Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-15 20:51

I have just noticed that sid now has a signed kernel image available:
The kernel image and modules are signed for use with Secure Boot.

https://packages.debian.org/sid/linux-i ... d64-signed

I will try this out this weekend and report back!

:)
No code is faster than no code.


Re: Debian gains Secure Boot support in sid

Postby stevepusser » 2016-07-16 00:27

Hopefully that'll make its way into jessie-backports or even Jessie.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: AzPainter 2.1.0, Pale Moon 27.4.2, Liquorix kernel 4.12-6, mpv 0.26.0, Kodi 17.3, 0ad 0.0.22, Mesa 13.0.6

Re: Debian gains Secure Boot support in sid

Postby abhis3k » 2016-07-16 13:53

This sounds promising.
If this lands on stretch (I hope in a week), I can enable Secure Boot and check :D
------------
Do what you love and love what you do!

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-16 19:01

No joy so far :(

I debootstrap(8)'d a sid system onto a btrfs subvolume and configured it as per https://www.debian.org/releases/jessie/ ... 03.html.en then installed linux-image-4.6.0-1-amd64-signed & linux-image-amd64 and copied the kernel image & initramfs to the EFI system partition and made a manual NVRAM entry as per https://wiki.debian.org/EFIStub

The system boots just fine in UEFI mode with Secure Boot disabled but throws up the standard error when Secure Boot is enabled.
:?

There is the possibility that my Secure Boot firmware is FUBAR though so I will have to investigate further...

EDIT: My `efibootmgr -v` output:
BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0000,0006,0005
Boot0000* Debian sid    HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\sid\vmlinuz)r.o.o.t.=./.d.e.v./.s.d.a.3. .r.w. .r.o.o.t.f.l.a.g.s.=.s.u.b.v.o.l.=.s.i.d. .q.u.i.e.t. .z.s.w.a.p...e.n.a.b.l.e.d.=.1. .e.l.e.v.a.t.o.r.=.n.o.o.p. .i.n.i.t.r.d.=./.s.i.d./.i.n.i.t.r.d...i.m.g.
Boot0005* UEFI OS       VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0006* UEFI OS       HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)

Boot0005&6 are the default loader entries created automatically by the UEFI firmware; I have my systemd-boot .efi loader at $ESP/EFI/BOOT/BOOTX64.EFI

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-17 14:04

Tried mounting /boot/efi to the EFI system partition and installing and configuring GRUB-EFI but that won't boot Securely (as expected, works fine with Secure Boot disabled).

:(

The only thing left is to try mounting /boot to the EFI system partition and using bootctl(1) & systemd-boot but my Arch system already uses that and it will probably b0rk...

Maybe later.

EDIT: sid is really nice though :D

It's been a while...

viewtopic.php?f=3&t=9196&p=620153#p620153

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-18 19:04

I don't think this is ready for use yet :(

I tried Ubuntu [1] and Secure Boot works with that; poking around, I noticed that a specific GRUB package is needed to install a Secure Bootable system and this doesn't seem to be available in Debian yet.

I will keep sid around for a bit and go back to this at a later date.

[1] :shock:

Re: Debian gains Secure Boot support in sid

Postby tomazzi » 2016-07-18 21:33

The whole point behind a secure boot is to prevent unauthorized modifications of boot-time code -> like the OS loader or kernel in case of Linux-based OS.

The problem is that Secure Boot was "invented" (quotes are in the right place) when there was hardly a single virus targeting boot code... - because today there are far better, and foremost easier, ways to attack the OS, and today it's practically impossible to modify boot code without deep infiltration of the OS, in which case there's no need to modify the boot code...

Moreover (and this is really funny), Secure Boot is not secure at all - it has been proven that the authentication keys can be relatively easily cracked, and the EFI data can be used to actually hide viruses (so, for average users, re-installing the OS won't help).

Just the first result from ddg (but there are literally hundreds of reports like this):
http://www.itworld.com/article/2734708/security/windows-8-secure-boot-already-cracked.html

Some people are even writing articles on how to improve crippled SecureBoot technology:
"Improving" SecureBoot (pdf)

So... the question is: why should Debian care about this at all?

The only answer I can imagine is:
"Because we, the Debian, are following so called "standards" or so called "upstream" solutions, no matter how stupid they are..."

Regards.
Odi profanum vulgus

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-19 07:07

@tomazzi: I agree with everything you say but I would respectfully request that we keep this on-topic.

Do you have any suggestions in respect of allowing the signed Debian kernel image to start with Secure Boot enabled?

Re: Debian gains Secure Boot support in sid

Postby tomazzi » 2016-07-19 13:35

1. The UEFI/SecureBoot is fully documented - so actually where's the problem?
2. Apparently the Ubuntu already works with SecureBoot enabled -> solution already exists -> there's nothing to invent.

Since SecureBoot doesn't offer any real improvement of OS security and the UEFI implementation makes it easy to brick the motherboard, the obvious, but rhetorical question is: Where's that "gain"?

Regards.

Re: Debian gains Secure Boot support in sid

Postby Danielsan » 2016-07-19 15:32

@ Tomazzi

Unfair competition, is that a good answer? :mrgreen:

Secure Boot is a pain if you can't disable it from your MB, so in this case you are obligated to use only OSes which are compliant with this feature, like Ubuntu, the open OS which secretly aims to be closed. Good to see that Debian is moving toward addressing this issue.
If you can't fork then hold you in silence.

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-19 18:09

tomazzi wrote:1. The UEFI/SecureBoot is fully documented - so actually where's the problem?

As far as I can ascertain, the kernel image is signed but it requires a package equivalent to Ubuntu's grub-efi-$arch-signed for it to boot successfully.

I am slightly confused though as to why the kernel image will not boot directly without a bootloader (taking advantage of CONFIG_EFI_STUB) when Secure Boot is enabled.

Do you have any ideas why this may be the case?

The kernel image EFI_STUB boots correctly without any separate bootloader with Secure Boot disabled.

tomazzi wrote:2. Apparently the Ubuntu already works with SecureBoot enabled -> solution already exists -> there's nothing to invent.

I have had my Debian jessie system booting with Secure Boot enabled for over a year now, we don't actually need Ubuntu's solution at all...
:D

tomazzi wrote:Since SecureBoot doesn't offer any real improvement of OS security and the UEFI implementation makes it easy to brick the motherboard, the obvious, but rhetorical question is: Where's that "gain"?

The subject of this thread is getting Debian to work with Secure Boot enabled, please start a new thread in off-topic for ramblings of this nature.

Thank You.
:mrgreen:
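
Whether a signed image starts with Secure Boot enabled depends on the firmware's db variable listing the signer's certificate (or the image's hash), which is what a shim/signed-GRUB package supplies for distribution-signed kernels. As an added example (not code from this thread or from Debian), the Python below parses the EFI_SIGNATURE_LIST format used by db/dbx as read from efivarfs and checks whether a given certificate is trusted; the sample blob, owner GUID and certificate bytes are constructed placeholders.

```python
"""Parse a UEFI Secure Boot signature database (the db/dbx variable format) and
check whether a signing certificate is trusted.  Added example for this thread,
not Debian's code; the sample blob is constructed with a placeholder cert."""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARFS_ATTR_LEN = 4  # efivarfs prepends 4 attribute bytes to each variable's data
SIGLIST_HDR_LEN = 28   # type GUID (16) + ListSize, HeaderSize, SignatureSize (4 each)


def parse_signature_lists(blob):
    """Return [(signature_type, owner_guid, data), ...] for every entry in the
    concatenated EFI_SIGNATURE_LIST structures read from /sys/firmware/efi/efivars."""
    off, entries = EFIVARFS_ATTR_LEN, []
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        start, end = off + SIGLIST_HDR_LEN + hdr_size, off + list_size
        if sig_size <= 16 or start > end or end > len(blob) or (end - start) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        for i in range(start, end, sig_size):  # EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=blob[i:i + 16])
            entries.append((sig_type, owner, blob[i + 16:i + sig_size]))
        off = end
    return entries


def cert_is_trusted(blob, der_cert):
    """True if *der_cert* is an X.509 entry (firmware then trusts any binary chained to it)."""
    return any(t == EFI_CERT_X509_GUID and d == der_cert
               for t, _, d in parse_signature_lists(blob))


def build_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (no signature header) from equal-length payloads."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    hdr = struct.pack("<III", SIGLIST_HDR_LEN + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + hdr + body


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed owner GUID
VENDOR_CA = b"PLACEHOLDER-DER-OF-VENDOR-CA"                 # stands in for a DER cert
SAMPLE_DB = (b"\x07\x00\x00\x00"                             # constructed attribute bytes
             + build_list(EFI_CERT_X509_GUID, OWNER, [VENDOR_CA])
             + build_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32), b"\x01" * 32]))
```

On a real system, replace SAMPLE_DB with the bytes of the db variable under /sys/firmware/efi/efivars and der_cert with the DER of the CA that signed the kernel; a SHA-256 entry allow-lists exactly one binary and does not make its signer trusted.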

Re: Debian gains Secure Boot support in sid

Postby tomazzi » 2016-07-19 19:27

Head_on_a_Stick wrote:I am slightly confused though as to why the kernel image will not boot directly without a bootloader (taking advantage of CONFIG_EFI_STUB) when Secure Boot is enabled.

Do you have any ideas why this may be the case?


Personally, I would try an alternative EFI boot manager, like rEFInd.

Regards.

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-19 19:41

tomazzi wrote: I would try an alternative EFI boot manager, like rEFInd.

Thanks for the suggestion but rEFInd is simply an abstraction for the EFI_STUB booting process which I have already tried (without the abstraction).
:(

Re: Debian gains Secure Boot support in sid

Postby tomazzi » 2016-07-19 20:39

This is an experimental kernel (in Debian) - maybe it likes to be kick-started directly from a native fs partition (like btrfs), and that's what the rEFInd offers (among other nice things ;) ).

Regards.

Re: Debian gains Secure Boot support in sid

Postby Head_on_a_Stick » 2016-07-19 20:58

tomazzi wrote:maybe it likes to be kick-started directly from a native fs partition (like btrfs)

I already use btrfs:
root@sid:~# wipefs /dev/sda3
offset               type
----------------------------------------------------------------
0x1fe                dos   [partition table]

0x10040              btrfs   [filesystem]
                     UUID:  347fcad5-6e39-4c73-ab69-710b4077051f

I will try the experimental images, thanks.
