this post was submitted on 13 Oct 2023
211 points (99.5% liked)

Linux


Been down the rabbit hole lately of UEFI Secure Boot issues, and decided to write an overview of how it works out-of-the-box in the excellent Debian-based Linux Mint LMDE 6.

Have mostly been researching this stuff as I was looking to replace GRUB entirely with systemd-boot on one of my systems. Will likely write a follow-up piece documenting that journey if I think it'd be interesting to some nerds out there.

top 36 comments
[–] [email protected] 20 points 1 year ago (2 children)

If you want to experiment with UEFI you don't need systemd-boot either, just create an EFI-bootable kernel and direct boot it. rEFInd is still around I think too for graphical boot (although that's mainly used by Macs... Apple users like GUIs :p).

[–] [email protected] 12 points 1 year ago (2 children)

Booting the kernel directly via EFIStub from the firmware is certainly an interesting idea, although it sounds like a potential pain to manage updates. Will definitely take a look down that rabbit hole though. =)

[–] [email protected] 4 points 1 year ago

I've been working on a tool to make management of EFI boot entries easier, specifically with the use case of booting Linux in mind.

https://github.com/cbarrick/efiboot

I haven't made a public release yet though... I really should.

[–] [email protected] 4 points 1 year ago

At this point it's pretty well battle tested.

https://wiki.archlinux.org/title/EFISTUB

[–] [email protected] 1 points 1 year ago (1 children)

rEFInd is finally a reasonable boot loader. It and Ventoy might finally make dual-booting Linux + Windows viable.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Isn't Ventoy used to boot images like ISOs?

[–] [email protected] 15 points 1 year ago (3 children)

First, I'd personally always opt for systemd-boot instead of GRUB when I have the choice. GRUB is just very complex and systemd-boot rather simple.

Getting Secure Boot to work isn't always trivial, especially since mainboards and TPMs don't always document how enrolling your own keys works.

[–] [email protected] 2 points 1 year ago

Hard same. systemd-boot is about as tricky as, say, syslinux (which I used to use) to get working, which is itself far simpler to work with than GRUB ever was.

[–] [email protected] 1 points 1 year ago

Personally, for me, GRUB breaks when sdaX changes, but systemd-boot doesn't. This is my main reason to prefer it. Easy access to boot configuration is a plus, I guess.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (1 children)

GRUB is just very complex and systemd-boot rather simple.

Well, except the systemd part. EFIStub or rEFInd it is for me.

[–] [email protected] 5 points 1 year ago

systemd-boot is basically gummiboot with an interface to systemd so that the latter can get information on boot time in firmware and stuff. I prefer a boot loader instead of EFIStub because it allows easier configuration of boot options etc., but it just comes down to personal preference.

[–] [email protected] 15 points 1 year ago

How to use secure boot in linux:

Step 1. Go to the UEFI settings and disable it

Done

[–] [email protected] 9 points 1 year ago (1 children)

Wait, Mint switched base from Ubuntu to Debian?

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (1 children)

'Normal' Mint is still based on Ubuntu, but there is LMDE (Linux Mint Debian Edition), which is Debian based.

[–] [email protected] 7 points 1 year ago

That's awesome.

[–] [email protected] 9 points 1 year ago (2 children)

Fun read.

So, is the implication here that ONLY Microsoft keys can be in the db, and thus they're the ultimate authority on who gets signed? Does Microsoft somehow own the UEFI standard?

Relatedly, can anyone elaborate on their reason for refusing to sign GRUB? I'm not following just from that short quote.

[–] [email protected] 16 points 1 year ago (2 children)

Microsoft doesn't own the standard. It's actually an open standard maintained and contributed to by a whole host of technology companies. This is contrary to the old BIOS method which was originally proprietary to IBM.

The fact they have such wide authority in signing is a product of how wide-reaching their market share is. They essentially mandate that OEMs include their signing keys in the signature database if their systems are to ship with Windows, thus making them a de facto authority on what gets signed. This was a point that made a lot of people in the FOSS community uncomfortable and still does to this day, although if one wants they can actually take full control of the Secure Boot process by replacing the Platform Key (PK) with their own. This gives ultimate control to the owner of the machine as they can then replace the Key Exchange Keys to allow them to replace Microsoft's keys within the signature database (db). This completely removes reliance on any third party signatures and enables ditching the first-stage Shim bootloader from the boot flow entirely, since the owner could just sign whichever bootloader they wanted to use directly with their own key in the database. As it would require manually signing everything from the bootloader to the kernel and its modules though, including re-signing them after updates, this is definitely a much more involved way of doing things although arguably even more secure as the system would be entirely locked down to only binaries signed by its owner at that point.

As to why they don't sign GRUB, it's about licensing. Since GRUB is GPLv3, there are provisions in the license that Microsoft interprets as potentially mandating them to disclose their private key to facilitate users installing modified versions of it. Ubuntu came to the same conclusion when contemplating how to deal with Secure Boot back in the day, where they wanted to provide an alternative to the Microsoft keys by having Canonical's keys also shipped with firmware, although proliferation of their keys is a lot less widespread and in some people's eyes not all that much different than just using VeriSign's service for the Microsoft keys anyway.

[–] [email protected] 6 points 1 year ago (2 children)

What is the point of secure boot, if secure boot will boot a shim bootloader which will then boot whatever else you want?

[–] [email protected] 2 points 1 year ago

All the marketing and hype.

[–] [email protected] 1 points 1 year ago

I think the shim bootloader as well as the booted software must perform some verifications too.

[–] cdombroski 2 points 1 year ago

although if one wants they can actually take full control of the Secure Boot process by replacing the Platform Key (PK) with their own.

Fun fact, actually replacing the platform key will often end up with the motherboard not being usable until you do a firmware install or nvram clear. This is because various modules (most relevantly GPUs) on the motherboard have their own signed firmware that's loaded at boot and if you replace the platform key they can't be loaded anymore as they don't have a valid signature. See: https://github.com/Foxboron/sbctl/wiki/FAQ#option-rom

[–] [email protected] 7 points 1 year ago (1 children)

You can put your own keys in on many motherboards using some of the command line EFI tools, but you would have to basically recompile everything from scratch using your keys to get them to run. I.e. might as well switch to gentoo at that point.

On the other hand, Microsoft's keys are a common target and if the distro is partnered with MS, they can have their packages signed with the MS keys. This is technically less secure as the key is widely shared and if it gets cracked somehow, anyone using it is compromised. But it's a "good enough" solution for many who care to use Secure Boot at all.

Personally I just turn it off, and I haven't experienced any attacks on my machines over the last decade that would take advantage of something that low level. Then again, I'm very careful with what I download and who I open emails from, etc.

[–] [email protected] 3 points 1 year ago

You just have to sign everything, not compile. But huge pain.

[–] [email protected] 5 points 1 year ago (1 children)

Perhaps I missed it when skimming the article, but why were you looking to replace GRUB?

In case it was in the article, it might be worth adding that information up here.

[–] [email protected] 19 points 1 year ago* (last edited 1 year ago) (2 children)

Good question! There's a few reasons, I guess:

  • There's a large element of "because I can" to this, just to explore how stupid the scope of systemd is as a suite.
  • There's a small practical element. GRUB itself is quite a hefty tool to accommodate all kinds of boot setups, and it works well. If you have a simple boot setup though you could probably shave a couple of seconds off of the boot time just by using the simplified sd-boot and loading the kernel via its EFIStub.
  • A learning exercise in self-signing EFI binaries, enrolling a MOK (if I use Shim), and setting up scripts to handle updates.

All boils down to my enjoyment of doing weird nerdy things though, ultimately. =)

[–] cdombroski 1 points 1 year ago

Using systemd-boot with the shim is definitely doable, you just have to name the systemd-boot loader as grubx64.efi in the EFI/BOOT directory. After that, you just need to sign any dkms modules with a key imported into MOK and register the hash of systemd-boot with MOK.

[–] [email protected] -1 points 1 year ago (1 children)

In the interest of politeness I reserved my initial reaction of absolute horror that this would even be attempted by systemd.

[–] [email protected] 1 points 1 year ago

sysd boot doesn't just sign itself.

[–] [email protected] 5 points 1 year ago (2 children)

Interesting. I guess this could be a method to allow actual full disk encryption? Unless there's a way to have grub encrypted too?

[–] [email protected] 8 points 1 year ago

What do you mean by that? TPM and Secure boot do not manage encryption, but rather authentication and key management aspects. You still need an unencrypted UEFI partition storing your EFI binaries. This partition is always readable by an attacker, however any changes to binaries will make booting fail. Also no secrets should be stored here.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

[This comment has been deleted by an automated system]

[–] [email protected] 2 points 1 year ago

Here's also an interesting read on Linux Secure Boot, using MX21: https://forum.mxlinux.org/viewtopic.php?t=67022

[–] [email protected] 2 points 1 year ago

If distros signed the bootloaders with their own keys, then I would configure my system to only use those keys and not include Microsoft’s.

[–] [email protected] 1 points 1 year ago

Short: UEFI is Microsoft crap, only Heads Coreboot is a really secure system

[–] [email protected] 0 points 1 year ago (1 children)

The EFI binary is signed by a private key, whose public key signature is present in the trusted Signature Database (db).

Shouldn't it be the opposite? I.e. signed by a public key?

[–] [email protected] 10 points 1 year ago

Nope. You sign with the private key and verify with the public key. Basically you use the private key to do stuff only you should be able to do and the public key is used by the public to verify it was you who did it.
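Added example, not code from the thread or from any tool it mentions: a small Go model of the PK, KEK and db chain the long comment above describes, and of the sign-with-the-private-key, verify-with-the-public-key rule in the last reply. It assumes ECDSA P-256 keys and PKIX key encoding in place of the X.509 certificates and Authenticode-signed variable updates real firmware uses, and it models "replacing the PK" as starting from an empty key store, as firmware in setup mode would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
)

// Firmware: PK authorises KEK updates, a KEK authorises db updates, only db keys authorise images.
type Firmware struct{ PK, KEK, DB []*ecdsa.PublicKey } // PK is a slice only so the stores share enroll()

func newKey() *ecdsa.PrivateKey { // stands in for openssl/sbctl key generation
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // only on RNG failure
	return k
}

// sign uses the PRIVATE key; anyone holding the matching PUBLIC key can verify.
func sign(priv *ecdsa.PrivateKey, blob []byte) []byte {
	h := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil { panic(err) }
	return sig
}

func anyVerifies(keys []*ecdsa.PublicKey, blob, sig []byte) bool {
	h := sha256.Sum256(blob)
	for _, pub := range keys {
		if ecdsa.VerifyASN1(pub, h[:], sig) {
			return true
		}
	}
	return false
}

// keyBytes is what a higher-level private key signs to approve a lower-level public key;
// enroll appends pub to *store only if such a signature verifies under a key in auth.
func keyBytes(pub *ecdsa.PublicKey) []byte { b, _ := x509.MarshalPKIXPublicKey(pub); return b }
func enroll(store *[]*ecdsa.PublicKey, auth []*ecdsa.PublicKey, pub *ecdsa.PublicKey, sig []byte) bool {
	if !anyVerifies(auth, keyBytes(pub), sig) {
		return false
	}
	*store = append(*store, pub)
	return true
}
func (f *Firmware) EnrollKEK(pub *ecdsa.PublicKey, sig []byte) bool { return enroll(&f.KEK, f.PK, pub, sig) }
func (f *Firmware) EnrollDB(pub *ecdsa.PublicKey, sig []byte) bool  { return enroll(&f.DB, f.KEK, pub, sig) }
func (f *Firmware) Boot(image, sig []byte) bool                       { return anyVerifies(f.DB, image, sig) }
```

The owner-controlled chain still rejects an image whose bytes changed after signing, which is the "any changes to binaries will make booting fail" property mentioned for the unencrypted EFI partition.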