Debian gains Secure Boot support in sid

Discussion about development of the Debian OS itself
Message
Author
User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Debian gains Secure Boot support in sid

#1 Post by Head_on_a_Stick »

I have just noticed that sid now has a signed kernel image available:
The kernel image and modules are signed for use with Secure Boot.
https://packages.debian.org/sid/linux-i ... d64-signed

I will try this out this weekend and report back!

:)
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

User avatar
stevepusser
Posts: 12572
Joined: 2009-10-06 05:53
Has thanked: 19 times
Been thanked: 28 times

Re: Debian gains Secure Boot support in sid

#2 Post by stevepusser »

Hopefully that'll make its way into jessie-backports or even Jessie.
MX Linux packager and developer

User avatar
abhis3k
Posts: 5
Joined: 2016-07-16 05:36
Location: India

Re: Debian gains Secure Boot support in sid

#3 Post by abhis3k »

This sounds promising.
If this lands on stretch(I hope in a week), I can enable secureboot and check :D
------------
Do what you love and love what you do!

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#4 Post by Head_on_a_Stick »

No joy so far :(

I debootstrap(8)'d a sid system onto a btrfs subvolume and configured it as per https://www.debian.org/releases/jessie/ ... 03.html.en then installed linux-image-4.6.0-1-amd64-signed & linux-image-amd64 and copied the kernel image & initramfs to the EFI system partition and made a manual NVRAM entry as per https://wiki.debian.org/EFIStub

The system boots just fine in UEFI mode with Secure Boot disabled but throws up the standard error when Secure Boot is enabled.
:?

There is the possibility that my Secure Boot firmware is FUBAR though so I will have to investigate further...

EDIT: My `efibootmgr -v` output:

Code: Select all

BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0000,0006,0005
Boot0000* Debian sid    HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\sid\vmlinuz)r.o.o.t.=./.d.e.v./.s.d.a.3. .r.w. .r.o.o.t.f.l.a.g.s.=.s.u.b.v.o.l.=.s.i.d. .q.u.i.e.t. .z.s.w.a.p...e.n.a.b.l.e.d.=.1. .e.l.e.v.a.t.o.r.=.n.o.o.p. .i.n.i.t.r.d.=./.s.i.d./.i.n.i.t.r.d...i.m.g.
Boot0005* UEFI OS       VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0006* UEFI OS       HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0005&6 are the default loader entries created automatically by the UEFI firmware; I have my systemd-boot .efi loader at $ESP/EFI/BOOT/BOOTX64.EFI
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#5 Post by Head_on_a_Stick »

Tried mounting /boot/efi to the EFI system partition and installing and configuring GRUB-EFI but that won't boot Securely (as expected, works fine with Secure Boot disabled).

:(

The only thing left is to try mounting /boot to the EFI system partition and using bootctl(1) & systemd-boot but my Arch system already uses that and it will probably b0rk...

Maybe later.

EDIT: sid is really nice though :D

It's been a while...

http://forums.debian.net/viewtopic.php? ... 53#p620153
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#6 Post by Head_on_a_Stick »

I don't think this is ready for use yet :(

I tried Ubuntu [1] and Secure Boot works with that; poking around I noticed that a specific GRUB package in needed to install a Secure Bootable system and this doesn't seem to be available in Debian yet.

I will keep sid around for a bit and go back to this at a later date.

[1] :shock:
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Debian gains Secure Boot support in sid

#7 Post by tomazzi »

The whole point behind a secure boot is to prevent unauthorized modifications of boot-time code -> like the OS loader or kernel in case of Linux-based OS.

The problem is, that Secure Boot was "invented" (quotes are in the right place) when there's almost no a single virus which is targeting boot code... - because today, there are far better and foremost easier ways to attack the OS, and today it's practically impossible to modify boot-code without deep infiltration of the OS, in which case there's no need to modify the boot-code...

Moreover, (and this is really funny) Secure Boot is not secure at all - it is proven, that the authentication keys can be relatively easily cracked, and the EFI data can be used to actually hide the viruses (so, for average users, re-installing the OS won't help).

just a first result from ddg (but there are literally hundreds of reports like this):
http://www.itworld.com/article/2734708/ ... acked.html

Some people are even writing articles on how to improve crippled SecureBoot technology:
"Improving" SecureBoot (pdf)

So... the question is: why should Debian care about this at all?

The only answer I can imagine is:
"Because we, the Debian, are following so called "standards" or so called "upstream" solutions, no matter how stupid they are..."

Regards.
Odi profanum vulgus

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#8 Post by Head_on_a_Stick »

@tomazzi: I agree with everything you say but I would respectfully request that we keep this on-topic.

Do you have any suggestions in respect of allowing the signed Debian kernel image to start with Secure Boot enabled?
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Debian gains Secure Boot support in sid

#9 Post by tomazzi »

1. The UEFI/SecureBoot is fully documented - so actually where's the problem?
2. Apparently the Ubuntu already works with SecureBoot enabled -> solution already exists -> there's nothing to invent.

Since the SecureBoot doesn't offer any real improvement of the OS security and the UEFI implementation allows to easily brick the motherboard, the obvious, but rethorical question is: Where's that "gain"?

Regards.
Odi profanum vulgus

User avatar
Danielsan
Posts: 655
Joined: 2010-10-10 22:36
Has thanked: 1 time

Re: Debian gains Secure Boot support in sid

#10 Post by Danielsan »

@ Tomazzi

Unfair competition, is it good as answer? :mrgreen:

Secure Boot is a pain if you can't disable it from you MB, so in this case you are obligated to use only OS which are compliance with this feature, like Ubuntu the open OS which secretly aims to be closed. Good to see that Debian is moving in toward to address this issue.

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#11 Post by Head_on_a_Stick »

tomazzi wrote:1. The UEFI/SecureBoot is fully documented - so actually where's the problem?
As far as I can ascertain, the kernel image is signed but it requires a package equivilent to Ubuntu's grub-efi-$arch-signed for it to boot sucessfully.

I am slightly confused though as to why the kernel image will not boot directly without a bootloader (taking advantage of CONFIG_EFI_STUB) when Secure Boot is enabled.

Do you have any ideas why this may be the case?

The kernel image EFI_STUB boots correctly without any separate bootloader with Secure Boot disabled.
2. Apparently the Ubuntu already works with SecureBoot enabled -> solution already exists -> there's nothing to invent.
I have had my Debian jessie system booting with Secure Boot enabled for over a year now, we don't actually need Ubuntu's solution at all...
:D
Since the SecureBoot doesn't offer any real improvement of the OS security and the UEFI implementation allows to easily brick the motherboard, the obvious, but rethorical question is: Where's that "gain"?
The subject of this thread is getting Debian to work with Secure Boot enabled, please start a new thread in off-topic for ramblings of this nature.

Thank You.
:mrgreen:
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Debian gains Secure Boot support in sid

#12 Post by tomazzi »

Head_on_a_Stick wrote:I am slightly confused though as to why the kernel image will not boot directly without a bootloader (taking advantage of CONFIG_EFI_STUB) when Secure Boot is enabled.

Do you have any ideas why this may be the case?
Personally, I would try an alternative EFI boot manager, like rEFInd.

Regards.
Odi profanum vulgus

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#13 Post by Head_on_a_Stick »

tomazzi wrote: I would try an alternative EFI boot manager, like rEFInd.
Thanks for the suggestion but rEFInd is simply an abstraction for the EFI_STUB booting process which I have already tried (without the abstraction).
:(
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Debian gains Secure Boot support in sid

#14 Post by tomazzi »

This is an experimental kernel (in Debian) - maybe it likes to be kick-started directly from a native fs partition (like btrfs), and that's what the rEFInd offers (among other nice things ;) ).

Regards.
Odi profanum vulgus

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#15 Post by Head_on_a_Stick »

tomazzi wrote:maybe it likes to be kick-started directly from a native fs partition (like btrfs)
I already use btrfs:

Code: Select all

root@sid:~# wipefs /dev/sda3
offset               type
----------------------------------------------------------------
0x1fe                dos   [partition table]

0x10040              btrfs   [filesystem]
                     UUID:  347fcad5-6e39-4c73-ab69-710b4077051f
I will try the experimental images, thanks.
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#16 Post by Head_on_a_Stick »

tomazzi wrote:I would try an alternative EFI boot manager, like rEFInd
I installed refind and ran `refind-install`

The system starts fine and shows a (working) rEFInd menu but fails to start with Secure Boot enabled.
:(
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Debian gains Secure Boot support in sid

#17 Post by tomazzi »

Head_on_a_Stick wrote:I already use btrfs:
Nope, As You said (in previous posts), You've copied the kernel image to the EFI partition?? - or am I missing something?
Head_on_a_Stick wrote:I installed refind and ran `refind-install`
The system starts fine and shows a (working) rEFInd menu but fails to start with Secure Boot enabled.
This is a bit strange...

First 2 things I would check is to:
a) fsck the EFI partition
b) compare copies of files in the EFI partition with originals, f.e. using 'cmp' command (bit by bit)

Regards.
Odi profanum vulgus

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#18 Post by Head_on_a_Stick »

tomazzi wrote:
Head_on_a_Stick wrote:I already use btrfs:
Nope, As You said (in previous posts), You've copied the kernel image to the EFI partition?? - or am I missing something?
Are you confused?

The EFI system partition *must* be FAT-formatted.

UEFI firmware cannot read any other filesystem.

My ESP is FAT32 but my root partition is btrfs.
a) fsck the EFI partition
b) compare copies of files in the EFI partition with originals, f.e. using 'cmp' command (bit by bit)
What would this accomplish? Anyway, systemd has already fsck'd the ESP :mrgreen:

The Debian kernel images that I have copied to the ESP boot just fine with Secure Boot disabled so clearly there is no corruption.

In fact, I have just installed the RC kernel from experimental and my kernel post-install script copied the fresh images over automatically.

This new kernel image boots just fine so I will now try a reboot in Secure mode with this NVRAM configuration:

Code: Select all

root@sid:~# efibootmgr -v
BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0001,0000,0006,0007,0005
Boot0000* Debian sid    HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\sid\vmlinuz)r.o.o.t.=./.d.e.v./.s.d.a.3. .r.o.o.t.f.l.a.g.s.=.s.u.b.v.o.l.=.s.i.d. .r.w. .q.u.i.e.t. .z.s.w.a.p...e.n.a.b.l.e.d.=.1. .e.l.e.v.a.t.o.r.=.n.o.o.p. .i.n.i.t.r.d.=./.s.i.d./.i.n.i.t.r.d...i.m.g.
Boot0001* rEFInd Boot Manager   HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\EFI\refind\refind_x64.efi)
Boot0005* UEFI OS       VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0006* UEFI OS       HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0007* ubuntu        HD(1,GPT,876168c2-2afb-4f50-ba94-cc7732d47b98,0x800,0x100000)/File(\EFI\Ubuntu\grubx64.efi)
Back in a mo'...

EDIT: No, the RC kernel from experimental doesn't work with EFI_STUB booting and Secure Boot enabled either.
:(
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

tomazzi
Posts: 730
Joined: 2013-08-02 21:33

Re: Debian gains Secure Boot support in sid

#19 Post by tomazzi »

Head_on_a_Stick wrote:Are you confused?
I think I'm not...
Head_on_a_Stick wrote:The EFI system partition *must* be FAT-formatted.
UEFI firmware cannot read any other filesystem.
Correct - the UEFI firmware can't read "any other filesystem", but rEFInd can - and btrfs is supported in read-only mode.
Head_on_a_Stick wrote:The Debian kernel images that I have copied to the ESP boot just fine with Secure Boot disabled so clearly there is no corruption.
Nope, this doesn't mean anything - even slightly modified image can be still able to boot, but it won't pass the checksum verification.
Head_on_a_Stick wrote:What would this accomplish? Anyway, systemd has already fsck'd the ESP
fsck is simply not checking the correctness of the files - it's just checking consistency of the file system - those are 2 different things.

Regards.
Odi profanum vulgus

User avatar
Head_on_a_Stick
Posts: 13760
Joined: 2014-06-01 17:46
Location: /dev/chair
Has thanked: 8 times
Been thanked: 47 times

Re: Debian gains Secure Boot support in sid

#20 Post by Head_on_a_Stick »

tomazzi wrote:
Head_on_a_Stick wrote:The EFI system partition *must* be FAT-formatted.
UEFI firmware cannot read any other filesystem.
Correct - the UEFI firmware can't read "any other filesystem", but rEFInd can - and btrfs is supported in read-only mode.
I'm sorry, I don't understand what you mean here.

Clearly I have to learn more about rEFInd so thanks for the heads-up.

An update from my end: the Ubuntu GRUB-signed package is dependent on secureboot-db which pulls in sbsigntool which is utility to sign and manage .efi loaders.

These packages do not exist in Debian (yet) but they do have an equivalent in Arch:
https://www.archlinux.org/packages/extr ... /efitools/

I will try signing the Debian GRUB .efi loader and updating the key DB on my motherboard using the tools provided by Arch and report back...
"It seems that UNIX has become the victim of cancerous growth at the hands of organizations such as UCB. 4.2BSD is an order of magnitude larger than Version 5, but, Pike claims, not ten times better."

— Murray Hill, Bell Laboratories

Post Reply