Just like Windows has Secure Boot, which prevents any external OS loader code from running at boot, does Linux have any similar option for itself? I have looked around, but when I search, the only results I get are about how to install Linux on a UEFI-enabled Windows machine. I cannot find how I can bring this option to my Linux machine.
search keyword: "trusted grub" – Gilles 'SO- stop being evil' Mar 16 '16 at 22:50
There is the possibility of installing a `shim` bootloader that has been signed by Microsoft, see e.g. https://wiki.debian.org/SecureBoot – phk Mar 17 '16 at 14:21
@Gilles is the trustedgrub software trustable? It is intimidating to download something that will alter my boot process. – Rohan Mar 18 '16 at 04:58
@Rohan Trusted Grub is as trustable as any other fundamental Linux software. It's maintained by the same people as TrouSerS, which is Linux's TPM software stack. – Gilles 'SO- stop being evil' Mar 18 '16 at 16:20
3 Answers
For secure boot to work, your hardware should support secure boot and your OS should support secure booting.
For hardware, you can check in the UEFI settings menus; you need to add the certificates/keys provided by the OS.
For the OS, you can check support with the following commands:
[root@secureboot-guest ~]# cat /sys/kernel/security/securelevel
If the output of the above command is "1" then secure boot is supported and enabled by your OS.
If this file does not exist, you need to check whether your kernel is compiled with secure boot support:
$ egrep "CONFIG_EFI_SECURE_BOOT_SECURELEVEL|CONFIG_SECURITY_SECURELEVEL" /boot/config-$(uname -r)
CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y
CONFIG_SECURITY_SECURELEVEL=y
@Rohan, it is possible that your kernel is not compiled with secure boot support. Check the output of the following: [root@secureboot-guest ~]# cat /boot/config-`uname -r` | grep SECURE. If secure boot support is there in the kernel then you will get output like the below: CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y CONFIG_SECURITY_SECURELEVEL=y – shubham Mar 24 '16 at 05:45
Oh, actually it was a Linux command. This is the command: cat /boot/config-`uname -r` (put uname -r inside ` at both ends) – shubham Mar 28 '16 at 05:32
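As an added example (not part of shubham's answer or any post in this thread), the check below reads the firmware's own view of Secure Boot through efivarfs, which works on any UEFI-booted kernel rather than depending on the securelevel file. Each efivarfs file is a 4-byte little-endian attribute word followed by the variable data; SetupMode=1 means no Platform Key is enrolled, so signatures are not being enforced even if SecureBoot reads 1. The sample byte strings are constructed.

```python
"""Report UEFI Secure Boot state from efivarfs (added example, not from the thread)."""
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID, the namespace of the SecureBoot and SetupMode variables.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs file into (attributes, data); the header is always 4 bytes."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than the 4-byte attribute header")
    attrs = int.from_bytes(raw[:4], "little")
    return attrs, raw[4:]


def secure_boot_state(secureboot: bytes, setupmode: bytes) -> str:
    """Classify the firmware state from the raw contents of the two variable files."""
    _, sb = parse_efivar(secureboot)
    _, sm = parse_efivar(setupmode)
    if sm and sm[0] == 1:
        # Setup mode: no Platform Key, so anyone with root can enroll keys and
        # the SecureBoot flag gives no assurance.
        return "setup-mode"
    if sb and sb[0] == 1:
        return "enabled"
    return "disabled"


def read_state() -> str:
    """Read the live variables; 'unsupported' when not booted via UEFI or efivarfs is absent."""
    sb_path = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    sm_path = EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}"
    if not (sb_path.exists() and sm_path.exists()):
        return "unsupported"
    return secure_boot_state(sb_path.read_bytes(), sm_path.read_bytes())


# Constructed sample file contents: attributes 0x06 (BS|RT access), then one data byte.
SAMPLE_ENABLED = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    print(read_state())
```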
First of all: generate your own key
openssl req -new -nodes -utf8 -sha256 -days 36500 -batch -x509 \
-subj "/CN=Kernel Key" -outform DER -out kernel.der \
-keyout kernel.key
Try to compile the Linux kernel with CONFIG_EFI_STUB and embed the initramfs into it as described here: https://prosauce.org/blog/2015/10/31/booting-linux-securely. To sign modules you can use the following script:
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 kernel.key kernel.der module.ko
Then create a file with the kernel cmdline for your laptop/workstation, create one image and copy it to the EFI boot dir like this:
# objcopy \
  --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
  --add-section .cmdline=/tmp/cmdline --change-section-vma .cmdline=0x30000 \
  --add-section .linux=/boot/vmlinuz --change-section-vma .linux=0x2000000 \
  --add-section .initrd=/boot/initrd.img --change-section-vma .initrd=0x3000000 \
  /usr/lib/systemd/boot/efi/linuxx64.efi.stub linux.efi
# mkdir -p /boot/efi/EFI/BOOT
# sbsign --key /root/keys/ISK.key --cert /root/keys/ISK.pem --output /boot/efi/EFI/BOOT/BOOTX64.EFI linux.efi
/boot/efi/EFI/BOOT/BOOTX64.EFI
To install your own key into the motherboard firmware you can run commands like this:
openssl x509 -inform der -in kernel.der -outform pem -out kernel.pem
cert-to-efi-sig-list -g "$(uuidgen)" kernel.pem kernel.esl
sign-efi-sig-list -k KEK.key -c KEK.pem kernel kernel.esl kernel.auth
Fedora comes with signed kernels that don't need a custom key. Perhaps other distros as well. – akostadinov Jun 11 '22 at 21:02
AFAIK secure boot is a UEFI feature that is developed by Microsoft and some other companies that form the UEFI consortium.
UEFI is partly hardware enforced, i.e. your motherboard config may or may not get in the way. If you use complete UEFI then chances are that you will be able to enable secure boot from the UEFI menu itself.
However, if your firmware is UEFI with CSM/BIOS then you may encounter certain roadblocks, such as the option to enable secure boot being greyed out and all.
It's not a Microsoft product, it's a standard; Microsoft might have had a lot of say in its creation: https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface#Secure_boot – phk Mar 17 '16 at 14:19