Page 1 of 2

Debian gains Secure Boot support in sid

PostPosted: 2016-07-15 20:51
by Head_on_a_Stick
I have just noticed that sid now has a signed kernel image available:
The kernel image and modules are signed for use with Secure Boot.

https://packages.debian.org/sid/linux-i ... d64-signed

I will try this out this weekend and report back!

:)

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-16 00:27
by stevepusser
Hopefully that'll make its way into jessie-backports or even Jessie.

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-16 13:53
by abhis3k
This sounds promising.
If this lands on stretch(I hope in a week), I can enable secureboot and check :D

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-16 19:01
by Head_on_a_Stick
No joy so far :(

I debootstrap(8)'d a sid system onto a btrfs subvolume and configured it as per https://www.debian.org/releases/jessie/ ... 03.html.en then installed linux-image-4.6.0-1-amd64-signed & linux-image-amd64 and copied the kernel image & initramfs to the EFI system partition and made a manual NVRAM entry as per https://wiki.debian.org/EFIStub

The system boots just fine in UEFI mode with Secure Boot disabled but throws up the standard error when Secure Boot is enabled.
:?

There is the possibility that my Secure Boot firmware is FUBAR though so I will have to investigate further...

EDIT: My `efibootmgr -v` output:
Code: Select all
BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0000,0006,0005
Boot0000* Debian sid    HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\sid\vmlinuz)r.o.o.t.=./.d.e.v./.s.d.a.3. .r.w. .r.o.o.t.f.l.a.g.s.=.s.u.b.v.o.l.=.s.i.d. .q.u.i.e.t. .z.s.w.a.p...e.n.a.b.l.e.d.=.1. .e.l.e.v.a.t.o.r.=.n.o.o.p. .i.n.i.t.r.d.=./.s.i.d./.i.n.i.t.r.d...i.m.g.
Boot0005* UEFI OS       VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0006* UEFI OS       HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)

Boot0005&6 are the default loader entries created automatically by the UEFI firmware; I have my systemd-boot .efi loader at $ESP/EFI/BOOT/BOOTX64.EFI

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-17 14:04
by Head_on_a_Stick
Tried mounting /boot/efi to the EFI system partition and installing and configuring GRUB-EFI but that won't boot Securely (as expected, works fine with Secure Boot disabled).

:(

The only thing left is to try mounting /boot to the EFI system partition and using bootctl(1) & systemd-boot but my Arch system already uses that and it will probably b0rk...

Maybe later.

EDIT: sid is really nice though :D

It's been a while...

viewtopic.php?f=3&t=9196&p=620153#p620153

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-18 19:04
by Head_on_a_Stick
I don't think this is ready for use yet :(

I tried Ubuntu [1] and Secure Boot works with that; poking around I noticed that a specific GRUB package in needed to install a Secure Bootable system and this doesn't seem to be available in Debian yet.

I will keep sid around for a bit and go back to this at a later date.

[1] :shock:

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-18 21:33
by tomazzi
The whole point behind a secure boot is to prevent unauthorized modifications of boot-time code -> like the OS loader or kernel in case of Linux-based OS.

The problem is, that Secure Boot was "invented" (quotes are in the right place) when there's almost no a single virus which is targeting boot code... - because today, there are far better and foremost easier ways to attack the OS, and today it's practically impossible to modify boot-code without deep infiltration of the OS, in which case there's no need to modify the boot-code...

Moreover, (and this is really funny) Secure Boot is not secure at all - it is proven, that the authentication keys can be relatively easily cracked, and the EFI data can be used to actually hide the viruses (so, for average users, re-installing the OS won't help).

just a first result from ddg (but there are literally hundreds of reports like this):
http://www.itworld.com/article/2734708/security/windows-8-secure-boot-already-cracked.html

Some people are even writing articles on how to improve crippled SecureBoot technology:
"Improving" SecureBoot (pdf)

So... the question is: why should Debian care about this at all?

The only answer I can imagine is:
"Because we, the Debian, are following so called "standards" or so called "upstream" solutions, no matter how stupid they are..."

Regards.

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 07:07
by Head_on_a_Stick
@tomazzi: I agree with everything you say but I would respectfully request that we keep this on-topic.

Do you have any suggestions in respect of allowing the signed Debian kernel image to start with Secure Boot enabled?

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 13:35
by tomazzi
1. The UEFI/SecureBoot is fully documented - so actually where's the problem?
2. Apparently the Ubuntu already works with SecureBoot enabled -> solution already exists -> there's nothing to invent.

Since the SecureBoot doesn't offer any real improvement of the OS security and the UEFI implementation allows to easily brick the motherboard, the obvious, but rethorical question is: Where's that "gain"?

Regards.

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 15:32
by Danielsan
@ Tomazzi

Unfair competition, is it good as answer? :mrgreen:

Secure Boot is a pain if you can't disable it from you MB, so in this case you are obligated to use only OS which are compliance with this feature, like Ubuntu the open OS which secretly aims to be closed. Good to see that Debian is moving in toward to address this issue.

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 18:09
by Head_on_a_Stick
tomazzi wrote:1. The UEFI/SecureBoot is fully documented - so actually where's the problem?

As far as I can ascertain, the kernel image is signed but it requires a package equivilent to Ubuntu's grub-efi-$arch-signed for it to boot sucessfully.

I am slightly confused though as to why the kernel image will not boot directly without a bootloader (taking advantage of CONFIG_EFI_STUB) when Secure Boot is enabled.

Do you have any ideas why this may be the case?

The kernel image EFI_STUB boots correctly without any separate bootloader with Secure Boot disabled.

2. Apparently the Ubuntu already works with SecureBoot enabled -> solution already exists -> there's nothing to invent.

I have had my Debian jessie system booting with Secure Boot enabled for over a year now, we don't actually need Ubuntu's solution at all...
:D

Since the SecureBoot doesn't offer any real improvement of the OS security and the UEFI implementation allows to easily brick the motherboard, the obvious, but rethorical question is: Where's that "gain"?

The subject of this thread is getting Debian to work with Secure Boot enabled, please start a new thread in off-topic for ramblings of this nature.

Thank You.
:mrgreen:

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 19:27
by tomazzi
Head_on_a_Stick wrote:I am slightly confused though as to why the kernel image will not boot directly without a bootloader (taking advantage of CONFIG_EFI_STUB) when Secure Boot is enabled.

Do you have any ideas why this may be the case?


Personally, I would try an alternative EFI boot manager, like rEFInd.

Regards.

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 19:41
by Head_on_a_Stick
tomazzi wrote: I would try an alternative EFI boot manager, like rEFInd.

Thanks for the suggestion but rEFInd is simply an abstraction for the EFI_STUB booting process which I have already tried (without the abstraction).
:(

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 20:39
by tomazzi
This is an experimental kernel (in Debian) - maybe it likes to be kick-started directly from a native fs partition (like btrfs), and that's what the rEFInd offers (among other nice things ;) ).

Regards.

Re: Debian gains Secure Boot support in sid

PostPosted: 2016-07-19 20:58
by Head_on_a_Stick
tomazzi wrote:maybe it likes to be kick-started directly from a native fs partition (like btrfs)

I already use btrfs:
Code: Select all
root@sid:~# wipefs /dev/sda3
offset               type
----------------------------------------------------------------
0x1fe                dos   [partition table]

0x10040              btrfs   [filesystem]
                     UUID:  347fcad5-6e39-4c73-ab69-710b4077051f

I will try the experimental images, thanks.