Skip to content

Latest commit

 

History

History
286 lines (210 loc) · 5.13 KB

shim.md

File metadata and controls

286 lines (210 loc) · 5.13 KB
Raw

Secure Boot and shim

Secure Boot accepts only trusted files during boot. The shim boot loader is a tool which allows you to select which files to trust. HackBGRT installs shim for you, but you need to configure it with these instructions.

On the first boot after installing HackBGRT, you will see an error message saying "Verification failed". You need to press a key to enter the setup tool (MOKManager) where you can choose to trust HackBGRT. After that, use arrow keys to navigate and Enter to continue as described below.

1. Verification failed

This is the start of shim configuration.

ERROR
Verification failed: (0x1A) Security Violation
+----+
| OK |
+----+

Select OK, Enter.

Shim UEFI key management
Press any key to perform MOK management
Booting in 5 seconds

Press a key quickly to enter MOK management or the MOKManager program.

2. MOK management

Perform MOK management

Continue to boot
Enroll key from disk
Enroll hash from disk

Select Enroll hash from disk, Enter. This is the safest option where you choose to trust only a specific version of HackBGRT.

You can also choose to Enroll key from disk, which means that you choose to trust anything signed with the same certificate. How do you know if it's safe? You don't – that's why you should rather use the other option or build your own version of HackBGRT with your own certificate.

3a. Enroll hash from disk

Select Binary

The Selected Binary will have its hash Enrolled
This means it will subsequently Boot with no prompting
Remember to make sure it is a genuine binary before enrolling its hash

+----------------+
| YOUR DISK NAME |
+----------------+

Select the disk, Enter.

+---------------+
|     EFI/      |
|    loader/    |
| vmlinuz-linux |
+---------------+

Select EFI/, Enter.

+------------+
|    ../     |
|   Boot/    |
| HackBGRT/  |
| Microsoft/ |
+------------+

Select HackBGRT/, Enter.

+-----------------+
|       ../       |
|   grubx64.efi   |
|   loader.efi    |
|    mmx64.efi    |
| certificate.cer |
|   splash.bmp    |
|   config.txt    |
+-----------------+

Select grubx64.efi, Enter.

[Enroll MOK]

+------------+
| View key 0 |
|  Continue  |
+------------+

To verify the key contents, select View key 0, Enter.

SHA256 hash
(some hexadecimal values)

Press Enter to continue.

[Enroll MOK]

+------------+
| View key 0 |
|  Continue  |
+------------+

Select Continue, Enter.

Enroll the key(s)?

+-----+
| No  |
| Yes |
+-----+

Select Yes, Enter.

Perform MOK management

+-----------------------+
|        Reboot         |
| Enroll key from disk  |
| Enroll hash from disk |
+-----------------------+

Select Reboot, Enter.

You are now ready to boot using HackBGRT.

3b. Enroll key from disk

Select Key

The selected key will be enrolled into the MOK database
This means any binaries signed with it will be run without prompting
Remember to make sure it is a genuine key before Enrolling it

+----------------+
| YOUR DISK NAME |
+----------------+

Select the disk, Enter.

+---------------+
|     EFI/      |
|    loader/    |
| vmlinuz-linux |
+---------------+

Select EFI/, Enter.

+------------+
|    ../     |
|   Boot/    |
| HackBGRT/  |
| Microsoft/ |
+------------+

Select HackBGRT/, Enter.

+-----------------+
|       ../       |
|   grubx64.efi   |
|   loader.efi    |
|    mmx64.efi    |
| certificate.cer |
|   splash.bmp    |
|   config.txt    |
+-----------------+

Select certificate.cer, Enter.

[Enroll MOK]

+------------+
| View key 0 |
|  Continue  |
+------------+

To verify the key contents, select View key 0, Enter.

[Extended Key Usage]
OID: Code Signing

[Serial Number]
6B:24:52:E9:3B:84:41:73:B0:22:92:E8:BE:8E:38:85:

[Issuer]
CN=HackBGRT Secure Boot Signer, O=Metabolix

[Subject]
CN=HackBGRT Secure Boot Signer, O=Metabolix

[Valid Not Before]
Nov  9 13:43:56 2023 GMT

[Valid Not After]
Jan 19 03:14:07 2037 GMT

[Fingerprint]
79 8E 64 40 D1 D1 F4 53 30 8D
A0 83 A4 77 FE 57 45 30 36 60

Press Enter to continue.

[Enroll MOK]

+------------+
| View key 0 |
|  Continue  |
+------------+

Select Continue, Enter.

Enroll the key(s)?

+-----+
| No  |
| Yes |
+-----+

Select Yes, Enter.

Perform MOK management

+-----------------------+
|        Reboot         |
| Enroll key from disk  |
| Enroll hash from disk |
+-----------------------+

Select Reboot, Enter.

You are now ready to boot using HackBGRT.

Tutorial: shim for dummies

To install shim manually, follow these steps (assuming x64 architecture):

  1. Get shim, preferably shim-signed.
  2. Rename your boot loader to grubx64.efi.
  3. Copy shimx64.efi where your loader used to be.
  4. Copy mmx64.efi to the same folder.

The shim boot process is as follows:

  1. Your computer starts your-loader-name.efi, which is now really shim.
  2. Next, shim tries to load grubx64.efi.
  3. If grubx64.efi is trusted, the boot process continues.
  4. Otherwise, shim offers to launch MOKManager mmx64.efi, and you can try again after that.