The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "User:Pnoecker/sbkeygen"
Edit summary (old revision): (→Generating and Installing Secure Boot Certificates: 10 years not 30 lol)
Edit summary (new revision): (add key length example comments. state secure boot disabled mode to pull up the old keys to back them up.)
Revision as of 14:53, January 29, 2023
Generating and Installing Secure Boot Certificates
Enter the firmware setup utility and put secure boot in setup mode.
Install efitools and sbsigntools:
root # emerge -av app-crypt/efitools app-crypt/sbsigntools
Decide where you want to keep your keys. You may keep them on the hard disk (not recommended), on another machine or on an external drive. We will use /etc/kernel as the backup directory.
If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so it should reside on a filesystem that supports sockets (i.e., not FAT) and be mounted read-write for signing.
Create the directory in which you will keep the keys:
root # mkdir -p -m 700 /etc/kernel/sbkeys
root # cd /etc/kernel/sbkeys
- Boot with secure boot disabled.
- Save the old secure boot certificates (efi-readvar prints the length of each variable it reads):
root # efi-readvar -v PK -o old_PK.esl
# Variable PK, length 808
root # efi-readvar -v KEK -o old_KEK.esl
# Variable KEK, length 1560
root # efi-readvar -v db -o old_db.esl
# Variable db, length 3143
root # efi-readvar -v dbx -o old_dbx.esl
# Variable dbx, length 11936
Generate new self-signed certificates valid for 10 years (3650 days):
root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
Prepare the EFI signature lists (.esl) from the certificates:
root # cert-to-efi-sig-list PK.crt PK.esl
root # cert-to-efi-sig-list KEK.crt KEK.esl
root # cert-to-efi-sig-list db.crt db.esl
If you want to dual boot preinstalled OSes, append the old KEK and db certificates to the new lists:
root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl >>db.esl
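Appending one .esl file to another works because an EFI variable such as db is simply a sequence of EFI_SIGNATURE_LIST structures, each carrying a signature-type GUID, its own size, and one or more (owner GUID, data) entries. The following standard-library Python script is an added example, not part of the original page or of efitools: it builds an X.509 signature list the way cert-to-efi-sig-list does, walks every list in a concatenated blob (so you can inspect old_KEK.esl or the combined db.esl before enrolling it), and reports the type, owner and SHA-256 fingerprint of each entry. The two SAMPLE_CERT values are constructed placeholder bytes standing in for DER certificates; the ESL framing does not depend on their content.

```python
"""Build and inspect EFI signature lists (.esl) with only the standard library."""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# cert-to-efi-sig-list uses an all-zero SignatureOwner unless -g is given.
ZERO_GUID = uuid.UUID(int=0)

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian),
# SignatureListSize, SignatureHeaderSize, SignatureSize (all little-endian UINT32).
HEADER = struct.Struct("<16sIII")

# Constructed stand-ins for DER-encoded certificates (not real certificates).
SAMPLE_CERT_A = b"\x30\x82\x01\x00" + b"A" * 60
SAMPLE_CERT_B = b"\x30\x82\x01\x00" + b"B" * 72


def build_x509_esl(cert_der: bytes, owner: uuid.UUID = ZERO_GUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, as cert-to-efi-sig-list does."""
    sig_size = 16 + len(cert_der)            # SignatureOwner GUID + SignatureData
    list_size = HEADER.size + sig_size       # X.509 lists have an empty SignatureHeader
    header = HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Walk every EFI_SIGNATURE_LIST in blob and return one dict per signature entry.

    Concatenated lists are valid input, which is why `cat old_db.esl >> db.esl` works.
    Raises ValueError on truncated or inconsistent framing instead of guessing.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"list at offset {off} claims {list_size} bytes beyond the data")
        if sig_size < 16:
            raise ValueError(f"list at offset {off}: SignatureSize smaller than owner GUID")
        body = blob[off + HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off}: body is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            data = body[i + 16:i + sig_size]
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        off += list_size
    return entries


def is_well_formed(blob: bytes) -> bool:
    """True if every list in blob parses cleanly; use before enrolling a hand-built .esl."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def demo() -> list:
    """Build two lists, concatenate them as the `cat ... >>` step does, and parse the result."""
    combined = build_x509_esl(SAMPLE_CERT_A) + build_x509_esl(SAMPLE_CERT_B)
    return parse_esl(combined)


if __name__ == "__main__":
    # Usage: python esl_inspect.py KEK.esl  (hypothetical file name); no argument runs the demo.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else None
    for e in (parse_esl(data) if data else demo()):
        print(f"{e['type']:7} owner={e['owner']} size={e['size']:5} sha256={e['sha256']}")
```

Run it against old_KEK.esl or the merged db.esl to confirm how many certificates the list carries and that the fingerprints match the vendor certificates you expect to keep; a list that fails is_well_formed should never be passed to sign-efi-sig-list.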
Sign the certificate lists (PK signs PK and KEK; KEK signs db and dbx):
root # sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
root # sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth
Remount the efivars filesystem read-write:
root # mount -o remount,rw /sys/firmware/efi/efivars
Install the certificates into EFI, in this order, with PK last:
root # efi-updatevar -f old_dbx.auth dbx
root # efi-updatevar -f db.auth db
root # efi-updatevar -f KEK.auth KEK
root # efi-updatevar -f PK.auth PK