Title: Re[6]: [OM Cooker] EFI secure boot
Hi, Tomasz.

You are welcome.

But keep in mind that OMV signed shim will not be accepted by Secure Boot. The certificate used for signing shim must be present in UEFI database, that means either platform vendor (BIOS or motherboard developer), or any other vendor cross-certified by them. The only "universal" one (present and cross-signed on all or almost all platforms) is Microsoft.

However, you can use the MOK database approach.
Advantages:
a) costless;
b) quick (does not require long interaction with DigiCert and Microsoft).
Drawbacks:
a) you will have to use shim and MokManager EFI binaries built outside of OMV (but Grub2 still can be built in your repos and signed by OMV);
b) each user will have to go through manual steps to add the OMV certificate into the trusted list.

Generally, it looks like this. You need to get any MS-signed shim (it may not contain the OMV certificate), and also the MokManager EFI binary which is trusted by this particular shim (that is, MokManager must be signed either by the MS certificate, or by the certificate which is built into shim). UEFI will boot shim (because it's MS signed and therefore trusted), shim will try to boot Grub, but initially will fail (because it's signed by OMV and not trusted yet), and fall back to MokManager (which is properly signed and trusted). MokManager will display a simple text-based interface to the user, where it will be possible to explicitly trust-mark either the OMV certificate (if you include it in the iso), or a specific EFI binary (grubx64.efi). Next time the computer reboots, shim will successfully load grub2. Of course, it is preferable to add the certificate into MOK instead of the file, because this way it will continue to work when Grub2 updates (otherwise each new updated version of the EFI binary will have to be added to MOK manually).

Thanks Konstantin, I did not know that this procedure is this complicated, especially the topic of buying a certificate.
I think I'll go with shim signed by OMV key for a start.
On 11 Sep 2015 16:12, "Konstantin Vlasov" <[email protected]> wrote:
Hi, Tomasz.

No, the scheme is different. You don't need to sign any RPM with Microsoft, only EFI binaries are signed.
Unfortunately, it's all quite costly, but if you want users to avoid any manual steps, it's the only way. :-( (Except for using the compiled and signed binaries of shim and grub2 from some other vendor, of course.)

In short, the steps are the following:
1) You need to purchase an Extended Validation key from one of the MS partners (we got one from DigiCert). This is the only step that requires payment, but the key is only purchased for a limited time (1-3 years) and has to be purchased again after expiration.
2) Extract the public certificate from the EV token you receive and save it into a file.
3) Build shim with VENDOR_CERT_FILE variable pointing to the certificate file - this way it will be compiled into the shim binary.
4) Register at MS and perform the procedure for signing the shim EFI binary (the steps for signing request are described on the corresponding MS portal).

After MS approves and sends you the signed shim, you can use it for building a Secure Boot compatible distro. To implement it:
1) Rename the MS signed shim binary to BOOTx64.efi.
2) When you build grub2-efi, make sure its EFI binaries are signed with your EV key (the same key whose certificate was compiled into the shim).
3) Build the distro iso using shim named BOOTx64.efi, and grub2 named grubx64.efi (the "grubx64.efi" filename is built into shim, but can be changed during compilation). If you decide to also implement 32-bit UEFI support, the names should be BOOTIA32.efi and grubia32.efi, respectively.
4) When installing the system, make sure shim and grub2 are installed into the EFI partition, and the UEFI boot record points to the shim binary.

You can take a look at how we build shim in ROSA:
https://abf.rosalinux.ru/import/shim-unsigned/tree/rosa2014.1
It is called "unsigned", meaning it's not signed by Microsoft (but it is signed by ROSA).
Ignore the %auto_sign macro in the spec, it's our private implementation for automatic signing of EFI files before packaging them into RPM.

After we received the signed shim, we simply repackaged it as binary blob:
https://abf.rosalinux.ru/import/shim/tree/rosa2014.1

If you have questions on any specific step, please, feel free to ask for further details.
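The signing and ESP layout steps described above, plus the MOK certificate enrolment from the later mail, written out as shell functions. This is an added example, not code from this thread, from ROSA or from OMV; it assumes a shim source checkout, the vendor certificate as vendor.pem with its private key as vendor.key, and that openssl, sbsigntools (sbsign/sbverify) and mokutil are installed.

```shell
# Added example (not from the thread, nor ROSA/OMV code): the signing and
# ESP layout steps from the mail above, as shell functions. Assumed inputs:
# vendor.pem (public certificate of the EV key) and vendor.key (its private
# key; in practice it lives on the token). Needs openssl, sbsigntools, mokutil.
set -eu

# Step 2: shim embeds the certificate in DER form, so convert from PEM.
vendor_cert_der() {   # usage: vendor_cert_der vendor.pem vendor.der
  openssl x509 -in "$1" -outform DER -out "$2"
}

# Step 3: build shim with the vendor certificate compiled in.
build_shim() {        # usage: build_shim /path/to/shim-src vendor.der
  make -C "$1" VENDOR_CERT_FILE="$(realpath "$2")"
}

# Sign grub (or any EFI binary) with the vendor key; shim trusts it because
# the matching certificate is built in. Verification fails fast on mismatch.
sign_efi() {          # usage: sign_efi grubx64.efi vendor.key vendor.pem
  sbsign --key "$2" --cert "$3" --output "$1.signed" "$1"
  mv "$1.signed" "$1"
  sbverify --cert "$3" "$1"
}

# Names shim expects: BOOTx64.efi loads grubx64.efi, BOOTIA32.efi loads
# grubia32.efi (the grub name is fixed when shim is compiled).
efi_names() {         # usage: efi_names x64|ia32  -> "<shim name> <grub name>"
  case "$1" in
    x64)  echo "BOOTx64.efi grubx64.efi" ;;
    ia32) echo "BOOTIA32.efi grubia32.efi" ;;
    *)    echo "unsupported EFI arch: $1" >&2; return 1 ;;
  esac
}

# Place the MS-signed shim and the vendor-signed grub under EFI/BOOT.
layout_esp() {        # usage: layout_esp ESP_DIR x64|ia32 shim.efi grub.efi
  names=$(efi_names "$2") || return 1
  shim_name=${names%% *}
  grub_name=${names##* }
  mkdir -p "$1/EFI/BOOT"
  cp "$3" "$1/EFI/BOOT/$shim_name"
  cp "$4" "$1/EFI/BOOT/$grub_name"
}

# MOK alternative (Konstantin's later mail): enrol the vendor certificate,
# not a per-file hash, so future grub builds stay trusted. MokManager asks
# for the one-time password at the next boot.
enrol_mok_cert() {    # usage: enrol_mok_cert vendor.der
  mokutil --import "$1"
}
```

Only layout_esp and efi_names run without the external tools; the signing and build functions need the real key, certificate and shim sources.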



Hi Konstantin,

can you please share with us your knowledge of how to do this properly?

From what I know and understood, first I have to sign the shim rpm with the M$ certificate, then build the final shim with the previously signed shim but this time with "our" certificate, am I right?

2015-09-11 13:43 GMT+02:00 Konstantin Vlasov <[email protected]>:
Hi, Tomasz.

For that you'll have to sign shim with Microsoft. It contains the built-in certificate for your key (which will be considered trusted), and therefore you cannot use existing shims from another vendor, you need to recompile it to include the correct certificate.

2015-09-11 11:44 GMT+02:00 Bernhard Rosenkraenzer <[email protected]>:
Btw, what use is signing this stuff? I don't presume we have access to a generally accepted signing key?
ttyl
bero

There are people who do not know how to disable secure boot, which is enabled by default.
So basically those people who burned the OMDV iso image simply gave up.

I think we can sign efi images with our own key with the use of shim.

-- 
Bye.                                    With best regards,
                                        Konstantin Vlasov.

_______________________________________________
OM-Cooker mailing list
[email protected]
http://ml.openmandriva.org/listinfo.cgi/om-cooker-openmandriva.org