Bypassing UEFI Secure Boot?

Here you can discuss every aspect of Debian. Note: not for support requests!
edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14° 35 E
Been thanked: 2 times

Bypassing UEFI Secure Boot?

#1 Post by edbarx »

I think that, with a signed Linux kernel, UEFI Secure Boot can be made to load any other unsigned Linux kernel, which would imply that any distribution could be booted.

I am assuming that UEFI can only make sure it is loading a signed kernel while Secure Boot is enabled.

How it might be done:
  • boot partition would contain a signed Linux kernel which UEFI loads
    as soon as the boot sequence starts
  • the signed kernel would run a simple program that loads a
    bootloader like GRUB2
  • the bootloader would continue as it normally does
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Bypassing UEFI Secure Boot?

#2 Post by Head_on_a_Stick »

You don't need a signed kernel at all; the standard Debian kernel can be enrolled into your motherboard's NVRAM as an authorised image by using the Linux Foundation's PreLoader & HashTool.

See here for more:
http://www.linuxfoundation.org/news-med ... pen-source

PreLoader.efi & HashTool.efi from here:
http://blog.hansenpartnership.com/linux ... -released/

Simply copy the GRUB .efi loader to the default loader file on the EFI system partition (/boot/efi in UEFI Debian systems):

    # mkdir -p /boot/efi/EFI/BOOT
    # cp /boot/efi/EFI/debian/grubx64.efi /boot/efi/EFI/BOOT/loader.efi

Then copy over the HashTool.efi & PreLoader.efi (the PreLoader goes to the default loader location):

    # cp HashTool.efi /boot/efi/EFI/BOOT/HashTool.efi
    # cp PreLoader.efi /boot/efi/EFI/BOOT/BOOTX64.EFI

(The FAT filesystem is case-insensitive, so capitalisation is unimportant.)

For 32-bit systems, replace "X64.EFI" with "IA32.EFI"

You may need to re-jig the boot order afterwards with:

    # efibootmgr -o xxxx,yyyy,zzzz

Replace "xxxx" with the boot number in the output of `efibootmgr` for the "default UEFI loader" (or similar, *not* the GRUB entry) NVRAM entry.

Of course, it is possible to sign your kernel images instead.

See the excellent Rod Smith site for more on this:
http://www.rodsbooks.com/efi-bootloader ... eboot.html
deadbang
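The copy and boot-order steps from this post, as an added example that is not from the thread or from the PreLoader project: a POSIX sh script that refuses to touch the ESP unless it is mounted and the inputs exist, backs up any existing default loader, and derives the `efibootmgr -o` list from the current BootOrder instead of typing numbers by hand. The ESP path and GRUB location are the post's; the firmware entry label "UEFI OS" is an assumed default (set LABEL to match your `efibootmgr` output), and the hash enrolment in HashTool on the next boot is interactive and not scripted.

```shell
#!/bin/sh
# Added example, not from the thread: a guarded version of the PreLoader
# steps above. Assumes the post's paths (ESP at /boot/efi, GRUB at
# EFI/debian/grubx64.efi), HashTool.efi/PreLoader.efi in the current dir,
# and a firmware default-loader entry label LABEL ("UEFI OS" is a guess).
ESP="${ESP:-/boot/efi}"
ARCH="${ARCH:-X64}"        # "X64" or "IA32", as the post says
LABEL="${LABEL:-UEFI OS}"
# Print the BootOrder list from efibootmgr output ($1).
current_boot_order() {
    printf '%s\n' "$1" | sed -n 's/^BootOrder: //p'
}
# Print the 4-hex-digit number of the first entry whose label contains $2
# (case-insensitive), or nothing; the device path after the tab is ignored.
bootnum_for_label() {
    printf '%s\n' "$1" \
      | sed -n 's/^Boot\([0-9A-F]\{4\}\)\*\{0,1\} \(.*\)$/\1 \2/p' \
      | cut -f1 | grep -i -- "$2" | head -n 1 | cut -d' ' -f1
}
# Build the efibootmgr -o list: entry $1 first, rest of order $2 unchanged.
new_boot_order() {
    rest=$(printf '%s\n' "$2" | tr ',' '\n' | grep -v -x -- "$1" \
           | tr '\n' ',' | sed 's/,$//')
    if [ -n "$rest" ]; then printf '%s,%s' "$1" "$rest"; else printf '%s' "$1"; fi
}
# Refuse to touch the ESP unless it is mounted and every input exists.
preflight() {
    mountpoint -q "$1" 2>/dev/null || { echo "$1 is not a mounted ESP" >&2; return 1; }
    for f in "$1/EFI/debian/grubx64.efi" HashTool.efi PreLoader.efi; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
}
# The copy steps from the post, backing up any existing default loader.
# Enrolling loader.efi's hash is done interactively in HashTool at the next
# boot and is not scripted here.
install_preloader() {
    preflight "$ESP" || return 1
    mkdir -p "$ESP/EFI/BOOT"
    target="$ESP/EFI/BOOT/BOOT$ARCH.EFI"
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    cp "$ESP/EFI/debian/grubx64.efi" "$ESP/EFI/BOOT/loader.efi"
    cp HashTool.efi "$ESP/EFI/BOOT/HashTool.efi"
    cp PreLoader.efi "$target"
    out=$(efibootmgr) || return 1
    num=$(bootnum_for_label "$out" "$LABEL")
    [ -n "$num" ] || { echo "no entry labelled '$LABEL'; set LABEL" >&2; return 1; }
    efibootmgr -o "$(new_boot_order "$num" "$(current_boot_order "$out")")"
}
if [ "${1:-}" = "--install" ]; then install_preloader; fi
```

Run it as root with `--install` from the directory holding HashTool.efi and PreLoader.efi; without that flag it only defines the functions.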

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14° 35 E
Been thanked: 2 times

Re: Bypassing UEFI Secure Boot?

#3 Post by edbarx »

To Head_on_a_Stick:

Thanks for your very informative post.

So, it seems ALL GNU/Linux distributions can be booted even in UEFI Secure Boot. If this is the case, there is no point in worrying about UEFI and Secure Boot.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Bypassing UEFI Secure Boot?

#4 Post by Head_on_a_Stick »

edbarx wrote: So, it seems ALL GNU/Linux distributions can be booted even in UEFI Secure Boot. If this is the case, there is no point in worrying about UEFI and Secure Boot.

Yes indeed.

This was posted from OpenBSD-current, booted in UEFI mode with Secure Boot enabled :D

spacex
Posts: 637
Joined: 2015-01-17 01:27

Re: Bypassing UEFI Secure Boot?

#5 Post by spacex »

No point worrying perhaps, but unskilled users might find it a bit more of a challenge than before.
