Tool for complete hardening of the Linux boot chain with UEFI Secure Boot. Inspired by Hanno Heinrichs and Florent Hochwelker's blog post.
Even if your hard disk is encrypted with full disk encryption, your bootloader config or initial ramdrive may be tampered with while your computer is left unattended. That way your encryption key may be silently extracted the next time you unlock your system.
What does it do?
This kit establishes the following signature verification chain: UEFI Secure Boot -> custom GRUB2 image with your embedded verification keys -> signed kernel, initramfs and grub config.
How to use it?
Here is a step-by-step guide:
Step 1. Satisfy requirements
- x64 UEFI-enabled Linux installation with GRUB2 bootloader
- GRUB2 config without blscfg directives (they will fail to boot, since all files will have to be signed). Where applicable it is disabled automatically upon installation via
- GRUB2 tools and modules (grub2-efi-x64-modules and grub2-tools on RPM-based distros; Debian-based distros provide them by default)
- sbsigntools (sbsigntool) 0.6+ (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/). If it is absent in your distro or too old, you have two options:
- efitools 1.9.2+ (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git). If it is absent in your distro or too old, you have two options:
Fedora 30 hint
If you are building efitools on Fedora you'll need this build script to work around the library paths issue.
Step 2. Backup current UEFI keys
Step 3. Clear your current UEFI keys (putting platform into Setup Mode)
Usually, it can be done via the BIOS Setup Menu.
When done, verify it.
efi-readvar output should look like this:
# efi-readvar
Variable PK has no entries
Variable KEK has no entries
Variable db has no entries
Variable dbx has no entries
Variable MokList has no entries
Step 4. Build keys, certificates, signed grub2 image and password hash for grub2
Root access is required for proper embedded boot config generation. You will be asked for a GRUB password during the build process.
Step 5. Install UEFI keys, bootloader and boot GPG signing keys
sudo make install
Step 6. Sign all kernels, ramdrives and boot config
All newly installed kernels, ramdrives and the grub config have to be signed on update. Automation of this process differs between distros, but basically all you have to do is generate a detached signature with gpg like this:
FILE=/boot/vmlinuz-5.0.13-300.fc30.x86_64
gpg2 --quiet --no-permission-warning \
    --homedir /var/lib/secureboot/gpg-home \
    --detach-sign \
    --default-key "bootsigner@localhost" < "$FILE" > "$FILE.sig"
For some distros we already have such installable automation.
sudo make fedora30-install
Debian 9, Debian 10
sudo make debian9-install
sudo make ubuntu-install
sudo make centos7-install
Actually, you may just run a single command with the final target for your system, and make will figure out which actions are pending. But the step-by-step process is more explicit and easier to troubleshoot.
Step 7. Lock down your system
Ensure Secure Boot is enabled in your BIOS settings and an administrator password is set. Set the 'SignedBoot' UEFI boot entry as your first boot option.