blob: 266d32328becf27d0526656ef6ae53e39323b79f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
Ticket: [[!tails_ticket 6560]]
[[!toc levels=2]]
# One possible plan
Goal: avoid the need to disable Secure Boot in the firmware
configuration. Tails should boot out-of-the-box with Secure Boot
enabled, without the user having to do _anything_ special about it.
Means: use the shim signed by Microsoft + GRUB2.
We don't support booting on a custom built kernel, so that should be
relatively easy.
Resources
=========
* Debian's [[!debwiki SecureBoot desc="Secure Boot support"]] will be
done for GRUB first, unclear if other bootloaders will be supported
- tracker bug: [[!debbug 820036]]
- shim is [[!debpts shim-signed desc="in Debian"]] (signed by the
Microsoft UEFI CA) but grub2-signed is not ([[!debbug 820050 desc="RFP bug"]]).
* How other distros do it:
- [Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot)
- [ArchLinux](https://wiki.archlinux.org/index.php/Secure_Boot)
- [Fedora](https://fedoraproject.org/wiki/Features/SecureBoot)
- [ALT Linux' SecureBoot mini HOWTO](http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO) and
[their](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-copy-efiboot;h=1ca6b0137c7488ae50540b027cf4a541074daba5;hb=HEAD)
[scripts](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-pack-isoboot;h=85ca988c6aab94e3c44e64519baf2231e39d8d24;hb=HEAD)
- [Ubuntu Privacy Remix](https://www.privacy-cd.org/)'s next release
(UPR 12.04r1) will support UEFI; a beta is available; they copied
the solution from Ubuntu 13.10 (beta): the shim bootloader and
a corresponding GRUB binary which passes secure boot. See their
[build script](https://www.privacy-cd.org/en/tutorials/build-your-own-cd/79).
* Matthew Garrett:
- [Handling UEFI Secure Boot in smaller distributions](http://mjg59.dreamwidth.org/17542.html)
- [Secure Boot bootloader for distributions available now](http://mjg59.dreamwidth.org/20303.html)
- [An overview of Fedora's Secure Boot implementation](http://mjg59.dreamwidth.org/18945.html)
- [Terse howto for getting a signed shim](http://mjg59.dreamwidth.org/20303.html?thread=783183#cmt783183)
* [Managing EFI Boot Loaders for Linux: Dealing with Secure Boot](http://www.rodsbooks.com/efi-bootloaders/secureboot.html), by Rod Smith
* GRUB 2.04 will support UEFI Secure Boot (currently every distro has
patches for that)
* [Booting a Self-signed Linux
Kernel](http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/),
by Greg Kroah-Hartman
* Linux Foundation's
[Making UEFI Secure Boot Work With Open Platforms](http://linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms)
* [Automating Secure Boot Testing](https://www.youtube.com/watch?v=qtyRR-KbXYQ):
how Red Hat does CI for Secure Boot (FOSDEM 2018)
|