Secure Boot enroll-this.cer


Postby foszoe » Wed Mar 08, 2017 4:35

I have a Windows 10 laptop with Secure Boot enabled, UEFI.

I shrank the Windows Partition and ran the installer from the liveDVD.

On the /boot/efi partition I have a sabayon directory containing two files:

grubx64.efi and enroll-this.cer

I believe the enroll-this.cer contains the keys needed to validate the grubx64.efi.

When I select the boot from EFI file after powering the computer on, I get an error that indicates I am missing the secure boot keys required to boot from grubx64.efi.

How am I supposed to use the enroll-this.cer file to correct this?
foszoe
Baby Hen
 
Posts: 4
Joined: Wed Mar 08, 2017 4:26

Re: Secure Boot enroll-this.cer

Postby foszoe » Wed Mar 08, 2017 19:32

Today I ran the system update Rigo tool and upgraded the kernel using the kernel-switcher tool

While checking out my /boot directory I noticed another Directory

sabayon boot # ls
bzImage  efi  grub  initramfs-genkernel-x86_64-4.8.0-sabayon  initramfs-genkernel-x86_64-4.9.0-sabayon  Initrd  kernel-genkernel-x86_64-4.8.0-sabayon  kernel-genkernel-x86_64-4.9.0-sabayon  SecureBoot  System.map-genkernel-x86_64-4.8.0-sabayon  System.map-genkernel-x86_64-4.9.0-sabayon


Inside the SecureBoot dir are two files:

sabayon SecureBoot # ls
user-private.key  user-public.crt


The closest online info I can find that might help out was here:

https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot

It talks about backing up current keys which seems like a good idea, then it talks about creating new keys. However, I think the SecureBoot directory already contains the keys that I need.

Finally it speaks of installing the new keys, it seems like the KEK.crt corresponds to the private key and the db.cert corresponds to the user-public.crt in the SecureBoot directory.

Anyone have experience installing these keys from the SecureBoot directory that can offer advice?
foszoe
Baby Hen
 
Posts: 4
Joined: Wed Mar 08, 2017 4:26

Re: Secure Boot enroll-this.cer

Postby foszoe » Thu Mar 09, 2017 15:49

Found two more links discussing this:
https://wiki.archlinux.org/index.php/Se ... ating_keys
and
https://lxnay.wordpress.com/2013/01/02/uefi-and-uefi-secureboot-linux-is-the-nightmare-over/

From the latter:
The process is simple and works like this: you boot a UEFI-compatible Sabayon ISO image off DVD or USB; if SecureBoot is turned on, shim will launch MokManager, which you can use to enroll our distro key, called sabayon.der and available on our image under the "SecureBoot" directory. Once you have enrolled the key, on some systems you're forced to reboot (I had to on my shiny new Asus Zenbook UX32VD), but then the magic happens.

There is a tricky part however. Due to the way GRUB2 .efi images are generated (at install time, with settings depending on your partition layout and platform details), I have been forced to implement a nasty way to ensure that SecureBoot can still accept such platform-dependent images: our installer, Anaconda, now generates a hardware-specific SecureBoot keypair (private and public key), then our modified grub2-install version, automatically signs every .efi image it generates with that key, which is placed into the EFI Boot Partition under EFI/boot/sabayon ready to be enrolled by shim at the next boot.
This is sub-optimal, but after several days of messing around, it turned out that it’s the most reliable, cleanest and easiest way to support SecureBoot after install without disclosing our private key we use to sign our install media. Another advantage is that our distro keypair, once enrolled, will allow any Sabayon image to boot, while we still allow full control over the installed system to our users (by generating a platform-specific private key at install time).


When I booted from the liveDVD I had to enroll the key spoken of here. Since the LiveDVD would not boot without it, I must have accomplished this step.

According to how I understand the above quote, this step should have allowed Anaconda to generate a hardware specific SecureBoot keypair.

I believe the Keypair was created and it is now the two keys on my EFI partition inside the SecureBoot directory.

sabayon SecureBoot # ls
user-private.key  user-public.crt


As I mentioned, on the /boot/efi partition I also have a sabayon directory containing two files:

grubx64.efi enroll-this.cer


The documentation available on how to do this seems sparse, but between the key on the LiveDVD and the 3 I mentioned above, I think I have the 4 variables needed for PK, KEK, dbx, and db.

But I think the bootx64.efi SHOULD have been signed automagically on install but wasn't.

The only part of the installation that didn't go as planned was the shim certificate from the DVD. I tried installing it in one place and it didn't work, but on the second try, it did. Perhaps that is why the rest of the process didn't go automatically.

However, it's all a guessing game to me at this point.
foszoe
Baby Hen
 
Posts: 4
Joined: Wed Mar 08, 2017 4:26
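Whether grubx64.efi (or bootx64.efi) was actually signed at install time can be checked without any Secure Boot tooling: an Authenticode signature lives in the PE image's security data directory as one or more WIN_CERTIFICATE entries. The script below is an added example, not code from the thread or from Sabayon; it parses that directory and reports whether a signature is present. The sample image it builds for itself is a constructed minimal PE32+ stub with a placeholder payload, not a real bootloader.

```python
"""Report whether a UEFI PE/COFF binary carries an Authenticode signature.

Added example for the thread above; not Sabayon's own code.  Run it with a path
(e.g. ``python pe_sig.py /boot/efi/EFI/boot/sabayon/grubx64.efi``) or without
arguments to exercise the constructed sample images.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the security directory
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B                  # 64-bit images such as grubx64.efi
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

# Constructed 32-byte placeholder standing in for a PKCS#7 blob in the sample.
SAMPLE_PKCS7 = b"CONSTRUCTED-PKCS7-PLACEHOLDER-32"


def find_security_directory(data):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = opt + 108, opt + 112
    elif magic == PE32_MAGIC:
        num_dirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        raise ValueError("security directory entry outside optional header")
    # For the security directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(data):
        raise ValueError("security directory points past end of file")
    return offset, size


def parse_certificate_table(data):
    """Walk the WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, body)."""
    found = find_security_directory(data)
    if found is None:
        return []
    offset, size = found
    end = offset + size
    entries = []
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or offset + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % offset)
        entries.append({"revision": revision, "type": cert_type, "length": length,
                        "payload": data[offset + 8:offset + length]})
        offset += (length + 7) & ~7      # entries are padded to 8-byte boundaries
    return entries


def signature_status(data):
    """Human-readable summary: 'unsigned' or 'signed (...)'."""
    entries = parse_certificate_table(data)
    if not entries:
        return "unsigned"
    kinds = ["PKCS#7" if e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
             else "type 0x%04x" % e["type"] for e in entries]
    return "signed (%s)" % ", ".join(kinds)


def build_sample_pe(signed):
    """Constructed minimal PE32+ stub (not a bootable image) for testing the parser."""
    opt_size = 240                       # PE32+ optional header with 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    body = b"\0" * 512                      # stands in for section data
    cert_offset = 64 + 4 + 20 + opt_size + len(body)   # 840, 8-byte aligned
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 8 + len(SAMPLE_PKCS7), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + SAMPLE_PKCS7
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         cert_offset, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], signature_status(fh.read()))
    else:
        for flag in (False, True):
            print("sample signed=%s -> %s" % (flag, signature_status(build_sample_pe(flag))))
```

A result of "unsigned" means the installer's signing step never ran, and no amount of key enrollment will make shim accept the image. If it reports "signed", the remaining question is whether the signer matches enroll-this.cer; that comparison needs a real PKCS#7 parser, for example `sbverify --cert <cert.pem> grubx64.efi` from sbsigntools (the .cer must first be converted from DER to PEM).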

Re: Secure Boot enroll-this.cer

Postby foszoe » Fri Mar 10, 2017 16:19

I think what I am missing is the next boot did not bring up the shim mokmanager to enroll the key after the initial boot.

Is there anyone out there that has installed this successfully and can describe the process with a little more clarity than the blog post cited above?
foszoe
Baby Hen
 
Posts: 4
Joined: Wed Mar 08, 2017 4:26
