Bypassing UEFI Secure Boot?

Here you can discuss every aspect of Debian. Note: not for support requests!

Bypassing UEFI Secure Boot?

Postby edbarx » 2016-03-04 07:03

I think, with a signed Linux kernel, UEFI Secure Boot can be made to load any other unsigned Linux kernel, which would imply, any distribution would be possible to be booted.

I am assuming that UEFI can only make sure it is loading a signed kernel while Secure Boot is enabled.

How it might be done:
  • boot partition would contain a signed Linux kernel which UEFI loads
    as soon as the boot sequence starts
  • the signed kernel would run a simple program that loads a
    bootloader like GRUB2
  • the bootloader would continue as it normally does
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
User avatar
edbarx
 
Posts: 5394
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: Bypassing UEFI Secure Boot?

Postby Head_on_a_Stick » 2016-03-04 08:19

You don't need a signed kernel at all, the standard Debian kernel can be enrolled into your motherboard's NVRAM as an authorised image by using the Linux Foundation's PreLoader & HashTool.

See here for more:
http://www.linuxfoundation.org/news-med ... pen-source

PreLoader.efi & HashTool.efi from here:
http://blog.hansenpartnership.com/linux ... -released/

Simply copy the GRUB .efi loader to the default loader file on the EFI system partition (/boot/efi in UEFI Debian systems):
Code: Select all
# mkdir -p /boot/efi/EFI/BOOT
# cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/loader.efi

Then copy over the HashTool.efi & PreLoader.efi (the PreLoader goes to the default loader location):
Code: Select all
cp HashTool.efi /boot/efi/EFI/BOOT/HashTool.efi
cp PreLoader.efi /boot/efi/EFI/BOOT/BOOTX64.EFI

(The FAT filesystem is case-insensitive so capitalisation is unimportant)

For 32-bit systems, replace "X64.EFI" with "IA32.EFI"

You may need to re-jig the boot order afterwards with:
Code: Select all
# efibootmgr -o xxxx,yyyy,zzzz

Replace "xxxx" with the bootnumber in the output of `efibootmgr` for the "default UEFI loader" (or similar, *not* the GRUB entry) NVRAM entry.

Of course, it is possible to sign your kernel images instead.

See the excellent Rod Smith site for more on this:
http://www.rodsbooks.com/efi-bootloader ... eboot.html
I'm old school like Happy Shopper
User avatar
Head_on_a_Stick
 
Posts: 7794
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Bypassing UEFI Secure Boot?

Postby edbarx » 2016-03-04 11:16

To Head_on_a_Stick:

Thanks for your very informative post.

So, it seems ALL GNU/Linux distributions can be booted even in UEFI Secure Boot. If this is the case, there is no point in worrying about UEFI and Secure Boot.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
User avatar
edbarx
 
Posts: 5394
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: Bypassing UEFI Secure Boot?

Postby Head_on_a_Stick » 2016-03-04 22:02

edbarx wrote:So, it seems ALL GNU/Linux distributions can be booted even in UEFI Secure Boot. If this is the case, there is no point in worrying about UEFI and Secure Boot.

Yes indeed.

This was posted from OpenBSD-current, booted in UEFI mode with Secure Boot enabled :D
I'm old school like Happy Shopper
User avatar
Head_on_a_Stick
 
Posts: 7794
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Bypassing UEFI Secure Boot?

Postby spacex » 2016-03-05 01:48

No point worrying perhaps, but unskilled users might find it a bit more of a challenge than before.
spacex
 
Posts: 637
Joined: 2015-01-17 01:27


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 1 guest

fashionable