zigford.org


Gentoo Secure Boot on Precision 5510

August 07, 2023 — Jesse Harris

Work requires me to run Windows from time to time. With modern deployments of Windows requiring BitLocker and Secure Boot, I want to be able to seamlessly reboot to Gentoo without having to fiddle with UEFI and disable Secure Boot.


Why

You may recall that a long time ago work supplied me with a Precision 5510. The laptop has served me well and has been running Gentoo faithfully since it was installed back then.

Recently I started a new role which required me to run Windows from time to time. Rather than wiping Gentoo, I've moved it over to a secondary drive. This is all fine and dandy, however, the new Windows install requires Secure Boot.

Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.

With Gentoo, you are often compiling your own kernel. Therefore the kernel is never signed by the powers that be. Thankfully the industry understands that not everyone will use an operating system with big enough market share to warrant getting each kernel update signed.

There exists the ability to sign your own kernels. Basically this is what is involved:

  1. Download the platform keys, signing keys and other sundry keys/certs from your existing UEFI firmware.
  2. Create your own keys, and certs, append them to the keys downloaded from your UEFI.
  3. Upload them to your UEFI firmware.
  4. Sign anything you want to boot and thus, UEFI will trust your code (the kernel).

Details

  1. Reboot into UEFI
  2. Plug in a Fat32 USB drive
  3. On the 'Startup' page, scroll to the bottom. For each key/cert you can select it and download the file. I saved all of mine onto a USB key.
  4. Reboot back into linux (Secure boot is disabled at this stage)
  5. Create a working directory ~/secureboot/factoryconfig
  6. Copy the keys saved onto the USB into the factoryconfig directory. The directory should look like this:

    secureboot
    └── factoryconfig
        ├── db.esl
        ├── dbx.esl
        ├── KEK.esl
        └── PK.esl

  7. Follow the steps on Gentoo's fabulous wiki article. Here are the commands I ran verbatim:

    mkdir ~/secureboot/customconfig
    cd !$
    uuidgen > uuid.txt
    # generate a key pair and self-signed cert for each key type; the private key
    # never lands on disk in the clear, it goes through a FIFO straight into gpg
    mkfifo keypipe & sleep 1 && for keytype in PK KEK db dbx; do
        openssl req -new -x509 -newkey rsa:2048 -subj "/CN=Larry's ${keytype}" \
            -keyout keypipe -out ${keytype}.crt -days 9999 -nodes -sha256 &
        gpg --output ${keytype}.key.gpg --recipient larry@gentoo.org --encrypt < keypipe
    done ; rm keypipe
    # wrap each cert in an EFI signature list
    for keytype in PK KEK db dbx; do
        cert-to-efi-sig-list -g $(< uuid.txt) ${keytype}.crt ${keytype}.esl
    done
    cd ..
    # append the custom KEK/db/dbx lists to the factory ones so the OEM and
    # Microsoft entries survive (and Windows keeps booting); the PK is not
    # merged, the custom PK replaces the factory one outright
    for keytype in KEK db dbx; do
        cat factoryconfig/${keytype}.esl customconfig/${keytype}.esl > ${keytype}.esl
    done
    cp customconfig/PK.esl PK.esl
    # sign the lists: PK signs itself and the KEK, the KEK signs db and dbx
    mkfifo keypipe & sleep 1 && gpg --decrypt customconfig/PK.key.gpg > keypipe & sign-efi-sig-list -k keypipe -c customconfig/PK.crt PK PK.esl PK.auth ; rm keypipe
    mkfifo keypipe & sleep 1 && gpg --decrypt customconfig/PK.key.gpg > keypipe & sign-efi-sig-list -a -k keypipe -c customconfig/PK.crt KEK KEK.esl KEK.auth ; rm keypipe
    mkfifo keypipe & sleep 1 && for dbtype in db dbx; do
        gpg --decrypt customconfig/KEK.key.gpg > keypipe &
        sign-efi-sig-list -k keypipe -c customconfig/KEK.crt $dbtype ${dbtype}.esl ${dbtype}.auth
    done ; rm keypipe
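Before uploading the merged lists it is worth confirming that the combined KEK.esl and db.esl really carry the factory entries as well as your own, since a db.esl that lost the OEM/Microsoft lists will stop Windows booting. The following is an added example of mine, not code from the post or from the Gentoo wiki: a small POSIX shell walker over the EFI_SIGNATURE_LIST binary layout (16-byte type GUID, three little-endian 32-bit sizes, then fixed-size entries each led by a 16-byte owner GUID) that reports each list's type and entry count, plus a constructed two-list sample file with fake certificate bytes (not real DER) so it can be exercised offline. The function names, the owner GUID and the sample payloads are my assumptions.

```shell
#!/bin/sh
# Added example: inspect the .esl files produced above without sbsigntools.
# Only coreutils (od, wc, cut, tr) and awk are used.

EFI_CERT_X509_GUID="a5c059a1-94e4-4aa7-87b5-ab155c2bf072"
EFI_CERT_SHA256_GUID="c1c41626-504c-4092-aca9-41f936934328"
SAMPLE_OWNER_GUID="12345678-1234-1234-1234-123456789abc"   # constructed

# Read an unsigned little-endian 32-bit integer at byte $2 of file $1.
le32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Print the GUID stored at byte $2 of file $1 in text form; the first three
# fields are little-endian on disk, the last two are byte order.
guid_at() {
    set -- $(od -An -tx1 -j "$2" -N 16 "$1")
    printf '%s%s%s%s-%s%s-%s%s-%s%s-%s%s%s%s%s%s\n' \
        "$4" "$3" "$2" "$1" "$6" "$5" "$8" "$7" "$9" "${10}" \
        "${11}" "${12}" "${13}" "${14}" "${15}" "${16}"
}

# Walk file $1 and print one line per signature list: "<type> <entries> <entry-size>".
# Returns 1 if a header runs past the end of the file or a size is nonsensical.
esl_walk() {
    file=$1
    total=$(( $(wc -c < "$file") ))
    off=0
    while [ "$off" -lt "$total" ]; do
        if [ $((off + 28)) -gt "$total" ]; then
            echo "truncated list header at offset $off" >&2; return 1
        fi
        type=$(guid_at "$file" "$off")
        list_size=$(le32 "$file" $((off + 16)))
        hdr_size=$(le32 "$file" $((off + 20)))
        sig_size=$(le32 "$file" $((off + 24)))
        if [ "$list_size" -lt 28 ] || [ $((off + list_size)) -gt "$total" ] || [ "$sig_size" -eq 0 ]; then
            echo "corrupt list at offset $off" >&2; return 1
        fi
        count=$(( (list_size - 28 - hdr_size) / sig_size ))
        case $type in
            "$EFI_CERT_X509_GUID")   name=x509 ;;
            "$EFI_CERT_SHA256_GUID") name=sha256 ;;
            *)                       name=$type ;;
        esac
        echo "$name $count $sig_size"
        off=$((off + list_size))
    done
}

# Number of X.509 lists in file $1: a merged db.esl should show one list per
# source you concatenated (factory lists plus your own).
esl_x509_lists() {
    esl_walk "$1" | awk '$1 == "x509" { n++ } END { print n + 0 }'
}

# --- constructed sample so the walker can be run offline ---------------------
put_byte() { printf "\\$(printf '%03o' "$1")"; }
put_le32() {
    put_byte $(( $1 & 255 ));         put_byte $(( ($1 >> 8) & 255 ))
    put_byte $(( ($1 >> 16) & 255 )); put_byte $(( ($1 >> 24) & 255 ))
}
put_guid() {
    g=$(printf '%s' "$1" | tr -d -)
    for i in 7 5 3 1 11 9 15 13 17 19 21 23 25 27 29 31; do
        put_byte $(( 0x$(printf '%s' "$g" | cut -c$i-$((i+1))) ))
    done
}
# One EFI_SIGNATURE_LIST with a single entry: type GUID $1, owner GUID $2, payload $3.
mk_esl_list() {
    sig_size=$(( 16 + $(printf %s "$3" | wc -c) ))
    put_guid "$1"
    put_le32 $(( 28 + sig_size ))   # SignatureListSize
    put_le32 0                      # SignatureHeaderSize
    put_le32 "$sig_size"            # SignatureSize
    put_guid "$2"
    printf %s "$3"
}
# Write a two-list file to $1, mimicking "cat factoryconfig/db.esl customconfig/db.esl".
build_sample_esl() {
    : > "$1"
    mk_esl_list "$EFI_CERT_X509_GUID" "$SAMPLE_OWNER_GUID" "CONSTRUCTED-OEM-CERT-BYTES" >> "$1"
    mk_esl_list "$EFI_CERT_X509_GUID" "$SAMPLE_OWNER_GUID" "CONSTRUCTED-CUSTOM-CERT-BYTES" >> "$1"
}
```

Run it against the real files with `esl_walk ~/secureboot/db.esl`: the factory db from a Dell machine normally shows several x509 lists (and dbx a large sha256 list), and after the merge one more x509 list with a single entry, your own cert, should appear at the end.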

  8. Next, copy the *.esl files in ~/secureboot back to the USB key.

  9. Reboot back into the EFI and use the UI to upload the new esl files over the top of the original ones.

  10. Reboot back into Gentoo and you're ready to sign your kernel.

    cd ~/secureboot
    # the db key is decrypted into a FIFO so sbsign can read it without it ever being written to disk
    mkfifo keypipe & sleep 1 && gpg --decrypt customconfig/db.key.gpg > keypipe & sudo sbsign --key keypipe --cert customconfig/db.crt --output /boot/signed-vmlinuz /boot/vmlinuz; rm keypipe

  11. Verify the signed image using sbverify (You can also test it on Microsoft's boot loader)

    sbverify --cert customconfig/db.crt /boot/signed-vmlinuz
    sbverify --cert customconfig/db.crt /mnt/windows/EFI/Boot/bootx64.efi

  12. Add the new boot image to the efi boot loader

        sudo cp /boot/signed-vmlinuz /boot/efi/EFI/gentoo/vmlinuz-6.1.41.efi
        sudo cp /boot/initramfs-6.1.41-gentoo-dist.img /boot/efi/EFI/gentoo/initramfs-6.1.41
    
        cmdline="root=UUID=515bcca4-f46e-4645-a26b-17afbad95c34 ro \
            rootflags=subvol=@gentoo/@root dolvm dobtrfs \
            rd.luks.uuid=luks-fe37a15e-26d8-446b-9c8f-f73128f63a1c \
            resume=/dev/mapper/gentoo quiet splash root_trim=yes \
            loglevel=3 udev.log-priority=3 vt.global_cursor_default=0 \
            apparmor=1 security=apparmor intel_iommu=on \
            modprobe.blacklist=nvidia,nvidia_drm,nvidia_modeset \
            initrd=\efi\EFI\gentoo\initramfs-6.1.41"
    
        sudo efibootmgr --create --disk /dev/nvme0n1 --full-dev-path \
            --label "Gentoo 6.1.41" --loader '\efi\EFI\gentoo\vmlinuz-6.1.41.efi' \
            --unicode "$cmdline"
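A mistyped path in this last step (a copy going to the wrong name, or an initrd= that does not match what was copied) only shows up as a failed boot, so it pays to check the entry against the ESP before efibootmgr writes it to NVRAM. The following is an added example of mine, not code from the post: it converts the backslash-style EFI paths efibootmgr is given into POSIX paths under the ESP mount point, confirms the loader exists and starts with the "MZ" header every PE/EFI image has, and confirms the file named by initrd= is present. One caveat worth keeping in mind while reading it: the sbsign signature covers only the vmlinuz PE image; the initramfs handed over via initrd= is loaded by the kernel's EFI stub from the ESP and is not covered by that signature. Function names and the sample files in the test are my assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for an efibootmgr entry.

# Convert an EFI path such as '\efi\EFI\gentoo\vmlinuz-6.1.41.efi' into a POSIX
# path below the ESP mount point $1.
efi_to_posix() {
    printf '%s/%s\n' "${1%/}" "$(printf '%s' "$2" | tr '\\' '/' | sed 's|^/||')"
}

# Print the value of the initrd= word in kernel command line $1; status 1 if absent.
cmdline_initrd() {
    for word in $1; do
        case $word in
            initrd=*) printf '%s\n' "${word#initrd=}"; return 0 ;;
        esac
    done
    return 1
}

# Check that loader $2 and the initrd named in command line $3 exist under ESP
# mount point $1 and that the loader is a PE image. Lists every problem on
# stderr and returns 1 if anything is missing, 0 if the entry is safe to create.
preflight_boot_entry() {
    esp=$1 loader=$2 cmdline=$3 rc=0
    loader_path=$(efi_to_posix "$esp" "$loader")
    if [ ! -f "$loader_path" ]; then
        echo "missing loader: $loader_path" >&2; rc=1
    elif [ "$(od -An -c -N 2 "$loader_path" | tr -d ' ')" != "MZ" ]; then
        echo "loader is not a PE/EFI image: $loader_path" >&2; rc=1
    fi
    initrd=$(cmdline_initrd "$cmdline") || { echo "no initrd= in command line" >&2; return 1; }
    initrd_path=$(efi_to_posix "$esp" "$initrd")
    [ -f "$initrd_path" ] || { echo "missing initrd: $initrd_path" >&2; rc=1; }
    return $rc
}

# Usage with the values from the post (ESP mounted at /boot, which is what the
# '\efi\EFI\gentoo' paths imply):
#   preflight_boot_entry /boot '\efi\EFI\gentoo\vmlinuz-6.1.41.efi' "$cmdline" \
#       && sudo efibootmgr --create ...
```

Run the check as the same shell snippet that defines `cmdline`, so the initrd= it inspects is exactly the string efibootmgr will store.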
    

Tags: gentoo, secure_boot