Post Reply 
Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Secure booting linux / additional certificates
2017-04-07, 10:54
Post: #3
RE: Secure booting linux / additional certificates

thanks for the re'. I'll try testing that Tuesday when I'm back at the office.

So far I've only tested by pointing DHCP 67 -> shim.efi and had both the grub and shim EFI's in the folder. shim automatically loaded grub, haven't tested yet what requests it does when the grub binary is missing. Grub was the first request.

Didn't have a config for grub yet, grub requested files in this order:

1) grub.cfg-01-52-54-00-a0-f4-1f (MAC prefixed with -01-)
2) grub.cfg-0AEAEA34 (not sure how this ID is generated)
3) grub.cfg-0AEAEA3
4) grub.cfg-0AEAEA
5) grub.cfg-0AEAE
6) grub.cfg-0AEA
7) grub.cfg-0AE
8) grub.cfg-0A
9) grub.cfg-0
10) grub.cfg
11) /EFI/fedora/grub.cfg-01-52-54-00-a0-f4-1f
12) /EFI/fedora/grub.cfg-0AEAEA34
13) /EFI/fedora/grub.cfg-0AEAEA3
14) /EFI/fedora/grub.cfg-0AEAEA
15) /EFI/fedora/grub.cfg-0AEAE
16) /EFI/fedora/grub.cfg-0AEA
17) /EFI/fedora/grub.cfg-0AE
18) /EFI/fedora/grub.cfg-0A
19) /EFI/fedora/grub.cfg-0
20) /EFI/fedora/grub.cfg
21) /EFI/fedora/x86_64-efi/command.lst
22) /EFI/fedora/x86_64-efi/fs.lst
23) /EFI/fedora/x86_64-efi/crypto.lst
24) /EFI/fedora/x86_64-efi/terminal.lst

It's the shim/grub supplied with Fedora 24 (used shim.efi not shim-fedora.efi, not sure what the difference is, would expect shim-fedora.efi to include additional certificates, but it's smaller than shim.efi).

Did eventually make a grub.cfg loading the Fedora kernel and this worked on a laptop with secureboot enabled. Was horribly slow though, the grub version provided unfortunately doesn't include the http module and including it would break the signature (pull from HTTP with iPXE). Besides, we'd like to use iPXE on all the environments so hoping your suggestion will indeed make shim load the kernel directly. End users will have to modify configurations for their own networks and we're stuck with BIOS, EFI-32 and EFI-64 bit environments. Haven't gotten feedback yet if the 32 bit EFI environments use secureboot because that could be troublesome as well as I only see a signed 64-bit grub. Not sure if the shim.efi is 32 or 64 bit but the end user stated the 32 bit EFI, whilst it has a 64 bit CPU, only loads 32 bit EFI code, which seems rather obvious (haven't had a chance to test it).

Preferably we'd use iPXE for all environments as it's much easier to configure and it's syntax it easier to understand for end-users.

Will have to discuss some stuff with our customer, but they might be willing to provide the sum required to get iPXE signed. We'll have to look into the best path to proceed.

When using just the included kernel modules we can go with the RedHat certificates, which have a shim signed by Microsoft. But we have machines with some issues that currently require the broadcom-wl package, which is compiled by the user and thus not signed by RedHat. Maybe we'll need our own certificates because of this or we must find a way for a kernel booted through secureboot to load unsigned modules or modules signed with another certificate. Haven't looked deeply enough at that yet. Might also require other proprietary kernel modules in the future.

Would prefer to be able to work with the default kernel provided by the distribution and not having to build our own kernel/modules and signing them every update by far. But if it can't be done otherwise we'll have to investigate our own certificate/signatures.

Thanks again and have a nice weekend.
Find all posts by this user
Quote this message in a reply
Post Reply 

Messages In This Thread
RE: Secure booting linux / additional certificates - freaky - 2017-04-07 10:54

User(s) browsing this thread: 1 Guest(s)