Hi Lukasz,
I am having some problems getting that custom grub running with Secure Boot.
I am using a Hyper-V VM with Fedora 33 to test this, after having to reinstall
the OS twice in my NUC.
I guess the end result will be the same in the VM and the NUC without TXT
support.
My build instructions for grub are represented in the following Dockerfile:
FROM fedora:33
RUN dnf install -y git autoconf automake gettext-devel bison \
findutils pkgconf-pkg-config python-unversioned-command \
patch git-merge-changelog gcc flex
RUN git clone https://git.savannah.gnu.org/git/grub.git
WORKDIR grub
RUN ./bootstrap && ./configure --with-platform=efi --target=x86_64 && make
Then, the process I follow to install it in my VM is:
grub-install --efi-directory=/boot/efi
/usr/local/sbin/grub-mkconfig -o /boot/grub/grub.cfg
After this, if I disable secure boot on the VM, my custom grub (in
/boot/efi/EFI/grub/grubx64.efi) gets called in the boot chain.
But if I enable secure boot, the default fedora bootloader is called
(/boot/efi/EFI/fedora/grubx64.efi).
To sign my custom grub, I am using the following (I know that it works for
kernels, not sure for grub):
dnf install -y sbsigntools
cat > openssl.cnf << EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = OR
localityName = Hillsboro
0.organizationName = Organization
commonName = Secure Boot Signing
emailAddress = [email protected]
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
EOF
openssl req -config ./openssl.cnf \
-new -x509 -newkey rsa:2048 \
-nodes -days 3650 -outform DER \
-keyout MOK.key \
-out MOK.der
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
sbsign --key MOK.key --cert MOK.pem \
--output ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
cp ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
mokutil --import MOK.der
After the reboot, I do Mok Management to import the key.
But the system keeps booting with the /boot/efi/EFI/grub/grubx64.efi instead
of my custom one.
Just to see what happens, I replaced the fedora bootloader with my custom one,
and I got the following error:
error: verification requested but nobody cares:
(hd0,gpt2)/grub/x86_64-efi/normal.mod
Entering rescue mode
grub rescue>
Any hints on what is happening?
_______________________________________________
tboot-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/tboot-devel
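An added example, not part of the message above and not tboot or GRUB project code: the poster is unsure whether sbsign actually signed grubx64.efi, and the first thing to check before enrolling a MOK and rebooting is whether the PE image now carries an Authenticode certificate table (data directory entry 4, whose first field is a file offset rather than an RVA). The script below parses the PE headers with only the standard library and reports that entry; it builds two constructed, non-bootable PE32+ images in memory (one unsigned, one with a placeholder WIN_CERTIFICATE appended) so it runs offline, and it can be pointed at a real file such as /boot/efi/EFI/grub/grubx64.efi. The function and constant names are my own.

```python
"""Report whether a PE/EFI binary carries an Authenticode certificate table.

Offline check for the sbsign step: if the Certificate Table entry is empty,
the file was never signed and firmware/shim will reject it regardless of
which MOK is enrolled. Presence of a table is not verification: sbverify or
the firmware still has to match the signer against db or the MOK list.
"""
import struct
import sys

CERT_TABLE_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002 # Authenticode PKCS#7 SignedData
MACHINE_NAMES = {0x8664: "x86_64", 0x14C: "i386", 0xAA64: "aarch64"}


def pe_signature_info(data: bytes) -> dict:
    """Parse DOS/PE/optional headers and describe the certificate table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+ (x86_64 / aarch64 EFI binaries)
        pe32plus, dirs_off = True, opt + 112
    elif magic == 0x10B:        # PE32
        pe32plus, dirs_off = False, opt + 96
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    info = {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "pe32plus": pe32plus, "cert_offset": 0, "cert_size": 0,
            "signed": False, "cert_type": None}
    entry = dirs_off + CERT_TABLE_INDEX * 8
    if num_dirs <= CERT_TABLE_INDEX or entry + 8 > opt + opt_size:
        return info                     # image declares no such directory
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    info.update(cert_offset=cert_off, cert_size=cert_size)
    if cert_size == 0:
        return info
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    info.update(signed=True, cert_type=cert_type, cert_length=dw_length)
    return info


def build_fake_pe32plus(signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image for demonstration (not bootable).

    With a non-empty `signature`, a WIN_CERTIFICATE wrapping it is appended
    and the Certificate Table entry is pointed at it, as sbsign would do.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8             # PE32+ fields + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    body = b"\0" * 64                   # stand-in for section data
    cert_off = e_lfanew + 4 + 20 + opt_size + len(body)
    cert = b""
    if signature:
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
    dirs = [(0, 0)] * 16
    if cert:
        dirs[CERT_TABLE_INDEX] = (cert_off, len(cert))
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    for off, size in dirs:
        opt += struct.pack("<II", off, size)
    return dos + b"PE\0\0" + coff + opt + body + cert


def check_file(path: str) -> dict:
    """Read a real EFI binary from disk and report its certificate table."""
    with open(path, "rb") as fh:
        return pe_signature_info(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_file(sys.argv[1]))
    else:
        print("unsigned sample:", pe_signature_info(build_fake_pe32plus()))
        print("signed sample:  ", pe_signature_info(
            build_fake_pe32plus(b"\x30\x82placeholder-pkcs7")))
```

Run it with the path to the copied grubx64.efi: `signed: False` means the sbsign output never reached the ESP (or the copy was overwritten), which is worth ruling out before touching the MOK list. One caveat the check cannot cover: the Authenticode signature covers only grubx64.efi itself, so modules GRUB later loads from /boot/grub, such as normal.mod, are outside it; Secure Boot builds of GRUB therefore embed the needed modules into one signed image (grub-mkimage or grub-mkstandalone) rather than loading them from disk.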