
Solus Secure Boot Support
Closed, ResolvedPublic

Assigned To
Authored By
joebonrichie
Dec 22 2022, 9:39 AM

Description

This information was already posted internally, but is written up here for public visibility.

With D13867 it is now possible to boot Solus with Secure Boot enabled. In order to facilitate this, the following steps were taken:

Secure Boot Support
  • Packaging the pre-signed shim from Fedora - R5660
  • Creating a Solus Certificate/Machine Owner Key (mok) in a private repository
  • Signing systemd-bootx64.efi with the Solus MOK - R2999:beb51b6960dd
  • Signing linux-current with the Solus MOK - R3571:93a97437dae6
  • Signing linux-lts with the Solus MOK - R1966:fd3c91d2248c
  • Switching clr-boot-manager to use 'shim-systemd-boot' as the bootloader instead of 'systemd-boot'
  • Small clr-boot-manager patches to shim-systemd-boot to facilitate our needs
  • Install D13867, run 'clr-boot-manager update', boot from the new 'Solus Linux Bootloader' entry with Secure Boot enabled, and perform the one-time step of enrolling the Solus Certificate from disk.
A Note on Signing
  • Signing is automatic, depending on whether the packager has rights to check out the solus-secureboot-keys repository.
  • The solus-secureboot-keys repository can only be checked out by the Packaging Team.
  • Users can still run their own builds of systemd and the kernel, however, they will not be signed.
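As a check that goes with the signing steps above (and with the note that user builds of systemd-boot and the kernel will not be signed), the following added example inspects a built EFI binary and reports whether its PE certificate table contains any Authenticode entries. It is not part of this task or of Solus tooling; it only parses the table and does not validate the signature (that is what sbverify from sbsigntools is for), and fake_efi_image builds a constructed skeleton image purely so the check can be exercised offline.

```python
import struct
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
IMAGE_DIRECTORY_ENTRY_SECURITY = 4

def security_directory(pe):
    """Return (file offset, size) of the Attribute Certificate Table, or None if absent (unsigned)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs_off = opt_off + (112 if magic == PE32_PLUS_MAGIC else 96)
    off, size = struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return (off, size) if off and size else None

def list_signatures(pe):
    """Walk the WIN_CERTIFICATE entries in the table; return [(type, blob), ...]."""
    found = security_directory(pe)
    if found is None:
        return []
    off, size = found
    end = off + size
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % off)
        entries.append((ctype, pe[off + 8:off + length]))
        off += (length + 7) & ~7  # entries are padded to 8-byte boundaries
    return entries

def fake_efi_image(signature_blob=None):
    """Constructed test input: minimal PE32+ skeleton (no sections), optional cert entry at 512."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 64)  # e_lfanew -> PE header at offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", PE32_PLUS_MAGIC) + bytes(110) + bytes(16 * 8)  # 112 bytes + 16 dirs
    image = bytearray(dos + coff + opt) + bytes(512 - 64 - 24 - 240)
    if signature_blob is not None:
        entry = struct.pack("<IHH", 8 + len(signature_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        entry += bytes((-len(entry)) % 8)
        struct.pack_into("<II", image, 64 + 24 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 512, len(entry))
        image += entry
    return bytes(image)
```

On a real binary, read the file with open(path, "rb").read() and pass it to list_signatures; an empty result means the image was never signed and will not be accepted by shim under Secure Boot.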
Secure Boot Support without Having to Manually Enroll the Solus Cert on First Boot

Before continuing, it is important to remember that manually enrolling the certificate on first boot is only required once, and only when Secure Boot is enabled. If Secure Boot is disabled, things will continue to boot as before without any user intervention.

Now, in order to avoid the confusing step of manually enrolling the Solus Certificate on first boot with Secure Boot enabled, we would have to get our own shim, built with the Solus certificate embedded, signed by Microsoft. In order to do this, AFAICU, the following steps are required:

  • Obtain an EV certificate. The cheapest price I saw was $750 for three years
  • Register for the Microsoft Windows Hardware Developer Program - https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/hardware-program-register
  • Build our kernel with kernel lockdown mode enabled if secure boot is enabled
  • Build shim with make VENDOR_CERT_FILE=solus-cert.cer DEFAULT_LOADER=loaderx64.efi
  • Embed the resulting shim .efi file in a .cab file
  • Sign the .cab file with our certificate
  • From the Microsoft Windows Hardware Developer Program Platform: File Signing Service -> Submit New UEFI
  • Send the shim for review to https://github.com/rhboot/shim-review/; if shim-review is happy, Microsoft will likely sign our shim.
  • Obtain our signed shim from Microsoft, extract the .efi from the .cab and package it up in shim-signed.

Useful current links:

Older links with out-of-date information:

Final Notes
  • We are not currently looking to obtain an EV certificate
  • Thanks to the supporters on OpenCollective, it is indeed within the budget to obtain one, but it is a large cost without much meaningful gain.

Event Timeline

joebonrichie triaged this task as Wishlist priority.Dec 22 2022, 9:39 AM
joebonrichie created this task.
joebonrichie claimed this task.

Basic secure boot support in, we may end up obtaining an EV Cert and getting our own shim signed in the future.