vyos/vyos-build
1
0
Fork 0
mirror of https://github.com/vyos/vyos-build.git synced 2025-10-01 20:28:40 +02:00
Code Issues Packages Projects Releases Wiki Activity
vyos-build/data/live-build-config/includes.chroot/var/lib/shim-signed/mok
History
Christian Breunig fd737172f1 T861: add UEFI Secure Boot support 
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux
Kernel and enforces module signing. This results in an additional security
layer where untrusted (unsigned) Kernel modules can no longer be loaded into
the live system.

NOTE: This commit will not work unless signing keys are present. Arbitrary
keys can be generated using instructions found in:

  data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
2024-09-14 23:05:23 +02:00
..
README.md
T861: add UEFI Secure Boot support
2024-09-14 23:05:23 +02:00

README.md

Secure Boot

CA

Create Certificate Authority used for Kernel signing. CA is loaded into the Machine Owner Key store on the target system.

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
openssl x509 -inform der -in MOK.der -out MOK.pem

Kernel Module Signing Key

We do not make use of ephemeral keys for Kernel module signing. Instead a key is generated and signed by the VyOS Secure Boot CA which signs all the Kernel modules during ISO assembly if present.

openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256