Re: [ISSUE] [CLOSED] EFI Secure Boot Build Support

[github-actions[bot] <github-actions[bot]@users.noreply.github.com>]

[-- Attachment #1: Type: text/plain, Size: 2569 bytes --]

Closed issue by andkem on void-packages repository

https://github.com/void-linux/void-packages/issues/12495

Description:
Secure boot using EFI means that the motherboard's firmware verifies
the binaries it loads to prevent unauthorised binaries from being used
tot boot the system. Secure boot using EFI isn't too tricky to set up,
but there are a few ways one can go about doing it.

For an overview of the process of using secure boot via EFI, I can
recommend the following two pages that I find highly informative:

Managing EFI Boot Loaders for Linux: Dealing with Secure Boot
https://www.rodsbooks.com/efi-bootloaders/secureboot.html

Secure Boot with GRUB 2 and signed Linux
https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd

The first link gives an overview of how the process generally works
and talks about the use of shim loaders, while the second link shows
how to use an EFI signed Grub to load a GPG signed Linux.

Personally, I use the second approach. I have replaced the keys in my
motherboard with my own and have signed a Grub binary using adapted
versions of the scripts in the second link. I then use GPG to sign the
kernel and initramfs.

It shouldn't be too much work setting up kernel hooks that perform the
signing. The issue might be deciding if a single model should be
supported or whether different options should be provided via
configurability.

I personally, manually perform these steps:
1. Generating and store EFI keys in motherboard
1.1 Generate EFI keys, using keygen.sh in the linked tar ball
1.2 Store keys in motherboard by loading them in the EFI GUI
2. Creating a signed Grub 
2.1 Create a password to put into grub-initial.cfg using gpasswd.
2.2 Generate a stand-alone Grub with my GPG public key compiled in and sign it using EFI keys. This is done with generate-grub.sh in the linked tarball.
3. Sign my existing kernels, initramfs and Grub boot menu config in /boot using sign.sh in the linked tarball.
4. Enable secure boot

(All scripts are slightly adapted from the previous two links.)

When updating the kernel I manually rerun step 3.

To minimise work to get a working example, one could maybe start by supporting the model described above and then add additional support later if it is deemed necessary. Myself, I haven't tried using the shim loader nor the EFI stub. If Void wishes to pre-sign binaries, I guess the shim route would be the one to go.

The signing scripts I use: https://www.lysator.liu.se/~kempe/secure-boot.tar.gz