim to unlock secure boot, and that the shim side loads grubx64.efi in the same directory.
sys-boot/shim
Homepage: https://apps.fedoraproject.org/packages/shim/ Description: Fedora's signed UEFI shim
shim requires grub be installed with a sbat file. https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html https://github.com/rhboot/shim/blob/main/SBAT.md
root # emerge sys-boot/shim
these files are added to the system:
- /usr/share/shim/BOOTIA32.EFI
- /usr/share/shim/BOOTX64.EFI
- /usr/share/shim/mmia32.efi
- /usr/share/shim/mmx64.efi
root # mkdir /boot/EFI/FUNTOO root # cp /usr/share/shim/* /boot/EFI/FUNTOO/
uefi secure boot
first, sign your kernel & modules as seen here Signed_kernel_module_support
- press the f1 f2 f8 f9 f10 esc or delete to load bios.
- set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit.
- press the f1 f2 f8 f9 f10 esc or delete to load your boot selection menu.
- load EFI from file, point to /boot/EFI/FUNTOO/shim
- shim will greet you with access violation warnings.
- fiddle around to get mok manager to load up.
- select add key
- point to /boot/EFI/FUNTOO/grubx86.efi
- press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu.
- load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot.
key management
- efi tools allows manipulation of uefi secure boot platforms:
root # emerge efitools
- sbsigntools is used to sign and verify files for secure boot:
root # emerge sbsigntools
- mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft:
root # emerge sys-boot/mokutil
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " - https://wiki.ubuntu.com/UEFI/SecureBoot
these might be needed to get shim running but doubtful. we should be well covered with mokutil.
root # emerge app-crypt/sbsigntools app-crypt/efitools
- TPM2 can be used in conjunction with secure boot key generation.
Links
- Secure_Boot has more information.
- https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot
- https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
fallback default efi partition
avoid this if possible
root # mkdir /boot/EFI/BOOT root # cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/
enroll key using mokutil
- maybe this?
root # mokutil --import /etc/kernel/certs/linux/signing_key.der
mokutil is probably used to automatically enroll keys and possibly hashes in other distributions in their install automations.