New feature: bootloader signing

[pandom79]

Hi,
I added bootloader's signing functionality.
I needed that so i though to create a merge request.
Pratically, i added two options: -d and -t.
-d to set key file. ( es. -d /keys/db.key )
-t to set cert file ( es. -t /keys/db.crt )

These options are complementary. It hasn't sence to set one without other.
If both are set, i also check sbsign command.
These controls are execute before the packages installation and initramfs generation.
If the user entered wrong data, it is useless go on.

Following, show the steps to get void linux usb key bootable under secure boot enabled:

1. sudo ./mklive.sh -d my.key -t my.crt

2. Via dd command, i write ISO image on USB stick.

3. Reboot machine with USB stick plugged

4. Setup firmware

You'll see a bootloader called BOOTX??.EFI and BOOTX??-signed.EFI ( ?? = 32 or 64 )

5. Select BOOTX64-signed.EFI

If the entered keys are correct, void linux will startup finely.

If you are interested that , i am available for eventual changes.
Regards

[sgn]

This is neither a support nor a non-support from me.
But, sbsign has config file in /etc/default/sbsigntool-kernel-hook

[sgn]

Why do we need sub-shell?

[sgn]

ditto

[sgn]

And please reset toSign variable in the beginning of script.

[sgn]

Make them a function, perhaps?

[sgn]

Ugly! Maybe?

if [ -n "$key" -a -n "$crt" ]; then
    ...
else if [ -n "$key$crt" ]; then
    die "...."
fi

[hippi777]

-a and -o are deprecated (according to bash faq), -n gives no much value in general if any, and similarly ! can be basically used instead of -z :D

[sgn]

I was talking about the order of execution ;)

[hippi777]

sure, the structure is fine :)

[sgn]

$dbkey and $dbcrt checked above! [ -f "$key" ] is enough.

[sgn]

What wrong with simple:

elif command -v sbsign; then

[hippi777]

command -v sbsign >/dev/null
or
hash sbsign 2>/dev/null
or
type sbsign >/dev/null 2>&1

and if im right, then hash is the fastest, but i think ive only ever seen command -v around void

[sgn]

I don't care about which one is the fastest. I was talking about the uselessness of [ -x ]

[hippi777]

the point was the redirection against littering the output, while u r right, just these are again two different things, i hope u didnt get me wrong or got offended or whatever! :)

[sgn]

Ah, no, I'm not offended (and I hope you aren't, too).
However, driving out of track is not productive.
You suggestion about appending >/dev/null is good, that's is nice.

[hippi777]

ahh, fine, and thx for the info! :)
however, just for the next time, what do u mean by driving out of track? it was about the same line, is there a way to isolate my stuff better that im not aware of, or i just need a better wording? im not a git/github pro actually :D (also, i often go off topic, but i dont think this was an example of that :D )

[sgn]

Actually, this one is not. The previous one is :-p

[sgn]

Why d and t? Is it because they're random characters that still available?

[pandom79]

This is neither a support nor a non-support from me.
But, sbsign has config file in /etc/default/sbsigntool-kernel-hook

Sorry, how can i to use that hook to sign bootloader in a custom Void ISO?
The iso image obtainable via mklive command have the efi file in a compressed image called efiboot.img,
therefore i haven't visibility to sign it after creation.
I thought about intervening during its creation to sign it, so I made this change.
My goal is to boot a Voidlinux USB stick with secure boot enabled.
It worked for me.
This patch is just an idea, obviously it can be improved and made more elegant.
If exist a better way to do that, please ignore it.

[ericonr]

I'm not sure there's an easy way to use the sbsign hook (which could be run inside the chroot with xbps-reconfigure) without including the private keys in the final ISO, which I don't think is ideal.

If possible, I would be in favor of signing the kernel in void ISOs with a throwaway key, which allows one to never turn off Secure Boot while installing, even if new keys will have to be added (once for the Void specific one, once for the user's keys).

[pandom79]

I'm not sure there's an easy way to use the sbsign hook (which could be run inside the chroot with xbps-reconfigure) without including the private keys in the final ISO, which I don't think is ideal.

If possible, I would be in favor of signing the kernel in void ISOs with a throwaway key, which allows one to never turn off Secure Boot while installing, even if new keys will have to be added (once for the Void specific one, once for the user's keys).

I just see that hook only signs vmlinuz does not sign the bootloader. Grub is loaded first and then the kernel.
If grub is unsigned it will not boot with secure boot enabled.
However, it worked for me by only signing the efi file, the kernel is unsigned.

[pandom79]

I still have to understand a lot about how void works :)
Let me know if you are interested.
It is useless to make changes

[ericonr]

However, it worked for me by only signing the efi file, the kernel is unsigned.

Really? GRUB should verify this, otherwise Secure Boot is useless. rEFInd does proper verification of the kernel.

[pandom79]

However, it worked for me by only signing the efi file, the kernel is unsigned.

Really? GRUB should verify this, otherwise Secure Boot is useless. rEFInd does proper verification of the kernel.

Probably grub handles it differently.
If grub is allowed to start then the rest are too.
As you can see from this example, i sign only efi file. I don't sign initrd.
Perhaps there is some setting....

[pandom79]

About hook /etc/default/sbsigntool-kernel-hook, i guess that this way is more onerous.
First of all, this hook is not installed by default, therefore, we'll need to install sbsigntool package via -p option for additional package or, in signature case, adding it at default packages.
After that, to enable it, we'll need edit it overwriting SBSIGN_EFI_KERNEL from 0 to 1.
The xbps-reconfigure command will call /etc/kernel.d/post-install/40-sbsigntool.
This post installation hook only sign vmlinuz, therefore, we'll need to append efi file sign via command
( for example "echo do_sign path-efi-file >> /etc/kernel.d/post-install/40-sbsigntool" )
Perhaps the keys could not be a problem...after signature we can delete them

Is correct? What do you think?

[sgn]

Sorry, how can i to use that hook to sign bootloader in a custom Void ISO?
The iso image obtainable via mklive command have the efi file in a compressed image called efiboot.img,
therefore i haven't visibility to sign it after creation.
I thought about intervening during its creation to sign it, so I made this change.

Sorry, I didn't say it clearly. I was trying to say about falling back to those key and cert in those config files

[pandom79]

Sorry, how can i to use that hook to sign bootloader in a custom Void ISO?
The iso image obtainable via mklive command have the efi file in a compressed image called efiboot.img,
therefore i haven't visibility to sign it after creation.
I thought about intervening during its creation to sign it, so I made this change.

Sorry, I didn't say it clearly. I was trying to say about falling back to those key and cert in those config files

Do you say to use the keys mentioned in sbsigntool-kernel-hook ?
EFI_KEY_FILE=/etc/efikeys/db.key
EFI_CERT_FILE=/etc/efikeys/db.crt

[sgn]

On 2020-10-09 07:03:59-0700, pandom79 ***@***.***> wrote: > > Sorry, how can i to use that hook to sign bootloader in a custom Void ISO? > > The iso image obtainable via mklive command have the efi file in a compressed image called efiboot.img, > > therefore i haven't visibility to sign it after creation. > > I thought about intervening during its creation to sign it, so I made this change. > > Sorry, I didn't say it clearly. I was trying to say about falling back to those key and cert in those config files Do you say to use the keys mentioned in sbsigntool-kernel-hook ? EFI_KEY_FILE=/etc/efikeys/db.key EFI_CERT_FILE=/etc/efikeys/db.crt

Exactly.

…

-- Danh

[pandom79]

On 2020-10-09 07:03:59-0700, pandom79 @.***> wrote: > > Sorry, how can i to use that hook to sign bootloader in a custom Void ISO? > > The iso image obtainable via mklive command have the efi file in a compressed image called efiboot.img, > > therefore i haven't visibility to sign it after creation. > > I thought about intervening during its creation to sign it, so I made this change. > > Sorry, I didn't say it clearly. I was trying to say about falling back to those key and cert in those config files Do you say to use the keys mentioned in sbsigntool-kernel-hook ? EFI_KEY_FILE=/etc/efikeys/db.key EFI_CERT_FILE=/etc/efikeys/db.crt
Exactly.
…
-- Danh

I say that my case it would not works because i don't use sbsigntool-kernel-hook. I sign kernel and bootloader directly in dracut and them path are different.
An other thing go in my mind, i could to create Void ISO on other machine but my keys are on external ssd. How to do.....?
I think that the best way is pass them as arguments. Use them and put in trash.

[pandom79]

Anyway, this is my definitive version.
If you want change something, please justify it with valid reason and write the change completely so i can test it.
Until now the some suggested changes seems don't works for me.

[pandom79]

Never say definitive...;)
i added the signing and signature verification control.
Someone could set wrong key.
For example :
db.cer in place of db.crt

[meator]

Suggested change

	while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:d:t:h" opt; do
	while getopts "a:b:r:c:C:T:Kk:l:i:I:s:o:p:v:d:t:h" opt; do

Sorry! I have removed the -S option, so there is a conflict now.