
Using Secure Boot on Arch Linux

Installing packages

pacman -Syu efitools sbsigntools

Generating keys

readonly key_name="TODO: YOUR KEY NAME HERE"

uuidgen --random > GUID.txt
# platform key
openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=${key_name}-platform-key/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
cert-to-efi-sig-list -g "$(cat GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(cat GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
# key exchange key
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=${key_name}-key-exchange-key/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
cert-to-efi-sig-list -g "$(cat GUID.txt)" KEK.crt KEK.esl
sign-efi-sig-list -g "$(cat GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
# signature database key
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=${key_name}-signature-database-key/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
cert-to-efi-sig-list -g "$(cat GUID.txt)" db.crt db.esl
sign-efi-sig-list -g "$(cat GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth

Creating a unified kernel image

  • Add ALL_microcode and default_efi_image to /etc/mkinitcpio.d/${kernel_package}.preset
    • Edit ${kernel_package} and ${cpu_vendor}
# mkinitcpio preset file for the '${kernel_package}' package

ALL_config="/etc/mkinitcpio.conf"
ALL_kver="/boot/vmlinuz-${kernel_package}"
ALL_microcode=('/boot/${cpu_vendor}-ucode.img')

PRESETS=('default')

default_image="/boot/initramfs-${kernel_package}.img"
default_efi_image="/boot/EFI/Linux/archlinux-${kernel_package}.efi"
  • Write the kernel cmdline
cp /proc/cmdline /etc/kernel/cmdline

Creating pacman hooks

Boot loader

  • The example uses systemd-boot
  • /etc/pacman.d/hooks/98-systemd-boot.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = systemd

[Action]
Description = Updating and signing systemd-boot...
When = PostTransaction
Exec = /usr/local/sbin/update-systemd-boot.sh
Depends = sbsigntools
Depends = grep
  • /usr/local/sbin/update-systemd-boot.sh
    • Edit key_path
#!/bin/sh

# Directory holding db.key and db.crt generated above.
readonly key_path="TODO: YOUR KEY PATH HERE"
readonly target=/boot/EFI/systemd/systemd-bootx64.efi

# Copy the new systemd-boot binary into the ESP; this only replaces the file
# when the packaged version is newer, so an already-signed copy may be kept.
/usr/bin/bootctl --no-variables --graceful update
# sbverify --list prints "signature certificates" only when the image carries
# an Authenticode signature; sign it in place with the db key if it does not.
if ! /usr/bin/sbverify --list "$target" 2>/dev/null | /usr/bin/grep -q "signature certificates"; then
    /usr/bin/sbsign --key="${key_path}/db.key" --cert="${key_path}/db.crt" --output="$target" "$target"
fi
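As an added example (not part of the gist), a Python check for the same condition the hook tests with sbverify --list: whether a PE image carries an Authenticode certificate table. It parses the PE header directly, so it works without sbsigntools; a present signature says nothing about which key produced it, so checking against db.crt still needs sbverify --cert. The sample image built by build_sample_pe is constructed here for testing.

```python
import struct

# Offsets inside the PE optional header (PE/COFF spec): NumberOfRvaAndSizes and the
# start of the data-directory array differ between PE32 (0x10b) and PE32+ (0x20b).
_LAYOUT = {0x10B: (92, 96), 0x20B: (108, 112)}
_SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def certificate_table(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe + 4 + 20                                      # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in _LAYOUT:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva_off, dd_off = _LAYOUT[magic]
    if struct.unpack_from("<I", data, opt + nrva_off)[0] <= _SECURITY_DIR:
        return None                                        # directory array too short
    off, size = struct.unpack_from("<II", data, opt + dd_off + 8 * _SECURITY_DIR)
    # Unlike the other directories, this entry is a raw file offset, not an RVA.
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size


def is_signed(path: str) -> bool:
    with open(path, "rb") as f:
        return certificate_table(f.read()) is not None


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections) used as sample input."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    dirs = [(0, 0)] * 16
    blob = b""
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7)
        blob = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8)
        dirs[_SECURITY_DIR] = (0x40 + 4 + 20 + 240, len(blob))
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", o, s) for o, s in dirs)
    return dos + b"PE\0\0" + coff + opt + blob
```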

Unified kernel image

  • /etc/pacman.d/hooks/99-sign-kernel.hook
    • Edit ${key_path} and ${kernel_package}
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*

[Action]
Description = Signing unified kernel image...
When = PostTransaction
Exec = /usr/bin/sbsign --key=${key_path}/db.key --cert=${key_path}/db.crt --output=/boot/EFI/Linux/archlinux-${kernel_package}.efi /boot/EFI/Linux/archlinux-${kernel_package}.efi
Depends = sbsigntools

Known issues

  • Needs to be fixed so that the unified kernel image is regenerated and signed even when only the CPU microcode is updated, without a kernel or kernel module update