T10457 - Change Details
Information already posted internally but writing for public visibility.

With D13867 it is now possible to boot Solus with Secure Boot enabled. In order to facilitate this the following steps were taken:

##### Secure Boot Support

- Packaging the pre-signed shim from Fedora - R5660
- Creating a Solus Certificate/Machine Owner Key (MOK) in a private repository
- Signing systemd-bootx64.efi with the Solus MOK - R2999:beb51b6960dd
- Signing linux-current with the Solus MOK - R3571:93a97437dae6
- Signing linux-lts with the Solus MOK - R1966:fd3c91d2248c
- Switching clr-boot-manager to use 'shim-systemd-boot' as the bootloader instead of 'systemd-boot'
- Small clr-boot-manager patches to shim-systemd-boot to facilitate our needs
- Install D13867, run 'clr-boot-manager update', boot from the new 'Solus Linux Bootloader' entry with secure boot enabled and perform the one-time step of enrolling the Solus Certificate from disk.

##### A Note on Signing

- Signing is automatic depending on whether the packager has rights to check out the `solus-secureboot-keys` repository
- The solus-secureboot-keys repository can only be checked out by the Packaging Team.
- Users can still run their own builds of systemd and the kernel; however, they will not be signed.

#### Secure Boot Support without Having to Manually Enroll the Solus Cert on First Boot

//Before continuing, it is important to remember that manually enrolling the certificate on first boot is only required once, and only required when secure boot is enabled. If secure boot is disabled things will continue to boot as before without any user intervention required.//

Now, in order to avoid the confusing step of manually enrolling the Solus Certificate on first boot with secure boot enabled, we would have to get our own shim, built with the Solus certificate embedded, signed by Microsoft. In order to do this, AFAICU, the following steps are required:

- Obtain an EV certificate. The cheapest price I saw was $750 for three years
- Register for the Microsoft Windows Hardware Developer Program - https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/hardware-program-register
- Build our kernel with kernel lockdown mode enabled if secure boot is enabled
- Build `shim` with `make VENDOR_CERT_FILE=solus-cert.cer DEFAULT_LOADER=loaderx64.efi`
- Embed the resulting shim .efi file in a .cab file
- Sign the .cab file with our certificate
- From the Microsoft Windows Hardware Developer Program Platform: File Signing Service -> Submit New UEFI
- Send the shim for review to https://github.com/rhboot/shim-review/; if shim-review is happy Microsoft will likely sign our shim.
- Obtain our signed shim from Microsoft, extract the .efi from the .cab and package it up in shim-signed.

Useful current links:

- https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/file-signing-reqs
- https://github.com/rhboot/shim-review/
- https://lists.archlinux.org/pipermail/arch-releng/2019-January/003892.html

Older links with out of date information:

- https://mjg59.dreamwidth.org/20303.html?thread=783183#cmt783183
- https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO_update_2018#The_Plan

##### Final Notes

- We are not currently looking to obtain an EV certificate
- With thanks to the supporters on OpenCollective it is indeed within the budget to obtain one, but it is a large cost without much of a meaningful gain.
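A quick way to tell whether an installed EFI image (shim, systemd-bootx64.efi or an EFI-stub kernel) embeds a signature at all, as an added example that is not Solus tooling: it parses the PE headers for the Authenticode certificate table, which a locally rebuilt, unsigned kernel or systemd-boot will lack and shim will therefore reject with secure boot on. `build_test_image` is a constructed minimal PE32+ header used only to exercise the parser offline; the signature contents are not validated.

```python
# Added example for this task, not Solus tooling: reports whether a PE/COFF
# EFI image has an Authenticode certificate table (signed) or not (unsigned).
import struct

PE32, PE32PLUS = 0x10B, 0x20B
CERT_TABLE = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode table


def authenticode_table(image: bytes):
    """Return (file_offset, size) of the certificate table, or None when the
    image carries no embedded signature. Raises ValueError for non-PE input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS:
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32:
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", image, ndirs_off)
    if ndirs <= CERT_TABLE:
        return None  # header too short to hold a security directory
    off, size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_TABLE)
    # For this directory the first field is a raw file offset, not an RVA.
    if size == 0 or off + size > len(image):
        return None
    return off, size


def is_signed(path: str) -> bool:
    """True when the EFI image at `path` embeds at least one certificate."""
    with open(path, "rb") as fh:
        return authenticode_table(fh.read()) is not None


def build_test_image(cert_bytes: bytes) -> bytes:
    """Constructed minimal PE32+ image (no sections) with `cert_bytes`
    appended as its certificate table; used only to exercise the parser."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0x22)
    hdr_len = len(dos) + len(coff) + 112 + 16 * 8
    dirs = [(0, 0)] * 16
    if cert_bytes:
        dirs[CERT_TABLE] = (hdr_len, len(cert_bytes))
    opt = struct.pack("<H", PE32PLUS) + bytes(106) + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + coff + opt + cert_bytes
```

Run `is_signed("/boot/efi/EFI/systemd/systemd-bootx64.efi")` (path is an assumption) against the installed loader or kernel; a `None` table means the image never went through the signing step described above.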