UEFI secure boot.
Hello there, I want to ask how I can enable secure boot in Debian 11. I have full disk encryption in my install, but having secure boot disabled is a security issue since an attacker with physical access to the machine could insert modules in the initramfs to steal the passphrase at boot (/boot and /boot/efi need to be unencrypted). Thanks for the support. I've found this article on the wiki: https://wiki.debian.org/SecureBoot, but it gives errors and doesn't work.
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: UEFI secure boot.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
- Global Moderator
- Posts: 3049
- Joined: 2017-09-17 07:12
- Has thanked: 5 times
- Been thanked: 132 times
Re: UEFI secure boot.
Debian supports secure boot by default. You just have to enable it in the UEFI firmware settings.
Secure boot alone won't protect against initramfs tampering.
DN-gian5x wrote: ↑2022-04-25 13:31 I've found this article on the wiki: https://wiki.debian.org/SecureBoot, but it gives errors and doesn't work.
This statement does not provide any useful information. Please show full commands, output and config files.
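After flipping the toggle in the firmware, it is worth confirming from the booted system that Secure Boot is really on and enforcing. The script below is an added example (not code from any poster or from Debian) that reads the SecureBoot and SetupMode UEFI variables the way mokutil --sb-state does; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and accepts another directory as its first argument so it can be exercised against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the firmware toggle actually
# took effect by reading the UEFI variables, as `mokutil --sb-state` does.
# Assumes efivarfs is mounted at /sys/firmware/efi/efivars (Debian's default);
# pass another directory as the first argument to test against sample files.

# efivarfs exposes each variable as a file: 4 bytes of attribute flags, then the
# variable data. SecureBoot and SetupMode each carry a single data byte (0 or 1).
efivar_byte() {
    [ -r "$1" ] || return 1
    b=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    [ -n "$b" ] || return 1
    printf '%s\n' "$b"
}

# Find a variable file by name, whatever vendor GUID suffix the firmware uses
# (for these two it is the EFI global variable GUID).
efivar_path() {
    for f in "$1"/"$2"-*; do
        [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Prints the effective state. SecureBoot=1 alone is not enough: with SetupMode=1
# no Platform Key is enrolled and the firmware does not enforce signatures.
# Exit status is 0 only when Secure Boot is enabled and enforcing.
sb_status() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$(efivar_path "$dir" SecureBoot)" 2>/dev/null) || sb=""
    sm=$(efivar_byte "$(efivar_path "$dir" SetupMode)" 2>/dev/null) || sm=""
    case "$sb:$sm" in
        1:0) echo "enabled (enforcing)" ;;
        1:1) echo "enabled but not enforcing (setup mode, no Platform Key)"; return 1 ;;
        0:*) echo "disabled"; return 1 ;;
        *)   echo "unknown (not booted via UEFI, or efivarfs not mounted)"; return 1 ;;
    esac
}

sb_status "$@"
```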
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: UEFI secure boot.
It does if a unified kernel image is used.
@OP: see https://wiki.archlinux.org/title/Unifie ... e#Manually & https://dev1galaxy.org/viewtopic.php?pid=35067#p35067 for the details.
EDIT: place the unified image at /EFI/Boot/bootx64.efi on the EFI system partition to make the system boot without any bootloader or NVRAM boot entries (remove superfluous boot entries first though).
deadbang
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: UEFI secure boot.
HOAS! So You're alive
What is that snorting cat doing in Your avatar?
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: UEFI secure boot.
It is a symbol of solidarity with my fellow workers in our fight against the bourgeoisie:
https://en.wikipedia.org/wiki/Black_cat ... yndicalism
And now back to the topic at hand...
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: UEFI secure boot.
I understand, and although I don't fully agree with such interpretation, thanks for the explanation.
Now, back to the topic:
All the aspects of SecureBoot can be managed from the admin/root account - which means that SecureBoot itself can't be "more secure" than the root account.
Regards.
Re: UEFI secure boot.
To everyone, thanks for the response, but I've found an alternative workaround for this: I've set up full disk encryption and I put /boot/efi and /boot on a separate USB key. This way, not only can they not tamper with the initramfs or anything else, they can't even boot without the USB key.
@LE_746F6D617A7A69
@Head_on_a_Stick
@p.H
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: UEFI secure boot.
DN-gian5x wrote: ↑2022-05-09 15:42 To everyone, thanks for the response, but I've found an alternative workaround for this: I've set up full disk encryption and I put /boot/efi and /boot on a separate USB key. This way, not only can they not tamper with the initramfs or anything else, they can't even boot without the USB key.
Such a solution only prevents unauthorized booting, but it does not prevent modifying the bootloader or initramfs in case of unauthorized access to the root account (there is an exception: You can use a USB drive equipped with a HW switch which disables writing to the device).
Besides, there's a risk that the USB drive gets damaged (not so rare a case), which would make Your system unbootable.
Another problem is that encryption provides protection only in case of stolen hardware. Once the system is booted and running, the encrypted but mounted drives are not protected in any way - they can be controlled/modified by using the root account, or even a regular user account, depending on mount options.
This means that an attacker still can install and/or execute malicious scripts/executables once he gets root privileges.
Regards.
Re: UEFI secure boot.
LE_746F6D617A7A69 wrote: ↑2022-05-09 20:14
DN-gian5x wrote: ↑2022-05-09 15:42 To everyone, thanks for the response, but I've found an alternative workaround for this: I've set up full disk encryption and I put /boot/efi and /boot on a separate USB key. This way, not only can they not tamper with the initramfs or anything else, they can't even boot without the USB key.
Such a solution only prevents unauthorized booting, but it does not prevent modifying the bootloader or initramfs in case of unauthorized access to the root account (there is an exception: You can use a USB drive equipped with a HW switch which disables writing to the device).
Besides, there's a risk that the USB drive gets damaged (not so rare a case), which would make Your system unbootable.
Another problem is that encryption provides protection only in case of stolen hardware. Once the system is booted and running, the encrypted but mounted drives are not protected in any way - they can be controlled/modified by using the root account, or even a regular user account, depending on mount options.
This means that an attacker still can install and/or execute malicious scripts/executables once he gets root privileges.
Regards.
It does prevent modification of the bootloader, since it is on the USB key that is separated from the computer. Also, I know about the risk of the USB and I'm okay with that; I know too about the risk of the computer getting stolen while it is booted.
- Posts: 932
- Joined: 2020-05-03 14:16
- Has thanked: 7 times
- Been thanked: 68 times
Re: UEFI secure boot.
It does not, as long as the USB drive is writable.