Secure boot #5282
Open
Secure boot #5282
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lguohan
reviewed
Aug 31, 2020
| @@ -412,7 +412,7 @@ demo_install_uefi_grub() | |||
| efibootmgr --quiet --create \ | |||
| --label "$demo_volume_label" \ | |||
| --disk $blk_dev --part $uefi_part \ | |||
| --loader "/EFI/$demo_volume_label/grubx64.efi" || { | |||
| --loader "/EFI/$demo_volume_label/shimx64.efi" || { | |||
There was a problem hiding this comment.
does this affect non secure boot?
There was a problem hiding this comment.
Yes, but not if we add shimx64.efi to the EFI partition. Still working on this.
|
Please add more detail to the PR title |
lguohan
reviewed
Aug 31, 2020
build_debian.sh
Outdated
| sudo apt-get -y install efitools | ||
| sudo openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout kernel_db.key -out kernel_db.crt -days 365 -nodes -sha256 | ||
| sudo openssl x509 -in kernel_db.crt -outform der -out kernel_db.der | ||
| sudo sbsign --key kernel_db.key --cert kernel_db.crt --output fsroot/boot/vmlinuz-4.19.0-9-2-amd64 fsroot/boot/vmlinuz-4.19.0-9-2-amd64 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why I did it
To make SONiC boot with signed shim and grub when secure boot is enabled
Allow secure boot key signing and secure boot verification
How I did it
Added signed grub and shim binary packages
Boot with shim instead of grub
Added efitools and mokutil
How to verify it
Use sbsign to sign binaries and mokutil to check secure boot state
Check if the following exists:
/usr/lib/shim/shimx64.efi.signed
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed