The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
Difference between revisions of "Package:Shim"
(→key management: note and link tpm2) |
(adding more tools) |
||
Line 35: | Line 35: | ||
===key management=== | ===key management=== | ||
*efi tools allows manipulation of uefi secure boot platforms: | |||
{{console|body= | |||
###i## emerge efitools | |||
}} | |||
*sbsigntools is used to sign and verify files for secure boot: | |||
{{console|body= | |||
###i## emerge sbsigntools | |||
}} | |||
*mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft: | *mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft: | ||
{{console|body= | {{console|body= |
Revision as of 20:54, January 7, 2023
We have fedora's EFI secure boot shim. Documentation suggests loading the shim to unlock secure boot, and that the shim side loads grubx64.efi in the same directory.
sys-boot/shim
Homepage: https://apps.fedoraproject.org/packages/shim/ Description: Fedora's signed UEFI shim
root # emerge sys-boot/shim
these files are added to the system:
- /usr/share/shim/BOOTIA32.EFI
- /usr/share/shim/BOOTX64.EFI
- /usr/share/shim/mmia32.efi
- /usr/share/shim/mmx64.efi
root # mkdir /boot/EFI/FUNTOO root # cp /usr/share/shim/* /boot/EFI/FUNTOO/
uefi secure boot
first, sign your kernel & modules as seen here Signed_kernel_module_support
- press the f1 f2 f8 f9 f10 esc or delete to load bios.
- set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit.
- press the f1 f2 f8 f9 f10 esc or delete to load your boot selection menu.
- load EFI from file, point to /boot/EFI/FUNTOO/shim
- shim will greet you with access violation warnings.
- fiddle around to get mok manager to load up.
- select add key
- point to /boot/EFI/FUNTOO/grubx86.efi
- press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu.
- load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot.
key management
- efi tools allows manipulation of uefi secure boot platforms:
root # emerge efitools
- sbsigntools is used to sign and verify files for secure boot:
root # emerge sbsigntools
- mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft:
root # emerge sys-boot/mokutil
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " - https://wiki.ubuntu.com/UEFI/SecureBoot
these might be needed to get shim running but doubtful. we should be well covered with mokutil.
root # emerge app-crypt/sbsigntools app-crypt/efitools
- TPM2 can be used in conjunction with secure boot key generation.
Links
- Secure_Boot has more information.
- https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot
- https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
fallback default efi partition
avoid this if possible
root # mkdir /boot/EFI/BOOT root # cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/