Talk:Secure Boot

From ArchWiki
Revision as of 05:53, 1 June 2016 by MountainX (talk | contribs) (added a resource for Pacman hook for signing bootloader and kernel)

Moving Secure Boot to a new page

Moved here from Talk:Unified Extensible Firmware Interface

Couldn't we create a new page regarding all the intricacies of secure boot and explaining all the possible options:

  1. Disable secure boot entirely
  2. Use the prebootloader as the stage 1 loader
  3. Create your own keys and take ownership of your system

The first two steps have already been discussed to a good extent, but the third one needs a little bit more explanation regarding creating the keys, updating them in the firmware, manually signing your EFI binaries etc, which would probably be long enough to deserve a page of its own. What do you guys think?? Hydracone (talk) 07:34, 3 January 2016 (UTC)

If you are willing to expand on that, possibly also linking to external references, you have my full support. If you're not sure whether the new content will be long enough, you can start simply with a new section in this article, and maybe splitting later. If splitting, of course all the secure boot info will have to be moved from this page, not simply duplicated. If you want to start immediately with a separate article, you can choose whether to use your User page (or a subpage) as a draft, or start editing on the already existing Secure Boot redirect, putting an instance of Template:Expansion at the top. — Kynikos (talk) 02:37, 4 January 2016 (UTC)
I have done the action. The page still needs some expansion and maybe a merge from Dual_boot_with_Windows#UEFI_Secure_Boot. --Fengchao (talk) 09:54, 24 February 2016 (UTC)

Enroll hash file name

I am a bit confused regarding the following lines:

  • In the HashTool main menu, select Enroll Hash, choose \loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz-efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.

  • In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD

There is no file vmlinuz-efi in the said directory, there is only efiboot.img. Then, the USB stick actually wants to boot from arch/boot/x86_64/vmlinuz. I am not sure which file I actually had to enroll, it was either archiso.img in that directory or the vmlinuz kernel image. In either case the instruction is not accurate. --Johannes Rohr (talk) 09:03, 5 February 2015 (UTC)

New "remove" section

I added this new section, review it, especially if all the mentioned commands are really needed.... Now I'd like to have the index at the start of the page but I don't know how to add it. Please point me to a guide about it.

—This unsigned comment is by NTia89 (talk) 11:29, 5 May 2016‎. Please sign your posts with ~~~~!

--nTia89 (talk) 15:28, 5 May 2016 (UTC)

The name of the section seems wrong, we are not actually removing Secure Boot, only some EFI applications from the ESP. Regarding the table of contents read Help:Editing#Headings and subheadings. –– nl6720talk 15:23, 5 May 2016 (UTC)
yes, you're right: we are removing files/what-else needed to use Secure Boot feature, so... maybe a title like `disable Secure Boot` is better. Let me know! --nTia89 (talk) 15:37, 5 May 2016 (UTC)
That would be even worse. I suggest "Removing PreLoader". –– nl6720talk 15:58, 5 May 2016 (UTC)
I disagree because Secure Boot is the goal, as the title of the archwiki page states and remembers. Preloader is `only` the tool that is used to achieve the goal, that is the handling of Secure Boot technology, feature. --nTia89 (talk) 16:04, 5 May 2016 (UTC)
My point is that nothing in that section removes (impossible without replacing the firmware) or disables [1] Secure Boot. –– nl6720talk 16:22, 5 May 2016 (UTC)
Yes, it simply misses "configuration". "Remove Secure Boot configuration of the installed system" is a little long, but describes better.
A question: The section goes about removing the tools, but obviously the most important step is to disable Secureboot in the EFI, otherwise the system won't boot. That should be added. And along with that: Turning off Secure Boot in EFI results in none of its checks being performed. Is there a need to perform any of the described steps in the section for the system to boot? Because if not, that should be mentioned. (The section to remove it is useful anyhow, if users want to change setup of boot configuration). --Indigo (talk) 17:16, 5 May 2016 (UTC)
oh yes, I was confused about disabling Secure Boot on EFI... this is the reason why I suggested my titles --nTia89 (talk) 09:24, 6 May 2016 (UTC)
so, What do you think about a title like `disabled Secure Boot` and the section starts `In order to don't use Secure Boot feature you have simply to disable it via EFI settings. If you follow the previous section in order to get Secure Boot working with your Arch Linux installation, you may want to remove those files and configuration and restoring original /boot situation and have it clean...` ???? --nTia89 (talk) 16:28, 6 May 2016 (UTC)

Separate pre-signed and self-signed

Currently the article solely focuses on the pre-signed PreLoader method. It lacks instructions for signing bootloaders and kernels with your own keys [2]. The current article may lead one to believe that using PreLoader is the only or best option to use Secure Boot. I think that there should be a top heading for each method. –– nl6720talk 16:12, 5 May 2016 (UTC)

+1. A section on own key setup would be great. This BBS thread has references too, then there is the GKH way - which is too much for this article, but contains a section on key creation which is very useful here. --Indigo (talk) 17:26, 5 May 2016 (UTC)
We can write this using Rod Smith's Dealing with Secure Boot & Controlling Secure Boot for inspiration (i.e. blatantly, shamelessly copying parts of them).
Better section names are needed, but here's my idea for the article structure:
  • Using a signed boot loader done
    • Booting archiso: (currently "Secure boot archiso") done
    • Set up PreLoader: (currently "Secure Boot in the installed system") done
    • Remove PreLoader: (currently "Remove Secure Boot from an installed system") done
  • Using your own keys:
    • Creating keys: done
    • Signing bootloader and kernel
      • Pacman hook for signing bootloader and kernel
    • Put firmware in "Setup Mode"
    • Enrol keys in firmware
      • Using firmware setup utility done
      • Using KeyTool
    • Yay! (maybe not needed?)
  • Disable Secure Boot (maybe move to top?) done
I have to confess that personally I failed at the "Enrol keys in firmware" step. –– nl6720talk 09:32, 6 May 2016 (UTC)
That reads like a good draft TOC! We cannot recycle Rod Smith's work. As far as I can see it is not licensed for it, though if someone asks him, I am sure he would be sympathetic for sharing parts - I've seen him help many users in the BBS. We can of course link to them for background info, which is fine as well, because he keeps his documentation very updated. So the latter is preferable in my view.
There are other references we can rely on as well though. Most universally applicable references appear to follow the tianocore method (see also [3], [4], [5]) to create a securebooted virtualmachine. I still have to try it with an Arch ISO as install medium and I can't really help much with the section before I tried. The steps to enroll keys should come naturally once the VM install secureboots and the section can be based at that point. --Indigo (talk) 12:41, 7 May 2016 (UTC)
The sections are now separated. Now someone only needs to write the instructions. –– nl6720talk 08:12, 9 May 2016 (UTC)
First bunch of modifications look very good! --nTia89 (talk) 10:13, 9 May 2016 (UTC)
 :)
–– nl6720talk 16:01, 10 May 2016 (UTC)
I got Secure Boot working in qemu and real hardware (guess which one actually enforces security policy beyond first executable it runs). Next I'll add key creation commands, using efitools README as reference. –– nl6720talk 16:02, 10 May 2016 (UTC)
Most sections are created, still needs more content and maybe better style. –– nl6720talk 18:42, 10 May 2016 (UTC)
This page is extremely helpful. Thanks to everyone who has worked on it. Regarding "Pacman hook for signing bootloader and kernel", this resource may be useful:
   GitHub - CrowdStrike/travel-laptop: Auxiliary documentation and scripts around "A Reasonably Safe Travel Burner Laptop"  MountainX (talk) 05:53, 1 June 2016 (UTC)