|
|
Ticket: [[!tails_ticket 6560]]
|
|
|
|
|
|
[[!toc levels=2]]
|
|
|
|
|
|
# One possible plan
|
|
|
|
|
|
Goal: avoid the need to disable Secure Boot in the firmware
|
|
|
configuration. Tails should boot out-of-the-box with Secure Boot
|
|
|
enabled, without the user having to do _anything_ special about it.
|
|
|
|
|
|
Means: use the shim signed by Microsoft + GRUB2.
|
|
|
|
|
|
We don't support booting on a custom built kernel, so that should be
|
|
|
relatively easy. Except:
|
|
|
|
|
|
* The kernel won't allow loading an unsigned `aufs` module so we need
|
|
|
to migrate to `overlayfs` ([[!tails_ticket 8415]]).
|
|
|
* `overlayfs` does not allow stacking enough layers for our current
|
|
|
upgrade system, so we need to [[!tails_ticket 15281 desc="stack one
|
|
|
single SquashFS diff when upgrading"]].
|
|
|
|
|
|
Resources
|
|
|
=========
|
|
|
|
|
|
* Debian's [[!debwiki SecureBoot desc="Secure Boot support"]] will be
|
|
|
done for GRUB first, unclear if other bootloaders will be supported
|
|
|
- tracker bug: [[!debbug 820036]]
|
|
|
- shim is [[!debpts shim-signed desc="in Debian"]] (signed by the
|
|
|
Microsoft UEFI CA) but grub2-signed is not ([[!debbug 820050 desc="RFP bug"]]).
|
|
|
* How other distros do it:
|
|
|
- [Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot)
|
|
|
- [ArchLinux](https://wiki.archlinux.org/index.php/Secure_Boot)
|
|
|
- [Fedora](https://fedoraproject.org/wiki/Features/SecureBoot)
|
|
|
- [ALT Linux' SecureBoot mini HOWTO](http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO) and
|
|
|
[their](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-copy-efiboot;h=1ca6b0137c7488ae50540b027cf4a541074daba5;hb=HEAD)
|
|
|
[scripts](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-pack-isoboot;h=85ca988c6aab94e3c44e64519baf2231e39d8d24;hb=HEAD)
|
|
|
- [Ubuntu Privacy Remix](https://www.privacy-cd.org/)'s next release
|
|
|
(UPR 12.04r1) will support UEFI; a beta is available; they copied
|
|
|
the solution from Ubuntu 13.10 (beta): the shim bootloader and
|
|
|
a corresponding GRUB binary which passes secure boot. See their
|
|
|
[build script](https://www.privacy-cd.org/en/tutorials/build-your-own-cd/79).
|
|
|
* Matthew Garrett:
|
|
|
- [Handling UEFI Secure Boot in smaller distributions](http://mjg59.dreamwidth.org/17542.html)
|
|
|
- [Secure Boot bootloader for distributions available now](http://mjg59.dreamwidth.org/20303.html)
|
|
|
- [An overview of Fedora's Secure Boot implementation](http://mjg59.dreamwidth.org/18945.html)
|
|
|
- [Terse howto for getting a signed shim](http://mjg59.dreamwidth.org/20303.html?thread=783183#cmt783183)
|
|
|
* [Managing EFI Boot Loaders for Linux: Dealing with Secure Boot](http://www.rodsbooks.com/efi-bootloaders/secureboot.html), by Rod Smith
|
|
|
* GRUB 2.04 will support UEFI Secure Boot (currently every distro has
|
|
|
patches for that)
|
|
|
* [Booting a Self-signed Linux
|
|
|
Kernel](http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/),
|
|
|
by Greg Kroah-Hartman
|
|
|
* Linux Foundation's
|
|
|
[Making UEFI Secure Boot Work With Open Platforms](http://linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms)
|
|
|
|
|
|
<a id="automated-testing"></a>
|
|
|
|
|
|
Automated testing
|
|
|
=================
|
|
|
|
|
|
* The hard(est) part seems to be about how to enroll the signing keys
|
|
|
into the nvram file.
|
|
|
- [[!debpkg ovmf]] 0.0~20200229-2 installs a "ms" firmware
|
|
|
descriptor, "which has keys pre-enrolled and Secure Boot enabled".
|
|
|
E.g. in the package there's `/usr/share/OVMF/OVMF_VARS.ms.fd`
|
|
|
and `/usr/share/qemu/firmware/40-edk2-x86_64-secure-enrolled.json`.
|
|
|
There's probably a way to ask libvirt to instruct QEMU to use that.
|
|
|
- One option is to use `EnrollDefaultKeys.efi` from OVMF.
|
|
|
* [Automating Secure Boot Testing](https://www.youtube.com/watch?v=qtyRR-KbXYQ):
|
|
|
how Red Hat does CI for Secure Boot (FOSDEM 2018)
|
|
|
* <https://wiki.ubuntu.com/UEFI/SecureBoot/Testing>
|
|
|
* <https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm>
|
|
|
* <https://fedoraproject.org/wiki/Using_UEFI_with_QEMU#Testing_Secureboot_in_a_VM>
|
|
|
* <https://github.com/puiterwijk/qemu-ovmf-secureboot> |