Gabriele Svelto
@gabrielesvelto@mas.to  ·  activity timestamp 3 days ago

I've updated my blog post about setting up SecureBoot with shim & GRUB on Gentoo to reflect some recent changes to the kernel installation scripts. I've also added information and scripts to automate updating and removing kernels.

https://www.setphaserstostun.org/posts/secure-boot-on-gentoo-with-shim-grub/

#Gentoo #SecureBoot

Link preview (Just another blog): Secure Boot on Gentoo with shim & GRUB. Setting up Secure Boot on Gentoo Linux using the shim and GRUB bootloaders.
Gabriele Svelto
@gabrielesvelto@mas.to replied  ·  activity timestamp 3 days ago

It's worth noting that Gentoo's GRUB package already creates a signed EFI module that loads an external grub configuration file (grub.cfg) and which can be used out-of-the-box with shim. In this setup, however, the GRUB configuration file is not verified during boot. In my setup the GRUB configuration file is bundled in the GRUB EFI image and so is covered by the Secure Boot verification process. The downside is that changing the configuration forces me to regenerate the bootloader.

mhoye
@mhoye@mastodon.social replied  ·  activity timestamp 3 days ago

@gabrielesvelto I've been meaning to ask - in this Secure Boot -> Grub -> Encrypted drive process, is there a reasonable way to set this up so it's roughly comparable to MacOS "just type in the password once" level of convenience?

Gabriele Svelto
@gabrielesvelto@mas.to replied  ·  activity timestamp 3 days ago

@mhoye yes but only using the onboard TPM or an external FIDO/UDF key. GRUB can be instructed to pull the encryption key from there to unlock a LUKS-encrypted partition. It will bring you all the way to the login screen and only ask your password there. It is not a trivial setup in terms of complexity.

(hic/haec/hoc)
@_hic_haec_hoc@fosstodon.org replied  ·  activity timestamp 3 days ago

@gabrielesvelto @mhoye I set up TPM decryption via systemd-cryptenroll on a Fedora system this week and it was surprisingly straightforward, and with a little work (30 minutes to figure out how to set the grub boot successful flag after resume) even hibernation to a swapfile on the encrypted partition works reliably. The only annoyance is being asked for the decryption password after upgrading the kernel or the bootloader and then having to refresh the TPM key, but it's literally one command.

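The TPM-backed unlock described in the two replies above (GRUB or systemd-cryptenroll pulling the LUKS key from the TPM) seals the key against a set of PCR values, and which PCRs were chosen decides which updates break the binding and bring back the passphrase prompt. The script below is an added example, not code from the thread or from the systemd or cryptsetup projects: it reads the JSON that `cryptsetup luksDump --dump-json-metadata /dev/<device>` prints for a LUKS2 header, lists every systemd-tpm2 token with the PCRs it is sealed to, says which kinds of update will force a re-enrollment, and lists the keyslots no TPM token opens (the passphrase fallback, i.e. the duplicate backup key asked about later in the thread). The embedded header is a constructed, trimmed sample with placeholder blob values; the PCR-to-event table is the usual TCG/UEFI assignment for a shim/GRUB machine and is an assumption to check against your own firmware and bootloader.

```python
"""Audit TPM2 bindings in a LUKS2 header.

Feed it the JSON from `cryptsetup luksDump --dump-json-metadata /dev/<device>`
(cryptsetup 2.x). For every systemd-tpm2 token it reports the PCRs the key is
sealed against and which kinds of update change those PCRs, i.e. when the
"refresh the TPM key" step (re-running systemd-cryptenroll) becomes necessary.
It also lists the keyslots no TPM token references: those are the passphrase
slots that still unlock the disk when the PCR policy no longer matches.
"""
import json
import sys

# Events that change a given PCR on a typical UEFI + shim/GRUB machine (TCG PC
# Client assignments plus the PCRs shim and GRUB extend). Assumed mapping;
# verify against your firmware and bootloader documentation.
PCR_CHANGED_BY = {
    0: {"firmware update"},
    1: {"firmware settings change"},
    2: {"option ROM change (hardware swap)"},
    3: {"option ROM configuration change"},
    4: {"bootloader update (shim/GRUB binaries)"},
    5: {"partition table change"},
    7: {"Secure Boot policy change (db/dbx/MOK, signing certificate)"},
    8: {"grub.cfg change", "kernel command line change"},
    9: {"kernel update", "initramfs rebuild", "grub.cfg change"},
    11: {"kernel update", "initramfs rebuild"},
    14: {"MOK list change"},
}

# Constructed, trimmed LUKS2 header: a passphrase slot (0), a slot sealed to
# PCR 7 only (systemd-cryptenroll's default), and a slot sealed to PCRs 4+7+9
# with a PIN. Blob and policy-hash values are placeholders, not real TPM data.
SAMPLE_LUKS2_METADATA = json.dumps({
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64},
        "1": {"type": "luks2", "key_size": 64},
        "2": {"type": "luks2", "key_size": 64},
    },
    "tokens": {
        "0": {"type": "systemd-tpm2", "keyslots": ["1"], "tpm2-pcr-bank": "sha256",
              "tpm2-pcrs": [7], "tpm2-pin": False,
              "tpm2-blob": "PLACEHOLDER", "tpm2-policy-hash": "PLACEHOLDER"},
        "1": {"type": "systemd-tpm2", "keyslots": ["2"], "tpm2-pcr-bank": "sha256",
              "tpm2-pcrs": [4, 7, 9], "tpm2-pin": True,
              "tpm2-blob": "PLACEHOLDER", "tpm2-policy-hash": "PLACEHOLDER"},
        # A non-TPM token must not count as a TPM binding.
        "2": {"type": "luks2-keyring", "keyslots": ["0"],
              "key_description": "cryptsetup:PLACEHOLDER"},
    },
})


def tpm2_tokens(metadata):
    """(token id, token) pairs for every systemd-tpm2 token, in id order."""
    tokens = metadata.get("tokens", {})
    return [(tid, tokens[tid]) for tid in sorted(tokens, key=int)
            if tokens[tid].get("type") == "systemd-tpm2"]


def describe_token(tid, tok):
    """Summarise one token: which slots it opens, its PCR policy, and what breaks it."""
    pcrs = sorted(int(p) for p in tok.get("tpm2-pcrs", []))
    triggers = set()
    for p in pcrs:
        triggers |= PCR_CHANGED_BY.get(p, {f"change to PCR {p} (unknown source)"})
    return {
        "token": tid,
        "keyslots": list(tok.get("keyslots", [])),
        "bank": tok.get("tpm2-pcr-bank"),
        "pcrs": pcrs,
        "pin": bool(tok.get("tpm2-pin", False)),
        "reenroll_after": sorted(triggers),
    }


def recovery_keyslots(metadata):
    """Keyslots that no systemd-tpm2 token opens: the passphrase fallback."""
    tpm_bound = {ks for _, tok in tpm2_tokens(metadata) for ks in tok.get("keyslots", [])}
    return sorted((ks for ks in metadata.get("keyslots", {}) if ks not in tpm_bound), key=int)


def audit(metadata_json):
    """Parse luksDump JSON and return the report as a dict."""
    md = json.loads(metadata_json)
    return {
        "tpm2": [describe_token(tid, tok) for tid, tok in tpm2_tokens(md)],
        "recovery_keyslots": recovery_keyslots(md),
    }


def main(argv):
    # "-" reads real luksDump output from stdin; otherwise the constructed sample is used.
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_LUKS2_METADATA
    report = audit(text)
    for t in report["tpm2"]:
        pin = " + PIN" if t["pin"] else ""
        print(f"token {t['token']}: keyslots {t['keyslots']} sealed to {t['bank']} PCRs {t['pcrs']}{pin}")
        print(f"  re-enroll after: {', '.join(t['reenroll_after']) or 'nothing (no PCRs bound)'}")
    if report["recovery_keyslots"]:
        print(f"passphrase-only keyslots (fallback): {report['recovery_keyslots']}")
    else:
        print("WARNING: every keyslot is TPM-bound; no passphrase fallback if the policy breaks")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a real header with `cryptsetup luksDump --dump-json-metadata /dev/nvme0n1p2 | python3 luks_tpm_audit.py -` (device name is an example). A token bound only to PCR 7 is unaffected by kernel and initramfs updates, while one that includes PCR 4 or 9 needs the "one command" refresh after each bootloader or kernel update; a header with an empty fallback list is the configuration to avoid, since a single firmware update would then lock you out.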
mhoye
@mhoye@mastodon.social replied  ·  activity timestamp 3 days ago

@gabrielesvelto That's... interesting, though. As long as I can have a duplicate backup key. Do you know if uBoot can also be configured that way?

Gabriele Svelto
@gabrielesvelto@mas.to replied  ·  activity timestamp 3 days ago

@mhoye I don't know, but I have very little knowledge of uBoot.

mhoye
@mhoye@mastodon.social replied  ·  activity timestamp 3 days ago

@gabrielesvelto Well, I've gotta start somewhere; I'll look into it.

Thank you.

Gabriele Svelto
@gabrielesvelto@mas.to replied  ·  activity timestamp 3 days ago

@mhoye alternatively you can have a disk encryption password which GRUB will ask at boot and then your user password later. This is much simpler, and you can set up your system for auto-login in case you want to skip the second password.
