johnstonj / ubuntu-secure-boot

Self-signed UEFI- and GRUB-based secure boot system for Ubuntu.

License: MIT License
ubuntu-secure-boot package
--------------------------

The stock Ubuntu 15.10 installation only implements secure boot just far enough to get a Microsoft-signed shim in place. It does nothing to actually secure the boot process. This package can help users do so.

Assumptions: (1) 64-bit computer booting via EFI, (2) full disk encryption is used. While this package will install without full disk encryption, it does nothing to secure the booted operating system beyond signing the kernel and initramfs. Private keys are stored within the /etc directory, so this must be secured as well. Note that the /boot partition may remain unencrypted, as one purpose of this package is to secure it.

After installing, you will need to run make-secure-boot-keys. Then, you will need to enable secure boot in your system firmware and import the generated keys into its configuration.

Build instructions
------------------

1. Install debhelper if needed:

       apt-get install debhelper

2. Build the package:

       dpkg-buildpackage

Install instructions
--------------------

1. Remove shim-related packages:

       apt-get purge shim-signed
       apt-get purge shim

2. Install the package as normal:

       dpkg -i ubuntu-secure-boot_<version>_amd64.deb

   If prompted about missing dependencies, install them as normal using apt-get.

3. Generate key pairs and sign your current boot files:

       make-secure-boot-keys

   Digital signatures will be maintained whenever you install new kernels or update the initramfs.

Features of ubuntu-secure-boot
------------------------------

* Self-signed bootloader files: take control over your boot process by stripping Canonical / Microsoft signatures from your boot files and signing everything yourself.
* Files that are digitally signed and verified during the boot process:
  * GRUB itself (self-signed)
  * GRUB configuration (self-signed)
  * GRUB modules and other external files (self-signed)
  * Linux kernel (self-signed)
  * Linux initramfs / initrd (self-signed)
  * Linux kernel modules (using existing Canonical signatures)
* Self-signed private keys are stored in /etc/ubuntu-secure-boot/keys and protected by a passphrase.
* UEFI Secure Boot self-signed key pairs are generated and used to sign the self-contained GRUB .efi image. They can be imported into a UEFI firmware to take full control over the secure boot process.
* The secure GRUB image is added as a boot option in the EFI firmware.
* Digital signature support in GRUB is enabled to check signatures on any boot file that is loaded from disk. The risk of loading an unsigned file from GRUB (e.g. an unsigned kernel) is eliminated.
* GRUB is deployed as a stand-alone .efi image that contains a memdisk with the full configuration and all loadable modules. This eliminates the risk of tampering with the GRUB configuration.
* GRUB is automatically locked down with a password so that users cannot tamper with boot settings or use advanced boot options.
* Unsigned GRUB files in /boot remaining from the original GRUB packages are completely wiped (but restored upon uninstall of this package).
* Newly-installed kernels are automatically signed whenever they are installed. Existing Canonical .efi signatures in the linux-signed-image-* packages are stripped and replaced with your signature.
* The initramfs is automatically re-signed whenever update-initramfs is run.
* Linux kernel module signing enforcement is automatically enabled by default. This can be controlled from /etc/default/grub.d/ubuntu-secure-boot.cfg.
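The feature list above rests on GRUB refusing to load any file from /boot that lacks a valid detached signature (GRUB looks for `<file>.sig` next to each file when signature checking is enforced). The following audit script is an added example written for this page; it is not part of the ubuntu-secure-boot package. It walks a boot directory and reports files that have no `.sig` companion, or whose `.sig` is older than the file it should cover (the file was modified after signing, so verification will fail at boot). The directory layout it is run against and the tag names in its output are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of ubuntu-secure-boot: audit a boot directory for
# files that GRUB signature enforcement would reject. With signature checking
# enforced, GRUB expects a detached signature "<file>.sig" beside every file
# it reads from disk. Two conditions are reported, one per line:
#   unsigned:        no <file>.sig exists next to the file
#   stale-signature: <file>.sig is older than the file it covers, i.e. the
#                    file changed after it was signed and will not verify
audit_boot_dir() {
    dir="$1"
    # Regular files only; the signatures themselves are skipped.
    find "$dir" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        if [ ! -f "$f.sig" ]; then
            printf 'unsigned: %s\n' "$f"
        elif [ "$f" -nt "$f.sig" ]; then
            printf 'stale-signature: %s\n' "$f"
        fi
    done
}

# Number of findings; 0 means every file has a current detached signature.
audit_boot_dir_count() {
    audit_boot_dir "$1" | wc -l | tr -d ' '
}

# Usage: ./audit-boot.sh /boot
# Exit status is non-zero when anything was flagged, so it can gate a
# post-update check. With no argument only the functions are defined.
case "${1:-}" in
    "") ;;
    *)  audit_boot_dir "$1"
        [ "$(audit_boot_dir_count "$1")" -eq 0 ] ;;
esac
```

Running it right after a kernel or initramfs update is a cheap way to confirm that the package's signing hooks actually fired before rebooting into an enforcing GRUB.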
To dpkg-divert files, use https://packages.debian.org/buster/config-package-dev / https://debathena.mit.edu/config-package-dev/ rather than directly using dpkg-divert.
Avoid dpkg diversions by making use of the default PATH? If you were to ship /usr/bin/update-grub, then that would take preference over /usr/sbin/update-grub, so the original /usr/sbin/update-grub does not need to be touched?
There is limited Ubuntu specificity. Avoid writing "ubuntu" whenever possible. That would make it easier to merge this into Debian so it can then flow down into any Debian-based Linux distribution.
Try to merge this upstream?
Hello, running make-secure-boot-keys as root on Ubuntu 16.04 fails in the end with:

    Generating grub configuration file ...
    patching file /tmp/tmp.CuOB9NyrEo (read from /etc/ubuntu-secure-boot/10_linux.distrib)
    Found linux image: /boot/vmlinuz-4.4.0-116-generic
    Found initrd image: /boot/initrd.img-4.4.0-116-generic
    Found linux image: /boot/vmlinuz-4.4.0-87-generic
    Found initrd image: /boot/initrd.img-4.4.0-87-generic
    Adding boot menu entry for EFI firmware configuration
    done
    Gathering GRUB modules... (please disregard any messages regarding network configuration...
    Netboot directory for x86_64-efi created. Configure your DHCP server to point to /tmp/tmp.xHxB5wKqW0/boot/grub/x86_64-efi/core.efi
    Signing GRUB modules... (this will take a minute)
    Creating memdisk...
    Building GRUB image...
    writing RSA key
    Signing GRUB image...
    Adding bootloader to EFI configuration...
    efibootmgr: Could not set variable: No such file or directory
    efibootmgr: Could not prepare boot variable: No such file or directory

The part in which it fails is:

    # Device node backing the EFI system partition, e.g. /dev/sda1
    DEVICE="$(df -T /boot/efi | sed -n 2p | awk '{ print $1}')"
    # Disk: the device name with every digit removed
    DISK="$(echo "$DEVICE" | sed 's|[0-9]||g')"
    # Partition number: the device name with every non-digit removed
    PARTNUM="$(echo "$DEVICE" | sed 's|[^0-9]||g')"
    # Register the signed GRUB image as an EFI boot entry
    efibootmgr --quiet --create --disk "$DISK" --part "$PARTNUM" \
        --write-signature --label "$BOOTLOADER_ID" \
        --loader "\\EFI\\$BOOTLOADER_ID\\$EFI_FILENAME"

Any ideas what could be wrong?
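Two things are worth checking whenever this efibootmgr call fails. First, efibootmgr reads and writes EFI variables through efivarfs; when /sys/firmware/efi/efivars is absent or empty (machine booted in legacy/CSM mode, or the filesystem not mounted) it cannot create a boot entry at all. Second, the digit-stripping in the quoted snippet only yields a sensible disk for names like /dev/sda1; for /dev/nvme0n1p1 it produces /dev/nvmenp. The script below is an added example written for this page, not code from the ubuntu-secure-boot project or from the reporter. It derives the disk and partition number for sda-, nvme- and mmcblk-style partition nodes and verifies efivarfs before calling efibootmgr. The use of findmnt and the `--apply` guard are choices of this example; BOOTLOADER_ID and EFI_FILENAME are the variables from the quoted snippet and must be set by the caller.

```shell
#!/bin/sh
# Added example, not part of ubuntu-secure-boot: derive efibootmgr's
# --disk/--part arguments from a partition device node and make sure the
# EFI variable filesystem is present before touching boot entries.

# Split a partition node into "DISK PARTNUM". Handles the common schemes:
#   /dev/sda1      -> /dev/sda 1
#   /dev/nvme0n1p1 -> /dev/nvme0n1 1
#   /dev/mmcblk0p2 -> /dev/mmcblk0 2
# Returns 1 when the name carries no partition number (e.g. /dev/sda).
split_partition() {
    dev="$1"
    # Partition number: the trailing run of digits.
    partnum="${dev##*[!0-9]}"
    [ -n "$partnum" ] || return 1
    # Disk: everything before that number ...
    base="${dev%$partnum}"
    # ... minus the 'p' separator nvme/mmcblk insert after a digit.
    case "$base" in
        *[0-9]p) base="${base%p}" ;;
    esac
    printf '%s %s\n' "$base" "$partnum"
}

# efivarfs must be mounted and populated; the path argument exists so the
# check can be exercised against a constructed directory.
efivars_available() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Register the signed GRUB image, mirroring the quoted snippet.
# BOOTLOADER_ID and EFI_FILENAME are expected from the environment.
register_boot_entry() {
    if ! efivars_available; then
        echo "efivarfs not available: booted in legacy mode or not mounted?" >&2
        return 1
    fi
    device="$(findmnt -n -o SOURCE /boot/efi)" || return 1
    parts="$(split_partition "$device")" || {
        echo "cannot derive partition number from $device" >&2
        return 1
    }
    disk="${parts% *}"
    partnum="${parts##* }"
    efibootmgr --quiet --create --disk "$disk" --part "$partnum" \
        --write-signature --label "$BOOTLOADER_ID" \
        --loader "\\EFI\\$BOOTLOADER_ID\\$EFI_FILENAME"
}

# Only act when explicitly asked; otherwise just define the functions.
case "${1:-}" in
    --apply) register_boot_entry ;;
esac
```

Run as `BOOTLOADER_ID=... EFI_FILENAME=... ./register.sh --apply` as root; the efivarfs check fails fast with a readable message instead of the bare "No such file or directory" from efibootmgr.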