On Fri, Oct 19, 2012 at 02:06:16PM +0100, Mr Dash Four wrote:
> If so, the answer
>is sort of. grub2 won't check the kernel, but it will still be signed
>if it's a 64-bit F18 or newer release kernel.
Would that be possible - for the kernel to be checked - or is that
only allowed from Secure Boot?
You'd have to write some code for both grub2 and shim. Grub2 doesn't
actually do the authentication itself, it calls back to shim to do that.
And shim is looking in two databases for certs/hashes.
You'd probably need to rebuild shim with your personal key embedded,
and modified to always verify. Then you'd need to modify grub2 to
always call shim to do verification and install that. I honestly have
no idea how difficult that would be.
> The modules will all be
>signed regardless as that's done with a different key generated at
>kernel build time.
The whole point of me asking this is, because I wish to use my own
key (not Fedora's and certainly not M$) and when I build the kernel
- from source - I wish this to be signed and later enforced, if
> There's a kernel parameter you can enable to force
>the kernel into a "secure boot" mode.
I presume I could find the appropriate parameter documented in the
kernel docs directory, right?
It's carried in the patchset and put in
Documentation/kernel-parameters.txt. It's called "secureboot_enable=".
>Without the secure firmware, I'm not entirely sure why
you'd want to do
>that though. It won't prevent bootloader based attacks.
I am aware of that, but at least it would prevent loading rogue
modules, which either haven't been signed or have been altered.
The kernel doesn't need to be signed for that as I said.
> If you just
>want signed modules, there's a different kernel parameter you can pass
>to enforce signed modules.
Ideally, I'd like to protect the kernel as well, but if that's not
possible then just the modules will do.
In an ideal world, I would like to have the option to boot my UEFI
in "Setup" mode so that I could register my own platform key, which
could then be used to register all other "trusted" keys (including
the M$ one - if I choose to trust it) and then enable UEFI to boot
in as normal, enforcing bootloader, kernel as well as kernel module
In reality though, I am finding it difficult to find a hardware
manufacturer who distributes motherboards with that option enabled
(UEFI in "Setup" mode) - the most I could get, and it still seems a
rarity these days, is to have a separate key registered, alongside
the already existing one (which, in 99% of the cases is from M$).
You should be able to disable Secure Boot in the firmware, and reboot
back into setup mode. It should allow you to delete all the existing
keys at that point. Though you'd actually need to have a machine that
has Secure Boot implemented in the first place.
That, while acceptable somewhat, forces me to trust the master key,
which I am not willing to do - it should be up to me as owner of my
own hardware (My PC!) to choose what to trust and what not to.
Apologies for this rant, but it had to be said!
You can. In order to be specification compliant, the machine needs to
allow you to disable Secure Boot. Once that's done, it'll enter setup
mode. Once in that mode, I believe there are even some open source
tools that will help you enroll keys, etc.