Photon OS and UEFI Secure Boot - dcasota/photonos-scripts GitHub Wiki
The UEFI firmware on motherboards includes Secure Boot functionality: when it is enabled, the firmware only executes boot loader files whose embedded digital signature chains to a certificate in the signature database (or whose hash is listed there) and which are not listed in the forbidden database. The activation of UEFI Secure Boot in Photon OS isn't documented, so here is a research attempt.
Secure Boot implementations use these keys:
- Platform Key (PK): top-level key; it authorizes updates to the KEK.
- Key Exchange Key (KEK): keys used to sign updates to the Signature Database and the Forbidden Signatures Database.
- Signature Database (db): contains certificates and/or hashes of allowed EFI binaries.
- Forbidden Signatures Database (dbx): contains certificates and/or hashes of denylisted EFI binaries.
See The Meaning of all the UEFI Keys for a more detailed explanation.
To use Secure Boot you need at least PK, KEK and db keys. While you can add multiple KEK, db and dbx certificates, only one Platform Key is allowed.
The warning in [3] is crucial: replacing the firmware's keys with your own can brick some machines (see also the Lenovo forum thread under unsorted below), and the physical system here is a Lenovo laptop with Windows 11.
As a first step, I've created a virtual machine on VMware Workstation with UEFI Boot (unencrypted disk, no TPM).
Let's look at the EFI variable GUIDs that efivar knows about. Note that efivar --list-guids prints efivar's built-in table of well-known GUIDs (vendors, signature and hash types, the global and image-security variable namespaces), not the variables actually present on this system; those are listed with efivar --list or ls /sys/firmware/efi/efivars.

```bash
tdnf install -y efivar
efivar --list-guids
```

Output:

```
{00000000-0000-0000-0000-000000000000} {zero} efi_guid_zero zeroed sentinel guid
{0223eddb-9079-4388-af77-2d65b1c35d3b} {redhat} efi_guid_redhat Red Hat
{093e0fae-a6c4-4f50-9f1b-d41e2b89c19a} {sha512} efi_guid_sha512 SHA-512 hash
{0abba7dc-e516-4167-bbf5-4d9d1c739416} {fwupdate} efi_guid_fwupdate Linux Firmware Update Tool
{0b6e5233-a65c-44c9-9407-d9ab83bfc8bd} {sha224} efi_guid_sha224 SHA-224 hash
{126a762d-5758-4fca-8531-201a7f57f850} {lenovo_boot_menu} efi_guid_lenovo_boot_menu Lenovo Boot Menu
{26dc4851-195f-4ae1-9a19-fbf883bbb35e} {supermicro} efi_guid_supermicro Super Micro
{3b053091-6c9f-04cc-b1ac-e2a51e3be5f5} {asus} efi_guid_asus Asus
{3b8c8162-188c-46a4-aec9-be43f1d65697} {ux_capsule} efi_guid_ux_capsule Firmware update localized text image
{3bd2a492-96c0-4079-b420-fcf98ef103ed} {x509_sha256} efi_guid_x509_sha256 SHA-256 hash of X.509 Certificate
{3c5766e8-269c-4e34-aa14-ed776e85b3b6} {rsa2048} efi_guid_rsa2048 RSA 2048 pubkey
{3cc24e96-22c7-41d8-8863-8e39dcdcc2cf} {lenovo} efi_guid_lenovo Lenovo
{3f7e615b-0d45-4f80-88dc-26b234958560} {lenovo_diag} efi_guid_lenovo_diag Lenovo Diagnostics
{446dbf63-2502-4cda-bcfa-2465d2b0fe9d} {x509_sha512} efi_guid_x509_sha512 SHA-512 hash of X.509 Certificate
{452e8ced-dfff-4b8c-ae01-5118862e682c} {external_management} efi_guid_external_management External Management Mechanism
{4aafd29d-68df-49ee-8aa9-347d375665a7} {pkcs7_cert} efi_guid_pkcs7_cert PKCS7 Certificate
{55555555-5555-5555-5555-555555555555} {fives} efi_guid_fives All Fives Test Data
{605dab50-e046-4300-abb6-3dd810dd8b23} {shim} efi_guid_shim shim
{665d3f60-ad3e-4cad-8e26-db46eee9f1b5} {lenovo_rescue} efi_guid_lenovo_rescue Lenovo Rescue and Recovery
{67f8444f-8743-48f1-a328-1eaab8736080} {rsa2048_sha1} efi_guid_rsa2048_sha1 RSA-2048 signature of a SHA-1 hash
{6dc40ae4-2ee8-9c4c-a314-0fc7b2008710} {canonical} efi_guid_canonical Canonical
{70564dce-9afc-4ee3-85fc-949649d7e45c} {dell} efi_guid_dell Dell
{7076876e-80c2-4ee6-aad2-28b349a6865b} {x509_sha384} efi_guid_x509_sha384 SHA-384 hash of X.509 Certificate
{721c8b66-426c-4e86-8e99-3457c46ab0b9} {lenovo_setup} efi_guid_lenovo_setup Lenovo Firmware Setup
{77fa9abd-0359-4d32-bd60-28f4e78f784b} {microsoft} efi_guid_microsoft Microsoft
{7facc7b6-127f-4e9c-9c5d-080f98994345} {lenovo_2} efi_guid_lenovo_2 Lenovo
{8108ac4e-9f11-4d59-850e-e21a522c59b2} {auto_created_boot_option} efi_guid_auto_created_boot_option Automatically Created Boot Option
{826ca512-cf10-4ac9-b187-be01496631bd} {sha1} efi_guid_sha1 SHA-1
{82988420-7467-4490-9059-feb448dd1963} {lenovo_me_config} efi_guid_lenovo_me_config Lenovo ME Configuration Menu
{8be4df61-93ca-11d2-aa0d-00e098032b8c} {global} efi_guid_global EFI Global Variable
{91376aff-cba6-42be-949d-06fde81128e8} {grub} efi_guid_grub GRUB
{a5c059a1-94e4-4aa7-87b5-ab155c2bf072} {x509_cert} efi_guid_x509_cert X.509 Certificate
{a7717414-c616-4977-9420-844712a735bf} {rsa2048_sha256_cert} efi_guid_rsa2048_sha256_cert RSA-2048 key with SHA-256 Certificate
{a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380} {lenovo_diag_splash} efi_guid_lenovo_diag_splash Lenovo Diagnostic Splash Screen
{bc7838d2-0f82-4d60-8316-c068ee79d25b} {lenovo_msg} efi_guid_lenovo_msg Lenovo Vendor Message Device
{c1c41626-504c-4092-aca9-41f936934328} {sha256} efi_guid_sha256 SHA-256
{c57ad6b7-0515-40a8-9d21-551652854e37} {shell} efi_guid_shell EFI Shell
{d719b2cb-3d3a-4596-a3bc-dad00e67656f} {security} efi_guid_security EFI Security Database
{e2b36190-879b-4a3d-ad8d-f2e7bba32784} {rsa2048_sha256} efi_guid_rsa2048_sha256 RSA-2048 signature of a SHA-256 hash
{f46ee6f4-4785-43a3-923d-7f786c3c8479} {lenovo_startup_interrupt} efi_guid_lenovo_startup_interrupt Lenovo Startup Interrupt Menu
{ff3e5307-9fd0-48c9-85f1-8ad56c701e01} {sha384} efi_guid_sha384 SHA-384
```
Actually, I've found two options for setting up secure boot:
- Set up secure boot with systemd-ukify
- Set up secure boot with sbctl
Set up secure boot with systemd
Photon OS uses systemd, and for the moment the systemd developers are heavily updating their ukify functionality (ukify builds a unified kernel image, i.e. kernel, initrd and command line in one PE file that can be signed as a whole). See e.g. https://github.com/systemd/systemd/commit/75ee025c5de5d753dc1d8a28f8780247f5a887ae
Set up secure boot with sbctl
sbctl [A] is a user-friendly way of setting up secure boot and signing files. On Photon OS 5 there is no package, so here is a recipe to build and install the tool from source.
```bash
# a2x is missing in Photon OS' asciidoc3 package but is a prerequisite for building sbctl's man pages.
# Use the python setup of asciidoc, which contains a2x.
tdnf install -y python3-pip docbook-xsl
pip3 install asciidoc
# build dependencies for sbctl (a Go project)
tdnf install -y go util-linux binutils libxslt tar build-essential git
VERSION=0.16
# the release tarball is streamed straight into tar, so only the extracted source tree lands on disk
curl -L "https://github.com/Foxboron/sbctl/releases/download/${VERSION}/sbctl-${VERSION}.tar.gz" | tar zxvf -
cd "sbctl-${VERSION}"
make
make install
cd ..
# cleanup: remove the source tree and the build-only packages
rm -rf "sbctl-${VERSION}"
pip3 uninstall -y asciidoc
tdnf remove -y go docbook-xsl tar build-essential git
```
Check the sbctl status and whether any keys are enrolled.

```bash
# check sbctl status
sbctl status
```

```
Installed: ✗ sbctl is not installed
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft builtin-db builtin-db builtin-PK
```
List the enrolled keys.

```bash
sbctl list-enrolled-keys
```

```
DB:
VMware Secure Boot Signing
Microsoft Corporation Third Party Marketplace Root
Microsoft Root Certificate Authority 2010
Microsoft Root Certificate Authority 2010
Microsoft RSA Devices Root CA 2021
PK:
KEK:
Microsoft RSA Devices Root CA 2021
Microsoft Corporation Third Party Marketplace Root
```

You see that sbctl is not installed (it has no keys of its own yet), Secure Boot is disabled, and there are pre-existing keys in db and KEK, e.g. the VMware Secure Boot Signing certificate and the Microsoft CAs that come with the VMware Workstation installation. Note also that the PK section is printed empty even though the status reports Setup Mode as disabled; per the UEFI specification a firmware without a Platform Key is in Setup Mode, so either sbctl could not display the PK or the two outputs are inconsistent, and it is worth reading the PK and SetupMode variables directly rather than relying on the summary.
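To check that point directly, here is an added example (not part of the original page and not sbctl's own code) that reads the SecureBoot and SetupMode flags from efivarfs and parses the EFI_SIGNATURE_LIST chains that PK, KEK, db and dbx consist of, using only the Python standard library. The signature-type and namespace GUIDs are the ones from the efivar --list-guids output above. The sample db at the bottom is constructed data: the owner GUID is the one sbctl prints further down, the 64-byte "certificate" is a placeholder and the two hashes are made up, so the script runs offline and only touches the live variables when /sys/firmware/efi/efivars exists.

```python
"""Read Secure Boot variables from efivarfs and parse the EFI_SIGNATURE_LIST chains in PK/KEK/db/dbx."""
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs, the same ones efivar --list-guids prints above
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Variable namespaces: PK, KEK, SecureBoot and SetupMode live in the global one, db and dbx in the security one
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFIVARS = Path("/sys/firmware/efi/efivars")

def read_efivar(name, guid, root=EFIVARS):
    """Return (attributes, data) of one efivarfs variable; the file starts with a 4-byte attribute bitmask."""
    raw = (root / f"{name}-{guid}").read_bytes()
    attrs, = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]

def boot_flags(root=EFIVARS):
    """SecureBoot and SetupMode are single-byte variables: 1 means enabled / in Setup Mode."""
    return {name: read_efivar(name, EFI_GLOBAL_VARIABLE, root)[1][:1] == b"\x01"
            for name in ("SecureBoot", "SetupMode")}

def parse_signature_lists(data):
    """Yield (signature_type, owner, payload) for every EFI_SIGNATURE_DATA in a chain of EFI_SIGNATURE_LISTs.

    EFI_SIGNATURE_LIST = SignatureType GUID (16) | SignatureListSize u32 | SignatureHeaderSize u32 |
                         SignatureSize u32 | header[SignatureHeaderSize] | entries, each: owner GUID (16) | data
    """
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])       # EFI_GUID is mixed-endian, hence bytes_le
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16 or (list_size - 28 - hdr_size) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def describe(data):
    """One line per entry, roughly what sbctl list-enrolled-keys shows, but without X.509 parsing."""
    lines = []
    for sig_type, owner, payload in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            what = "x509 cert, sha256 fingerprint " + hashlib.sha256(payload).hexdigest()
        elif sig_type == EFI_CERT_SHA256_GUID:
            what = "sha256 hash " + payload.hex()
        else:
            what = f"type {sig_type}, {len(payload)} bytes"
        lines.append(f"owner={owner} {what}")
    return lines

def build_signature_list(sig_type, owner, payloads):
    """Inverse of the parser; used here only to construct sample data."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries of one EFI_SIGNATURE_LIST must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample db: the owner GUID sbctl printed, a fake 64-byte "certificate" and two made-up hashes
SAMPLE_OWNER = uuid.UUID("92663692-3f39-4adc-932d-538281fdb38c")
SAMPLE_HASHES = [hashlib.sha256(b"bootx64.efi").digest(), hashlib.sha256(b"grubx64.efi").digest()]
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82" + b"\x00" * 62])
             + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES))

if __name__ == "__main__":
    for line in describe(SAMPLE_DB):
        print(line)
    if EFIVARS.is_dir():                                         # on a real UEFI system, read the live variables
        print(boot_flags())
        for name, ns in (("PK", EFI_GLOBAL_VARIABLE), ("KEK", EFI_GLOBAL_VARIABLE),
                         ("db", EFI_IMAGE_SECURITY_DATABASE), ("dbx", EFI_IMAGE_SECURITY_DATABASE)):
            try:
                _, var = read_efivar(name, ns)
            except FileNotFoundError:
                print(f"{name}: not present (an absent PK means Setup Mode)")
                continue
            print(f"{name}:")
            for line in describe(var):
                print("  " + line)
```

The parser rejects truncated or inconsistent lists instead of silently stopping, which matters when the input comes from firmware NVRAM rather than from a tool; a missing PK file is reported as such, because that is exactly the Setup Mode condition the sbctl summary above glosses over.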
Set up secure boot with sbctl: a first attempt
Create keys.

```bash
sbctl create-keys
```

```
Created Owner UUID 92663692-3f39-4adc-932d-538281fdb38c
Creating secure boot keys...✓
Secure boot keys created!
```
The status has changed to installed:

```bash
sbctl status
```

```
Installed: ✓ sbctl is installed
Owner GUID: 92663692-3f39-4adc-932d-538281fdb38c
Setup Mode: ✓ Disabled
Secure Boot: ✗ Disabled
Vendor Keys: microsoft builtin-db builtin-db builtin-PK
```
Here is what's listed as enrolled keys:

```bash
sbctl list-enrolled-keys
```

```
KEK:
Microsoft RSA Devices Root CA 2021
Microsoft Corporation Third Party Marketplace Root
DB:
VMware Secure Boot Signing
Microsoft Corporation Third Party Marketplace Root
Microsoft Certificate Authority 2010
Microsoft RSA Devices Root CA 2021
PK:
```
Enroll keys. sbctl enroll-keys replaces PK, KEK and db with sbctl's own keys (its --microsoft option keeps Microsoft's certificates alongside them), and writing a new PK is only possible while the firmware is in Setup Mode.

```bash
sbctl enroll-keys
```

```
Your system is not in Setup Mode! Please reboot your machine and reset secure boot keys before attempting to enroll keys.
```

This does not seem possible, as the VMware Workstation firmware does not have an option to reset the Secure Boot keys.
Verify and sign the boot files.

```bash
sbctl verify
```

```
/boot/efi/EFI/BOOT/bootx64.efi is not signed
/boot/efi/EFI/BOOT/grubx64.efi is not signed
/boot/efi/EFI/BOOT/revocations.efi is not signed
```

```bash
sbctl sign /boot/efi/EFI/BOOT/bootx64.efi
sbctl sign /boot/efi/EFI/BOOT/grubx64.efi
sbctl sign /boot/efi/EFI/BOOT/revocations.efi
sbctl verify
```

```
/boot/efi/EFI/BOOT/bootx64.efi is signed
/boot/efi/EFI/BOOT/grubx64.efi is signed
/boot/efi/EFI/BOOT/revocations.efi is signed
```

Two caveats. sbctl verify reports whether a file carries a signature made with sbctl's own db key, so vendor-signed binaries also show up as "not signed" here; sbverify --list from sbsigntools (linked under unsorted below) prints every signature embedded in a PE file. And because sbctl's keys could not be enrolled, the signatures just added are not trusted by this firmware: with Secure Boot enabled on the existing VMware and Microsoft keys, a binary signed only with the sbctl key would be refused at boot.
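The files above are PE/COFF images, and both kinds of db/dbx entry refer to them in a specific way: an Authenticode signature is stored in the PE certificate table, and a hash entry in db or dbx is the Authenticode digest of the image, which skips the CheckSum field, the security data directory entry and the certificate table itself, so that signing a file does not change its digest. The following added example (not from the page and not sbctl's or sbsigntools' code; standard library only) lists the WIN_CERTIFICATE entries of a PE file and computes that digest. build_minimal_pe constructs a toy PE32+ image purely as sample data, and the blob it embeds is a placeholder, not real PKCS#7.

```python
"""Inspect a PE/COFF image such as grubx64.efi: list embedded Authenticode signatures and compute the
Authenticode SHA-256 digest, the value an EFI_CERT_SHA256 entry in db or dbx refers to (stdlib only)."""
import hashlib
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002      # what sbsign / sbctl sign append: a PKCS#7 SignedData blob

def _pe_layout(data):
    """File offsets of the fields Authenticode treats specially, plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                                             # optional header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                            # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                                          # PE32+ (x86_64 UEFI binaries)
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    nrva, = struct.unpack_from("<I", data, nrva_off)
    if nrva < 5:
        raise ValueError("no security data directory")
    sec_dir = dd_off + 4 * 8                                      # IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)  # a file offset, not an RVA
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    return {"checksum": opt + 64, "sec_dir": sec_dir, "cert_off": cert_off, "cert_size": cert_size,
            "size_of_headers": size_of_headers, "sections": opt + opt_size, "nsections": nsections}

def list_signatures(data):
    """Yield (revision, type, blob) for each WIN_CERTIFICATE in the certificate table."""
    lay = _pe_layout(data)
    pos, end = lay["cert_off"], lay["cert_off"] + lay["cert_size"]
    if end > len(data):
        raise ValueError("certificate table runs past the end of the file")
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("bad WIN_CERTIFICATE length")
        yield rev, ctype, data[pos + 8:pos + length]
        pos += (length + 7) & ~7                                  # entries are 8-byte aligned

def is_signed(data):
    return any(ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, ctype, _ in list_signatures(data))

def authenticode_sha256(data):
    """Authenticode digest: the file minus CheckSum, the security directory entry and the certificate
    table, with section raw data hashed in file-offset order. Appending a signature does not change it."""
    lay = _pe_layout(data)
    h = hashlib.sha256()
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["sec_dir"]])
    h.update(data[lay["sec_dir"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    sections = []
    for i in range(lay["nsections"]):                             # IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", data, lay["sections"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for ptr, size in sorted(sections):
        h.update(data[ptr:ptr + size])
        hashed += size
    extra = len(data) - hashed - lay["cert_size"]                 # trailing data that is not the cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()

def build_minimal_pe(signature_blobs=(), body=b"\x90" * 100):
    """Construct a tiny PE32+ with one .text section and an optional certificate table (sample data only)."""
    padded = body + b"\0" * (-len(body) % 8)
    opt_size = 112 + 16 * 8
    size_of_headers = 64 + 4 + 20 + opt_size + 40                 # DOS + "PE\0\0" + COFF + optional + 1 section
    cert_off = size_of_headers + len(padded)
    table = b""
    for blob in signature_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off if table else 0, len(table))
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(padded), size_of_headers,
                                        0, 0, 0, 0, 0x60000020)
    return dos + coff + bytes(opt) + sect + padded + table

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(path, "authenticode-sha256:", authenticode_sha256(data))
        for rev, ctype, blob in list_signatures(data):
            print(f"  WIN_CERTIFICATE revision={rev:#x} type={ctype:#x} {len(blob)} bytes")
```

Run it as python3 pe_sigs.py /boot/efi/EFI/BOOT/grubx64.efi (the script name is assumed) and compare the printed digest with the sha256 entries of db and dbx: a match in dbx means the firmware refuses the file no matter which signatures it carries, and a file that is "not signed" for sbctl may still list a vendor's WIN_CERTIFICATE entry here.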
Weblinks
Useful weblinks
[1] https://www.insanelymac.com/forum/topic/349530-guide-opencore-and-uefi-secure-boot-using-windows-subsystem-for-linux/
[2] https://medium.com/@umglurf/full-uefi-secure-boot-on-fedora-using-signed-initrd-and-systemd-boot-3ff2054593ab
[3] https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
[4] https://unix.stackexchange.com/questions/91620/efi-variables-are-not-supported-on-this-system
[5] https://uefi.org/press-release/uefi-forum-releases-uefi-211-specification-and-pi-19-specification-streamline-user
[6] https://uefi.org/specifications
Useful tools and threats
[A] https://github.com/Foxboron/sbctl
[B] https://github.com/ventoy/Ventoy/issues/2947
[C] https://github.com/rhboot/shim/issues/521
[D] https://archlinux.org/packages/core/x86_64/systemd-ukify/
[E] https://www.borncity.com/blog/2024/08/22/microsoft-uert-sich-zu-per-windows-august-2024-update-lahm-gelegtem-linux-boot/
unsorted
- https://forums.lenovo.com/t5/Other-Linux-Discussions/Reports-of-custom-secure-boot-keys-bricking-recent-X-P-and-T-series-laptops/m-p/5105571?page=3
- https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/about/
- https://gist.github.com/Zedeldi/7dd5dd5f2281e615ded9d87c565e2d80
- https://github.com/perez987/OpenCore-and-UEFI-Secure-Boot/blob/main/guide/Windows%20UEFI%20CA%202023.md
- https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_2
- https://interrupt.memfault.com/blog/comparing-fw-dev-envs