On Thu, 2021-03-25 at 00:16 +0000, Oliver, Dario N wrote:
> Hi Lukasz,
> 
> I am having some problems getting that custom grub running with Secure Boot.
> I am using a Hyper-V VM with Fedora 33 to test this, after having to 
> reinstall the OS twice on my NUC.
> I guess the end result will be the same in the VM and the NUC without TXT 
> support.
> 
> My build instructions for grub are represented in the following Dockerfile:
> 
> FROM fedora:33
> RUN dnf install -y git autoconf automake gettext-devel bison \
>                    findutils pkgconf-pkg-config python-unversioned-command \
>                    patch git-merge-changelog gcc flex
> RUN git clone https://git.savannah.gnu.org/git/grub.git
> WORKDIR grub
> RUN ./bootstrap && ./configure --with-platform=efi --target=x86_64 && make
> 
> Then, the process I follow to install it in my VM is:
> 
> grub-install --efi-directory=/boot/efi
> /usr/local/sbin/grub-mkconfig -o /boot/grub/grub.cfg
> 
> After this, if I disable secure boot on the VM, my custom grub (in 
> /boot/efi/EFI/grub/grubx64.efi) gets called in the boot chain.
> But if I enable secure boot, the default fedora bootloader is called 
> (/boot/efi/EFI/fedora/grubx64.efi) 
> To sign my custom grub, I am using the following (I know that it works for 
> kernels, not sure for grub):
> 
> dnf install -y sbsigntools
> cat > openssl.cnf << EOF
> [ req ]
> distinguished_name      = req_distinguished_name
> x509_extensions         = v3
> string_mask             = utf8only
> prompt                  = no
> [ req_distinguished_name ]
> countryName             = US
> stateOrProvinceName     = OR
> localityName            = Hillsboro
> 0.organizationName      = Organization
> commonName              = Secure Boot Signing
> emailAddress            = secureb...@test.com
> [ v3 ]
> subjectKeyIdentifier    = hash
> authorityKeyIdentifier  = keyid:always,issuer
> basicConstraints        = critical,CA:FALSE
> extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
> nsComment               = "OpenSSL Generated Certificate"
> EOF
> openssl req -config ./openssl.cnf \
>         -new -x509 -newkey rsa:2048 \
>         -nodes -days 3650 -outform DER \
>         -keyout MOK.key \
>         -out MOK.der
> openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
> sbsign --key MOK.key --cert MOK.pem \
>        --output ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
> cp ./grubx64.efi /boot/efi/EFI/grub/grubx64.efi
> mokutil --import MOK.der
> 
> After the reboot, I do MOK Management to import the key.
> But the system keeps booting with the /boot/efi/EFI/grub/grubx64.efi instead 
> of my custom one.
> 
> Just to see what happens, I replaced the fedora bootloader with my custom 
> one, and I got the following error:
> 
> error: verification requested but nobody cares: 
> (hd0,gpt2)/grub/x86_64-efi/normal.mod
> Entering rescue mode
> grub rescue>
> 
> Any hints on what is happening? 

Looks like you did everything correctly. I am not quite sure how grub-
install works; if it copies GRUB modules as standalone files you may
have to sign them too. Please try to install GRUB using the grub-mkimage
command. That allows including all required modules in the GRUB binary;
here is an example usage:

./grub-mkimage -d grub-core -O x86_64-efi -o grubx64.efi -p "/EFI/BOOT" \
    echo all_video boot btrfs cat chain configfile echo efifwsetup efinet \
    ext2 fat font gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg loadenv lvm \
    mdraid09 mdraid1x minicmd normal part_apple part_msdos part_gpt \
    password_pbkdf2 png reboot search search_fs_uuid search_fs_file \
    search_label sleep syslinuxcfg test tftp regexp video xfs relocator \
    multiboot2 linux efinet tftp serial shim_lock multiboot

As a result you will get a grubx64.efi file that you can sign and copy to
the /boot partition, replacing Fedora's GRUB.

I have prepared a demo for you with GRUB and TBOOT that should work on
Secure Boot enabled systems [1]. You can copy all files to any USB stick
and try to boot your NUC from it. Of course you will have to add the key
to the MOK database. You can use the mmx64.efi tool for that; the key that
was used to sign the binaries from the demo is also included.

[1] https://cloud.hawrylko.pl/s/gVD4pFQehDaNmbp

Lukasz
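A quick way to confirm whether a given grubx64.efi actually carries an embedded Authenticode signature (the certificate table that sbsign writes) before copying it over the firmware-visible path. This is an added example, not code from either poster or from GRUB; it parses the PE/COFF data-directory layout directly, and the sample image it builds is a constructed stub, not a real bootloader:

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the PE data directories

def certificate_table(data: bytes):
    """Return (file_offset, size) of the PE Authenticode certificate table,
    or None when the image has no embedded signature (i.e. was never sbsign'ed)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                        # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 data-directory offset
    off, size = struct.unpack_from("<II", data, dirs + 8 * CERT_TABLE_INDEX)
    return (off, size) if size else None           # for this entry the "RVA" is a raw file offset

def list_signatures(data: bytes):
    """Walk the 8-byte-aligned WIN_CERTIFICATE entries and return
    [(revision, cert_type, blob_length), ...]; an empty list means unsigned."""
    table = certificate_table(data)
    if table is None:
        return []
    off, size = table
    end, found = off + size, []
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        found.append((rev, ctype, length - 8))    # 0x0200 / 0x0002 = PKCS#7 SignedData
        off += (length + 7) & ~7
    return found

def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ stub for testing; not bootable, not a real GRUB."""
    opt_size = 112 + 16 * 8                        # PE32+ fixed part + 16 data directories
    cert_off, blob = 0x150, b"constructed PKCS#7 placeholder"
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[CERT_TABLE_INDEX] = (cert_off, (8 + len(blob) + 7) & ~7)
    opt = struct.pack("<H", 0x20B) + bytes(110) + b"".join(struct.pack("<II", *d) for d in dirs)
    img = dos + b"PE\0\0" + coff + opt
    if signed:
        img += bytes(cert_off - len(img))
        img += struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        img += bytes((8 - len(img) % 8) % 8)       # pad table to 8-byte boundary
    return img
```

Against a real file, `list_signatures(open("/boot/efi/EFI/grub/grubx64.efi", "rb").read())` returning `[]` means the binary in the boot path is the unsigned one; `sbverify --list` gives the same answer with the signer details.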



_______________________________________________
tboot-devel mailing list
tboot-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tboot-devel