summaryrefslogtreecommitdiffstats
path: root/wiki/src/blueprint/UEFI_Secure_boot.mdwn
blob: 1b246f3b2148cd8ac497dbcd05f20a73afb79bad (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
Ticket: [[!tails_ticket 6560]]

[[!toc levels=2]]

# One possible plan

Goal: avoid the need to disable Secure Boot in the firmware
configuration. Tails should boot out-of-the-box with Secure Boot
enabled, without the user having to do _anything_ special about it.

Means: use the shim signed by Microsoft + GRUB2.

We don't support booting on a custom built kernel, so that should be
relatively easy. Except:

* The kernel won't allow loading an unsigned `aufs` module so we need
  to migrate to `overlayfs` ([[!tails_ticket 8415]]).
* `overlayfs` does not allow stacking enough layers for our current
  upgrade system, so we need to [[!tails_ticket 15281 desc="stack one
  single SquashFS diff when upgrading"]].

Resources
=========

* Debian's [[!debwiki SecureBoot desc="Secure Boot support"]] will be
  done for GRUB first, unclear if other bootloaders will be supported
  - tracker bug: [[!debbug 820036]]
  - shim is [[!debpts shim-signed desc="in Debian"]] (signed by the
    Microsoft UEFI CA) but grub2-signed is not ([[!debbug 820050 desc="RFP bug"]]).
* How other distros do it:
  - [Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot)
  - [ArchLinux](https://wiki.archlinux.org/index.php/Secure_Boot)
  - [Fedora](https://fedoraproject.org/wiki/Features/SecureBoot)
  - [ALT Linux' SecureBoot mini HOWTO](http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO) and
    [their](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-copy-efiboot;h=1ca6b0137c7488ae50540b027cf4a541074daba5;hb=HEAD)
    [scripts](http://git.altlinux.org/people/mike/packages/?p=mkimage.git;a=blob;f=tools/mki-pack-isoboot;h=85ca988c6aab94e3c44e64519baf2231e39d8d24;hb=HEAD)
  - [Ubuntu Privacy Remix](https://www.privacy-cd.org/)'s next release
    (UPR 12.04r1) will support UEFI; a beta is available; they copied
    the solution from Ubuntu 13.10 (beta): the shim bootloader and
    a corresponding GRUB binary which passes secure boot. See their
    [build script](https://www.privacy-cd.org/en/tutorials/build-your-own-cd/79).
* Matthew Garrett:
  - [Handling UEFI Secure Boot in smaller distributions](http://mjg59.dreamwidth.org/17542.html)
  - [Secure Boot bootloader for distributions available now](http://mjg59.dreamwidth.org/20303.html)
  - [An overview of Fedora's Secure Boot implementation](http://mjg59.dreamwidth.org/18945.html)
  - [Terse howto for getting a signed shim](http://mjg59.dreamwidth.org/20303.html?thread=783183#cmt783183)
* [Managing EFI Boot Loaders for Linux: Dealing with Secure Boot](http://www.rodsbooks.com/efi-bootloaders/secureboot.html), by Rod Smith
* GRUB 2.04 will support UEFI Secure Boot (currently every distro has
  patches for that)
* [Booting a Self-signed Linux
  Kernel](http://www.kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/),
  by Greg Kroah-Hartman
* Linux Foundation's
  [Making UEFI Secure Boot Work With Open Platforms](http://linuxfoundation.org/publications/making-uefi-secure-boot-work-with-open-platforms)
* [Automating Secure Boot Testing](https://www.youtube.com/watch?v=qtyRR-KbXYQ):
  how Red Hat does CI for Secure Boot (FOSDEM 2018)