From ca3818b6e5dcc27c211942f1df8960969956b3a3 Mon Sep 17 00:00:00 2001 From: Jan Niklas Richter Date: Sat, 1 Sep 2018 14:28:40 +0200 Subject: [PATCH 1/2] Add instructions to sign the kernel --- README.md | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) diff --git a/README.md b/README.md index 55458e0d0..04fc928b1 100644 --- a/README.md +++ b/README.md 
@@ -106,6 +106,105 @@ If you don't want to use the pre-built kernel and headers, you can compile the k sudo dpkg -i linux-headers-[VERSION].deb linux-image-[VERSION].deb linux-libc-dev-[VERSION].deb ``` +### Signing the kernel for Secure Boot + +(Instructions are for ubuntu, but should work similar for other distros, if they are using shim +and grub as bootloader.) + +Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned +kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during +upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort. + +Thus you have three options to solve this problem: + +1. You sign the kernel yourself. +2. You use a signed, generic kernel of your distro. +3. You disable Secure Boot. + +Since option two and three are not really viable, these are the steps to sign the kernel yourself: + +Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot). + +1. Create the config to create the signing key, save as mokconfig.cnf: +``` +# This definition stops the following lines failing if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3 +string_mask = utf8only +prompt = no + +[ req_distinguished_name ] +countryName = +stateOrProvinceName = +localityName = +0.organizationName = +commonName = Secure Boot Signing Key +emailAddress = + +[ v3 ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:FALSE +extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6 +nsComment = "OpenSSL Generated Certificate" +``` +Adjust all parts with to your details. + +2. 
Create the public and private key for signing the kernel: +``` +openssl req -config ./mokconfig.cnf \ + -new -x509 -newkey rsa:2048 \ + -nodes -days 36500 -outform DER \ + -keyout "MOK.priv" \ + -out "MOK.der" +``` + +3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM): +``` +openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem +``` + +4. Enroll the key to your shim installation: +``` +sudo mokutil --import MOK.der +``` +You will be asked for a password, you will just use it to confirm your key selection in the +next step, so choose any. + +5. Restart your system. You will encounter a blue screen of a tool called MOKManager. +Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2. +Afterwards continue the process and you must enter the password which you provided in +step 4. Continue with booting your system. + +6. Verify your key is enrolled via: +``` +sudo mokutil --list-enrolled +``` + +7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface): +``` +sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed +``` + +8. Update your grub-config +``` +sudo update-grub +``` + +9. Reboot your system and select signed kernel. If booting works, you can remove the unsigned kernel: +``` +sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,} +sudo update-grub +``` + +Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want +to upgrade the custom kernel, you can sign the new version easily by following above steps +again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv). + ### NOTES * If you are getting stuck at boot when loading the ramdisk, you need to install the Processor Microcode Firmware for Intel CPUs (usually found under Additional Drivers in Software and Updates). 
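Review bot: step 2's `openssl req ... -nodes -keyout "MOK.priv"` writes the signing private key unencrypted into the working directory, and the only guidance the hunk gives on it is "BACKUP the MOK-keys" in the closing paragraph; once MOK.der is enrolled, whoever holds MOK.priv can produce kernels that shim on this machine trusts, so step 2 should tell the reader to restrict the file (for example `chmod 600 MOK.priv`) and keep it and its backup out of /boot and any shared or synced location. Also, "Adjust all parts with to your details." in step 1 is missing a word, "(Instructions are for ubuntu, but should work similar ...)" should read "Ubuntu" and "similarly", and "MOKManager" is normally written "MokManager", so the reader recognizes the tool name on screen.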
From a14e5865f0936b80449226d1a3502582b4296583 Mon Sep 17 00:00:00 2001 From: Jan Niklas Richter Date: Tue, 2 Oct 2018 14:45:34 +0200 Subject: [PATCH 2/2] Move signing instructions to separate file --- README.md | 97 +---------------------------------------------------- SIGNING.md | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+), 96 deletions(-) create mode 100644 SIGNING.md diff --git a/README.md b/README.md index 04fc928b1..0081ba21a 100644 --- a/README.md +++ b/README.md 
@@ -108,102 +108,7 @@ If you don't want to use the pre-built kernel and headers, you can compile the k ### Signing the kernel for Secure Boot -(Instructions are for ubuntu, but should work similar for other distros, if they are using shim -and grub as bootloader.) - -Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned -kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during -upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort. - -Thus you have three options to solve this problem: - -1. You sign the kernel yourself. -2. You use a signed, generic kernel of your distro. -3. You disable Secure Boot. - -Since option two and three are not really viable, these are the steps to sign the kernel yourself: - -Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot). - -1. Create the config to create the signing key, save as mokconfig.cnf: -``` -# This definition stops the following lines failing if HOME isn't -# defined. -HOME = . -RANDFILE = $ENV::HOME/.rnd -[ req ] -distinguished_name = req_distinguished_name -x509_extensions = v3 -string_mask = utf8only -prompt = no - -[ req_distinguished_name ] -countryName = -stateOrProvinceName = -localityName = -0.organizationName = -commonName = Secure Boot Signing Key -emailAddress = - -[ v3 ] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical,CA:FALSE -extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6 -nsComment = "OpenSSL Generated Certificate" -``` -Adjust all parts with to your details. - -2. Create the public and private key for signing the kernel: -``` -openssl req -config ./mokconfig.cnf \ - -new -x509 -newkey rsa:2048 \ - -nodes -days 36500 -outform DER \ - -keyout "MOK.priv" \ - -out "MOK.der" -``` - -3. 
Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM): -``` -openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem -``` - -4. Enroll the key to your shim installation: -``` -sudo mokutil --import MOK.der -``` -You will be asked for a password, you will just use it to confirm your key selection in the -next step, so choose any. - -5. Restart your system. You will encounter a blue screen of a tool called MOKManager. -Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2. -Afterwards continue the process and you must enter the password which you provided in -step 4. Continue with booting your system. - -6. Verify your key is enrolled via: -``` -sudo mokutil --list-enrolled -``` - -7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface): -``` -sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed -``` - -8. Update your grub-config -``` -sudo update-grub -``` - -9. Reboot your system and select signed kernel. If booting works, you can remove the unsigned kernel: -``` -sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,} -sudo update-grub -``` - -Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want -to upgrade the custom kernel, you can sign the new version easily by following above steps -again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv). +Please consult the [SIGNING.md](SIGNING.md). ### NOTES diff --git a/SIGNING.md b/SIGNING.md new file mode 100644 index 000000000..9436285f5 --- /dev/null +++ b/SIGNING.md 
@@ -0,0 +1,98 @@ +# Signing a custom kernel for Secure Boot + +(Instructions are for ubuntu, but should work similar for other distros, if they are using shim +and grub as bootloader.) + +Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned +kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during +upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort. + +Thus you have three options to solve this problem: + +1. You sign the kernel yourself. +2. You use a signed, generic kernel of your distro. +3. You disable Secure Boot. + +Since option two and three are not really viable, these are the steps to sign the kernel yourself: + +Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot). + +1. Create the config to create the signing key, save as mokconfig.cnf: +``` +# This definition stops the following lines failing if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3 +string_mask = utf8only +prompt = no + +[ req_distinguished_name ] +countryName = +stateOrProvinceName = +localityName = +0.organizationName = +commonName = Secure Boot Signing Key +emailAddress = + +[ v3 ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:FALSE +extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6 +nsComment = "OpenSSL Generated Certificate" +``` +Adjust all parts with to your details. + +2. Create the public and private key for signing the kernel: +``` +openssl req -config ./mokconfig.cnf \ + -new -x509 -newkey rsa:2048 \ + -nodes -days 36500 -outform DER \ + -keyout "MOK.priv" \ + -out "MOK.der" +``` + +3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM): +``` +openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem +``` + +4. 
Enroll the key to your shim installation: +``` +sudo mokutil --import MOK.der +``` +You will be asked for a password, you will just use it to confirm your key selection in the +next step, so choose any. + +5. Restart your system. You will encounter a blue screen of a tool called MOKManager. +Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2. +Afterwards continue the process and you must enter the password which you provided in +step 4. Continue with booting your system. + +6. Verify your key is enrolled via: +``` +sudo mokutil --list-enrolled +``` + +7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface): +``` +sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed +``` + +8. Update your grub-config +``` +sudo update-grub +``` + +9. Reboot your system and select signed kernel. If booting works, you can remove the unsigned kernel: +``` +sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,} +sudo update-grub +``` + +Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want +to upgrade the custom kernel, you can sign the new version easily by following above steps +again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv).
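Review bot: in the README hunk, the replacement line `+Please consult the [SIGNING.md](SIGNING.md).` reads awkwardly; drop "the" ("Please consult [SIGNING.md](SIGNING.md)."). Since the `### Signing the kernel for Secure Boot` heading is kept as a one-line stub, one sentence stating why the file exists (the current grub-efi refuses unsigned kernels while Secure Boot is enabled, and the upgrade aborts) would let a reader decide whether the link applies to them without opening it.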
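Review bot: the new SIGNING.md carries over the step-1 typo ("Adjust all parts with to your details.") and the unencrypted MOK.priv concern from the first patch unchanged, and it still never names the packages the commands come from (`sbsign` is in sbsigntool, which is not installed by default on Ubuntu; `mokutil` is in mokutil), so a prerequisites line before step 1 would help. Two additions around step 7 would make the procedure safer to follow: verify the signature before rebooting with `sbverify --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed`, and state that step 9's `mv ...{.signed,}` replaces the unsigned image in place, so a later `dpkg -i linux-image-[VERSION].deb` puts an unsigned image back, which is the reason the closing paragraph's "from step seven on" has to be repeated after every kernel package install.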