Talk:Secure Boot/GRUB
Script fails to sign dist kernel
Hello, I'm opening a discussion instead of editing directly because I don't have a ton of experience writing scripts and just started using Gentoo a few weeks ago. I have some input for the section below, found in section 6.2 GRUB.
Signing the files GRUB needs to verify must come after signing the kernel because the kernel embeds the db signature, which would change the GRUB detached signature!
/root/sign_file_for_grub
sign_file_for_grub()
{
    # Sign all files that GRUB will use in the boot chain; see 'info grub' section 19.2. The list of files to sign includes:
    # - GRUB-related files (configs, environment, modules).
    # - kernel.
    # - initramfs.
    # - CPU microcode.
    local valid_file=''
    for valid_file in $(find /boot -regextype posix-extended -regex '.*(\.cfg|\.lst|\.mod|vmlinuz.*gentoo(-r[[:digit:]]+)?(\.old)?|init.*(-r[[:digit:]]+)?\.img(\.old)?|grubenv|-uc\.img)$'); do
        # Delete the old signature.
        [[ -f "$valid_file".sig ]] && rm "$valid_file".sig
        # Make a new detached signature for a file that GRUB will verify on boot.
        gpg --batch -bu grub --digest-algo SHA512 "$valid_file" || break
    done
}
sign_file_for_grub "$@"
I used this script and found it very useful, I ended up getting Secure Boot working with GRUB, but some additions may help. I'm relatively new to Gentoo, and was using the dist kernel with the "hardened" USE flag. This script did not sign my kernel for me with GPG, I had to run the command manually.
I was wondering if maybe a change from this:
for valid_file in $(find /boot -regextype posix-extended -regex '.*(\.cfg|\.lst|\.mod|vmlinuz.*gentoo(-r[[:digit:]]+)?(\.old)?|init.*(-r[[:digit:]]+)?\.img(\.old)?|grubenv|-uc\.img)$'); do
To this (bold sections added):
for valid_file in $(find /boot -regextype posix-extended -regex '.*(\.cfg|\.lst|\.mod|vmlinuz.*gentoo(-r[[:digit:]]+)?(\.old)?|vmlinuz.*dist(-r[[:digit:]]+)?(\.old)?|vmlinuz.*hardened(-r[[:digit:]]+)?(\.old)?|vmlinuz.*bin(-r[[:digit:]]+)?(\.old)?|init.*(-r[[:digit:]]+)?\.img(\.old)?|grubenv|-uc\.img)$'); do
Could solve that issue. Again, I'm not experienced with this, but in theory it should work. I'll be testing the updated script out on my machine if anyone needs confirmation.
Lastly, I noticed this script creates a file /root/.gnupg/public-keys.d/pubring.db.lock which prevents you from ever using the script again unless you delete the file with the "rm" command. I'd appreciate input from anybody, thank you.
Edit: I tested it out with the additions, and it signed my hardened distribution kernel.
- Hello and welcome to Gentoo! I'm the creator of this page and I'm happy to hear that you were able to get everything working up to trying to use a distribution kernel. Before I continue, I need to address how to interact with a discussion page and other formatting guidelines:
- For a complete overview, see Gentoo_Wiki:Contributor's_guide, but I will address some of them here.
- * When you want to add a reply to this section, don't use the Edit button at the top of the page (that edits the entire page). There should be an Edit button next to the name of this section (Script fails to sign dist kernel) that only appears when you're signed in -- use that.
- * When replying to someone, prefix the start of each line with a colon (:). The number of colons equals the number of indents. So, when you respond to this reply, you will start each line with "::". Take a look at my comments when you're editing; you will see I'm prefixing all my lines with a single colon.
- * Note that the wiki formatting might mistake text for something else; for example, [[:digit:]] needs to be surrounded with < nowiki > and < /nowiki > (no spaces in between < and >).
- * Before you "Save changes", ensure that you finish off with your signature by typing 4 tildes in a row "~~~~". The tildes will automatically turn into your signature. You will be able to see my signature at the bottom of this reply. Also remember to use the "Show preview" button to check the formatting.
- Okay, with that out of the way, let's get back to the topic at hand. You're using the distribution kernel; I've never used that, as I'm using the manual Gentoo one (sys-kernel/gentoo-sources).
- Which package are you using?
- Different packaged kernels might have different names in /boot, which is why the script failed -- it doesn't account for different naming conventions of kernels. It only accounts for names for the manual Gentoo ones. Fortunately, the fix is trivial -- add the distribution kernel names to the regular expression. Unfortunately, this is not future-resistant, as the name formatting can change. A general fix would be to sign every file in /boot, even if GRUB doesn't need it to be signed; the logic of the script would need to change to account for files that end in '.sig'.
- What do you get when you run
ls -A1 /boot
?
- As for your problem with the lock file in /root/.gnupg/public-keys.d/pubring.db.lock, I have encountered lock file issues with GnuPG before, but not with this script. I've been able to run this script over and over without fail. I might need to add a test at the beginning of the script to see if the user is root.
- Are you running the script as user root?
- FlyingBullets (talk) 20:37, 16 February 2025 (UTC)
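The "sign every file in /boot and handle the .sig files" approach FlyingBullets sketches above, written out as an added example that is not part of this discussion or of the wiki page's own scripts. It assumes a GnuPG key named grub (as on the wiki page) and takes the boot directory and the gpg command as parameters so the file-selection logic can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not the wiki's script: sign every regular file under a boot
# directory instead of matching kernel names with a regex, so naming schemes
# such as -gentoo, -gentoo-dist, -gentoo-dist-hardened or -gentoo-dist-bin
# never need to be listed.  Assumptions: the signing key is called "grub" as
# on the wiki page, and the directory and gpg command are parameters so the
# logic can be run on a scratch directory without a real key.

# Regular files that need a detached signature: everything except the
# *.sig files this script itself produces.  One path per line, sorted.
files_to_sign() {
    find "$1" -type f ! -name '*.sig' | LC_ALL=C sort
}

# Detached signatures whose signed file no longer exists (for example a
# removed kernel); leaving them behind only confuses later audits.
stale_signatures() {
    find "$1" -type f -name '*.sig' | LC_ALL=C sort | while IFS= read -r sig; do
        [ -e "${sig%.sig}" ] || printf '%s\n' "$sig"
    done
}

# sign_boot_dir DIR [KEY] [GPG]: re-sign every file under DIR with KEY.
# GPG defaults to gpg; a test can pass a stand-in command instead.
sign_boot_dir() {
    dir=$1; key=${2:-grub}; gpg_cmd=${3:-gpg}
    stale_signatures "$dir" | while IFS= read -r sig; do rm -f "$sig"; done
    files_to_sign "$dir" | while IFS= read -r f; do
        # Same gpg invocation as the wiki script; the old signature must go
        # first because gpg --batch refuses to overwrite an existing output.
        rm -f "$f.sig"
        "$gpg_cmd" --batch -bu "$key" --digest-algo SHA512 "$f" </dev/null \
            || { echo "signing failed: $f" >&2; exit 1; }
    done
}

# Only touch a real directory when one is given, e.g. `./sign_boot_dir /boot`.
# Root is required so gpg uses root's keyring (and root's lock files).
if [ "$#" -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    sign_boot_dir "$@"
fi
```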
- Hey FlyingBullets, thank you very much for the quick reply and thank you for the welcome. Your wiki page was extremely helpful for me getting secure boot setup and understanding how it works as a whole. So thank you for that as well. I will try to follow the formatting guidelines to the best of my abilities. To be honest, this is my first wiki post on any wiki.
- The package I am using is (sys-kernel/gentoo-kernel). This one was recommended in the amd64 installation guide as a good option for beginners. There is also the (sys-kernel/gentoo-kernel-bin) that others have used to download a binary kernel. However, I chose to compile to have the option to use the "hardened" USE flag. I am actually planning on experimenting with the (sys-kernel/gentoo-sources) package soon, but wanted to figure out Secure Boot before tackling that. Kernel customization is something I'm very much looking forward to.
- To answer your question, here is the output of
ls -A1 /boot
- config-6.6.74-gentoo-dist-hardened
- grub
- initramfs-6.6.74-gentoo-dist-hardened.img
- initramfs-6.6.74-gentoo-dist-hardened.img.sig
- System.map-6.6.74-gentoo-dist-hardened
- vmlinuz-6.6.74-gentoo-dist-hardened
- vmlinuz-6.6.74-gentoo-dist-hardened.sig
- Note that the kernel ends in "hardened." Without the "hardened" USE flag, it ends at "dist." I don't have the binary kernel but I believe it would look like this: vmlinuz-6.6.74-gentoo-dist-bin
- Regarding the lock file, I ran into this issue using sudo with my user account, as well as after chrooting in from a Gentoo live environment. The live environment was when I initially failed to boot from GRUB due to the signing issue. This wasn't a particularly serious issue for me, as I just deleted the file. I usually disable root login on my installations.
- In the end, I do agree that the problem may be unavoidable as the kernel names change over time. I also had the same thought of signing everything in /boot, but I don't really have the expertise to know whether that would cause other issues. If modifying the script isn't possible or would fail eventually anyway, maybe it would be best to just add a note that distribution kernels need to manually be signed using:
gpg --batch -bu grub --digest-algo SHA512 /boot/vmlinuz-6.6.74-gentoo-dist
- This is what I ended up doing, and it worked. Please let me know if I can provide any other input, and thank you again!
- Independentsock (talk) 02:34, 17 February 2025 (UTC)
- I'm glad you were able to understand the wiki page, and don't worry, I've only been contributing to the wiki for ~3 months and this is actually my first page created. So if there's any feedback or problems you had/have about Secure Boot/GRUB, let me know so that I can improve it.
- I am working on a general solution to the scripts my_install_kernel and sign_file_for_grub. I need to do more testing, but things are looking good. I will let you know when I update the wiki with the new scripts.
- Here's a tip: If you ever modify the kernel and your machine won't boot the newly modified kernel, you can select an older one from the GRUB menu.
- FlyingBullets (talk) 00:12, 18 February 2025 (UTC)
- I've updated the wiki with the new scripts, see if they work for you.
- FlyingBullets (talk) 19:50, 18 February 2025 (UTC)