Skip to content

Instantly share code, notes, and snippets.

@dnoliver

dnoliver/README.md

Last active April 14, 2021 17:54
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save dnoliver/3da8f33397c978dce513ff63e58cd9d7 to your computer and use it in GitHub Desktop.
Save dnoliver/3da8f33397c978dce513ff63e58cd9d7 to your computer and use it in GitHub Desktop.
Download ZIP
Trusted Boot
Raw
README.md

Trusted Boot Stuff

Instructions on how to enable Tboot.

Discussion thread: Tboot on Intel NUC8i7HVK and Fedora 33

Check if Intel TXT is supported

dnf install -y cpuid
cpuid --one-cpu | grep SMX

Install and configure tboot from rpm

dnf install -y tboot grub2-efi-x64-modules
mkdir -p /boot/efi/EFI/fedora/x86_64-efi/
cp /usr/lib/grub/x86_64-efi/multiboot2.mod /boot/efi/EFI/fedora/x86_64-efi/
cp /usr/lib/grub/x86_64-efi/relocator.mod /boot/efi/EFI/fedora/x86_64-efi/
curl https://software.intel.com/content/dam/develop/external/us/en/protected/8th_9th_gen_i5_i7-SINIT_81.zip -o 8th_9th_gen_i5_i7-SINIT_81.zip
unzip 8th_9th_gen_i5_i7-SINIT_81.zip
cp 7th_8th_gen_i5_i7-SINIT_81.bin /boot/
grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

# WORKAROUND for tboot kernel command line arguments bug in Fedora 33
# Add "rootflags=subvol=root" to the generated config

Dockerfile to build tboot

FROM fedora:33
RUN dnf install -y mercurial-py3 trousers-devel openssl-devel zlib-devel make gcc perl-interpreter
RUN hg clone http://hg.code.sf.net/p/tboot/code -r 2.x tboot-code
WORKDIR tboot-code
RUN cp README.md README && make world

Dockerfile to build grub

FROM fedora:33
RUN dnf install -y git autoconf automake gettext-devel bison \
                   findutils pkgconf-pkg-config python-unversioned-command \
                   patch git-merge-changelog gcc flex
RUN git clone https://git.savannah.gnu.org/git/grub.git
WORKDIR grub
RUN git checkout grub-2.04 && \
    ./bootstrap && \
    mkdir EFI64 && cd EFI64 && \
    CFLAGS=-Wno-error ../configure --with-platform=efi --target=x86_64 && \
    make -j4
RUN ./grub-mkimage -d grub-core -O x86_64-efi -o grubx64.efi -p "/EFI/BOOT" \
    echo all_video boot btrfs cat chain configfile echo efifwsetup efinet \
    ext2 fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg loadenv lvm \
    mdraid09 mdraid1x minicmd normal part_apple part_msdos part_gpt password_pbkdf2 \
    png reboot search search_fs_uuid search_fs_file search_label sleep syslinuxcfg \
    test tftp regexp video xfs relocator multiboot2 linux efinet tftp serial shim_lock multiboot

Installing custom grub in Fedora

dnf install -y sbsigntools
cat > openssl.cnf << EOF
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no
[ req_distinguished_name ]
countryName             = US
stateOrProvinceName     = OR
localityName            = Hillsboro
0.organizationName      = Organization
commonName              = Secure Boot Signing
emailAddress            = secureboot@test.com
[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:FALSE
extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment               = "OpenSSL Generated Certificate"
EOF
openssl req -config ./openssl.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 3650 -outform DER \
        -keyout MOK.key \
        -out MOK.der
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem        
sbsign --key MOK.key --cert MOK.pem \
       --output ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
sbverify --cert MOK.pem ./grubx64.efi
/usr/bin/cp ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
./grub-mkconfig --output /boot/efi/EFI/fedora/grub.cfg
sed -i 's/terminal_output gfxterm/terminal_output console/g' /boot/efi/EFI/fedora/grub.cfg
mokutil --import MOK.der
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment