{"id":13681506,"url":"https://github.com/JohnstonJ/ubuntu-secure-boot","last_synced_at":"2025-04-30T03:31:39.426Z","repository":{"id":99787413,"uuid":"53303880","full_name":"JohnstonJ/ubuntu-secure-boot","owner":"JohnstonJ","description":"Self-signed UEFI- and GRUB-based secure boot system for Ubuntu.","archived":false,"fork":false,"pushed_at":"2020-02-03T22:04:50.000Z","size":26,"stargazers_count":23,"open_issues_count":5,"forks_count":10,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-12T00:36:45.348Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JohnstonJ.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-03-07T07:13:36.000Z","updated_at":"2024-08-12T19:21:47.000Z","dependencies_parsed_at":null,"dependency_job_id":"d47c3b8a-8493-4924-82e2-04286453e425","html_url":"https://github.com/JohnstonJ/ubuntu-secure-boot","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JohnstonJ%2Fubuntu-secure-boot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JohnstonJ%2Fubuntu-secure-boot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JohnstonJ%2Fubuntu-secure-boot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JohnstonJ%2Fubuntu-secure-boot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JohnstonJ","download_url":"https://codeload.gith
ub.com/JohnstonJ/ubuntu-secure-boot/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251635342,"owners_count":21619206,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:31.668Z","updated_at":"2025-04-30T03:31:39.182Z","avatar_url":"https://github.com/JohnstonJ.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"ubuntu-secure-boot package\n--------------------------\n\nThe stock Ubuntu 15.10 installation only implements secure boot just enough\nto get a Microsoft-signed shim in place.  It does nothing to actually secure\nthe boot process.  This package can help users do so.\n\nAssumptions: (1) 64-bit computer booting via EFI, (2) full disk encryption\nis used.  While this package will install without full disk encryption, it\ndoes nothing to secure the booted operating system beyond signing the kernel\nand initramfs.  Private keys are stored within the /etc directory, so this\nmust be secured as well.  Note that the /boot partition may remain\nunencrypted, as one purpose of this package is to secure it.\n\nAfter installing, you will need to run make-secure-boot-keys.  Then, you will\nneed to enable secure boot in your system firmware and import the generated\nkeys into the configuration.\n\nBuild instructions\n------------------\n\n1.  Install debhelper if needed:\n\n    apt-get install debhelper\n\n2.  Build the package:\n\n    dpkg-buildpackage\n\nInstall instructions\n--------------------\n\n1.  
Remove shim-related packages:\n\n    apt-get purge shim-signed\n    apt-get purge shim\n\n2.  Install the package as normal:\n\n    dpkg -i ubuntu-secure-boot_\u003cversion\u003e_amd64.deb\n\n    If prompted about missing dependencies, install them as normal using\n    apt-get.\n\n3.  Generate key pairs and sign your current boot files:\n\n    make-secure-boot-keys\n\nDigital signatures will be maintained whenever you install new kernels or\nupdate initramfs.\n\nFeatures of ubuntu-secure-boot\n------------------------------\n\n* Self-signed bootloader files: take control over your boot process by\n  stripping Canonical / Microsoft signatures from your boot files and signing\n  everything yourself.\n\n* The files that are digitally signed and verified during the boot process\n  are:\n  * GRUB itself (self-signed)\n  * GRUB configuration (self-signed)\n  * GRUB modules and other external files (self-signed)\n  * Linux kernel (self-signed)\n  * Linux initramfs / initrd (self-signed)\n  * Linux kernel modules (using existing Canonical signatures)\n\n* Self-signed private keys are stored in /etc/ubuntu-secure-boot/keys and\n  protected by a passphrase.\n\n* UEFI Secure Boot self-signed key pairs are generated and used to sign the\n  self-contained GRUB .efi image.  They can be imported into a UEFI firmware\n  to take full control over the secure boot process.\n\n* The secure GRUB image is added as a boot option in EFI firmware.\n\n* Digital signature support in GRUB is enabled to check signatures on any boot\n  file that is loaded from disk.  The risk of loading an unsigned file from\n  GRUB is eliminated (e.g. an unsigned kernel).\n\n* GRUB is now deployed as a stand-alone .efi image that contains a memdisk\n  with the full configuration and all loadable modules.  
This eliminates the\n  risk of tampering with the GRUB configuration.\n\n* GRUB is automatically locked down with a password so that users cannot tamper\n  with boot settings or use advanced boot options.\n\n* Unsigned GRUB files in /boot remaining from the original GRUB packages are\n  completely wiped (but restored upon uninstall of this package).\n\n* Newly-installed kernels are automatically signed whenever they are installed.\n  Existing Canonical .efi signatures in the linux-signed-image-* packages are\n  stripped and replaced with your signature.\n\n* The initramfs is automatically re-signed whenever update-initramfs is run.\n\n* Linux kernel module signing enforcement is automatically enabled by default.\n  This can be controlled from /etc/default/grub.d/ubuntu-secure-boot.cfg.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJohnstonJ%2Fubuntu-secure-boot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FJohnstonJ%2Fubuntu-secure-boot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FJohnstonJ%2Fubuntu-secure-boot/lists"}