-
Notifications
You must be signed in to change notification settings - Fork 194
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New feature: bootloader signing #152
base: master
Are you sure you want to change the base?
Conversation
This is neither a support nor a non-support from me. |
mklive.sh.in
Outdated
@@ -233,6 +235,13 @@ generate_grub_efi_boot() { | |||
fi | |||
mkdir -p "${GRUB_EFI_TMPDIR}"/EFI/BOOT | |||
cp -f "$VOIDHOSTDIR"/tmp/bootia32.efi "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTIA32.EFI | |||
|
|||
#Bootloader signing | |||
if ([ $toSign ] && [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX32.EFI ]);then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need sub-shell?
mklive.sh.in
Outdated
@@ -244,6 +253,13 @@ generate_grub_efi_boot() { | |||
die "Failed to generate EFI loader" | |||
fi | |||
cp -f "$VOIDHOSTDIR"/tmp/bootx64.efi "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI | |||
|
|||
#Bootloader signing | |||
if ([ $toSign ] && [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI ]);then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And please reset toSign
variable in the beginning of script.
mklive.sh.in
Outdated
print_step "Signing BOOTX64.EFI..." | ||
sbsign --key $DBKEY --cert $DBCRT --output "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64-signed.EFI "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI | ||
fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Make them a function, perhaps?
mklive.sh.in
Outdated
#The -d and -t options are complementary. If one exists, the other must also exist. | ||
#If these options are set, I also check sbsign command. | ||
if ([ -z $DBKEY ] && [ ! -z $DBCRT ]) || ([ ! -z $DBKEY ] && [ -z $DBCRT ]); then | ||
die "Must be set a key and certificate via -d and -t option, exiting..." | ||
elif ([ $DBKEY ] && [ $DBCRT ]); then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ugly! Maybe?
if [ -n "$key" -a -n "$crt" ]; then
...
else if [ -n "$key$crt" ]; then
die "...."
fi
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
-a and -o are deprecated (according to bash faq), -n gives no much value in general if any, and similarly ! can be basically used instead of -z :D
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was talking about the order of execution ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, the structure is fine :)
mklive.sh.in
Outdated
if [ $DBKEY ] && [ ! -f $DBKEY ]; then | ||
die "$DBKEY does not exist, exiting..." | ||
elif [ $DBCRT ] && [ ! -f $DBCRT ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
$dbkey
and $dbcrt
checked above! [ -f "$key" ]
is enough.
mklive.sh.in
Outdated
die "$DBKEY does not exist, exiting..." | ||
elif [ $DBCRT ] && [ ! -f $DBCRT ]; then | ||
die "$DBCRT does not exist, exiting..." | ||
elif ! [ -x "$(command -v sbsign)" ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What wrong with simple:
elif command -v sbsign; then
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
command -v sbsign >/dev/null
or
hash sbsign 2>/dev/null
or
type sbsign >/dev/null 2>&1
and if im right, then hash is the fastest, but i think ive only ever seen command -v around void
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't care about which one is the fastest. I was talking about the uselessness of [ -x ]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the point was the redirection against littering the output, while u r right, just these are again two different things, i hope u didnt get me wrong or got offended or whatever! :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, no, I'm not offended (and I hope you aren't, too).
However, driving out of track is not productive.
You suggestion about appending >/dev/null
is good, that's is nice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ahh, fine, and thx for the info! :)
however, just for the next time, what do u mean by driving out of track? it was about the same line, is there a way to isolate my stuff better that im not aware of, or i just need a better wording? im not a git/github pro actually :D (also, i often go off topic, but i dont think this was an example of that :D )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, this one is not. The previous one is :-p
-d <key-file> Set a key file to sign bootloader. | ||
-t <cert-file> Set a certificate file to sign bootloader. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why d
and t
? Is it because they're random characters that still available?
Sorry, how can i to use that hook to sign bootloader in a custom Void ISO? |
I'm not sure there's an easy way to use the If possible, I would be in favor of signing the kernel in void ISOs with a throwaway key, which allows one to never turn off Secure Boot while installing, even if new keys will have to be added (once for the Void specific one, once for the user's keys). |
I just see that hook only signs vmlinuz does not sign the bootloader. Grub is loaded first and then the kernel. |
I still have to understand a lot about how void works :) |
Really? GRUB should verify this, otherwise Secure Boot is useless. rEFInd does proper verification of the kernel. |
Probably grub handles it differently. |
About hook /etc/default/sbsigntool-kernel-hook, i guess that this way is more onerous. Is correct? What do you think? |
Sorry, I didn't say it clearly. I was trying to say about falling back to those key and cert in those config files |
Do you say to use the keys mentioned in sbsigntool-kernel-hook ? |
On 2020-10-09 07:03:59-0700, pandom79 ***@***.***> wrote:
> > Sorry, how can i to use that hook to sign bootloader in a custom Void ISO?
> > The iso image obtainable via mklive command have the efi file in a compressed image called efiboot.img,
> > therefore i haven't visibility to sign it after creation.
> > I thought about intervening during its creation to sign it, so I made this change.
>
> Sorry, I didn't say it clearly. I was trying to say about falling back to those key and cert in those config files
Do you say to use the keys mentioned in sbsigntool-kernel-hook ?
EFI_KEY_FILE=/etc/efikeys/db.key
EFI_CERT_FILE=/etc/efikeys/db.crt
Exactly.
…--
Danh
|
I say that my case it would not works because i don't use sbsigntool-kernel-hook. I sign kernel and bootloader directly in dracut and them path are different. |
Anyway, this is my definitive version. |
Never say definitive...;) |
fb6f6cd
to
4238036
Compare
b4fb193
to
6ed0788
Compare
@@ -282,7 +308,7 @@ generate_iso_image() { | |||
# | |||
# main() | |||
# | |||
while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:h" opt; do | |||
while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:d:t:h" opt; do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:d:t:h" opt; do | |
while getopts "a:b:r:c:C:T:Kk:l:i:I:s:o:p:v:d:t:h" opt; do |
Sorry! I have removed the -S
option, so there is a conflict now.
Hi,
I added bootloader's signing functionality.
I needed that so i though to create a merge request.
Pratically, i added two options: -d and -t.
-d to set key file. ( es. -d /keys/db.key )
-t to set cert file ( es. -t /keys/db.crt )
These options are complementary. It hasn't sence to set one without other.
If both are set, i also check sbsign command.
These controls are execute before the packages installation and initramfs generation.
If the user entered wrong data, it is useless go on.
Following, show the steps to get void linux usb key bootable under secure boot enabled:
sudo ./mklive.sh -d my.key -t my.crt
Via dd command, i write ISO image on USB stick.
Reboot machine with USB stick plugged
Setup firmware
You'll see a bootloader called BOOTX??.EFI and BOOTX??-signed.EFI ( ?? = 32 or 64 )
If the entered keys are correct, void linux will startup finely.
If you are interested that , i am available for eventual changes.
Regards