LinuxQuestions.org
Old 07-11-2019, 06:18 PM   #1
adinsx3
LQ Newbie
 
Registered: Jul 2019
Posts: 3

Rep: Reputation: Disabled
Question Can't get Secureboot to work despite signed kernel


So I've set up my (Debian sid) Linux kernel as an EFI stub, along with the necessary UEFI entry (followed the guide here). It works fine, unless I turn on secureboot. I've signed the kernel with my own keys (using a mix of the guides here and here), and I've added my keys to my UEFI along with removing Microsoft's. Just wondering if I missed something. Below I've included my BIOS information, along with some terminal output which certainly seems to indicate I did everything correctly. Maybe this is a UEFI bug? They seem common enough.

Code:
BIOS Information
        Vendor: LENOVO
        Version: ABCN96WW
        Release Date: 09/22/2015
        Address: 0xE0000
        Runtime Size: 128 kB
        ROM Size: 6144 kB
        Characteristics:
                PCI is supported
                BIOS is upgradeable
                BIOS shadowing is allowed
                Boot from CD is supported
                Selectable boot is supported
                EDD is supported
                Japanese floppy for NEC 9800 1.2 MB is supported (int 13h)
                Japanese floppy for Toshiba 1.2 MB is supported (int 13h)
                5.25"/360 kB floppy services are supported (int 13h)
                5.25"/1.2 MB floppy services are supported (int 13h)
                3.5"/720 kB floppy services are supported (int 13h)
                3.5"/2.88 MB floppy services are supported (int 13h)
                8042 keyboard services are supported (int 9h)
                CGA/mono video services are supported (int 10h)
                ACPI is supported
                USB legacy is supported
                BIOS boot specification is supported
                Targeted content distribution is supported
                UEFI is supported
        BIOS Revision: 1.96
        Firmware Revision: 1.96
Output of efi-readvar:

Code:
Variable PK, length 849
PK: List 0, type X509
    Signature 0, size 821, owner 8b4bc6d4-a390-11e9-a099-97a728904c8b
        Subject:
            CN=adinsx's platform key
        Issuer:
            CN=adinsx's platform key
Variable KEK, length 857
KEK: List 0, type X509
    Signature 0, size 829, owner a277cf42-a390-11e9-84fd-c30d3bdc4d9b
        Subject:
            CN=adinsx's key-exchange-key
        Issuer:
            CN=adinsx's key-exchange-key
Variable db, length 861
db: List 0, type X509
    Signature 0, size 833, owner b0f8b57c-a390-11e9-8623-1fe3bc909aa3
        Subject:
            CN=adinsx's kernel-signing key
        Issuer:
            CN=adinsx's kernel-signing key
Variable dbx, length 76
dbx: List 0, type SHA256
    Signature 0, size 48, owner 00000000-0000-0000-0000-000000000000
        Hash:0000000000000000000000000000000000000000000000000000000000000000
Variable MokList has no entries
Output of sbverify --cert /etc/efikeys/db.crt /boot/efi/EFI/debian/vmlinuz

Code:
Signature verification OK
Output of sbverify --list /boot/efi/EFI/debian/vmlinuz

Code:
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer
   issuer:  /CN=Debian Secure Boot CA
signature 2
image signature issuers:
 - /CN=adinsx's kernel-signing key
image signature certificates:
 - subject: /CN=adinsx's kernel-signing key
   issuer:  /CN=adinsx's kernel-signing key
Bonus question: Is there any way yet to sign an initrd without having to use GRUB+GPG?

Last edited by adinsx3; 07-12-2019 at 12:41 AM.
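Added example, not from the thread or any of its posters: a parser for the EFI_SIGNATURE_LIST format that efi-readvar is printing above, read straight from /sys/firmware/efi/efivars, plus a check that a given DER certificate is really enrolled in db. The point it adds is that sbverify --cert /etc/efikeys/db.crt verifies against the file on disk while the firmware only honours the db variable, so comparing the DER form of db.crt (openssl x509 -in db.crt -outform DER) against the parsed variable confirms the two match. The sample blobs are constructed to the sizes shown in the post (861/833 and 76/48 bytes); FAKE_CERT_DER is placeholder bytes, not a certificate.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize (LE)
HDR = struct.Struct("<16sIII")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

def parse_esl(blob):
    """Return [(type, owner_guid, payload)] for every EFI_SIGNATURE_DATA in concatenated lists."""
    entries, off = [], 0
    while off < len(blob):
        if off + HDR.size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        body_start, end = off + HDR.size + hdr_size, off + list_size
        # Reject malformed lists instead of looping forever or reading past the end.
        if (sig_size <= 16 or body_start > end or end > len(blob)
                or (end - body_start) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST at offset %d" % off)
        type_name = TYPE_NAMES.get(uuid.UUID(bytes_le=sig_type), "unknown")
        for pos in range(body_start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner field
            entries.append((type_name, str(owner), blob[pos + 16:pos + sig_size]))
        off = end
    return entries

def read_efivar(path):
    """Read a variable file from /sys/firmware/efi/efivars (e.g. the db-<GUID> file);
    the first 4 bytes there are the variable attributes, not list data."""
    with open(path, "rb") as f:
        return f.read()[4:]

def cert_enrolled(blob, cert_der):
    """True if this exact DER certificate is present as an X509 entry in the variable."""
    return any(t == "X509" and d == cert_der for t, _, d in parse_esl(blob))

def build_esl(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (used here only to construct sample data)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return HDR.pack(sig_type.bytes_le, HDR.size + len(body), 0, 16 + len(payloads[0])) + body

# Constructed sample matching the sizes in the thread's efi-readvar output: one 833-byte
# X509 entry in db (list length 861), one all-zero SHA256 entry in dbx (list length 76).
# FAKE_CERT_DER is placeholder bytes, not a real certificate.
FAKE_CERT_DER = b"\x30\x82" + b"\xaa" * 815
DB_OWNER = uuid.UUID("b0f8b57c-a390-11e9-8623-1fe3bc909aa3")
DB_BLOB = build_esl(EFI_CERT_X509_GUID, DB_OWNER, [FAKE_CERT_DER])
DBX_BLOB = build_esl(EFI_CERT_SHA256_GUID, uuid.UUID(int=0), [b"\x00" * 32])
```

On a live system, `cert_enrolled(read_efivar(path_to_db), open("db.der", "rb").read())` answers whether the key you signed with is the one the firmware will trust.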
 
Old 07-12-2019, 11:26 AM   #2
ehartman
Member
 
Registered: Jul 2007
Location: Delft, The Netherlands
Distribution: Slackware
Posts: 724

Rep: Reputation: 343
Quote:
Originally Posted by adinsx3
I've signed the kernel with my own keys

Bonus question: Is there any way yet to sign an initrd without having to use GRUB+GPG?
As far as I understand it, secure boot only works with officially signed certificates, that is: signatures, stored on a public certificate server. So not self-signed ones at all, that would defeat the purpose OF secure boot.
 
Old 07-12-2019, 02:47 PM   #3
adinsx3
LQ Newbie
 
Registered: Jul 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by ehartman
As far as I understand it, secure boot only works with officially signed certificates, that is: signatures, stored on a public certificate server. So not self-signed ones at all, that would defeat the purpose OF secure boot.
You can add/remove keys from the UEFI key database, as I have done. The purpose of secureboot is not to only allow "official certificates" (although when secureboot was released there were theories going around that such was the case). Its purpose is to only allow authorized bootloaders/kernels/drivers to be run, the authorization of which is determined by the owner. IIRC, the UEFI spec (for x86, anyway) *requires* that keys be changeable.

The guides I linked go into detail on how to accomplish this.
 
Old 07-13-2019, 08:40 AM   #4
system001
Member
 
Registered: Nov 2018
Posts: 123

Rep: Reputation: Disabled
secure boot really isn't worth it, should just keep it disabled.
 
Old 07-13-2019, 08:48 AM   #5
colorpurple21859
Senior Member
 
Registered: Jan 2008
Location: florida panhandle
Distribution: slackware64-current, arch, ubuntu, others
Posts: 3,120

Rep: Reputation: 513
Have you done this before on this system or a different system? Not all UEFI BIOSes are created equal. For example, the BIOS on the system I have now doesn't allow efibootmgr to change the boot order; I have to change the boot order from the BIOS, whereas on my other system efibootmgr worked as advertised.

Last edited by colorpurple21859; 07-13-2019 at 08:52 AM.
 
Old 07-17-2019, 05:08 PM   #6
adinsx3
LQ Newbie
 
Registered: Jul 2019
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by colorpurple21859
Have you done this before on this system or a different system? Not all UEFI BIOSes are created equal. For example, the BIOS on the system I have now doesn't allow efibootmgr to change the boot order; I have to change the boot order from the BIOS, whereas on my other system efibootmgr worked as advertised.
This is a good point. I'll try the same process on my desktop and see if it works there. I'm really hoping I just did something wrong and it's not a bios bug, as I already have the latest bios installed on this laptop and they haven't released an update since 2015.
 