author: Дамјан Георгиевски, 2017-05-21 12:42:24 +0200
committer: Дамјан Георгиевски, 2017-05-21 12:43:31 +0200
commit: dda800933ed3a48f9951f88589e5d073346c2706 (patch)
tree: 58bb13ae8513757b16f9ade7d6f3e20b09acc6de
parent: c9c5660a6b396ca85290d9716a127086746dcdd0 (diff)
download: aur-dda800933ed3a48f9951f88589e5d073346c2706.tar.gz
bump to 1.1 - new features
-rw-r--r--  .SRCINFO    |  4
-rw-r--r--  PKGBUILD    |  4
-rw-r--r--  README.md   | 52
-rw-r--r--  secure-boot | 36
4 files changed, 63 insertions, 33 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 68d3b451838c..6b09fc385a25 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = secure-boot
pkgdesc = secure-boot tool
- pkgver = 1.0
- pkgrel = 2
+ pkgver = 1.1
+ pkgrel = 1
url = https://github.com/gdamjan/secure-boot
arch = any
license = GPL
diff --git a/PKGBUILD b/PKGBUILD
index 016220a12230..f3dd1be08e3c 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: Damjan Georgievski <gdamjan@gmail.com>
pkgname=secure-boot
-pkgver=1.0
-pkgrel=2
+pkgver=1.1
+pkgrel=1
epoch=
pkgdesc="secure-boot tool"
arch=(any)
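Review bot: only `pkgver` and `pkgrel` change in this hunk; if the `source=()` array further down is pinned to `$pkgver` (a release tarball or tag), the matching `sha256sums`/`md5sums` entries have to change in the same commit, and no such change appears anywhere in this diff, so please confirm the checksums were regenerated. Resetting `pkgrel` to 1 on a version bump is correct. The empty `epoch=` assignment is a leftover template line and can be dropped.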
diff --git a/README.md b/README.md
index d5209a36b575..b2ca9b4864a3 100644
--- a/README.md
+++ b/README.md
@@ -1,49 +1,72 @@
# UEFI SecureBoot on ArchLinux
+
## Rationale
-I want full control what boots the computer to avoid the so called [_evil maid_ attack](https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html). That requires setting SecureBoot with only my own keys. SecureBoot protects the computer from tampering with the installed OS and boot while it's left powered off outside our view.
+I want full control at what boots the computer to avoid the so called [_evil maid attack_](https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html). That requires setting SecureBoot with only my own keys. SecureBoot protects the computer from tampering with the installed OS and boot files, while it's left powered off outside our view. It's not a substitute for disk encryption though, it's an addition to it.
+
## Quick Start
* `secure-boot keys` will create the keys in `/etc/secure-boot/` - make sure no-one can access them!
The `*.auth` files **must be enrolled** in the UEFI firmware the first time. Unfortunately this procedure
-depends on the hardware i.e. the BIOS/UEFI (see below for my T450s).
+depends on the hardware i.e. the BIOS/UEFI (see below for a Thinkpad).
* `secure-boot update` will update the EFI executable in `/boot/Efi/Secure/combined-boot-signed.efi`
* `secure-boot install` will run update and add an entry to the EFI boot list for the newly created image
-`secure-boot.hook` is installed as a pacman hook that runs `secure-boot update` when `linux` package is updated.
+`secure-boot.hook` is installed as a pacman hook that runs `secure-boot update` when `linux` package is updated. You can
+use that file as a template for other kernels too (this procedure should converge to systemds kernel-install).
+
-## Options
+## Configuration
-* `secure-boot SUFFIX=-lts update` will sign and setup the -lts kernel (also -git, -zen, etc) - but make sure to setup
+Options can be put in `/etc/secure-boot/config.mk` (in makefile format). See the top lines of [secure-boot](secure-boot) for the
+possible options. You can also specify them on the command line:
+
+* `secure-boot SUFFIX=linux-lts update` will sign and setup the -lts kernel (also -git, -zen, etc) - but make sure to setup
the pacman hook for those too.
* by default the script expects a cpu microcode archive exists at `/boot/intel-ucode.img`, and packs it to the common initramfs.
Use `secure-boot UCODE= update` to disable it.
+
## Intro
To simplify, I boot Linux directly from UEFI (no intermediate bootloaders).
-Now UEFI can only boot a single efi executable, but to boot Linux you also need one or more initramfs (including intel micro-code) and a command line[1]. So all of these things have to be combined with `objcopy`. The combined file is then signed.
+UEFI can only boot a single efi executable, but to boot Linux you also need one or more initramfs (including intel micro-code) and a command line[1].
+So all of these things have to be combined with `objcopy`. The combined file is then signed.
Alternatively I'd need to use grub2 or some other bootloader that knows about SecureBoot - that kind of scares me since it increases the attack surface.
-[1] command line: the boot command line maybe could be avoided with [auto-discovery](http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/). AFAIK Arch is not fully ready for that yet.
+[1] command line: the boot command line maybe could be avoided with [auto-discovery](http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/).
+AFAIK Arch is not fully ready for that yet.
Three keys/certificates are needed for UEFI SecureBoot (PK, KEK, DB). They are created with openssl.
-MAKE SURE YOU KEEP YOU .key files and access to UEFI secure!!!
-
-**Note:** the below script doesn't do anything when executed. Needs to be copy pasted for now.
+MAKE SURE YOU KEEP your keys **SECURE**! Also put a BIOS password!
**ASSUMPTIONS:** `/boot/` is the ESP (EFI System Partition)
**Required packages**: efibootmgr and from AUR: sbsigntools and efitools. pesign was recommended in some docs, didn't work at all for me when signing files.
-## KVM
+
+## Thinkpad
+
+Thinkpads (T450s, X1 Carbon) don't have key management in the firmware (the _bios_), so a third-party one needs to be used.
+`efitools` has `KeyTool.efi`, so I copied it and the `*.auth` files in `/boot/keys` and set it up to boot on next-boot with efibootmgr.
+
+Make sure to clear the built-in keys first, otherwise you can't setup your own. In some firmwares there's a separate option for that,
+or it does it when you select *Enter Setup mode* option. Save and reset, and now KeyTool.efi will be able to *replace* the PK, KEK and db
+certificates. I didn't just *add* the certificate because I wanted only my own keys there. If that is ok, reboot and **enable SecureBoot**.
+
+On the next reboot KeyTool.efi can't run since it's not signed, so the boot will continue to my own combined and signed Linux image.
+
+Don't forget to upgrade the firmware before starting. Bugs are often fixed and not even documented.
+
+
+## Testing in KVM
You need an OVMF (the opensource UEFI firmware) binary. Since the one in Arch repos **doesn't** support SecureBoot, and the one in AUR doesn't compile (yet), I took a prebuilt one from a [Fedora repository](https://www.kraxel.org/repos/jenkins/edk2/), and unpacked it with bsdtar. Download the edk2.git-ovmf-x64*rpm file and get the `OVMF-pure-efi.fd` file from it (or alternatively OVMF_CODE-pure-efi.fd and OVMF_VARS-pure-efi.fd).
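Review bot: the unchanged Quick Start line "`secure-boot update` will update the EFI executable in `/boot/Efi/Secure/combined-boot-signed.efi`" is now stale: with this commit the script writes `$(ESP)$(EFIDIR)/$(DESTFILE)`, i.e. `/boot/EFI/Secure/secure-boot-linux.efi` by default and `secure-boot-linux-lts.efi` for `SUFFIX=linux-lts`. Update that line, and add an upgrade note that the boot entry created by 1.0 (`\Efi\Secure\combined-boot-signed.efi`) no longer points at a file that is refreshed, so users must re-run `secure-boot install` once. The meaning of `SUFFIX` also changed from `-lts` to `linux-lts`; since the README tells people to copy `secure-boot.hook` as a template for other kernels, anyone who kept a hook with `SUFFIX=-lts` will now get `/boot/vmlinuz--lts` and the update will fail, which deserves a sentence in the Configuration section.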
@@ -55,13 +78,6 @@ qemu-system-x86_64 -enable-kvm -bios OVMF-pure-efi.fd -hda vfat:/usr/share/efito
or just install some Linux from .iso. Don't forget, UEFI requires GPT.
-## Laptop
-
-My Thinkpad T450s doesn't have key management in the firmware (the _bios_), so a third-party one needs to be used. `efitools` has `KeyTool.efi`, so I copied it and the *.auth files in `/boot/keys` and set it up to boot on next-boot with efibootmgr. In the firmware first choose the *Enter Setup mode* option, that will clear keys, and allow you to replace them. Save and reset, and now KeyTool.efi will be able to *replace* the db, KEK and PK certificates (in that order). I didn't just *add* the certificate because I wanted only my own keys there. If that is ok, reboot and enable SecureBoot.
-
-On the next reboot KeyTool.efi can't run since it's not signed, so the boot will continue to my own combined and signed Linux image.
-
-Don't forget to upgrade the firmware before starting. Bugs are often fixed and not even not documented.
### References
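Review bot: the removed Laptop paragraph stated the enrolment order explicitly ("replace the db, KEK and PK certificates (in that order)"), but the Thinkpad section that replaces it lists them as "PK, KEB and db" with no ordering, and the order matters: writing the PK takes the firmware out of setup mode, after which KEK and db can only be changed with updates signed by the key above them, so the PK must be enrolled last. Suggest carrying the sentence over into the new section, e.g. "replace the db, KEK and PK certificates, in that order, since enrolling the PK ends setup mode". Apart from that, moving the section above the KVM part and generalising it to "Thinkpad" reads fine.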
diff --git a/secure-boot b/secure-boot
index 91b1c15d63ed..eda18bde0a6d 100644
--- a/secure-boot
+++ b/secure-boot
@@ -1,17 +1,31 @@
#! /usr/bin/make -f
-BOOTDIR := /boot/Efi/Secure
-KEYSDIR := /etc/secure-boot
-SIGNER := ArchSecureBoot
+# configuration:
-SUFFIX :=
-KERNEL := /boot/vmlinuz-linux${SUFFIX}
-INITRAMFS := /boot/initramfs-linux${SUFFIX}.img
+ESP := /boot
+EFIDIR := /EFI/Secure
+EFIBOOTDEVICE :=
+
+SIGNER := ArchSecureBoot
+SUFFIX := linux
+KERNEL := /boot/vmlinuz-${SUFFIX}
+INITRAMFS := /boot/initramfs-${SUFFIX}.img
EFISTUB := /usr/lib/systemd/boot/efi/linuxx64.efi.stub
UCODE := /boot/intel-ucode.img
CMDLINE := /etc/kernel/cmdline
+DESTFILE := secure-boot-${SUFFIX}.efi
+EFIBOOTMGR := efibootmgr
+
+-include /etc/secure-boot/config.mk
+
+KEYSDIR := /etc/secure-boot
+BOOTDIR := $(ESP)$(EFIDIR)
+EFIDIRFAT := $(subst /,\,$(EFIDIR))
+BUILDDIR := $(shell mktemp -d /tmp/secure-boot.XXXXXX)
-BUILDDIR := $(shell mktemp -d)
+ifdef EFIBOOTDEVICE
+EFIBOOTMGR += -d $(EFIBOOTDEVICE)
+endif
default:
@echo Make targets: keys, install, update
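Review bot: `KEYSDIR := /etc/secure-boot` is assigned after `-include /etc/secure-boot/config.mk`, so unlike the variables above it, a `KEYSDIR` set in config.mk is silently overwritten, while the README's "see the top lines of secure-boot for the possible options" implies it is configurable; either move it up with the other defaults or use `?=`. Similarly, `KERNEL`, `INITRAMFS` and `UCODE` still hardcode `/boot/` even though `ESP := /boot` was introduced in this hunk, so a user who sets `ESP` in config.mk gets the signed image written to the new ESP but the inputs read from the old location; `$(ESP)/vmlinuz-${SUFFIX}` etc. would keep them consistent. Finally, `BUILDDIR := $(shell mktemp -d /tmp/secure-boot.XXXXXX)` runs at parse time for every invocation, including `default`, `keys` and `clean`, leaving an empty `/tmp/secure-boot.*` behind on each run that doesn't end in `clean`; creating it lazily in the rules that need it avoids the litter.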
@@ -19,11 +33,11 @@ default:
clean:
rm -rf $(BUILDDIR)
-update: $(BOOTDIR)/combined-boot-signed${SUFFIX}.efi
+update: $(BOOTDIR)/${DESTFILE}
install: update
- efibootmgr -c -l '\Efi\Secure\combined-boot-signed${SUFFIX}.efi' -L 'SecureBoot linux${SUFFIX}'
+ $(EFIBOOTMGR) -c -l '${EFIDIRFAT}\${DESTFILE}' -L 'SecureBoot ${SUFFIX}'
-$(BOOTDIR)/combined-boot-signed${SUFFIX}.efi: $(BUILDDIR)/combined-boot-signed.efi
+$(BOOTDIR)/${DESTFILE}: $(BUILDDIR)/combined-boot-signed.efi
@mkdir -p $(BOOTDIR)
cp $< $@
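Review bot: `cp $< $@` overwrites the signed image in place, so an interruption or power loss mid-copy leaves a truncated `secure-boot-linux.efi` on the ESP whose Authenticode hash no longer matches and which the firmware will refuse to boot, with no fallback entry; copying to `$@.new` and then `mv $@.new $@` keeps the previous image bootable until the new one is complete. Also `install` still runs `$(EFIBOOTMGR) -c ...` unconditionally, so every invocation adds another NVRAM entry with the same label; either check `efibootmgr` output for an existing `SecureBoot ${SUFFIX}` entry first, or document in the README that `install` is meant to be run once.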
@@ -32,7 +46,7 @@ $(BUILDDIR)/cmdline.txt:
@mkdir -p $(BUILDDIR)
[ -f ${CMDLINE} ] && \
cp ${CMDLINE} $@ || \
- cp /proc/cmdline $@
+ echo -n `</proc/cmdline` > $@
$(BUILDDIR)/initramfs.img: $(UCODE) $(INITRAMFS)
@mkdir -p $(BUILDDIR)
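Review bot: the new fallback `echo -n \`</proc/cmdline\` > $@` relies on bash-specific behaviour: a bare redirect inside a command substitution reads the file only in bash (`$(< file)`), while make runs recipes under /bin/sh, and with dash that substitution expands to an empty string; `echo -n` is not portable either. `tr -d '\n' < /proc/cmdline > $@` strips the trailing newline, which is presumably what the change is after, and works in any sh. Two further points on the same rule: the `[ -f ${CMDLINE} ] && cp ... || echo ...` chain also runs the fallback when `cp` itself fails, masking the error; and, more importantly for a SecureBoot tool, falling back to the running kernel's command line bakes whatever was passed at the last boot, including anything a previous bootloader or a one-off edit at the firmware prompt appended, into a signed image that the firmware will trust. Failing loudly when `/etc/kernel/cmdline` is missing is the safer default.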