
Re: Where are we with SB? What's missing?


On Thu, 2018-10-11 at 16:58 +0100, Steve McIntyre wrote:
> > Short howto, hopefully I didn't forget anything:
> >     - You need a second way to boot the system!
> >     - Grab test cert from src:linux,
> >       debian/certs/test-signing-certs.pem
> >     - Convert to DER:
> >       openssl x509 -inform pem -in test-signing-certs.pem -outform der \
> >         -out /boot/efi/EFI/debian/testcert.der
> >     - Install shim-signed, grub-efi-amd64-signed, linux-image-4.19.0-rc6-
> > amd64 from experimental.
> >     - In /boot/efi/EFI/debian:
> >       - cp grubx64.efi grubx64.efi.ori
> >       - cp mmx64.efi grubx64.efi
> >     - Enable Secure Boot and reboot; should boot into MOK (mmx64.efi)
> >     - Enroll testcert.der from above
> >     - Boot via rescue (might need to disable secure boot)
> >     - Restore grub2: cp grubx64.efi.ori grubx64.efi
> >     - Reboot with Secure Boot
> 
> Awesome!

Hi,

I also wanted to try Secure Boot on real hardware. I first followed the same
procedure as you on a ThinkPad X230, then, following advice on #debian-kernel,
did the following on an X250:

- boot without secure boot (current config)
- install linux-image 4.19+ from experimental
- install shim-signed and grub-efi-amd64-signed
- install mokutil
- convert test cert to DER
- import DER test cert using mokutil:
  mokutil --import debian/certs/test-signing-certs.der
- reboot

The default configuration actually uses shim-signed as the default boot entry,
which then sees that there is a request and automatically chainloads to
mmx64.efi (so need to rename them).

After another reboot, shim will happily load grub-signed, which in turn will
load linux-signed.

At that point, you can now enable secure boot in the BIOS and it should work
just fine.

The mokutil --import step won't be necessary once the kernel is signed with
the production key, since shim already embeds CN=Debian Secure Boot CA (it
appears in mokutil --list-enrolled).

Maybe some more tests on non-ThinkPads would be nice, but it looks like on the
user side things are looking good (no idea about install media though).

Regarding module signatures, they are correctly enforced when booting 4.19 with
secure boot, thanks to the lockdown patch. Obviously this breaks out-of-tree
modules, as indicated by Ben later in the thread.

Regards,
-- 
Yves-Alexis
