No, the scheme is different. You don't need to sign any RPM with Microsoft, only EFI binaries are signed.
Unfortunately, it's all quite costly, but if you want users to avoid any manual steps, it's the only way. :-( (Except for using the compiled and signed binaries of shim and grub2 from some other vendor, of course.)
In short, the steps are the following:
1) You need to purchase an Extended Validation key from one of the MS partners (we got one from DigiCert). This is the only step that requires payment, but the key is only purchased for a limited time (1-3 years) and has to be purchased again after expiration.
2) Extract the public certificate from the EV token you receive and save it into a file.
3) Build shim with the VENDOR_CERT_FILE variable pointing to the certificate file - this way it will be compiled into the shim binary.
4) Register at MS and perform the procedure for signing the shim EFI binary (the steps for the signing request are described on the corresponding MS portal).
After MS approves and sends you the signed shim, you can use it for building a Secure Boot compatible distro. To implement it:
1) Rename the MS-signed shim binary to BOOTx64.efi.
2) When you build grub2-efi, make sure its EFI binaries are signed with your EV key (the same key whose certificate was compiled into the shim).
3) Build the distro iso using shim named BOOTx64.efi and grub2 named grubx64.efi (the "grubx64.efi" filename is built into shim, but can be changed during compilation). If you decide to also implement 32-bit UEFI support, the names should be BOOTIA32.efi and grubia32.efi, respectively.
4) When installing the system, make sure shim and grub2 are installed into the EFI partition, and the UEFI boot record points to the shim binary.
You can take a look at how we build shim in ROSA:
https://abf.rosalinux.ru/import/shim-unsigned/tree/rosa2014.1
It is called "unsigned", meaning it's not signed by Microsoft (but signed by ROSA).
Ignore the %auto_sign macro in the spec, it's our private implementation for automatic signing of EFI files before packaging them into RPM.
After we received the signed shim, we simply repackaged it as a binary blob:
https://abf.rosalinux.ru/import/shim/tree/rosa2014.1
If you have questions on any specific step, please feel free to ask for further details.
> Hi Konstantin, can you please share with us your knowledge how to do this properly? From what I know and understood, first I have to sign the shim rpm with the M$ certificate, then build the final shim with the previously signed shim, but this time with "our" certificate, am I right?
>
> 2015-09-11 13:43 GMT+02:00 Konstantin Vlasov <[email protected]>:
>> Hi, Tomasz. For that you'll have to sign shim with Microsoft. It contains the built-in certificate for your key (which will be considered trusted), and therefore you cannot use existing shims from another vendor, you need to recompile it to include the correct certificate.
>>
>> --
>> Bye. With best regards,
>> Konstantin Vlasov.
--
Bye. With best regards,
Konstantin Vlasov.
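The two-phase procedure described in the mail above, as an added shell script (not code from the mail, from ROSA's shim packages, or from the shim project): it converts the EV certificate to the DER form VENDOR_CERT_FILE expects, builds shim with it, signs grub's EFI binary with the same key, and lays out and checks the EFI/BOOT names shim looks for on x64 and ia32. The file names vendor.pem/vendor.key, the shim-src/ directory and the use of sbsigntools (sbsign/sbverify) are assumptions; the Microsoft portal signing step remains manual.

```shell
#!/bin/sh
# Added example, not from the mail or ROSA's shim packages. Scripts the two
# phases described above; Microsoft's portal signing is a manual step.
# Assumptions: vendor.pem/vendor.key exported from the EV token, shim sources
# in shim-src/, sbsigntools (sbsign/sbverify) and openssl installed.
set -eu

# File names shim looks for per UEFI architecture: the removable-media
# fallback loader (where the MS-signed shim goes) and the second-stage name
# compiled into shim (where the vendor-signed grub goes).
efi_names() {   # efi_names x64|ia32  -> "BOOTx64.efi grubx64.efi"
    case "$1" in
        x64)  echo "BOOTx64.efi grubx64.efi" ;;
        ia32) echo "BOOTIA32.efi grubia32.efi" ;;
        *)    echo "unsupported UEFI arch: $1" >&2; return 1 ;;
    esac
}

# Phase 1, step 2: VENDOR_CERT_FILE must be the DER (binary) form of the
# vendor certificate, so convert the PEM exported from the token.
pem_to_der() {   # pem_to_der vendor.pem vendor.der
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Phase 1, step 3: compile the vendor certificate into shim. The resulting
# shimx64.efi is what gets uploaded to the MS portal (step 4, manual).
build_shim() {   # build_shim shim-src/ vendor.der
    make -C "$1" VENDOR_CERT_FILE="$(realpath "$2")"
}

# Phase 2, step 2: sign grub with the EV key whose certificate is inside
# shim, then verify the signature against that certificate before shipping.
sign_efi() {     # sign_efi vendor.key vendor.pem in.efi out.efi
    sbsign --key "$1" --cert "$2" --output "$4" "$3"
    sbverify --cert "$2" "$4"
}

# Phase 2, steps 1 and 3: place the MS-signed shim and the vendor-signed grub
# under EFI/BOOT with the names shim expects for the given architecture.
layout_esp() {   # layout_esp esp-dir x64|ia32 ms-signed-shim.efi signed-grub.efi
    esp=$1; arch=$2; shim_bin=$3; grub_bin=$4
    names=$(efi_names "$arch") || return 1
    set -- $names                      # $1 = shim name, $2 = grub name
    mkdir -p "$esp/EFI/BOOT"
    cp "$shim_bin" "$esp/EFI/BOOT/$1"  # MS-signed shim renamed to BOOT<arch>.efi
    cp "$grub_bin" "$esp/EFI/BOOT/$2"  # vendor-signed grub as grub<arch>.efi
}

# Phase 2, step 4 sanity check: both loaders present under the expected names;
# with a certificate and sbverify available, also confirm grub is signed by
# the key shim trusts.
check_esp_layout() {   # check_esp_layout esp-dir x64|ia32 [vendor.pem]
    esp=$1; arch=$2; cert=${3:-}
    names=$(efi_names "$arch") || return 1
    for f in $names; do
        [ -f "$esp/EFI/BOOT/$f" ] || { echo "missing $esp/EFI/BOOT/$f" >&2; return 1; }
    done
    if [ -n "$cert" ] && command -v sbverify >/dev/null 2>&1; then
        set -- $names
        sbverify --cert "$cert" "$esp/EFI/BOOT/$2" || return 1
    fi
}

# Phase 1 plus the grub signing of phase 2; the ESP layout waits for the
# MS-signed shim to come back.
main() {   # main vendor.pem vendor.key shim-src/ grubx64.efi out-dir
    mkdir -p "$5"
    pem_to_der "$1" "$5/vendor.der"
    build_shim "$3" "$5/vendor.der"
    sign_efi "$2" "$1" "$4" "$5/grubx64.efi.signed"
    echo "Upload $3/shimx64.efi to the MS portal; when the signed shim returns, run:"
    echo "  layout_esp <esp-dir> x64 <ms-signed-shim> $5/grubx64.efi.signed"
}
if [ "${1:-}" = "--run" ]; then shift; main "$@"; fi
```

Invoke as `sh shim-pipeline.sh --run vendor.pem vendor.key shim-src/ grubx64.efi out/`; without `--run` the file only defines the functions, so it can be sourced from a larger build script. The sbverify call in sign_efi and check_esp_layout is the cheap local check that the grub binary really carries a signature chaining to the certificate compiled into shim, which is the mismatch that otherwise only shows up as a boot failure on a Secure Boot machine.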
_______________________________________________
OM-Cooker mailing list
[email protected]
http://ml.openmandriva.org/listinfo.cgi/om-cooker-openmandriva.org
