Moving Secure Boot to a new page
Moved here from Talk:Unified Extensible Firmware Interface
Couldn't we create a new page regarding all the intricacies of Secure Boot and explaining all the possible options:
- Disable secure boot entirely
- Use the prebootloader as the stage 1 loader
- Create your own keys and take ownership of your system
The first two steps have already been discussed to a good extent, but the third one needs a little bit more explanation regarding creating the keys, updating them in the firmware, manually signing your EFI binaries etc., which would probably be long enough to deserve a page of its own. What do you guys think? Hydracone (talk) 07:34, 3 January 2016 (UTC)
- If you are willing to expand on that, possibly also linking to external references, you have my full support. If you're not sure whether the new content will be long enough, you can start simply with a new section in this article, and maybe split it later. If splitting, of course all the Secure Boot info will have to be moved from this page, not simply duplicated. If you want to start immediately with a separate article, you can choose whether to use your User page (or a subpage) as a draft, or start editing on the already existing Secure Boot redirect, putting an instance of Template:Expansion at the top. — Kynikos (talk) 02:37, 4 January 2016 (UTC)
Enroll hash file name
I am a bit confused regarding the following lines:
* In the HashTool main menu, select Enroll Hash, choose \loader.efi and confirm with Yes. Again, select Enroll Hash and archiso to enter the archiso directory, then select vmlinuz-efi and confirm with Yes. Then choose Exit to return to the boot device selection menu.
* In the boot device selection menu choose Arch Linux archiso x86_64 UEFI CD
There is no file vmlinuz-efi in the said directory, there is only efiboot.img. Then, the USB stick actually wants to boot from arch/boot/x86_64/vmlinuz. I am not sure which file I actually had to enroll, it was either archiso.img in that directory or the vmlinuz kernel image. In either case the instruction is not accurate. --Johannes Rohr (talk) 09:03, 5 February 2015 (UTC)
New "remove" section
I added this new section; please review it, especially whether all the mentioned commands are really needed... Now I'd like to have the index at the start of the page but I don't know how to add it. Please point me to a guide about it.
- The name of the section seems wrong, we are not actually removing Secure Boot, only some EFI applications from the ESP. Regarding the table of contents read Help:Editing#Headings and subheadings. –– nl6720 talk 15:23, 5 May 2016 (UTC)
- Yes, it simply misses "configuration". "Remove Secure Boot configuration of the installed system" is a little long, but describes better.
- A question: The section goes about removing the tools, but obviously the most important step is to disable Secureboot in the EFI, otherwise the system won't boot. That should be added. And along with that: Turning off Secure Boot in EFI results in none of its checks being performed. Is there a need to perform any of the described steps in the section for the system to boot? Because if not, that should be mentioned. (The section to remove it is useful anyhow, if users want to change setup of boot configuration). --Indigo (talk) 17:16, 5 May 2016 (UTC)
- So, what do you think about a title like `Disable Secure Boot`, with the section starting: `In order not to use the Secure Boot feature you simply have to disable it via the EFI settings. If you followed the previous section in order to get Secure Boot working with your Arch Linux installation, you may want to remove those files and configuration, restoring the original /boot situation and having it clean...`? --nTia89 (talk) 16:28, 6 May 2016 (UTC)
Separate pre-signed and self-signed
Currently the article solely focuses on the pre-signed PreLoader method. It lacks instructions for signing bootloaders and kernels with your own keys. The current article may lead one to believe that using PreLoader is the only or best option to use Secure Boot. I think that there should be a top heading for each method. –– nl6720 talk 16:12, 5 May 2016 (UTC)
- +1. A section on own key setup would be great. This BBS thread has references too, then there is the GKH way - which is too much for this article, but contains a section on key creation which is very useful here. --Indigo (talk) 17:26, 5 May 2016 (UTC)
- We can write this using Rod Smith's Dealing with Secure Boot & Controlling Secure Boot for inspiration (i.e blatantly, shamelessly copying parts of them).
- Better section names are needed, but here's my idea for the article structure:
  - Using a signed boot loader (done)
    - Booting archiso: (currently "Secure boot archiso") (done)
    - Set up PreLoader: (currently "Secure Boot in the installed system") (done)
    - Remove PreLoader: (currently "Remove Secure Boot from an installed system") (done)
  - Using your own keys:
    - Signing bootloader and kernel
    - Pacman hook for signing bootloader and kernel
    - Put firmware in "Setup Mode"
    - Enrol keys in firmware
      - Using firmware setup utility (done)
      - Using KeyTool
      - Yay! (maybe not needed?)
  - Disable Secure Boot (maybe move to top?) (done)
- I have to confess that personally I failed at the "Enrol keys in firmware" step. –– nl6720 talk 09:32, 6 May 2016 (UTC)
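Both the "Enroll Hash" confusion above and the "Enrol keys in firmware" step in this outline come down to the same on-disk format: the EFI_SIGNATURE_LIST structure that PK, KEK, db, dbx and the MokList variable all hold (one list per X.509 certificate, or one list carrying many SHA-256 hashes). The following Python builder/parser is an added example written for this talk page; it is not code from the ArchWiki article, efitools, KeyTool, PreLoader or HashTool. The owner GUID and the certificate bytes are made up, and the hash entries are raw SHA-256 digests of constructed data, whereas a real firmware or HashTool enrols the Authenticode hash of the PE image, which is not a plain hash of the file.

```python
"""
Build and parse UEFI EFI_SIGNATURE_LIST blobs (the ".esl" layout that
KeyTool, the firmware setup utility and MokManager/HashTool consume).

Added example for the ArchWiki Secure Boot talk page; not taken from any
of the tools it mentions.  Layout per the UEFI specification:

  EFI_SIGNATURE_LIST { EFI_GUID SignatureType;        16 bytes
                       UINT32   SignatureListSize;    whole list incl. header
                       UINT32   SignatureHeaderSize;  0 for X.509 / SHA-256
                       UINT32   SignatureSize;        size of one entry below
                       EFI_SIGNATURE_DATA Signatures[]; }
  EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner; UINT8 SignatureData[]; }

Integers are little-endian; GUIDs use the mixed-endian EFI encoding that
uuid.UUID(...).bytes_le produces.
"""
import hashlib
import struct
import uuid
from typing import List, Tuple

# Well-known signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# SignatureOwner is free-form; tools use a per-user GUID.  Made up here.
OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")

_HDR = struct.Struct("<16sIII")          # 28-byte list header
Entry = Tuple[uuid.UUID, uuid.UUID, bytes]  # (type, owner, data)


def build_esl(sig_type: uuid.UUID, entries: List[bytes],
              owner: uuid.UUID = OWNER_GUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST.  Every entry in a list must have the
    same SignatureSize, so X.509 lists normally hold a single certificate
    while a SHA-256 list can hold many digests."""
    if not entries:
        raise ValueError("empty signature list")
    data_len = len(entries[0])
    if any(len(e) != data_len for e in entries):
        raise ValueError("all SignatureData in one list must be equal size")
    sig_size = 16 + data_len                      # owner GUID + payload
    body = b"".join(owner.bytes_le + e for e in entries)
    list_size = _HDR.size + len(body)             # SignatureHeaderSize is 0
    return _HDR.pack(sig_type.bytes_le, list_size, 0, sig_size) + body


def parse_esl(blob: bytes) -> List[Entry]:
    """Parse a concatenation of EFI_SIGNATURE_LISTs (what db/KEK/PK hold).
    Refuses inconsistent sizes instead of reading past the buffer, which is
    the check a firmware must make before trusting an enrolled variable."""
    out: List[Entry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of range")
        if sig_size <= 16:
            raise ValueError("SignatureSize too small to hold an owner GUID")
        sigs = blob[off + _HDR.size + hdr_size: off + list_size]
        if len(sigs) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(sigs), sig_size):
            owner = uuid.UUID(bytes_le=sigs[i:i + 16])
            out.append((sig_type, owner, sigs[i + 16:i + sig_size]))
        off += list_size
    return out


def hash_allowed(db_blob: bytes, digest: bytes) -> bool:
    """Membership test the way a hash-only db/MokList entry is consulted:
    the image's SHA-256 (Authenticode hash for real PE files) must appear
    as an EFI_CERT_SHA256 entry."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest
               for t, _, d in parse_esl(db_blob))


if __name__ == "__main__":
    fake_cert = b"FAKE-DER-CERT-" * 4          # constructed, not a real DER cert
    db = build_esl(EFI_CERT_X509_GUID, [fake_cert])
    db += build_esl(EFI_CERT_SHA256_GUID,
                    [hashlib.sha256(b"loader.efi").digest(),
                     hashlib.sha256(b"vmlinuz.efi").digest()])
    for t, owner, data in parse_esl(db):
        print(t, owner, len(data), "bytes")
    print(hash_allowed(db, hashlib.sha256(b"vmlinuz.efi").digest()))
```

The builder output can be concatenated and handed to whatever enrolment path the article ends up documenting; the parser is the useful half for debugging a failed enrolment, because a list whose SignatureListSize or SignatureSize do not add up is exactly what firmware silently rejects.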
- That reads like a good draft TOC! We cannot recycle Rod Smith's work. As far as I can see it is not licensed for it, though if someone asks him, I am sure he would be sympathetic for sharing parts - I've seen him help many users in the BBS. We can of course link to them for background info, which is fine as well, because he keeps his documentation very updated. So the latter is preferable in my view.
- There are other references we can rely on as well though. Most universally applicable references appear to follow the tianocore method (see also , , ) to create a secure-booted virtual machine. I still have to try it with an Arch ISO as install medium and I can't really help much with the section before I've tried. The steps to enroll keys should come naturally once the VM install secure-boots, and the section can be based on that point. --Indigo (talk) 12:41, 7 May 2016 (UTC)
- This page is extremely helpful. Thanks to everyone who has worked on it. Regarding "Pacman hook for signing bootloader and kernel", this resource may be useful: