Difference between revisions of "Package:Shim"

From Funtoo
{{note|under construction, feel free to contribute.}}
We have Fedora's EFI Secure Boot shim. Documentation suggests loading the shim to unlock Secure Boot, and that the shim then side-loads grubx64.efi from the same directory.
 
sys-boot/shim
     Homepage:            https://apps.fedoraproject.org/packages/shim/
     Description:         Fedora's signed UEFI shim
shim requires that GRUB be installed with an SBAT section (the .sbat CSV data embedded in the EFI binary); see:
*https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html
*https://github.com/rhboot/shim/blob/main/SBAT.md
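To check that a GRUB image actually carries the SBAT data shim requires before copying it next to the shim, the section can be read straight out of the PE/COFF headers. The following is an added example, not code from the Funtoo page or from the shim or GRUB projects: a small pure-Python parser that locates the .sbat section, parses its CSV rows into the fields documented in SBAT.md, and reports whether a "grub" entry is present. The build_minimal_pe() helper and the SAMPLE_SBAT_CSV values (generation numbers, version, vendor) are constructed sample data so the script runs offline; they are not taken from a real GRUB binary.

```python
"""Locate and parse the .sbat section of a PE/COFF EFI binary.

Added example (not part of the Funtoo wiki page). Assumes the SBAT CSV
layout from rhboot/shim's SBAT.md: component_name, component_generation,
vendor_name, vendor_package_name, vendor_version, vendor_url.
"""
import struct
from typing import Dict, List, Optional

SBAT_FIELDS = (
    "component_name", "component_generation", "vendor_name",
    "vendor_package_name", "vendor_version", "vendor_url",
)

# Constructed sample payload modelled on SBAT.md; the numbers are illustrative only.
SAMPLE_SBAT_CSV = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)


def find_section(data: bytes, name: str) -> Optional[bytes]:
    """Return the raw bytes of the named PE section, or None if it is absent."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                                  # first section header
    target = name.encode("ascii").ljust(8, b"\0")
    for i in range(nsections):
        sname, vsize, _vaddr, raw_size, raw_ptr, *_rest = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        if sname == target:
            # VirtualSize is the true payload length; SizeOfRawData is padded to the
            # file alignment. Some toolchains leave VirtualSize at 0, so fall back.
            length = vsize if 0 < vsize <= raw_size else raw_size
            return data[raw_ptr:raw_ptr + length]
    return None


def parse_sbat(csv_text: str) -> List[Dict[str, object]]:
    """Parse SBAT CSV rows; raises on a row with the wrong number of fields."""
    entries = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(",", len(SBAT_FIELDS) - 1)   # vendor_url may contain commas
        if len(parts) != len(SBAT_FIELDS):
            raise ValueError(f"malformed SBAT line: {line!r}")
        entry: Dict[str, object] = dict(zip(SBAT_FIELDS, parts))
        entry["component_generation"] = int(parts[1])
        entries.append(entry)
    return entries


def read_sbat(data: bytes) -> Optional[List[Dict[str, object]]]:
    """Return the parsed SBAT entries of an image, or None if it has no .sbat section."""
    raw = find_section(data, ".sbat")
    if raw is None:
        return None
    return parse_sbat(raw.rstrip(b"\0").decode("utf-8"))


def sbat_ok(data: bytes, component: str = "grub") -> bool:
    """True if the image carries an SBAT section with an entry for `component`."""
    entries = read_sbat(data)
    return entries is not None and any(e["component_name"] == component for e in entries)


def build_minimal_pe(sections: Dict[str, bytes]) -> bytes:
    """Construct a skeletal PE image holding the given sections (sample data only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    nsect = len(sections)
    coff = struct.pack("<HHIIIHH", 0x8664, nsect, 0, 0, 0, 0, 0x2)   # no optional header
    headers_end = e_lfanew + 4 + 20 + 40 * nsect
    table, body = b"", b""
    for name, payload in sections.items():
        raw_ptr = headers_end + len(body)
        raw_size = (len(payload) + 511) // 512 * 512                # pad like FileAlignment
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(payload), 0, raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040)
        body += payload.ljust(raw_size, b"\0")
    return dos + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    good = build_minimal_pe({".text": b"\x90" * 16, ".sbat": SAMPLE_SBAT_CSV.encode()})
    bad = build_minimal_pe({".text": b"\x90" * 16})
    for label, img in (("with .sbat", good), ("without .sbat", bad)):
        print(label, "->", "OK" if sbat_ok(img) else "REJECT: no grub SBAT entry")
    for e in read_sbat(good):
        print(f"  {e['component_name']} gen {e['component_generation']} "
              f"({e['vendor_package_name']} {e['vendor_version']})")
```

On a real image, pass the bytes of /boot/EFI/FUNTOO/grubx64.efi to read_sbat(); the same data can be dumped from the command line with objcopy --only-section=.sbat -O binary grubx64.efi /dev/stdout, which is the check SBAT.md itself describes.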


{{console|body=
###i## emerge sys-boot/shim
}}


these files are added to the system:
*/usr/share/shim/BOOTIA32.EFI
*/usr/share/shim/BOOTX64.EFI
*/usr/share/shim/mmia32.efi
*/usr/share/shim/mmx64.efi
 
 
{{console|body=
###i## mkdir /boot/EFI/FUNTOO
###i## cp /usr/share/shim/* /boot/EFI/FUNTOO/
}}
 
===uefi secure boot===
First, sign your kernel & modules as described in [[Signed_kernel_module_support]].
*press F1, F2, F8, F9, F10, Esc or Delete to enter the BIOS setup.
*set the BIOS to boot UEFI USB devices first, disable secure boot, and enable legacy mode. Save settings and exit.
*press F1, F2, F8, F9, F10, Esc or Delete to open your boot selection menu.
*load EFI from file, and point to /boot/EFI/FUNTOO/shim.
*shim will greet you with access violation warnings.
*fiddle around to get the MOK manager to load.
*select add key.
*point to /boot/EFI/FUNTOO/grubx64.efi.
*press F1, F2, F8, F9, F10, Esc or Delete to open your boot selection menu.
*load EFI from file, and again point to /boot/EFI/FUNTOO/shim, which will now load Funtoo under secure boot.
 
===key management===
*efitools allows manipulation of UEFI Secure Boot platforms:
{{console|body=
###i## emerge efitools
}}
 
*sbsigntools is used to sign and verify files for Secure Boot:
{{console|body=
###i## emerge sbsigntools
}}
 
*mokutil manages the Machine Owner Key (MOK) list and allows us to enroll arbitrary keys that are not signed by Microsoft:
{{console|body=
###i## emerge sys-boot/mokutil
}}
 
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether."
- https://wiki.ubuntu.com/UEFI/SecureBoot
 
 
These might be needed to get shim running, but that is doubtful; mokutil should cover what we need.
{{console|body=
###i## emerge app-crypt/sbsigntools app-crypt/efitools
}}
 
*[[TPM2]] can be used in conjunction with secure boot key generation.
 
==Links==
* [[Secure_Boot]] has more information.
* https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot
* https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
 
===fallback default efi partition===
{{warning|avoid this if possible}}
{{console|body=
###i## mkdir /boot/EFI/BOOT
###i## cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/
}}
 
==enroll key using mokutil==
*possibly this:
{{console|body=
###i## mokutil --import /etc/kernel/certs/linux/signing_key.der
}}
 
mokutil is probably what other distributions use to automatically enroll keys, and possibly hashes, in their install automation.

Latest revision as of 17:40, February 8, 2023
