Difference between revisions of "Package:Shim"
Jump to navigation
Jump to search
m (→Uncooperative: emerge the mokutil package oops) |
(testing mokutil import, documenting command to be tested) |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
Homepage: https://apps.fedoraproject.org/packages/shim/ | Homepage: https://apps.fedoraproject.org/packages/shim/ | ||
Description: Fedora's signed UEFI shim | Description: Fedora's signed UEFI shim | ||
shim requires grub be installed with a sbat file. | |||
https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html | |||
https://github.com/rhboot/shim/blob/main/SBAT.md | |||
{{console|body= | {{console|body= | ||
| Line 22: | Line 26: | ||
===uefi secure boot=== | ===uefi secure boot=== | ||
first, sign your kernel & modules as seen here [[Signed_kernel_module_support]] | |||
*press the f1 f2 f8 f9 f10 esc or delete to load bios. | *press the f1 f2 f8 f9 f10 esc or delete to load bios. | ||
*set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit. | *set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit. | ||
| Line 32: | Line 37: | ||
*press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu. | *press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu. | ||
*load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot. | *load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot. | ||
===key management=== | |||
*efi tools allows manipulation of uefi secure boot platforms: | |||
{{console|body= | |||
###i## emerge efitools | |||
}} | |||
*sbsigntools is used to sign and verify files for secure boot: | |||
{{console|body= | |||
###i## emerge sbsigntools | |||
}} | |||
*mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft: | |||
{{console|body= | |||
###i## emerge sys-boot/mokutil | |||
}} | |||
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " | |||
- https://wiki.ubuntu.com/UEFI/SecureBoot | |||
these might be needed to get shim running but doubtful. we should be well covered with mokutil. | |||
{{console|body= | |||
###i## emerge app-crypt/sbsigntools app-crypt/efitools | |||
}} | |||
*[[TPM2]] can be used in conjunction with secure boot key generation. | |||
==Links== | |||
* [[Secure_Boot]] has more information. | |||
* https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot | |||
* https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/ | |||
===fallback default efi partition=== | ===fallback default efi partition=== | ||
| Line 40: | Line 77: | ||
}} | }} | ||
== | ==enroll key using mokutil== | ||
* | *maybe this? | ||
{{console|body= | {{console|body= | ||
###i## | ###i## mokutil --import /etc/kernel/certs/linux/signing_key.der | ||
}} | }} | ||
mokutil is probably used to automatically enroll keys and possibly hashes in other distributions in their install automations. | |||
Latest revision as of 17:40, February 8, 2023
We have fedora's EFI secure boot shim. Documentation suggests loading the shim to unlock secure boot, and that the shim side loads grubx64.efi in the same directory.
sys-boot/shim
Homepage: https://apps.fedoraproject.org/packages/shim/ Description: Fedora's signed UEFI shim
shim requires grub be installed with a sbat file. https://www.gnu.org/software/grub/manual/grub/html_node/Secure-Boot-Advanced-Targeting.html https://github.com/rhboot/shim/blob/main/SBAT.md
root # emerge sys-boot/shim
these files are added to the system:
- /usr/share/shim/BOOTIA32.EFI
- /usr/share/shim/BOOTX64.EFI
- /usr/share/shim/mmia32.efi
- /usr/share/shim/mmx64.efi
root # mkdir /boot/EFI/FUNTOO root # cp /usr/share/shim/* /boot/EFI/FUNTOO/
uefi secure boot
first, sign your kernel & modules as seen here Signed_kernel_module_support
- press the f1 f2 f8 f9 f10 esc or delete to load bios.
- set bios to load uefi usb devices first, disable secure boot, and enable legacy mode. save settings and exit.
- press the f1 f2 f8 f9 f10 esc or delete to load your boot selection menu.
- load EFI from file, point to /boot/EFI/FUNTOO/shim
- shim will greet you with access violation warnings.
- fiddle around to get mok manager to load up.
- select add key
- point to /boot/EFI/FUNTOO/grubx86.efi
- press the f1 f2 f8 f9 f10 esc or delete key to load your boot selection menu.
- load EFI from file, and again point to /boot/EFI/FUNTOO/shim which will now load funtoo under secure boot.
key management
- efi tools allows manipulation of uefi secure boot platforms:
root # emerge efitools
- sbsigntools is used to sign and verify files for secure boot:
root # emerge sbsigntools
- mokutil loads the arbitrary machine owner key management console and allows us to load keys that are not signed by microsoft:
root # emerge sys-boot/mokutil
"users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether. " - https://wiki.ubuntu.com/UEFI/SecureBoot
these might be needed to get shim running but doubtful. we should be well covered with mokutil.
root # emerge app-crypt/sbsigntools app-crypt/efitools
- TPM2 can be used in conjunction with secure boot key generation.
Links
- Secure_Boot has more information.
- https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot
- https://blog.uncooperative.org/blog/2014/02/06/the-efi-system-partition/
fallback default efi partition
Warning
avoid this if possible
root # mkdir /boot/EFI/BOOT root # cp /boot/EFI/FUNTOO/* /boot/EFI/BOOT/
enroll key using mokutil
- maybe this?
root # mokutil --import /etc/kernel/certs/linux/signing_key.der
mokutil is probably used to automatically enroll keys and possibly hashes in other distributions in their install automations.