Thanks Konstantin, I did not know that this procedure was this complicated, especially the topic of buying a certificate.
I think I'll go with shim signed by the OMV key for a start.

On 11 Sep 2015 16:12, "Konstantin Vlasov" <[email protected]> wrote:

> Hi, Tomasz.
>
> No, the scheme is different. You don't need to sign any RPM with
> Microsoft, only EFI binaries are signed.
> Unfortunately, it's all quite costly, but if you want users to avoid any
> manual steps, it's the only way. :-( (Except for using the compiled and
> signed binaries of shim and grub2 from some other vendor, of course.)
>
> In short, the steps are the following:
> 1) You need to purchase an Extended Validation key from one of the MS
> partners (we got one from DigiCert). This is the only step that requires
> payment, but the key is only purchased for a limited time (1-3 years) and has
> to be purchased again after expiration.
> 2) Extract the public certificate from the EV token you receive and save
> it into a file.
> 3) Build shim with the VENDOR_CERT_FILE variable pointing to the certificate
> file - this way it will be compiled into the shim binary.
> 4) Register at MS and perform the procedure for signing the shim EFI
> binary (the steps for the signing request are described on the corresponding
> MS portal).
>
> After MS approves and sends you the signed shim, you can use it for
> building a Secure Boot compatible distro. To implement it:
> 1) Rename the MS-signed shim binary to BOOTx64.efi.
> 2) When you build grub2-efi, make sure its EFI binaries are signed with
> your EV key (the same one whose certificate was compiled into the shim).
> 3) Build the distro ISO using shim named BOOTx64.efi, and grub2 named
> grubx64.efi (the "grubx64.efi" filename is built into shim, but can be
> changed during compilation). If you decide to also implement 32-bit UEFI
> support, the names should be BOOTIA32.efi and grubia32.efi, respectively.
> 4) When installing the system, make sure shim and grub2 are installed into
> the EFI partition, and the UEFI boot record points to the shim binary.
>
> You can take a look at how we build shim in ROSA:
> https://abf.rosalinux.ru/import/shim-unsigned/tree/rosa2014.1
> It is called "unsigned", meaning it's not signed by Microsoft (but signed
> by ROSA).
> Ignore the %auto_sign macro in the spec, it's our private implementation
> for automatic signing of EFI files before packaging them into RPM.
>
> After we received the signed shim, we simply repackaged it as a binary blob:
> https://abf.rosalinux.ru/import/shim/tree/rosa2014.1
>
> If you have questions on any specific step, please feel free to ask for
> further details.
>
> > Hi Konstantin,
> >
> > can you please share with us your knowledge of how to do this properly?
> >
> > From what I know and understood, first I have to sign the shim RPM with
> > the M$ certificate, then build the final shim with the previously signed
> > shim, but this time with "our" certificate, am I right?
> >
> > 2015-09-11 13:43 GMT+02:00 Konstantin Vlasov <[email protected]>:
> >
> > > Hi, Tomasz.
> > >
> > > For that you'll have to sign shim with Microsoft. It contains the built-in
> > > certificate for your key (which will be considered trusted), and therefore
> > > you cannot use existing shims from another vendor, you need to recompile it
> > > to include the correct certificate.
> > >
> > > > 2015-09-11 11:44 GMT+02:00 Bernhard Rosenkraenzer <[email protected]>:
> > > >
> > > > > Btw, what use is signing this stuff? I don't presume we have access to a
> > > > > generally accepted signing key?
> > > > > ttyl
> > > > > bero
> > > >
> > > > There are people who do not know how to disable Secure Boot, which by
> > > > default is enabled.
> > > > So basically those people who burned the OMDV ISO image simply gave up.
> > > >
> > > > I think we can sign EFI images with our own key with the use of shim.
> > >
> > > --
> > > Bye. With best regards,
> > > Konstantin Vlasov.
>
> --
> Bye. With best regards,
> Konstantin Vlasov.
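An added example (not code from the thread or from the ROSA/OpenMandriva packages) of the two mechanical parts of the procedure Konstantin describes: signing grub2's EFI binary with the vendor EV key whose certificate was compiled into shim, and checking that the EFI partition carries the file names shim expects for each architecture. It assumes sbsigntools (sbsign/sbverify) is installed and that the key and certificate are PEM files; those paths and the function names are my own.

```shell
#!/bin/sh
# Sign grub with the vendor key and check the EFI partition layout
# described in the thread. Not part of the original mail; assumes
# sbsign/sbverify (sbsigntools) are installed for the signing step.
set -eu

# Shim looks for a fixed grub file name per EFI architecture; the boot
# manager looks for BOOT<arch>.efi. Echo the pair for "x64" or "ia32".
efi_names() {
  case "$1" in
    x64)  echo "BOOTx64.efi grubx64.efi" ;;
    ia32) echo "BOOTIA32.efi grubia32.efi" ;;
    *)    return 1 ;;
  esac
}

# Sign a grub EFI binary with the EV key (key.pem/cert.pem are assumed
# file names), then verify the result against the same certificate that
# was built into shim via VENDOR_CERT_FILE.
sign_grub() {  # sign_grub <grub.efi> <out.efi> <key.pem> <cert.pem>
  sbsign --key "$3" --cert "$4" --output "$2" "$1"
  sbverify --cert "$4" "$2"
}

# Check that an EFI partition (or staging dir) has the shim + grub pair
# for every architecture listed. Returns 1 and names each missing file.
check_esp_layout() {  # check_esp_layout <esp_dir> <arch>...
  dir="$1"; shift
  rc=0
  for arch in "$@"; do
    names=$(efi_names "$arch") || { echo "unknown arch: $arch" >&2; return 1; }
    for f in $names; do
      if [ ! -f "$dir/EFI/BOOT/$f" ]; then
        echo "missing: EFI/BOOT/$f" >&2
        rc=1
      fi
    done
  done
  return $rc
}
```

Run `check_esp_layout /mnt/esp x64 ia32` against the mounted EFI partition after installation; a non-zero exit means a file shim or the firmware will look for is absent.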
_______________________________________________
OM-Cooker mailing list
[email protected]
http://ml.openmandriva.org/listinfo.cgi/om-cooker-openmandriva.org
