sabayon boot # ls
bzImage efi grub initramfs-genkernel-x86_64-4.8.0-sabayon initramfs-genkernel-x86_64-4.9.0-sabayon Initrd kernel-genkernel-x86_64-4.8.0-sabayon kernel-genkernel-x86_64-4.9.0-sabayon SecureBoot System.map-genkernel-x86_64-4.8.0-sabayon System.map-genkernel-x86_64-4.9.0-sabayon
The process is simple and works like this: you boot a UEFI-compatible Sabayon ISO image off DVD or USB; if SecureBoot is turned on, shim will launch MokManager, which you can use to enroll our distro key, called sabayon.der and available on our image under the “SecureBoot” directory. Once you have enrolled the key, on some systems you’re forced to reboot (I had to on my shiny new Asus Zenbook UX32VD), but then the magic happens.
There is a tricky part, however. Due to the way GRUB2 .efi images are generated (at install time, with settings depending on your partition layout and platform details), I have been forced to implement a nasty way to ensure that SecureBoot can still accept such platform-dependent images: our installer, Anaconda, now generates a hardware-specific SecureBoot keypair (private and public key); then our modified grub2-install version automatically signs every .efi image it generates with that key, which is placed into the EFI Boot Partition under EFI/boot/sabayon, ready to be enrolled by shim at the next boot.
This is sub-optimal, but after several days of messing around, it turned out that it’s the most reliable, cleanest and easiest way to support SecureBoot after install without disclosing the private key we use to sign our install media. Another advantage is that our distro keypair, once enrolled, will allow any Sabayon image to boot, while we still allow full control over the installed system to our users (by generating a platform-specific private key at install time).
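As an added example (not code from the post or from Sabayon's installer/grub2-install), here is a small Python check that reads the PE/COFF certificate table of a .efi image and reports whether it carries an Authenticode signature entry at all, which is the kind of audit one runs over the ESP after an install like the one described above. The test image it builds is a constructed, non-bootable PE32+ stub; the check only reports presence and length of certificate entries and does not validate the signature chain (that remains shim's job).

```python
"""Check whether an EFI PE/COFF image carries an Authenticode certificate table."""
import struct

SECURITY_DIR = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def signature_info(data: bytes) -> dict:
    """Return {'signed': bool, 'certs': [(cert_type, length), ...]} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                                  # skip COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32PLUS_MAGIC:
        dirs_off = opt_off + 112
    elif magic == PE32_MAGIC:
        dirs_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= SECURITY_DIR:
        return {"signed": False, "certs": []}
    # Unlike other directories, the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return {"signed": False, "certs": []}
    certs, end = [], off + size
    while off + 8 <= end:                                      # walk WIN_CERTIFICATE entries
        length, _revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8:
            break
        certs.append((ctype, length))
        off += (length + 7) & ~7                               # entries are 8-byte aligned
    return {"signed": bool(certs), "certs": certs}

def make_test_image(cert_blob: bytes = b"") -> bytes:
    """Build a constructed, minimal PE32+ stub (not bootable) with an optional certificate table."""
    img = bytearray(328)                                       # headers only, no sections
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 64)                      # e_lfanew -> PE header at 64
    img[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte opt hdr
    struct.pack_into("<H", img, 88, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, 88 + 108, 16)                  # NumberOfRvaAndSizes
    if cert_blob:
        length = 8 + len(cert_blob)
        struct.pack_into("<II", img, 88 + 112 + 8 * SECURITY_DIR, len(img), length)
        img += struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    return bytes(img)
```

On a real system, pass the bytes of each image under the ESP (for example the files under EFI/boot) to signature_info and flag any that report signed as False.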