* UEFI secure boot
@ 2017-02-16  8:21 Dennis Wassenberg
  2017-02-16 22:03 ` Daniel Kiper
  0 siblings, 1 reply; 5+ messages in thread
From: Dennis Wassenberg @ 2017-02-16  8:21 UTC (permalink / raw)
  To: grub-devel

Hi all,

I have a question regarding grub2 in relation to UEFI secure boot. I
use a grub2 EFI binary which is signed with sbsigntools. When grub2
starts, I think there is in general no information that grub2
has been booted in a secure boot environment.

Is there a possibility to show that in grub2? I found no way to do that.
Are you interested in having the possibility to show the UEFI secure
boot status (e.g. the EFI variable SecureBoot)?

Best regards,
Dennis



* Re: UEFI secure boot
  2017-02-16  8:21 UEFI secure boot Dennis Wassenberg
@ 2017-02-16 22:03 ` Daniel Kiper
  2017-02-17  8:17   ` Dennis Wassenberg
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Kiper @ 2017-02-16 22:03 UTC (permalink / raw)
  To: The development of GNU GRUB; +Cc: dennis.wassenberg

On Thu, Feb 16, 2017 at 09:21:19AM +0100, Dennis Wassenberg wrote:
> Hi all,
>
> I have a question regarding grub2 in relation to UEFI secure boot. I
> use a grub2 EFI binary which is signed with sbsigntools. When grub2
> starts, I think there is in general no information that grub2
> has been booted in a secure boot environment.

Why do you need that?

> Is there a possibility to show that in grub2? I found no way to do that.

If there is a use case, why not.

> Are you interested in having the possibility to show the UEFI secure
> boot status (e.g. the EFI variable SecureBoot)?

I am going to work on shim protocol verification for Multiboot2
compatible images. I hope that it will be taken into GRUB2 2.03.

Daniel



* Re: UEFI secure boot
  2017-02-16 22:03 ` Daniel Kiper
@ 2017-02-17  8:17   ` Dennis Wassenberg
  2017-02-17 11:00     ` Ignat Korchagin
  0 siblings, 1 reply; 5+ messages in thread
From: Dennis Wassenberg @ 2017-02-17  8:17 UTC (permalink / raw)
  To: The development of GNU GRUB, dkiper

Hi, Daniel,

On 16.02.2017 23:03, Daniel Kiper wrote:
> On Thu, Feb 16, 2017 at 09:21:19AM +0100, Dennis Wassenberg wrote:
>> Hi all,
>>
>> I have a question regarding grub2 in relation to UEFI secure boot. I
>> use a grub2 EFI binary which is signed with sbsigntools. When grub2
>> starts, I think there is in general no information that grub2
>> has been booted in a secure boot environment.
> 
> Why do you need that?
Just to show that it is booted in secure mode. In general there are only
a few devices which show at the beginning that secureboot is active. So
maybe it makes sense to show it in the booted EFI application. If a user
is interested in knowing whether it is active or not, he has to enter the
Setup. In the case of Lenovo, it is not shown directly whether secureboot is
active or not. The secureboot tab shows whether secureboot is
enabled or not and whether secureboot is in custom mode or setup mode. I
believe that not every user knows what this means. That's why I think a
hint whether secureboot is currently active or not would make sense.
> 
>> Is there a possibility to show that in grub2? I found no way to do that.
> 
> If there is a use case, why not.
Would this be a use case?
> 
>> Are you interested in having the possibility to show the UEFI secure
>> boot status (e.g. the EFI variable SecureBoot)?
> 
> I am going to work on shim protocol verification for Multiboot2
> compatible images. I hope that it will be taken into GRUB2 2.03.
Ah ok.
> 
> Daniel

Thank you for your response.

Best regards,
Dennis



* Re: UEFI secure boot
  2017-02-17  8:17   ` Dennis Wassenberg
@ 2017-02-17 11:00     ` Ignat Korchagin
  0 siblings, 0 replies; 5+ messages in thread
From: Ignat Korchagin @ 2017-02-17 11:00 UTC (permalink / raw)
  To: The development of GNU GRUB; +Cc: Daniel Kiper


I tried to submit a patch some time ago, where you can get the SecureBoot and
SetupMode variables from the GRUB shell and config file:
http://lists.gnu.org/archive/html/grub-devel/2016-01/msg00078.html

It was abandoned for some reason.

Also, I think the recent patches proposed by Matthew Garrett allow doing
this.


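Added example, not GRUB code and not from any message in this thread: a host-side check over the same two variables Ignat's patch exposed, SecureBoot and SetupMode, parsed from the Linux efivarfs file layout (a 4-byte attribute word, then the variable data). It assumes GRUB or any other EFI application would obtain the same bytes through the GetVariable runtime service; the sample blobs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Linux efivarfs exposes each UEFI variable under /sys/firmware/efi/efivars/
 * as <Name>-<VendorGuid>: a 4-byte little-endian attribute word followed by
 * the raw variable data. SecureBoot and SetupMode are each a single byte. */
enum sb_state { SB_UNSUPPORTED, SB_DISABLED, SB_SETUP_MODE, SB_ENFORCING, SB_MALFORMED };

/* Constructed sample blobs: attributes BS|RT (0x06), then the one-byte value. */
static const uint8_t SAMPLE_SB_ON[5]    = { 0x06, 0, 0, 0, 1 };
static const uint8_t SAMPLE_SB_OFF[5]   = { 0x06, 0, 0, 0, 0 };
static const uint8_t SAMPLE_SM_USER[5]  = { 0x06, 0, 0, 0, 0 };  /* PK enrolled */
static const uint8_t SAMPLE_SM_SETUP[5] = { 0x06, 0, 0, 0, 1 };  /* no PK yet   */

/* Split one efivarfs blob holding a single-byte variable. Returns 0 on success. */
int parse_efivar_u8(const uint8_t *buf, size_t len, uint32_t *attrs, uint8_t *value)
{
    if (buf == NULL || len != 5)   /* 4 attribute bytes + exactly 1 data byte */
        return -1;
    *attrs = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
             (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    *value = buf[4];
    return 0;
}

/* Combine SecureBoot and SetupMode; pass NULL for a variable that is absent.
 * SetupMode=1 means no PK is enrolled and the key databases accept unsigned
 * writes, so it is reported as its own state even if SecureBoot reads 1. */
enum sb_state classify_secure_boot(const uint8_t *sb, size_t sb_len,
                                   const uint8_t *sm, size_t sm_len)
{
    uint32_t attrs;
    uint8_t sb_val, sm_val = 0;
    if (sb == NULL)
        return SB_UNSUPPORTED;           /* firmware without Secure Boot at all */
    if (parse_efivar_u8(sb, sb_len, &attrs, &sb_val) != 0)
        return SB_MALFORMED;
    if (sm != NULL && parse_efivar_u8(sm, sm_len, &attrs, &sm_val) != 0)
        return SB_MALFORMED;
    if (sm_val == 1)
        return SB_SETUP_MODE;
    return sb_val == 1 ? SB_ENFORCING : SB_DISABLED;
}

int main(void)
{
    static const char *names[] = { "unsupported", "disabled", "setup mode", "enforcing", "malformed" };
    printf("Secure Boot: %s\n", names[classify_secure_boot(SAMPLE_SB_ON, 5, SAMPLE_SM_USER, 5)]);
    return 0;
}
```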


* Re: UEFI Secure Boot
       [not found] <4FF474E4.2030402@fpmurphy.com>
@ 2012-07-05  8:33 ` James Bottomley
  0 siblings, 0 replies; 5+ messages in thread
From: James Bottomley @ 2012-07-05  8:33 UTC (permalink / raw)
  To: Finnbarr P. Murphy; +Cc: linux-kernel, linux-efi


[added mailing list cc's since this is probably going to be a common question]

On Wed, 2012-07-04 at 12:52 -0400, Finnbarr P. Murphy wrote:
> Hi James,
> 
> Nice work on your UEFI Secure Boot demo code!
> 
> Have you experimented with either of the following scenarios?
> 
>     - Removing current PK via a utility
>     - Replacing current PK with a new PK via a utility
> 
> assuming you know existing PK keys.

Not yet ... I'm still working on writing the code that constructs the
time based authentication bundle for the variables.  When I have it, it
will appear in my git repository (and I'll probably send a note to the
linux-efi list):

http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary

> From Chapter 27 of the UEFI Specification, this should be possible, but
> I cannot get either scenario to work (due to error 26 - Security
> Violation). Perhaps it is the OVMF implementation (latest from trunk),
> but I suspect it is just my old age!

Constructing time based authentication bundles is complex ... are you
sure you have the code right?  Error 26 means the platform doesn't think
the authentication is correct.

James

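Added example, not James's efitools code: the bytes a time-based authentication bundle's PKCS#7 signature has to cover, laid out as the UEFI specification defines them for EFI_VARIABLE_AUTHENTICATION_2 writes. The variable name, GUID and attribute values are the specification's own for PK; the timestamp is constructed, and the variable name is assumed to be ASCII.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A time-based authenticated SetVariable() payload is EFI_TIME TimeStamp (16
 * bytes) || WIN_CERTIFICATE_UEFI_GUID (8-byte header, EFI_CERT_TYPE_PKCS7_GUID,
 * DER PKCS#7) || new variable contents. The PKCS#7 signature must cover
 * VariableName (UCS-2, no terminator) || VendorGuid || Attributes (LE32) ||
 * TimeStamp || new contents; any byte that differs from what the firmware
 * recomputes makes it answer EFI_SECURITY_VIOLATION (the "error 26" above). */
#define EFI_VARIABLE_NON_VOLATILE                          0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS                    0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS                        0x04u
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x20u
#define PK_ATTRS (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | \
                  EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS)

/* EFI_GLOBAL_VARIABLE 8be4df61-93ca-11d2-aa0d-00e098032b8c, PK's VendorGuid,
 * in in-memory byte order (first three fields little-endian). */
static const uint8_t EFI_GLOBAL_VARIABLE_GUID[16] = {
    0x61, 0xdf, 0xe4, 0x8b, 0xca, 0x93, 0xd2, 0x11,
    0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c };

/* Serialize EFI_TIME: Pad1, Nanosecond, TimeZone, Daylight and Pad2 must be
 * zero for time-based authentication, so only date and time fields are set. */
void efi_time_pack(uint8_t out[16], uint16_t year, uint8_t mon, uint8_t day,
                   uint8_t hour, uint8_t min, uint8_t sec)
{
    memset(out, 0, 16);
    out[0] = (uint8_t)year;  out[1] = (uint8_t)(year >> 8);
    out[2] = mon;  out[3] = day;  out[4] = hour;  out[5] = min;  out[6] = sec;
}

/* Build the to-be-signed buffer for `name` (ASCII, widened to UCS-2). Returns
 * the bytes written, or 0 if `out` is too small. dlen == 0 describes a
 * deletion, which is how an authorised removal of PK is expressed. */
size_t auth2_tbs_build(uint8_t *out, size_t cap, const char *name, const uint8_t guid[16],
                       uint32_t attrs, const uint8_t ts[16], const uint8_t *data, size_t dlen)
{
    size_t nlen = strlen(name), off = 0;
    if (2 * nlen + 16 + 4 + 16 + dlen > cap)
        return 0;
    for (size_t i = 0; i < nlen; i++) { out[off++] = (uint8_t)name[i]; out[off++] = 0; }
    memcpy(out + off, guid, 16);  off += 16;
    out[off++] = (uint8_t)attrs;          out[off++] = (uint8_t)(attrs >> 8);
    out[off++] = (uint8_t)(attrs >> 16);  out[off++] = (uint8_t)(attrs >> 24);
    memcpy(out + off, ts, 16);  off += 16;
    if (dlen) { memcpy(out + off, data, dlen); off += dlen; }
    return off;
}
```

The 40-byte result for a PK deletion is what gets hashed and signed with the current PK's private key; the firmware rebuilds the same bytes from the SetVariable() arguments, so a wrong attribute word or a non-zero padding field in EFI_TIME is enough to trigger the violation.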

