The officially official Devuan Forum!


#1 2019-05-17 01:24:37

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Secure Boot

Greetings! I've been spending a decent amount of time looking into EFI-Stub loading and Secure Boot. I'm hoping to find someone who may be able to help at this point as I'm not sure where to proceed. Full disclosure: this whole project is currently just an academic endeavor! If I can get this working, I plan to document the process, as much of the current documentation seems to assume everyone wants to use Shim and leave the MS certs on their box (seems like this would defeat the whole purpose of custom keys though, correct?).

I've managed to compile a kernel with EFI-Stub and get it to boot without Grub (quite awesome functionality, imo). Now I'm wanting to set up my own Secure Boot keys so that my system will only boot my signed kernel. This seemed like a pretty easy feat until starting down the road... At the moment, I'm able to generate and sign my own PK, KEK, and db. sbsign signs my kernel and sbverify states that it has a valid signature matching my db cert. I can then use KeyTool to 'install' the keys (db, KEK, PK - in that order) on the system without errors. Upon enabling Secure Boot in EFI, the system reboots to a blank screen and then ultimately errors out with 6 red LED flashes of the power light (according to HP this means no graphics).

The hardware is an HP Z420 workstation on the newest UEFI release with a Quadro K2000 GPU. I'm thinking it has something to do with OROMs but I'm not entirely sure. Was hoping that if I exported the original HP certs and concatenated/signed them with my custom ones I'd be good to go but apparently that's not the case.

The system will boot with the factory certs enabled and Shim available though. So it seems like something in the boot process might require MS' cert and it wouldn't surprise me if the nVidia card was the culprit. Long story short, has anyone been able to successfully purge MS certs and boot entirely from their own self signed certs?

If the commands run are needed, please let me know but I've been using the following resources primarily (obviously not following the gentoo/arch and shim/grub specific parts):

https://wiki.gentoo.org/wiki/Sakaki%27s … ecure_Boot
https://www.rodsbooks.com/efi-bootloade … ng-sb.html
https://wiki.archlinux.org/index.php/Secure_Boot


#2 2019-05-17 07:52:59

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 290  

Re: Secure Boot

Just FYI:

aut0exec wrote:

I've managed to compile a kernel with EFI-Stub

The stock Devuan kernels already have CONFIG_EFI_STUB enabled and the beowulf kernel images are signed with Microsoft's key.

In respect of your problem, have you enabled custom Secure Boot keys in your firmware ("BIOS") options?

The Debian wiki has a Secure Boot guide that may help:

https://wiki.debian.org/SecureBoot

FWIW the Debian buster RC1 installer fully supports Secure Boot albeit with Microsoft's keys.


Fabricando fit faber


#3 2019-05-17 14:55:16

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Re: Secure Boot

Thanks HoS. Was aware of the CONFIG_EFI_STUB in Devuan/Debian kernels. Should have mentioned that this kernel is attempting to be small, specific, and without the need for an initramfs (again for 'fun', haha).

Secure Boot custom keys have been enabled in the firmware. That's what causes the machine to go into the flashing red light of death. It won't do that until I put the custom keys onto the system and enable Secure Boot in firmware.

Been looking into it more today and have been wondering if the kernel's modules aren't being signed during the build process? I am new to that whole process though. Have been reading about CONFIG_MODULE_SIG_* parameters today but I'm confusing myself I think.

Can I pass my db priv key and db crt to the kernel build process to have the kernel automatically sign itself and associated modules during the make process? The kernel docs seem to suggest so: https://www.kernel.org/doc/html/v4.19/a … gning.html but I'm not sure where to put the pem/crt files that I've already generated so the kernel build process uses them.

I suppose the other option is to just manually sign all of the modules after the kernel build process with the proper kmodsign command?

Sorry for all the questions but I do appreciate your help!


#4 2019-05-18 16:29:47

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 290  

Re: Secure Boot

aut0exec wrote:

have been wondering if the kernel's modules aren't being signed during the build process?

I'm not sure tbh, I'm happy using the stock Debian signed kernel in buster and I never managed to get custom keys working with my last UEFI laptop.

If you think the modules are the problem then try configuring the kernel without any modules at all (i.e., with all the options built-in).


Fabricando fit faber


#5 2019-05-19 23:07:39

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Re: Secure Boot

Head_on_a_Stick wrote:

If you think the modules are the problem then try configuring the kernel without any modules at all (ie, with all the options built-in).

Should've reported back on Friday. I did just this and still ran into the same issue. Without any sort of display, I can't see anything during system boot-up with SB enabled and custom certs... So no idea how to troubleshoot this (thought maybe serial console, but the system doesn't have one of those either, figures...). Thought about a USB to serial adapter but not sure if it would work before Linux takes over, though. Any ideas?

I'm going to sacrifice my trusty Toshiba testing laptop to the Secure Boot deity and see if the nvidia card is the issue in the Z420 tower. This Toshiba appears to have integrated everything so I'm hoping that there won't be any crazy OROMs to deal with. I'll report back with the results.


#6 2019-05-21 00:00:58

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Re: Secure Boot

Well, good news: the Toshiba worked! Was able to EFI-stub load without an initramfs and Secure Boot enabled. I'm hoping to repeat the steps on the HP workstation and see if I can get different results. Was shocked at how much simpler the Toshiba was than the HP. Was able to do everything except toggle Secure Boot on in the BIOS from within the CLI.


#7 2019-07-23 20:44:00

czeekaj
Member
Registered: 2019-06-12
Posts: 16  

Re: Secure Boot

Anyone with experience setting up their Secure Boot?

I have Secure Boot enabled on two systems. However, when I check the status it's either in setup mode or the BIOS says it is off.
On the laptop I have custom keys set up and loaded into the BIOS. However, I turn on Secure Boot in the BIOS. It boots to grub. I check the setting in the BIOS again and it's on. But I can boot to USB and it mentions Secure Boot being off. The BIOS setting is set to on, however, now with custom keys.

It's acting as if it was off. When it's on with default keys, it stays on and won't boot into grub.

Not sure if I set it up properly, having trouble finding a guide that has worked yet. Anyone figured out how to set up custom keys on Devuan? I know every BIOS is a bit different but I may have missed a step. I get an error running one of the last commands in the Gentoo guide:
No efivarfs filesystem is mounted.

It's odd behaviour, but with the proper packages and grub installed,

grub-install --uefi-secure-boot --bootloader-id=debian 

I can boot with Secure Boot on. However, boot behavior seems identical and status seems to be off, even though it's on in the BIOS.

Last edited by czeekaj (2019-07-23 20:44:44)
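The two questions that run through this thread, whether the Microsoft certs are really gone from db (#1) and whether the firmware is actually enforcing or just sitting in setup mode (#7), can both be answered from the raw efivarfs variables rather than from the setup menu. The parser below is an added example, not code from any poster or from Devuan; it assumes efivarfs is mounted at /sys/firmware/efi/efivars (the mount the error in #7 says is missing), and every sample variable in it is constructed, with a placeholder owner GUID.

```python
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec value
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec value

def efivar_data(raw):
    # efivarfs prepends a 4-byte little-endian attribute word; the variable payload follows it.
    if len(raw) < 4:
        raise ValueError("efivarfs file too short")
    return raw[4:]

def secure_boot_state(secureboot_raw, setupmode_raw):
    # One-byte flags. SetupMode=1 means no PK is enrolled, so nothing is enforced whatever the menu shows.
    sb, sm = efivar_data(secureboot_raw), efivar_data(setupmode_raw)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("expected one-byte variables")
    if sm[0] == 1:
        return "setup mode"
    return "enforcing" if sb[0] == 1 else "user mode, not enforcing"

def parse_signature_lists(data):
    # Walk the EFI_SIGNATURE_LIST chain of a PK/KEK/db payload -> [(type, owner GUID, sha256 of SignatureData)].
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = 16-byte owner GUID + SignatureData
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, hashlib.sha256(data[pos + 16:pos + sig_size]).hexdigest()))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, bodies):  # constructed test data: equal-sized entries, no list header
    sig_size = 16 + len(bodies[0])
    hdr = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(bodies), 0, sig_size)
    return hdr + b"".join(owner.bytes_le + b for b in bodies)

OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder owner GUID; all samples are constructed
SAMPLE_DB = (b"\x27\x00\x00\x00"  # attribute word NV|BS|RT|TIME_BASED_AUTH, as on a real db
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82\x01\x00" + b"A" * 20])  # fake DER
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32]))
SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"
```

On a real box, feed it the bytes of SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c and db-d719b2cb-3d3a-4596-a3bc-dad00e67656f from efivarfs; a db whose only X.509 entries carry your own owner GUID and cert hashes is what "purged MS certs" actually looks like, and a SetupMode of 1 explains a firmware that says "on" but does not enforce.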

