Installation guide
This document is a guide for installing Arch Linux using the live system booted from an installation medium made from an official installation image. The installation medium provides accessibility features which are described on the page Install Arch Linux with accessibility options. For alternative means of installation, see Category:Installation process.
Before installing, it is advised to view the FAQ. For conventions used in this document, see Help:Reading. In particular, code examples may contain placeholders (formatted in italics) that must be replaced manually.
For more detailed instructions, see the respective ArchWiki articles or the various programs’ man pages, both linked from this guide. For interactive help, the IRC channel and the forums are also available.
Arch Linux should run on any x86_64-compatible machine with a minimum of 512 MiB RAM, though more memory is needed to boot the live system for installation.[1] A basic installation should take less than 2 GiB of disk space. As the installation process needs to retrieve packages from a remote repository, this guide assumes a working internet connection is available.
Pre-installation
Acquire an installation image
Visit the Download page and, depending on how you want to boot, acquire the ISO file or a netboot image, and the respective GnuPG signature.
Verify signature
It is recommended to verify the image signature before use, especially when downloading from an HTTP mirror, where downloads are generally prone to be intercepted to serve malicious images.
On a system with GnuPG installed, do this by downloading the PGP signature (under Checksums in the Download page) to the ISO directory, and verifying it with:
Alternatively, from an existing Arch Linux installation run:
Prepare an installation medium
The installation image can be supplied to the target machine via a USB flash drive, an optical disc or a network with PXE: follow the appropriate article to prepare yourself an installation medium from the chosen image.
Boot the live environment
- Point the current boot device to the one which has the Arch Linux installation medium. Typically it is achieved by pressing a key during the POST phase, as indicated on the splash screen. Refer to your motherboard’s manual for details.
- When the installation medium’s boot loader menu appears, select Arch Linux install medium and press Enter to enter the installation environment.
To switch to a different console—for example, to view this guide with Lynx alongside the installation—use the Alt+arrow shortcut. To edit configuration files, mcedit(1), nano and vim are available. See packages.x86_64 for a list of the packages included in the installation medium.
Set the console keyboard layout
The default console keymap is US. Available layouts can be listed with:
To modify the layout, append a corresponding file name to loadkeys(1), omitting path and file extension. For example, to set a German keyboard layout:
Console fonts are located in /usr/share/kbd/consolefonts/ and can likewise be set with setfont(8).
Verify the boot mode
To verify the boot mode, list the efivars directory:
If the command shows the directory without error, then the system is booted in UEFI mode. If the directory does not exist, the system may be booted in BIOS (or CSM) mode. If the system did not boot in the mode you desired, refer to your motherboard’s manual.
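The directory check above only tells UEFI from BIOS. The script below is an added example, not part of the installation guide, that also reads the SecureBoot and SetupMode variables the firmware exposes in the same efivars directory; the SetupMode value matters later if you plan to enrol your own Secure Boot keys, because a firmware that is not in setup mode still holds a Platform Key and will not accept new ones. It assumes the efivarfs file layout (a 4-byte attribute word followed by the variable data) and the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c; every function accepts an alternative directory so the logic can be exercised on a constructed fixture instead of the live system.

```shell
#!/bin/sh
# Added example: report boot mode and Secure Boot state from efivarfs.
# Each function takes an optional efivars directory so the logic can be run
# against a constructed fixture instead of the live /sys/firmware/efi/efivars.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # owner GUID of SecureBoot/SetupMode

boot_mode() {
    # Prints "UEFI" when the efivars directory exists, otherwise "BIOS".
    if [ -d "${1:-/sys/firmware/efi/efivars}" ]; then echo UEFI; else echo BIOS; fi
}

efivar_first_byte() {
    # $1: efivars directory, $2: variable name. Prints the first data byte (decimal).
    # efivarfs files start with a 4-byte attribute word; the variable data follows it.
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

secure_boot_state() {
    # Prints one of: not-uefi, unknown, setup-mode, enabled, disabled.
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo not-uefi; return 0; }
    sb=$(efivar_first_byte "$dir" SecureBoot) || { echo unknown; return 0; }
    sm=$(efivar_first_byte "$dir" SetupMode) || sm=0
    if [ "$sm" = 1 ]; then
        echo setup-mode      # no Platform Key enrolled: the firmware accepts new keys
    elif [ "$sb" = 1 ]; then
        echo enabled         # image signatures are enforced at boot
    else
        echo disabled
    fi
}

make_fake_efivars() {
    # Constructed fixture (not real firmware data): $1 = directory to populate,
    # $2 = SecureBoot byte, $3 = SetupMode byte. Attribute word NV|BS|RT = 0x07.
    mkdir -p "$1"
    for pair in "SecureBoot:$2" "SetupMode:$3"; do
        name=${pair%%:*}; val=${pair#*:}
        { printf '\007\000\000\000'; printf "\\$(printf '%03o' "$val")"; } \
            > "$1/$name-$EFI_GLOBAL_GUID"
    done
}

# Stand-alone run against the live system (harmless on a BIOS machine).
echo "boot mode: $(boot_mode)"
echo "secure boot: $(secure_boot_state)"
```

On the live installation medium the two echo lines at the end report the real state; the fixture writer exists only so the decoding can be tested without firmware access.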
Connect to the internet
To set up a network connection in the live environment, go through the following steps:
- Ensure your network interface is listed and enabled, for example with ip-link(8):
- For wireless and WWAN, make sure the card is not blocked with rfkill.
- Connect to the network:
- Ethernet—plug in the cable.
- Wi-Fi—authenticate to the wireless network using iwctl.
- Mobile broadband modem—connect to the mobile network with the mmcli utility.
- Configure your network connection:
- DHCP: dynamic IP address and DNS server assignment (provided by systemd-networkd and systemd-resolved) should work out of the box for Ethernet, WLAN and WWAN network interfaces.
- Static IP address: follow Network configuration#Static IP address.
- The connection may be verified with ping:
Update the system clock
Use timedatectl(1) to ensure the system clock is accurate:
To check the service status, use timedatectl status.
Partition the disks
When recognized by the live system, disks are assigned to a block device such as /dev/sda, /dev/nvme0n1 or /dev/mmcblk0. To identify these devices, use lsblk or fdisk.
Results ending in rom, loop or airoot may be ignored.
The following partitions are required for a chosen device:
If you want to create any stacked block devices for LVM, system encryption or RAID, do it now.
Use fdisk or parted to modify partition tables. For example:
Example layouts
Mount point | Partition | Partition type | Suggested size
---|---|---|---
[SWAP] | /dev/swap_partition | Linux swap | More than 512 MiB
/mnt | /dev/root_partition | Linux | Remainder of the device

Mount point | Partition | Partition type | Suggested size
---|---|---|---
/mnt/boot or /mnt/efi ¹ | /dev/efi_system_partition | EFI system partition | At least 260 MiB
[SWAP] | /dev/swap_partition | Linux swap | More than 512 MiB
/mnt | /dev/root_partition | Linux x86-64 root (/) | Remainder of the device

¹ /mnt/efi should only be considered if the used boot loader is capable of loading the kernel and initramfs images from the root volume. See the warning in Arch boot process#Boot loader.
Format the partitions
Once the partitions have been created, each newly created partition must be formatted with an appropriate file system. For example, to create an Ext4 file system on /dev/root_partition, run:
If you created a partition for swap, initialize it with mkswap(8) :
Mount the file systems
Mount the root volume to /mnt. For example, if the root volume is /dev/root_partition:
Create any remaining mount points (such as /mnt/efi) using mkdir(1) and mount their corresponding volumes.
If you created a swap volume, enable it with swapon(8) :
genfstab(8) will later detect mounted file systems and swap space.
Installation
Select the mirrors
Packages to be installed must be downloaded from mirror servers, which are defined in /etc/pacman.d/mirrorlist. On the live system, after connecting to the internet, reflector updates the mirror list by choosing the 20 most recently synchronized HTTPS mirrors and sorting them by download rate.[2]
The higher a mirror is placed in the list, the more priority it is given when downloading a package. You may want to inspect the file to see if it is satisfactory. If it is not, edit the file accordingly, and move the geographically closest mirrors to the top of the list, although other criteria should be taken into account.
This file will later be copied to the new system by pacstrap, so it is worth getting right.
Install essential packages
Use the pacstrap(8) script to install the base package, Linux kernel and firmware for common hardware:
The base package does not include all tools from the live installation, so installing other packages may be necessary for a fully functional base system. In particular, consider installing:
- userspace utilities for the management of file systems that will be used on the system,
- utilities for accessing RAID or LVM partitions,
- specific firmware for other devices not included in linux-firmware (e.g. sof-firmware for sound cards),
- software necessary for networking,
- a text editor,
- packages for accessing documentation in man and info pages: man-db, man-pages and texinfo.
To install other packages or package groups, append the names to the pacstrap command above (space separated) or use pacman while chrooted into the new system. For comparison, packages available in the live system can be found in packages.x86_64.
Configure the system
Fstab
Generate an fstab file (use -U or -L to define by UUID or labels, respectively):
Check the resulting /mnt/etc/fstab file, and edit it in case of errors.
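What "check it for errors" means in practice is easy to automate. The script below is an added example, not part of the guide, that flags the fstab mistakes most likely to leave the new system unbootable or mounting the wrong disk: a wrong field count, a source given as a kernel device node such as /dev/sda2 instead of the UUID= or LABEL= form that genfstab -U or -L produces, a mount point that is not an absolute path, the same mount point listed twice, and a non-zero fsck pass on a swap entry. The two fstab files it writes for its own self-test are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example: sanity-check an fstab before the first reboot.

check_fstab() {
    # $1: path to an fstab. Prints one problem per line; exit status 1 if any were found.
    awk '
        function problem(msg) { print FILENAME ":" FNR ": " msg; bad = 1 }
        BEGIN { bad = 0 }
        $1 == "" || $1 ~ /^#/ { next }               # blank line or comment
        NF != 6 { problem("expected 6 fields, found " NF); next }
        $1 ~ /^\/dev\// {
            problem("source " $1 " is a kernel device name; prefer UUID= or LABEL= (genfstab -U/-L)")
        }
        $2 != "none" && $2 !~ /^\// {
            problem("mount point " $2 " is not an absolute path")
        }
        $2 != "none" && seen[$2]++ {
            problem("mount point " $2 " appears more than once")
        }
        $3 == "swap" && $6 != "0" {
            problem("swap entries must use fsck pass 0, found " $6)
        }
        END { exit bad }
    ' "$1"
}

write_sample_fstabs() {
    # Constructed fixtures, $1 = directory: one correct fstab and one with mistakes.
    # The UUIDs are placeholders, not values from a real machine.
    mkdir -p "$1"
    printf '%s\n' \
        '# /dev/root_partition' \
        'UUID=11111111-2222-3333-4444-555555555555 / ext4 rw,relatime 0 1' \
        '# /dev/efi_system_partition' \
        'UUID=ABCD-EF01 /boot vfat rw,relatime,fmask=0022,dmask=0022 0 2' \
        '# /dev/swap_partition' \
        'UUID=66666666-7777-8888-9999-000000000000 none swap defaults 0 0' \
        > "$1/fstab.good"
    printf '%s\n' \
        '/dev/sda2 / ext4 rw,relatime 0 1' \
        'UUID=ABCD-EF01 /boot vfat rw 0 2' \
        'UUID=ABCD-EF02 boot vfat rw 0 2' \
        '/dev/sda3 none swap defaults 0 1' \
        'UUID=ABCD-EF01 /boot vfat rw 0' \
        'UUID=ABCD-EF03 /boot vfat rw 0 2' \
        > "$1/fstab.bad"
}

# Stand-alone run on the constructed fixtures.
tmp=$(mktemp -d)
write_sample_fstabs "$tmp"
check_fstab "$tmp/fstab.good" && echo "fstab.good: no problems found"
check_fstab "$tmp/fstab.bad" || echo "fstab.bad: problems found (listed above)"
rm -rf "$tmp"
```

On the installation medium, run check_fstab /mnt/etc/fstab right after genfstab; a device-name finding is the one most worth acting on, because kernel device names can change between boots while UUIDs and labels do not.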
Chroot
Change root into the new system:
Time zone
Run hwclock(8) to generate /etc/adjtime:
This command assumes the hardware clock is set to UTC. See System time#Time standard for details.
Localization
Edit /etc/locale.gen and uncomment en_US.UTF-8 UTF-8 and other needed locales. Generate the locales by running:
Network configuration
Add matching entries to hosts(5) :
If the system has a permanent IP address or a fully qualified domain name, see the example in Network configuration#Local hostname resolution.
Complete the network configuration for the newly installed environment; this may include installing suitable network management software.
Initramfs
Creating a new initramfs is usually not required, because mkinitcpio was run on installation of the kernel package with pacstrap.
For LVM, system encryption or RAID, modify mkinitcpio.conf(5) and recreate the initramfs image:
Root password
Boot loader
Choose and install a Linux-capable boot loader. If you have an Intel or AMD CPU, enable microcode updates in addition.
Reboot
Exit the chroot environment by typing exit or pressing Ctrl+d.
Optionally, manually unmount all the partitions with umount -R /mnt: this allows noticing any "busy" partitions and finding the cause with fuser(1).
Finally, restart the machine by typing reboot: any partitions still mounted will be automatically unmounted by systemd. Remember to remove the installation medium and then log in to the new system with the root account.
Post-installation
See General recommendations for system management directions and post-installation tutorials (like creating unprivileged user accounts, setting up a graphical user interface, sound or a touchpad).
For a list of applications that may be of interest, see List of applications.
Arch Linux
#1 2014-12-14 16:07:11
UEFI Secure boot with custom keys
I nearly won this fight already but when it's all done something is broken.
- Custom keys generated
- installed in efi firmware
- boot entries added
And signature verification fails. I need some help.
My approach is based on self-signed bootable efi kernel how-to from Greg.
So this is what I have done:
1. Boot into efi setup and clear secure boot keys. This is mandatory step!
2. This script creates PK, KEK and db keys and installs them. Installation will fail if old keys are present in firmware.
3. Signed kernel:
4. Added boot entries to efi:
5. Verified signature:
Now I can reboot the machine and boot directly into the kernel if secure boot is disabled. No bootloader needed. But if I turn secure boot on, the kernel image is rejected because signature verification fails. WHYYYY. :\
Does anyone know how I could maybe verify the kernel image against the installed keys? They seem to be available at /sys/firmware/efi/(efi)?vars. Not sure what else I could try..
P.S. CPU: AMD FX-8350, Motherboard: Asus Sabertooth FX990 R2.0. If it matters..
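The question of checking a signed image against the keys the firmware actually holds can be answered, at least for the certificate half, without any extra tooling. The script below is an added example written for this thread; it is not code from any of the posters. It reads the db variable from efivars, walks the EFI_SIGNATURE_LIST structures inside it, and prints the SHA-256 of every X.509 certificate enrolled, so the certificate used for signing can be compared with what is actually in db. It assumes the efivarfs layout (4-byte attribute word, then the variable data), the standard db GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f and EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, a little-endian host (od decodes integers in host order), and that the local certificate is available in DER form (openssl x509 -in db.crt -outform der -out db.der converts a PEM file). The fixture it builds for its self-test uses a constructed 16-byte placeholder in place of a real DER certificate and a made-up owner GUID.

```shell
#!/bin/sh
# Added example: list the X.509 certificates enrolled in the UEFI "db" variable
# and check whether a given DER certificate is among them. POSIX sh plus od/dd.
# Assumes a little-endian host (od -tu4 decodes in host byte order).

EFI_IMAGE_SECURITY_DATABASE_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f   # db / dbx owner GUID
EFI_CERT_X509_GUID=a5c059a1-94e4-4aa7-87b5-ab155c2bf072                 # SignatureType for DER certs

u32_at() {  # $1 file, $2 byte offset -> unsigned 32-bit integer stored there
    od -An -tu4 -j"$2" -N4 "$1" | tr -d ' \n'
}

guid_at() {  # $1 file, $2 byte offset -> GUID in canonical text form
    f=$1; o=$2
    set -- $(od -An -tx1 -j"$o" -N16 "$f")
    # Data1, Data2 and Data3 are little-endian; the last 8 bytes are in order.
    printf '%s%s%s%s-%s%s-%s%s-%s%s-%s%s%s%s%s%s\n' \
        "$4" "$3" "$2" "$1" "$6" "$5" "$8" "$7" "$9" "${10}" \
        "${11}" "${12}" "${13}" "${14}" "${15}" "${16}"
}

list_db_certs() {
    # $1: efivars file for db. Prints the SHA-256 of every X.509 DER blob it holds.
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    off=4                                    # skip the 4-byte attribute word
    while [ "$off" -lt "$size" ]; do
        type=$(guid_at "$f" "$off")          # EFI_SIGNATURE_LIST.SignatureType
        lsize=$(u32_at "$f" $((off + 16)))   # SignatureListSize (whole list)
        hsize=$(u32_at "$f" $((off + 20)))   # SignatureHeaderSize (0 for X.509)
        ssize=$(u32_at "$f" $((off + 24)))   # SignatureSize = 16-byte owner + data
        [ "$lsize" -gt 28 ] && [ "$ssize" -gt 16 ] || return 2   # malformed list
        sig=$((off + 28 + hsize))
        end=$((off + lsize))
        while [ "$sig" -lt "$end" ]; do
            if [ "$type" = "$EFI_CERT_X509_GUID" ]; then
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner, then the DER certificate
                dd if="$f" bs=1 skip=$((sig + 16)) count=$((ssize - 16)) 2>/dev/null \
                    | sha256sum | cut -d' ' -f1
            fi
            sig=$((sig + ssize))
        done
        off=$end
    done
}

db_contains_cert() {
    # $1: efivars db file, $2: certificate in DER form. Exit 0 if that exact cert is enrolled.
    want=$(sha256sum < "$2" | cut -d' ' -f1)
    list_db_certs "$1" | grep -qx "$want"
}

hex2bin() {  # write the hex string $1 as raw bytes
    h=$1
    while [ -n "$h" ]; do
        printf "\\$(printf '%03o' "$((0x$(printf '%.2s' "$h")))")"
        h=${h#??}
    done
}

make_fake_db() {
    # Constructed fixture, $1 = directory: one X.509 signature list holding a single
    # 16-byte placeholder "certificate" (the ASCII string CONSTRUCTED-CERT).
    mkdir -p "$1"
    {
        hex2bin 07000000                             # attributes NV|BS|RT
        hex2bin a159c0a5e494a74a87b5ab155c2bf072     # EFI_CERT_X509_GUID, on-disk byte order
        hex2bin 3c000000                             # SignatureListSize = 28 + 32 = 60
        hex2bin 00000000                             # SignatureHeaderSize = 0
        hex2bin 20000000                             # SignatureSize = 16 + 16 = 32
        hex2bin 78563412341234121234123456789abc     # SignatureOwner GUID (made up)
        printf 'CONSTRUCTED-CERT'                    # placeholder for the DER data
    } > "$1/db-$EFI_IMAGE_SECURITY_DATABASE_GUID"
}

# Stand-alone run: list what the live firmware has enrolled, if efivars is mounted.
live="/sys/firmware/efi/efivars/db-$EFI_IMAGE_SECURITY_DATABASE_GUID"
[ -r "$live" ] && list_db_certs "$live" || true
```

On a real system, compare list_db_certs output with sha256sum db.der for the certificate that signed the image: a match confirms the firmware holds that certificate; a missing hash means enrolment did not take, which is a different failure from a bad signature on the image itself.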
#2 2014-12-14 19:25:01
Re: UEFI Secure boot with custom keys
do it good first, it will be faster than do it twice the saint
#3 2014-12-14 19:58:10
Re: UEFI Secure boot with custom keys
No, that slipped past me. Although it looks like pretty much what I have done except for inserting keys, which I did from within the OS. I am pretty sure inserting keys worked because if keys were present in firmware I could not insert new ones, so I had to reboot and clear them. I could see no keys in firmware then, and after booting into the OS, generating new keys and inserting them (and signing the kernel with the new key ofc) I could see keys being present in firmware again. So that worked.
#4 2014-12-15 05:45:23
Re: UEFI Secure boot with custom keys
I can’t get you clear. Does it work now?
do it good first, it will be faster than do it twice the saint
#5 2014-12-15 12:49:43
Re: UEFI Secure boot with custom keys
No. What I was trying to say is that the only difference between what I did and what that page instructs was the procedure of adding keys to firmware. Though my procedure adds keys too, because I can see the firmware saying keys loaded, while before adding keys it was saying that keys are not loaded. Not sure if I messed up with keys or what.
#6 2014-12-15 13:44:12
Re: UEFI Secure boot with custom keys
This reply is a little off topic, but I fail to understand the real purpose of all of this. If you sign an Archlinux kernel and enable secure boot, you will still be able to kexec an unsigned kernel with it (or load evil modules). So you end up in a system that has the same security as a system without secure boot: an evil malware could choose to start whatever kernel it wants by kexec-ing it from the signed Archlinux kernel. Simple tricks such as recompiling the kernel without kexec won’t really change anything since a custom evil module can still be loaded. Simply disabling secure boot is much easier than all of this for the same security.
Moreover, I really have to think hard to find a situation where this secure boot really increases security.
Last edited by olive (2014-12-15 13:51:41)
#7 2014-12-15 14:35:28
Re: UEFI Secure boot with custom keys
FWIW I have tried the method linked by @TheSaint and successfully generated a signed kernel image with my own keys and loaded those keys to my motherboard’s firmware and it still wouldn’t boot the signed image.
I gave up and attributed this to my crappy firmware (it does not retain NVRAM entries consistently).
#8 2014-12-15 15:50:07
Re: UEFI Secure boot with custom keys
@novist
There’s a little quirk on point 4 (Added boot entries to efi), usually is rw mode. But I suppose you’re not getting there yet.
One more point is that you should care about your initcpio like
That’s also mentioned in that blog you posted above. And probably the modules should be signed too.
One more question, why did you increase rsa to 4096 ?
The blog and my link use only 2048 words encryption.
do it good first, it will be faster than do it twice the saint