stillplate.blogg.se

How to boot to usb secure boot

The whole concept of Secure Boot requires that there exists a trust chain, from the very first thing loaded by the hardware (the firmware code), all the way through to the last things loaded by the operating system as part of the kernel: the modules. In other words, not just the firmware and bootloader require signatures; the kernel and modules do too. People don’t generally change firmware or bootloader all that much, but what about rebuilding a kernel or adding extra modules provided by hardware manufacturers?

The Secure Boot story in Ubuntu includes the fact that you might want to build your own kernel (but we do hope you can just use the generic kernel we ship in the archive), and that you may install your own kernel modules. This means signing UEFI binaries and kernel modules, each of which has its own set of tools.

But first, more on the trust chain used for Secure Boot.

To begin signing things for UEFI Secure Boot, you need an X.509 certificate that can be imported into the firmware, either directly through the manufacturer’s firmware setup or, more easily, by way of shim. Creating such a certificate is relatively simple: openssl can do it with a few commands. So, let’s create a certificate for module signing.

First, let’s write some config to let openssl know what we want to create (let’s call it ‘openssl.cnf’). Only fragments of that file survive in this copy of the post; the lines that matter most are these:

    # This definition stops the following lines choking if HOME isn't
    distinguished_name = req_distinguished_name
    authorityKeyIdentifier = keyid:always,issuer
    extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
    nsComment = "OpenSSL Generated Certificate"

Either update the values under “[ req_distinguished_name ]”, or get rid of that section altogether (along with the “distinguished_name” field) and remove the “prompt” field; openssl will then ask you for the values you want to set for the certificate identification. The identification itself does not matter much, but some of the later values are important: for example, we do want to make sure “1.3.6.1.4.1.2312.16.1.2” is included in extendedKeyUsage, because it is that OID that tells shim this is meant to be a module signing certificate.

Then we can start the fun part: creating the private and public keys. Running openssl req against that config, asking for a self-signed (-x509) certificate written out in DER form, creates both the private and the public part of the certificate used to sign things. You need both files to sign, and just the public part (MOK.der) to enroll the key in shim.

Now, let’s enroll the key we just created in shim. To enroll it, use the mokutil command:

    sudo mokutil --import MOK.der

Follow the prompts to enter a password; it is only there to make sure you really do want to enroll the key, since MokManager will ask for the same password at the next boot before it adds the key. Once enrolled, the key is accepted as a valid signing key for any module the kernel wants to load, as well as a valid key should you want to build your own bootloader or kernels (provided that you don’t include that ‘1.3.6.1.4.1.2312.16.1.2’ OID discussed earlier).
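Here is the whole procedure in one script, as an added example that is not the original post’s code: it writes a complete openssl.cnf with the extensions above, generates the key pair, and checks that the resulting certificate really carries shim’s module-signing OID before anything is enrolled. The scratch directory, the placeholder commonName and the helper names (write_openssl_cnf, create_mok, cert_has_eku, enroll_mok) are assumptions of the example; it needs openssl on the path, and the mokutil step is wrapped but not run, since it requires root and a UEFI machine.

```shell
#!/bin/sh
# Added example (not the original post's code). Generates a Machine Owner Key
# (MOK) for kernel module signing with the same extensions the post's
# openssl.cnf uses, checks the certificate before enrollment, and wraps the
# mokutil step. Assumptions: openssl on PATH; MOK_WORKDIR or a mktemp scratch
# directory; the helper names and the placeholder commonName are this
# example's own.
set -eu

WORKDIR="${MOK_WORKDIR:-$(mktemp -d)}"

# EKU OIDs in the post's extendedKeyUsage line. shim treats
# 1.3.6.1.4.1.2312.16.1.2 as "module signing only": it skips certificates
# carrying it when verifying bootloaders and kernels, so the key is usable
# for modules and nothing else.
MS_SYSCOMP_OID="1.3.6.1.4.1.311.10.3.6"
MODSIGN_OID="1.3.6.1.4.1.2312.16.1.2"

write_openssl_cnf() {
    # $1: path to write. prompt = no means the DN below is used as-is; delete
    # the req_distinguished_name section, the distinguished_name key and
    # prompt to be asked interactively instead, as the post describes.
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3
string_mask        = utf8only
prompt             = no

[ req_distinguished_name ]
commonName         = Secure Boot Module Signing

[ v3 ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:FALSE
extendedKeyUsage       = codeSigning,$MS_SYSCOMP_OID,$MODSIGN_OID
nsComment              = "OpenSSL Generated Certificate"
EOF
}

create_mok() {
    # MOK.priv is the private key (unencrypted because of -nodes, so keep it
    # off the machine once signing is done); MOK.der is the public
    # certificate in the DER form mokutil and the firmware expect.
    write_openssl_cnf "$WORKDIR/openssl.cnf"
    openssl req -config "$WORKDIR/openssl.cnf" \
        -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -keyout "$WORKDIR/MOK.priv" \
        -outform DER -out "$WORKDIR/MOK.der"
}

cert_has_eku() {
    # $1: DER certificate, $2: OID. Succeeds if the OID appears in the
    # decoded certificate text. openssl has no name for shim's OID and
    # prints it numerically, so a fixed-string grep is enough.
    openssl x509 -in "$1" -inform DER -noout -text | grep -qF -- "$2"
}

enroll_mok() {
    # Queue the certificate for enrollment. mokutil asks for a one-time
    # password; MokManager asks for the same password after the reboot
    # before it adds the key. Needs root and real UEFI firmware, so the
    # example does not call it.
    sudo mokutil --import "$1"
}

main() {
    create_mok
    if ! cert_has_eku "$WORKDIR/MOK.der" "$MODSIGN_OID"; then
        echo "MOK.der lacks the module-signing EKU; fix openssl.cnf before enrolling" >&2
        return 1
    fi
    echo "MOK.der is ready; enroll it with: sudo mokutil --import $WORKDIR/MOK.der"
}

main
```

Run it, then enroll the MOK.der it prints with mokutil and reboot into MokManager. To sign a module afterwards, Ubuntu ships kmodsign: `kmodsign sha512 MOK.priv MOK.der module.ko`. The check in cert_has_eku is worth keeping even if you hand-edit the config: a certificate enrolled without the 1.3.6.1.4.1.2312.16.1.2 OID is also trusted by shim for bootloaders and kernels, which is more than a module-signing key should be able to do.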
