User:Pnoecker/sbkeygen
Latest revision as of 16:41, January 31, 2023
Generating and Installing Secure Boot Certificates
Enter the firmware setup utility and make sure Secure Boot is disabled for now. The firmware is switched to setup (custom) mode only later, after the old certificates have been saved, because the "clear keys" option on many firmwares deletes the existing PK, KEK and db and you would lose the chance to export them.
Install efitools and sbsigntools:
root # emerge -av app-crypt/efitools app-crypt/sbsigntools
Decide where you want to keep your keys. You may keep them on the hard disk (not recommended), on another machine or on an external drive. This page uses /etc/kernel/sbkeys on the hard disk as its working and backup directory. Whatever you choose, the PK and KEK private keys are the root of trust for this machine: anyone who can read them can sign a bootloader the firmware will accept, so keep them readable by root only and back them up off the machine.
If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so it should reside on a filesystem that supports sockets (i.e., not FAT) and be mounted read-write for signing. This only matters if you also keep a gpg keyring there; the openssl, efitools and sbsign commands below read and write ordinary files.
Create the directory in which you will keep the keys, with mode 700 so only root can read the private keys (the -m flag is required; without it mkdir creates a directory literally named 700 in the current directory):
root # mkdir -p -m 700 /etc/kernel/sbkeys
root # cd /etc/kernel/sbkeys
- Boot with Secure Boot disabled.
- Save the old Secure Boot certificates before clearing or replacing any keys (the lengths printed below are from the author's machine and will differ on yours):
root # efi-readvar -v PK -o old_PK.esl
# Variable PK, length 808
root # efi-readvar -v KEK -o old_KEK.esl
# Variable KEK, length 1560
root # efi-readvar -v db -o old_db.esl
# Variable db, length 3143
root # efi-readvar -v dbx -o old_dbx.esl
# Variable dbx, length 11936
Generate new self-signed certificates valid for 10 years. -nodes leaves the private keys unencrypted on disk, which is why the directory must be root-only. The UEFI specification only requires firmware to support RSA-2048; if your firmware refuses the 4096-bit lists later, regenerate with rsa:2048:
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
- Export the certificates to DER (.cer) format, which MokManager expects when enrolling from the ESP:
root # openssl x509 -outform DER -in PK.crt -out PK.cer
root # openssl x509 -outform DER -in KEK.crt -out KEK.cer
root # openssl x509 -outform DER -in db.crt -out db.cer
- Sign the kernel and grub with the db key. Giving the same path as input and output signs each image in place, so keep a copy of the unsigned binary if you want to be able to compare them:
root # sbsign --key db.key --cert db.crt --output /boot/kernel-debian-sources-x86_64-5.18.16_p1 /boot/kernel-debian-sources-x86_64-5.18.16_p1
root # sbsign --key db.key --cert db.crt --output /ESP/EFI/BOOT/grubx64.efi /ESP/EFI/BOOT/grubx64.efi
- Copy the db certificate (not the KEK; the command below copies db.cer) next to grub in the ESP, so MokManager can enroll it from there if the firmware db is not updated:
root # cp /etc/kernel/sbkeys/db.cer /ESP/EFI/BOOT/db.cer
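After the sbsign step it is worth confirming that the kernel and grub images really carry an Authenticode signature. The following is an added example in Python, not code from the wiki page or from sbsigntools: it walks the PE headers to the Certificate Table data directory and lists the WIN_CERTIFICATE entries, which is the structural check behind sbverify --list. It does not verify the PKCS#7 signature against db.crt (use sbverify --cert db.crt for that). make_test_pe builds a constructed, non-bootable PE32+ stub whose only purpose is to exercise the parser offline; the PKCS#7 payloads it embeds are arbitrary bytes.

```python
"""List the Authenticode signatures embedded in a UEFI PE image (kernel EFI stub, grub).

Added example, not code from the wiki page or from sbsigntools. It reads the PE headers,
follows the Certificate Table data directory and returns one record per WIN_CERTIFICATE
entry, which is the structural check behind `sbverify --list`. It does not verify the
PKCS#7 signature; use `sbverify --cert db.crt <image>` for that.
"""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # the only certificate type UEFI Secure Boot consumes
CERT_TABLE_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY


def list_pe_signatures(data: bytes) -> list:
    """Return [{'revision', 'type', 'pkcs7'}] for each signature; [] if the image is unsigned.
    Raises ValueError on malformed headers rather than reporting the image as unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE\\0\\0 at e_lfanew")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)   # SizeOfOptionalHeader
    opt_off = pe_off + 24                                        # after signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == 0x10B:          # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+, what x86_64 UEFI binaries use
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", data, opt_off + nrva_off)
    entry_off = dirs_off + CERT_TABLE_INDEX * 8
    if n_dirs <= CERT_TABLE_INDEX or opt_size < entry_off + 8:
        return []                # header too short to even have a certificate table slot
    # Unlike the other directories, the Certificate Table "VirtualAddress" is a file offset.
    cert_off, cert_len = struct.unpack_from("<II", data, opt_off + entry_off)
    if cert_off == 0 or cert_len == 0:
        return []
    if cert_off + cert_len > len(data):
        raise ValueError("certificate table runs past end of file")
    sigs, pos, end = [], cert_off, cert_off + cert_len
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)   # WIN_CERTIFICATE
        if length < 8 or pos + length > end:
            raise ValueError("bad WIN_CERTIFICATE length at offset %d" % pos)
        sigs.append({"revision": revision, "type": cert_type,
                     "pkcs7": bytes(data[pos + 8:pos + length])})
        pos += (length + 7) & ~7          # entries are 8-byte aligned
    return sigs


def is_secure_boot_signed(data: bytes) -> bool:
    """True if at least one PKCS#7 signed-data entry is present (what the firmware looks at)."""
    return any(s["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA for s in list_pe_signatures(data))


def make_test_pe(pkcs7_blobs) -> bytes:
    """Constructed minimal PE32+ stub (no sections, not bootable) carrying the given blobs
    as WIN_CERTIFICATE entries, so the parser can be exercised without a real image."""
    pe_off, opt_size = 0x40, 240                    # PE32+ optional header with 16 directories
    table_off = pe_off + 4 + 20 + opt_size          # 328, already 8-byte aligned
    table = b""
    for blob in pkcs7_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0)   # x86-64, zero sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    if table:
        struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8, table_off, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Usage: python3 pesig.py /ESP/EFI/BOOT/grubx64.efi /boot/<kernel image>
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            sigs = list_pe_signatures(f.read())
        print("%s: %d signature(s)" % (path, len(sigs)))
        for s in sigs:
            print("  type=0x%04x revision=0x%04x pkcs7=%d bytes"
                  % (s["type"], s["revision"], len(s["pkcs7"])))
```

An image signed twice (for example once by a distribution key and once by your db key) shows two entries; firmware accepts the image if any one of them chains to a certificate in db.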
Prepare the certificate lists (EFI signature list format):
root # cert-to-efi-sig-list PK.crt PK.esl
root # cert-to-efi-sig-list KEK.crt KEK.esl
root # cert-to-efi-sig-list db.crt db.esl
If you want to dual boot a preinstalled OS, append the old KEK and db certificates to the new lists so the firmware keeps trusting the bootloaders that are already installed (the old dbx is carried over unchanged below):
root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl >>db.esl
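What cert-to-efi-sig-list writes, and what appending old_db.esl to db.esl produces, is a sequence of EFI_SIGNATURE_LIST structures. The following added example (Python, standard library only; not code from the wiki page or from efitools) builds such lists, merges them the way the cat commands do, and decodes the .esl files efi-readvar dumps so you can see which certificates and hashes you are about to enroll. It goes slightly beyond the page by also building SHA-256 hash lists, the entry type a dbx normally holds. The DER certificate bytes in the test are a constructed stand-in, not a real certificate, and OWNER_GUID is an arbitrary constant chosen for the example.

```python
"""Build, merge and inspect EFI signature lists (.esl) using only the standard library.

Added example: this is not code from the wiki page or from efitools. It reproduces the
byte layout cert-to-efi-sig-list and hash-to-efi-sig-list write, the effect of
`cat old_db.esl >> db.esl`, and decodes what `efi-readvar -o` dumps.
"""
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# SignatureOwner records who added an entry; firmware does not check it.
# Assumption: an arbitrary constant GUID chosen for this example.
OWNER_GUID = uuid.UUID("0b6a2f4e-5d1c-4f7a-9e38-6c2d1b0a9f11")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian), SignatureListSize,
# SignatureHeaderSize, SignatureSize; the three sizes are little-endian uint32.
HDR = "<16sIII"
HDR_LEN = struct.calcsize(HDR)  # 28 bytes


def _build_list(sig_type, datas, owner=OWNER_GUID):
    """One EFI_SIGNATURE_LIST whose entries all share the same fixed SignatureSize."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()            # EFI_SIGNATURE_DATA = SignatureOwner + SignatureData
    list_size = HDR_LEN + sig_size * len(datas)
    body = b"".join(owner.bytes_le + d for d in datas)
    return struct.pack(HDR, sig_type.bytes_le, list_size, 0, sig_size) + body


def build_cert_esl(der_cert: bytes, owner=OWNER_GUID) -> bytes:
    """Equivalent of `cert-to-efi-sig-list cert.crt cert.esl` for one DER-encoded certificate."""
    return _build_list(EFI_CERT_X509_GUID, [der_cert], owner)


def build_hash_esl(sha256_hashes, owner=OWNER_GUID) -> bytes:
    """A SHA-256 hash list, the entry type dbx usually holds (hash-to-efi-sig-list)."""
    hashes = list(sha256_hashes)
    if any(len(h) != 32 for h in hashes):
        raise ValueError("SHA-256 digests must be 32 bytes")
    return _build_list(EFI_CERT_SHA256_GUID, hashes, owner)


def parse_esl(blob: bytes) -> list:
    """Walk a concatenation of signature lists and return (type, owner, data) tuples.
    Length fields are checked against the buffer so a truncated or corrupt dump raises
    instead of being enrolled as-is."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HDR, blob, off)
        if list_size < HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body_len = list_size - HDR_LEN - hdr_size
        if sig_size < 16 or body_len % sig_size:
            raise ValueError("SignatureSize does not divide list body at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body = off + HDR_LEN + hdr_size
        for i in range(body_len // sig_size):
            s = body + i * sig_size
            owner = uuid.UUID(bytes_le=bytes(blob[s:s + 16]))
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner,
                            bytes(blob[s + 16:s + sig_size])))
        off += list_size
    return entries


def merge_esl(*blobs: bytes) -> bytes:
    """What `cat old_db.esl >> db.esl` does, but every input is validated first."""
    for b in blobs:
        parse_esl(b)
    return b"".join(blobs)


def summarize(blob: bytes) -> dict:
    """Count entries per signature type, e.g. {'X509': 1, 'SHA256': 2}."""
    counts = {}
    for sig_type, _owner, _data in parse_esl(blob):
        counts[sig_type] = counts.get(sig_type, 0) + 1
    return counts


if __name__ == "__main__":
    # Inspect real dumps: python3 esl.py old_db.esl old_dbx.esl db.esl
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(path, summarize(data))
        for sig_type, owner, payload in parse_esl(data):
            print("  %-6s owner=%s %d bytes" % (sig_type, owner, len(payload)))
```

Running it over old_db.esl before the merge shows how many vendor certificates you are carrying forward; running it over db.esl afterwards should show exactly one more X509 entry than the old list.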
Sign the certificate lists. The PK signs the PK and KEK lists; the KEK signs the db and dbx lists, which is the chain the firmware checks when it installs them:
root # sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
root # sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth
Reboot, enter the firmware setup, enable Secure Boot and switch it to custom (setup) mode, which clears the existing PK so the firmware will accept the self-signed PK.auth. Then boot Funtoo and prepare to install the new certificates:
Remount efivars (the kernel's EFI variable pseudo-filesystem at /sys/firmware/efi/efivars, not a disk partition) read-write:
root # mount -o remount,rw /sys/firmware/efi/efivars
If efi-updatevar still fails with "Operation not permitted", recent kernels mark the PK, KEK, db and dbx files in that directory immutable; clear that file attribute on them before retrying.
Install the certificates into the firmware. Keep this order: dbx, db and KEK first while the firmware is still in setup mode, PK last, because writing the PK is what takes the firmware out of setup mode and turns enforcement on:
root # efi-updatevar -f old_dbx.auth dbx
root # efi-updatevar -f db.auth db
root # efi-updatevar -f KEK.auth KEK
root # efi-updatevar -f PK.auth PK