Note:

The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.

Difference between revisions of "User:Pnoecker/sbkeygen"

(move shim certificate next to grub.)
(db not kek)
Line 50: Line 50:
*Sign kernel and grub:
*Sign kernel and grub:
{{console|body=
{{console|body=
###i## sbsign --key KEK.key --cert KEK.crt --output /boot/kernel-debian-sources-x86_64-6.1.4_p1 /boot/kernel-debian-sources-x86_64-6.1.4_p1
###i## sbsign --key db.key --cert db.crt --output /boot/kernel-debian-sources-x86_64-5.18.16_p1 /boot/kernel-debian-sources-x86_64-5.18.16_p1
###i## sbsign --key KEK.key --cert KEK.crt --output esp/EFI/BOOT/grubx64.efi esp/EFI/BOOT/grubx64.efi
###i## sbsign --key db.key --cert db.crt --output /ESP/EFI/BOOT/grubx64.efi /ESP/EFI/BOOT/grubx64.efi
}}
}}
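Review bot: the key swap on the two sbsign lines is the right fix: the firmware verifies EFI binaries (kernel, grubx64.efi) against db, while KEK only authorizes updates to db and dbx, so images signed with KEK.key would not verify unless the KEK certificate had also been enrolled in db. Two path changes ride along in the same edit and are not covered by the "db not kek" summary: the kernel path goes back from kernel-debian-sources-x86_64-6.1.4_p1 to 5.18.16_p1, and the GRUB path changes from esp/EFI/BOOT/grubx64.efi to /ESP/EFI/BOOT/grubx64.efi, while the step that follows on the page moves KEK.cer into /esp/EFI/BOOT; pick one ESP mount point and use it throughout, and consider adding an `sbverify --cert db.crt` check on each signed image after signing.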



Revision as of 16:40, January 31, 2023

Generating and Installing Secure Boot Certificates

Enter the firmware setup utility and put Secure Boot into setup mode. This clears the Platform Key (PK), so the key variables can be written without an existing signature until a new PK is enrolled.

Install efitools and sbsigntools:

root # emerge -av app-crypt/efitools app-crypt/sbsigntools

Decide where you want to keep your keys. You may keep them on the hard disk (not recommended), on another machine or on an external drive. This guide uses /etc/kernel/sbkeys as the working directory; treat it as a backup location and move the private keys to offline storage (or delete them from the disk) once enrollment is done.

   Note

If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so it should reside on a filesystem that supports sockets (i.e., not FAT) and be mounted read-write for signing.

Create the directory in which you will keep the keys:

root # mkdir -p -m 700 /etc/kernel/sbkeys
root # cd /etc/kernel/sbkeys
  • Boot with Secure Boot disabled:
  • Save the old Secure Boot certificates (you will need dbx, and possibly KEK and db, if you intend to keep booting vendor-signed software):
root # efi-readvar -v PK  -o old_PK.esl
# Variable PK, length 808
root # efi-readvar -v KEK -o old_KEK.esl
# Variable KEK, length 1560
root # efi-readvar -v db  -o old_db.esl
# Variable db, length 3143
root # efi-readvar -v dbx -o old_dbx.esl
# Variable dbx, length 11936

Generate new self-signed certificates valid for 10 years (-nodes leaves the private keys unencrypted on disk, so keep the directory mode 700 and the keys offline when not signing):

root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=PK/"  -keyout PK.key  -out PK.crt  -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256
root # openssl req -new -x509 -newkey rsa:4096 -subj "/CN=db/"  -keyout db.key  -out db.crt  -days 3650 -nodes -sha256
  • Export the certificates to DER (.cer) format, which MokManager expects:
root # openssl x509 -outform DER -in PK.crt -out PK.cer
root # openssl x509 -outform DER -in KEK.crt -out KEK.cer
root # openssl x509 -outform DER -in db.crt -out db.cer
  • Sign kernel and grub:
root # sbsign --key db.key --cert db.crt --output /boot/kernel-debian-sources-x86_64-5.18.16_p1 /boot/kernel-debian-sources-x86_64-5.18.16_p1
root # sbsign --key db.key --cert db.crt --output /ESP/EFI/BOOT/grubx64.efi /ESP/EFI/BOOT/grubx64.efi
  • Move the KEK certificate next to GRUB on the ESP:
root # mv /etc/kernel/sbkeys/KEK.cer /esp/EFI/BOOT/KEK.cer

Prepare certificate lists:

root # cert-to-efi-sig-list PK.crt  PK.esl
root # cert-to-efi-sig-list KEK.crt KEK.esl
root # cert-to-efi-sig-list db.crt  db.esl

If you want to dual boot preinstalled OSes, append the old KEK and db certificates to the new lists (an .esl file is simply a sequence of EFI_SIGNATURE_LIST structures, so concatenation is valid). The old dbx is signed and enrolled separately below, so the vendor revocations are preserved as well:

root # cat old_KEK.esl >>KEK.esl
root # cat old_db.esl  >>db.esl
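Before appending old_KEK.esl and old_db.esl it is worth checking what they actually contain, since efi-readvar dumps the firmware variable verbatim. The following is an added example, not code from the Funtoo page or from efitools: a builder and parser for the EFI_SIGNATURE_LIST format that cert-to-efi-sig-list and efi-readvar produce, using only the Python standard library. It generalizes beyond the single-certificate X509 lists on this page to SHA256 hash lists of the kind found in dbx. The certificate bytes and owner GUID in the sample are constructed placeholders, not real certificates; point parse_esl at the bytes of your own old_db.esl to inspect it.

```python
"""Inspect EFI signature lists (.esl) before merging them.

Added example (not from the Funtoo page): builder and parser for the
EFI_SIGNATURE_LIST format. Sample certificate bytes are constructed
placeholders, not real X.509 DER.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification. EFI_GUID is stored
# mixed-endian on disk, which is exactly what uuid's bytes_le gives us.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType(16) + SignatureListSize(4)
# + SignatureHeaderSize(4) + SignatureSize(4), all little-endian.
LIST_HDR = struct.Struct("<16sIII")


def build_esl(sig_type, entries, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST holding `entries` (DER certs or 32-byte hashes).

    Every entry in a list shares one SignatureSize, so X509 lists hold a single
    certificate; that is why cert-to-efi-sig-list emits one list per cert.
    """
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA = SignatureOwner GUID + data
    body = b"".join(owner.bytes_le + e for e in entries)
    list_size = LIST_HDR.size + len(body)
    return LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_esl(blob):
    """Walk a file of concatenated EFI_SIGNATURE_LISTs (e.g. after `cat old_db.esl >> db.esl`).

    Returns one dict per EFI_SIGNATURE_DATA entry. Truncated or inconsistent
    lists raise ValueError rather than being skipped silently.
    """
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size or off + list_size > len(blob):
            raise ValueError(f"list at offset {off} claims {list_size} bytes")
        if hdr_size > list_size - LIST_HDR.size:
            raise ValueError(f"list at offset {off}: bad SignatureHeaderSize {hdr_size}")
        sigs_off = off + LIST_HDR.size + hdr_size
        sigs_len = list_size - LIST_HDR.size - hdr_size
        if sig_size <= 16 or sigs_len % sig_size:
            raise ValueError(f"list at offset {off}: bad SignatureSize {sig_size}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(sigs_len // sig_size):
            ent = blob[sigs_off + i * sig_size: sigs_off + (i + 1) * sig_size]
            data = ent[16:]
            out.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=ent[:16])),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),  # fingerprint of the entry
            })
        off += list_size
    return out


# Constructed sample data: what db.esl looks like after the merge step, plus a
# dbx-style hash list. None of these bytes are real certificates or revocations.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # arbitrary owner GUID
FAKE_DB_CERT = b"\x30\x82" + b"\xaa" * 600                    # placeholder for db.crt (DER)
FAKE_OLD_CERT = b"\x30\x82" + b"\xbb" * 800                   # placeholder for a vendor cert
FAKE_DBX_HASHES = [hashlib.sha256(b"revoked-1").digest(),
                   hashlib.sha256(b"revoked-2").digest()]

MERGED_DB = (build_esl(EFI_CERT_X509_GUID, [FAKE_DB_CERT], OWNER)
             + build_esl(EFI_CERT_X509_GUID, [FAKE_OLD_CERT], OWNER))
SAMPLE_DBX = build_esl(EFI_CERT_SHA256_GUID, FAKE_DBX_HASHES, OWNER)

if __name__ == "__main__":
    for name, blob in (("db.esl", MERGED_DB), ("old_dbx.esl", SAMPLE_DBX)):
        print(f"{name}: {len(blob)} bytes")
        for e in parse_esl(blob):
            print(f"  {e['type']:6} owner={e['owner']} size={e['size']} "
                  f"sha256={e['sha256'][:16]}...")
```

To inspect a real file, call `parse_esl(open("old_db.esl", "rb").read())`; an entry count that does not match what you expect from efi-readvar's output, or a ValueError, means the dump is damaged and should not be appended to db.esl.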

Sign the certificate lists:

root # sign-efi-sig-list -k PK.key  -c PK.crt  PK  PK.esl      PK.auth
root # sign-efi-sig-list -k PK.key  -c PK.crt  KEK KEK.esl     KEK.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt db  db.esl      db.auth
root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth

Reboot into the firmware setup utility, turn Secure Boot on, set it to custom (setup) mode, then boot Funtoo and prepare to enroll the new certificates:

Remount the efivars partition read-write:

root # mount -o remount,rw /sys/firmware/efi/efivars

Install the certificates into the EFI variables. The order matters: PK goes last, because writing it ends setup mode, after which every further update must carry a signature from the corresponding key:

root # efi-updatevar -f old_dbx.auth dbx 
root # efi-updatevar -f db.auth      db
root # efi-updatevar -f KEK.auth     KEK
root # efi-updatevar -f PK.auth      PK