Hi All,

I don't know how valid this information is but it may be worth checking out.

http://www.linuxfoundation.org/news-media/blogs/browse/2012/10/linux-foundation-uefi-secure-boot-system-open-source
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

Best
Colin
On Friday 11 Sep 2015 21:46:26 Konstantin Vlasov wrote:
> Hi, Tomasz.
>
> You are welcome.
>
> But keep in mind that OMV signed shim will not be accepted by Secure Boot.
> The certificate used for signing shim must be present in UEFI database, that
> means either platform vendor (BIOS or motherboard developer), or any other
> vendor cross-certified by them. The only "universal" one (present and
> cross-signed on all or almost all platforms) is Microsoft.
>
> However, you can use the MOK database approach.
> Advantages:
> a) costless;
> b) quick (does not require long interaction with DigiCert and Microsoft).
> Drawbacks:
> a) you will have to use shim and MokManager EFI binaries built outside of OMV
> (but Grub2 still can be built in your repos and signed by OMV);
> b) each user will have to go through manual steps to add the OMV certificate
> into the trusted list.
>
> Generally, it looks like this. You need to get any MS-signed shim (it may not
> contain the OMV certificate), and also the MokManager EFI binary which is
> trusted by this particular shim (that is, MokManager must be signed either by
> MS certificate, or by the certificate which is built-in with shim). UEFI will
> boot shim (because it's MS signed and therefore trusted), shim will try to
> boot Grub, but initially will fail (because it's signed by OMV and not
> trusted yet), and fall back to MokManager (which is properly signed and
> trusted). MokManager will display a simple text-based interface to the user,
> where it will be possible to explicitly trust-mark either the OMV certificate
> (if you include it in the iso), or a specific EFI binary (grubx64.efi). Next
> time the computer reboots, shim will successfully load grub2. Of course, it is
> preferable to add the certificate into MOK instead of the file, because this
> way it will continue to work when Grub2 updates (otherwise each new updated
> version of the EFI binary will have to be added to MOK manually).
>
> Thanks Konstantin, I did not know that this procedure is this complicated,
> especially the topic of buying a certificate.
> I think I'll go with shim signed by OMV key for a start.
>
> On 11 Sep 2015 16:12, "Konstantin Vlasov" <[email protected]> wrote:
> Hi, Tomasz.
>
> No, the scheme is different. You don't need to sign any RPM with Microsoft,
> only EFI binaries are signed.
> Unfortunately, it's all quite costly, but if you want users to avoid any
> manual steps, it's the only way. :-( (Except for using the compiled and
> signed binaries of shim and grub2 from some other vendor, of course.)
>
> In short, the steps are the following:
> 1) You need to purchase an Extended Validation key from one of the MS
> partners (we got one from DigiCert). This is the only step that requires
> payment, but the key is only purchased for a limited time (1-3 years) and has
> to be purchased again after expiration.
> 2) Extract the public certificate from the EV token you receive and save it
> into a file.
> 3) Build shim with the VENDOR_CERT_FILE variable pointing to the certificate
> file - this way it will be compiled into the shim binary.
> 4) Register at MS and perform the procedure for signing the shim EFI binary
> (the steps for the signing request are described on the corresponding MS
> portal).
>
> After MS approves and sends you the signed shim, you can now use it for
> building a Secure Boot compatible distro. To implement it:
> 1) Rename the MS signed shim binary into BOOTx64.efi.
> 2) When you build grub2-efi, make sure its EFI binaries are signed with your
> EV key (the same one whose certificate was compiled into the shim).
> 3) Build the distro iso using shim named BOOTx64.efi, and grub2 named
> grubx64.efi (the "grubx64.efi" filename is built into shim, but can be
> changed during compilation). If you decide to also implement 32-bit UEFI
> support, the names should be BOOTIA32.efi and grubia32.efi, respectively.
> 4) When installing the system, make sure shim and grub2 are installed into
> the EFI partition, and the UEFI boot record points to the shim binary.
>
> You can take a look at how we build shim in ROSA:
> https://abf.rosalinux.ru/import/shim-unsigned/tree/rosa2014.1
> It is called "unsigned", meaning it's not signed by Microsoft (but signed by
> ROSA).
> Ignore the %auto_sign macro in the spec, it's our private implementation for
> automatic signing of EFI files before packaging them into RPM.
>
> After we received the signed shim, we simply repackaged it as a binary blob:
> https://abf.rosalinux.ru/import/shim/tree/rosa2014.1
>
> If you have questions on any specific step, please feel free to ask for
> further details.
>
> Hi Konstantin,
>
> can you please share with us your knowledge of how to do this properly?
>
> From what I know and understood, first I have to sign the shim rpm with the
> M$ certificate, then build the final shim with the previously signed shim but
> this time with "our" certificate, am I right?
>
> 2015-09-11 13:43 GMT+02:00 Konstantin Vlasov <[email protected]>:
> Hi, Tomasz.
>
> For that you'll have to sign shim with Microsoft. It contains the built-in
> certificate for your key (which will be considered trusted), and therefore
> you cannot use existing shims from another vendor, you need to recompile it
> to include the correct certificate.
>
> 2015-09-11 11:44 GMT+02:00 Bernhard Rosenkraenzer <[email protected]>:
> Btw, what use is signing this stuff? I don't presume we have access to a
> generally accepted signing key?
> ttyl
> bero
>
> There are people who do not know how to disable secure boot, which by
> default is enabled.
> So basically those people who burned the OMDV iso image simply gave up.
>
> I think we can sign efi images with our own key with the use of shim.
>
> --
> Bye. With best regards,
> Konstantin Vlasov.
> _______________________________________________
> OM-Cooker mailing list
> [email protected]
> http://ml.openmandriva.org/listinfo.cgi/om-cooker-openmandriva.org
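An added example, not code from the thread, ROSA or OMV: a dependency-free check that an EFI binary (shim, grubx64.efi, MokManager) actually carries an embedded Authenticode signature table, the kind of guard a packaging step like the %auto_sign macro mentioned above could run before building the RPM or ISO. It only detects that a signature is present, not that it chains to the vendor certificate (sbverify or pesign do that); the sample image is constructed inside the block.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: index of the Authenticode entry among the
# PE data directories. Its first field is a raw file offset, not an RVA.
SECURITY_DIR_INDEX = 4

def pe_security_directory(data):
    """Return (file_offset, size) of the signature table, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                       # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32 (32-bit UEFI, grubia32.efi)
        dirs, count_at = opt + 96, opt + 92
    elif magic == 0x20B:                          # PE32+ (x86-64 UEFI, grubx64.efi)
        dirs, count_at = opt + 112, opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, count_at)[0] <= SECURITY_DIR_INDEX:
        return None                               # too few directories: cannot be signed
    off, size = struct.unpack_from("<II", data, dirs + SECURITY_DIR_INDEX * 8)
    if off == 0 or size == 0:
        return None                               # entry present but empty: unsigned
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    return off, size

def is_signed(path):
    """True if the EFI image at `path` embeds a signature table."""
    with open(path, "rb") as f:
        return pe_security_directory(f.read()) is not None

def build_sample_image(signed):
    """Constructed minimal PE32+ image (headers only, no code) for exercising the check."""
    dos = bytearray(b"MZ") + bytearray(62)        # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE header follows immediately
    opt = bytearray(112 + 16 * 8)                 # PE32+ optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)         # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)          # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2002)
    header_len = len(dos) + 4 + len(coff) + len(opt)
    sig = b"\0" * 16 if signed else b""           # placeholder blob, not a real WIN_CERTIFICATE
    if signed:
        struct.pack_into("<II", opt, 112 + SECURITY_DIR_INDEX * 8, header_len, len(sig))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sig
```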
