Author: Zhang Hua   Published: 2020-09-29
Copyright notice: this article may be freely reproduced; when reproducing it, please indicate the original source, the author information and this copyright notice in the form of a hyperlink.
Secure Boot is designed to prevent non-Windows operating systems from booting (Secure Boot works by placing the root of trust in firmware), but you can still boot Grub2 under Secure Boot using shim and the MOK manager, and from grub2 you can boot into other operating systems. In other words:
Secure Boot places the root certificate in the firmware; the firmware can then verify a signed bootloader, and the signed bootloader in turn verifies the signed kernel and the signed 2nd-stage bootloader. In this way the system also lets you modify the Secure Boot keys.
By default the system has the hardware vendor's PK, and the public keys of Microsoft and the hardware vendor in db and KEK. This makes it possible to use Microsoft-certified bootloaders, and through a shim signed by them, to boot other Linux distributions. Some UEFI BIOS setups allow adding and deleting all of the Secure Boot keys, while others only let you either delete them all or use the defaults (remember to back up before deleting). If the PK is deleted, Secure Boot enters what is called setup mode. You will probably want these keys present:
the db set should contain:
the KEK set should contain:
There are two kinds of bootloader here: both shim and grub2 are called bootloaders, so in theory shim is not required. Why is shim needed, then? This page (https://unix.stackexchange.com/questions/423666/secureboot-with-uefi-bootloader-and-grub2-only) says: grub uses the firmware API to validate binary signatures; you might prefer shim instead of signing the binaries with the "precious" key each time.
In non-Secure Boot mode there is no shim component; EFI starts grub2 directly.
In Secure Boot mode there is a shim component, and shim must be signed with a certificate held in EFI (the signatures on grub2 and the kernel do not have to use a certificate held in EFI; you can create your own keys and import them into NVRAM with the shim-related tools). Even in Secure Boot mode you can boot either with or without shim:
1. Power on; the Secure Boot-capable UEFI firmware runs first (for a QEMU VM, the Secure Boot-capable UEFI OVMF firmware is "UEFI x86_64": /usr/share/OVMF/OVMF_CODE.fd; install it with sudo apt install ovmf && sudo systemctl restart libvirtd).
2. The firmware verifies the bootloader's signature. The UEFI firmware has a set of public keys (the Secure Boot key sets) pre-loaded in NVRAM (or as compiled-in defaults), with which it verifies the signature of the bootloader (shim or grub2). Without shim, grub2 has to call the firmware API every time it needs to verify a signature.
The UEFI firmware uses /boot/efi/EFI/BOOT/BOOTX64.EFI to boot at the first stage (judging by the md5sums below, it is the same file as /boot/efi/EFI/centos/shimx64.efi: with shim, shimx64.efi is copied to BOOTX64.EFI; for grub2 alone it would presumably be grubx64.efi copied to BOOTX64.EFI).
[root@test2 ~]# md5sum /boot/efi/EFI/BOOT/BOOTX64.EFI
25d9ccc49c419d76324a29615e8371c2 /boot/efi/EFI/BOOT/BOOTX64.EFI
[root@test2 ~]# md5sum /boot/efi/EFI/centos/shimx64.efi
25d9ccc49c419d76324a29615e8371c2 /boot/efi/EFI/centos/shimx64.efi
[root@test2 ~]# md5sum /boot/efi/EFI/centos/shimx64-centos.efi
d435494a957479acac3aca09915c21d1 /boot/efi/EFI/centos/shimx64-centos.efi
[root@test2 ~]# md5sum /boot/efi/EFI/centos/grubx64.efi
031b972f3ab267f37e01ada73f4b480d /boot/efi/EFI/centos/grubx64.efi
3. The bootloader then verifies the kernel's signature.
Then shim loads grub2 (/boot/efi/EFI/centos/grubx64.efi) in the second stage.
4. The kernel then verifies the signatures of its modules.
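As an added example (not code from the original post), the following Python locates the Authenticode signature embedded in a PE/COFF .efi image, which is the first thing the firmware and shim must do in step 2 before checking that signature against the keys in db or MOK; it does not perform the cryptographic verification itself. The function names and the constructed test image are my own; pointed at a real file such as /boot/efi/EFI/centos/shimx64.efi it returns the embedded PKCS#7 blob, or None for an unsigned binary.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode (PKCS#7 SignedData)

def find_authenticode_signature(pe):
    """Return the raw PKCS#7 signature blob of a PE/COFF (.efi) image,
    or None if it carries no certificate table (unsigned: Secure Boot rejects it)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (missing MZ header)")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE\\0\\0 signature")
    opt_off = pe_off + 24                                   # skip the COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x20B:                                      # PE32+ (x86_64 EFI binaries)
        dd_off = opt_off + 112
    elif magic == 0x10B:                                    # PE32
        dd_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if n_dirs <= 4:
        return None
    # Data directory 4 is the Certificate Table; its "VirtualAddress" is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", pe, dd_off + 4 * 8)
    if cert_size == 0:
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)  # WIN_CERTIFICATE
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > cert_size or length < 8:
        raise ValueError("malformed certificate table")
    return bytes(pe[cert_off + 8:cert_off + length])

def build_test_image(signature):
    """Construct a minimal, non-bootable PE32+ image (constructed demo data, not a real bootloader)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: PE header at offset 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                    # PE32+ optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    img = dos + coff + opt
    if signature is not None:                               # append a WIN_CERTIFICATE and point dir 4 at it
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        struct.pack_into("<II", img, 64 + 24 + 112 + 4 * 8, len(img), len(cert))
        img += cert
    return bytes(img)
```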
[1] https://wiki.ubuntu.com/UEFI/SecureBoot/Testing?action=show&redirect=SecurityTeam%2FSecureBoot
[2] https://www.aioboot.com/en/secure-boot/
[3] https://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html
[4] Grub 2: rescue your bootloader, https://linux.cn/article-6892-1.html?pr
[5] https://unix.stackexchange.com/questions/423666/secureboot-with-uefi-bootloader-and-grub2-only