User:Pnoecker/sbgrub

From Funtoo
Revision as of 16:20, January 20, 2023 by Pnoecker (Installing GRUB: add AMD microcode to the files to be signed)

Installing GRUB

Generate a PGP key pair and export the public key. Once this key is embedded in the GRUB image, GRUB enforces signature checking and refuses any file (kernel, initramfs, grub.cfg, font, module) that lacks a valid detached signature made with it:

root # mkdir -m 700 /etc/kernel/gpg
root # gpg --homedir=/etc/kernel/gpg --quick-generate-key grub2 default default never
root # mount /boot
root # gpg --homedir=/etc/kernel/gpg --export grub2 >/boot/grub/grub.pub

Create the initial GRUB config file which will be embedded into the GRUB image:

   /etc/kernel/grub-initial.cfg - Initial GRUB config
set superusers="root"
export superusers
password_pbkdf2 root grub.pbkdf2.sha512.10000.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

set root=ROOTDISK
search --no-floppy --fs-uuid --set FSUUID
configfile /grub/grub.cfg

echo grub.cfg did not boot the system but returned to initial.cfg.
echo Exiting in 10 seconds.
sleep 10
exit

You will have to edit the config file in three places:

  1. Use grub-mkpasswd-pbkdf2 to generate a password hash and replace the zeroes with the full grub.pbkdf2.sha512.... string it prints.
  2. Replace ROOTDISK with the value of the root variable (the "set root=" line) from /boot/grub/grub.cfg.
  3. Replace FSUUID with the filesystem UUID from a "search --fs-uuid" line in /boot/grub/grub.cfg.

Mount /boot and /boot/efi:

root # mount /boot
root # mount /boot/efi

Make a standalone GRUB image, then sign it with the Secure Boot db key into its final location on the EFI system partition. Replace ROOTDISK below with the same value as above. The unsigned image is written to /boot/grub here, not to the EFI system partition, so the only copy the firmware can reach is the signed one; /etc/kernel/sbkeys is assumed to already hold the db key and certificate you enrolled in the firmware. Build in every module your grub.cfg needs: once signature checking is enforced, GRUB will not load modules from disk unless they carry a valid .sig as well.

root # grub-mkimage -O x86_64-efi -p "ROOTDISK/grub" -c /etc/kernel/grub-initial.cfg -k /boot/grub/grub.pub -o /boot/grub/grubx64.efi configfile loadenv part_gpt ext2 linux gcry_rsa gcry_sha256 password_pbkdf2 all_video gfxterm videoinfo search minicmd test echo reboot sleep
root # sbsign --key /etc/kernel/sbkeys/db.key --cert /etc/kernel/sbkeys/db.crt -o "/boot/efi/EFI/BOOT/grubx64.efi" /boot/grub/grubx64.efi
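The three substitutions above are easy to get wrong by hand, and a wrong ROOTDISK or FSUUID leaves you at the initial config's error message. The following script, an added example that is not part of the original page, pulls the "set root=" and "search --fs-uuid --set" values out of the grub.cfg that boot-update wrote and fills them plus the pbkdf2 hash into the template. It assumes the template and grub.cfg line shapes shown on this page (it also accepts the "--set=root UUID" form grub-mkconfig produces); the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page: render /etc/kernel/grub-initial.cfg
# from the template above, taking ROOTDISK and FSUUID from the grub.cfg that
# boot-update generated and the password hash from grub-mkpasswd-pbkdf2.
# Assumes grub.cfg contains a "set root=..." line and a
# "search ... --fs-uuid --set[=name] UUID" line, as described on the page.

# grub_root GRUBCFG: print the value of the first "set root=" line.
grub_root() {
    sed -n 's/^[[:space:]]*set root=\(.*\)$/\1/p' "$1" | head -n 1
}

# grub_fsuuid GRUBCFG: print the UUID from the first "search --fs-uuid --set" line.
# Handles both "--set UUID" (boot-update) and "--set=root UUID" (grub-mkconfig).
grub_fsuuid() {
    sed -n 's/^[[:space:]]*search .*--fs-uuid --set\(=[a-z]*\)*[[:space:]]*\([0-9A-Fa-f-]*\).*$/\2/p' "$1" | head -n 1
}

# render_initial_cfg TEMPLATE GRUBCFG PBKDF2HASH: print the filled-in config.
# Fails (exit 1) rather than emitting a half-filled file if a value is missing.
render_initial_cfg() {
    tmpl=$1
    root=$(grub_root "$2")
    uuid=$(grub_fsuuid "$2")
    hash=$3
    if [ -z "$root" ] || [ -z "$uuid" ] || [ -z "$hash" ]; then
        echo "render_initial_cfg: could not determine root/uuid/hash" >&2
        return 1
    fi
    # The hash contains only [A-Za-z0-9.], so '|' is a safe sed delimiter.
    sed -e "s|ROOTDISK|$root|" \
        -e "s|FSUUID|$uuid|" \
        -e "s|^\(password_pbkdf2 root \).*|\1$hash|" "$tmpl"
}

# Usage (as root), after grub-mkpasswd-pbkdf2 has printed the hash:
#   render_initial_cfg template.cfg /boot/grub/grub.cfg "$HASH" > /etc/kernel/grub-initial.cfg
if [ $# -eq 3 ]; then
    render_initial_cfg "$1" "$2" "$3"
fi
```

Review the rendered file before running grub-mkimage; the "set root=" value is used both inside the embedded config and as the -p prefix of the image.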

Sign Stuff

Sign some kernel and initramfs images. gpg -b writes a binary detached signature next to each file (FILE.sig), which is the format GRUB expects; it signs one file per invocation, and on a re-run the globs also match the existing .sig files, so loop over the wildcard paths and skip signatures:

root # gpg --homedir=/etc/kernel/gpg -b /boot/kernel-rescue
root # gpg --homedir=/etc/kernel/gpg -b /boot/early_ucode.cpio
root # gpg --homedir=/etc/kernel/gpg -b /boot/amd-uc.img
root # for f in /boot/initramfs-debian-sources* /boot/kernel-debian-sources*; do case "$f" in *.sig) ;; *) gpg --homedir=/etc/kernel/gpg -b "$f" ;; esac; done

You may leave some of the kernels or initrd images unsigned for testing; they should then fail to boot once secure boot is enabled.

Edit /etc/boot.conf:

  • Add the rescue kernel (optionally).
  • Only kernel-genkernel-* in the "Funtoo Linux genkernel" group.
  • Skip kernels ending with .sig.
  • Allow booting configured kernels without authentication.
   /etc/boot.conf - Boot config fragments
"Funtoo Linux rescue" {
        menuflags --unrestricted
        kernel kernel-rescue
}

"Funtoo Linux genkernel" {
        menuflags --unrestricted
        kernel kernel-genkernel[-v] -*.sig
        initrd initramfs-genkernel[-v]
#       params += ...
# ... the rest of the section remains unchanged
}

Generate and sign grub.cfg, and sign the font used by GRUB. Repeat this whenever boot-update rewrites grub.cfg or a kernel or initramfs is replaced: a missing or stale signature makes GRUB refuse the file.

root # boot-update
root # gpg --homedir=/etc/kernel/gpg -b /boot/grub/grub.cfg
root # gpg --homedir=/etc/kernel/gpg -b /boot/grub/fonts/unicode.pf2
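Because every kernel update or boot-update run silently invalidates signatures, it helps to have a check that lists what still needs signing before you reboot. The script below is an added example, not part of the original page: check_sigs reports, for each boot artifact in a directory, whether its detached signature is present and newer than the file, and sign_stale re-signs only the ones flagged. It assumes the FILE.sig naming produced by gpg -b above, the kernel-*/initramfs-*/*.cpio/*.img/grub.cfg/*.pf2 file names used on this page, and the key home /etc/kernel/gpg; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original page: find boot files whose detached
# GPG signature (FILE.sig, as made by "gpg -b") is missing or older than the
# file itself, and optionally re-sign just those. Assumes the file names
# used on this page; other files (System.map-*, config-*) are ignored.

# check_sigs DIR: print "ok|MISSING|STALE <file>" per artifact in DIR;
# return 1 if anything needs (re)signing.
check_sigs() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                    # skip subdirectories
        case "$f" in *.sig) continue ;; esac       # signatures themselves
        case "${f##*/}" in
            kernel-*|initramfs-*|*.cpio|*.img|grub.cfg|*.pf2) ;;
            *) continue ;;                         # not something GRUB loads
        esac
        if [ ! -f "$f.sig" ]; then
            printf 'MISSING %s\n' "$f"; rc=1
        elif [ "$f" -nt "$f.sig" ]; then
            printf 'STALE   %s\n' "$f"; rc=1       # file changed after signing
        else
            printf 'ok      %s\n' "$f"
        fi
    done
    return $rc
}

# sign_stale DIR [GPGHOME]: (re)create the signature of every file that
# check_sigs flags, using the key in GPGHOME (default: the page's key dir).
sign_stale() {
    dir=$1
    gpghome=${2:-/etc/kernel/gpg}
    check_sigs "$dir" | while read -r state f; do
        [ "$state" = ok ] && continue
        rm -f "$f.sig"
        gpg --homedir="$gpghome" --batch --yes -b "$f"
    done
}

# Usage (as root), e.g. after boot-update or a kernel install:
#   check_sigs /boot; check_sigs /boot/grub; check_sigs /boot/grub/fonts
#   sign_stale /boot && sign_stale /boot/grub && sign_stale /boot/grub/fonts
```

Run the check for /boot, /boot/grub and /boot/grub/fonts separately; the function deliberately does not descend into subdirectories so that /boot/efi and the GRUB module directory are left alone.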

You should already have the Funtoo Linux [GRUB] EFI boot entry. If you're not certain, list the entries with their loader paths and confirm that the one you intend to boot points at the signed image you just wrote (\EFI\BOOT\grubx64.efi):

root # efibootmgr -v

If no such entry is found, add it. Replace EFIBOOTDISK below with the disk holding the EFI system partition mounted on /boot/efi, and N with that partition's number on the disk:

root # efibootmgr -c -d /dev/EFIBOOTDISK -p N -L "Funtoo Linux [GRUB]" -l '\EFI\BOOT\grubx64.efi'

Look for the number of the entry and where it appears in the boot order. If it's not first, you may want to change the boot order: copy the BootOrder line from the efibootmgr output and rearrange the numbers to your liking (the values below are only an illustration):

root # efibootmgr -o 0001,0002,0000,0018,0019,001A,001B,001C,001D,001E,001F,0024

Shut down, enter the firmware setup, enable secure boot and make sure that everything works. In particular:

  • You can boot the system without entering a password.
  • You cannot boot unsigned EFI images.
  • You cannot boot unsigned kernels or load unsigned initramfs images.
  • If you try to edit kernel parameters or drop to the GRUB command line, you get a password prompt.