diff --git a/README.md b/README.md index 55458e0d0..04fc928b1 100644 --- a/README.md +++ b/README.md @@ -106,6 +106,105 @@ If you don't want to use the pre-built kernel and headers, you can compile the k sudo dpkg -i linux-headers-[VERSION].deb linux-image-[VERSION].deb linux-libc-dev-[VERSION].deb ``` +### Signing the kernel for Secure Boot + +(Instructions are for ubuntu, but should work similar for other distros, if they are using shim +and grub as bootloader.) + +Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned +kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during +upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort. + +Thus you have three options to solve this problem: + +1. You sign the kernel yourself. +2. You use a signed, generic kernel of your distro. +3. You disable Secure Boot. + +Since option two and three are not really viable, these are the steps to sign the kernel yourself: + +Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot). + +1. Create the config to create the signing key, save as mokconfig.cnf: +``` +# This definition stops the following lines failing if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd +[ req ] +distinguished_name = req_distinguished_name +x509_extensions = v3 +string_mask = utf8only +prompt = no + +[ req_distinguished_name ] +countryName = +stateOrProvinceName = +localityName = +0.organizationName = +commonName = Secure Boot Signing Key +emailAddress = + +[ v3 ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer +basicConstraints = critical,CA:FALSE +extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6 +nsComment = "OpenSSL Generated Certificate" +``` +Adjust all parts with to your details. + +2. Create the public and private key for signing the kernel: +``` +openssl req -config ./mokconfig.cnf \ + -new -x509 -newkey rsa:2048 \ + -nodes -days 36500 -outform DER \ + -keyout "MOK.priv" \ + -out "MOK.der" +``` + +3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM): +``` +openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem +``` + +4. Enroll the key to your shim installation: +``` +sudo mokutil --import MOK.der +``` +You will be asked for a password, you will just use it to confirm your key selection in the +next step, so choose any. + +5. Restart your system. You will encounter a blue screen of a tool called MOKManager. +Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2. +Afterwards continue the process and you must enter the password which you provided in +step 4. Continue with booting your system. + +6. Verify your key is enrolled via: +``` +sudo mokutil --list-enrolled +``` + +7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface): +``` +sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed +``` + +8. Update your grub-config +``` +sudo update-grub +``` + +9. Reboot your system and select signed kernel. If booting works, you can remove the unsigned kernel: +``` +sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,} +sudo update-grub +``` + +Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want +to upgrade the custom kernel, you can sign the new version easily by following above steps +again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv). + ### NOTES * If you are getting stuck at boot when loading the ramdisk, you need to install the Processor Microcode Firmware for Intel CPUs (usually found under Additional Drivers in Software and Updates).