https://github.com/JohnstonJ/ubuntu-secure-boot

Self-signed UEFI- and GRUB-based secure boot system for Ubuntu.

ubuntu-secure-boot package
--------------------------

The stock Ubuntu 15.10 installation implements secure boot only far enough
to get a Microsoft-signed shim in place. It does nothing to actually secure
the boot process. This package can help users do so.

Assumptions: (1) 64-bit computer booting via EFI, (2) full disk encryption
is used. While this package will install without full disk encryption, it
does nothing to secure the booted operating system beyond signing the kernel
and initramfs. Private keys are stored within the /etc directory, so this
must be secured as well. Note that the /boot partition may remain
unencrypted, as one purpose of this package is to secure it.

After installing, you will need to run make-secure-boot-keys. Then, you will
need to enable secure boot in your system firmware and import the generated
keys into the configuration.

Build instructions
------------------

1. Install debhelper if needed:

        apt-get install debhelper

2. Build the package:

        dpkg-buildpackage

Install instructions
--------------------

1. Remove shim-related packages:

        apt-get purge shim-signed
        apt-get purge shim

2. Install the package as normal:

        dpkg -i ubuntu-secure-boot__amd64.deb

   If prompted about missing dependencies, install them as normal using
   apt-get.

3. Generate key pairs and sign your current boot files:

        make-secure-boot-keys

   Digital signatures will be maintained whenever you install new kernels or
   update initramfs.

Features of ubuntu-secure-boot
------------------------------

* Self-signed bootloader files: take control over your boot process by
  stripping Canonical / Microsoft signatures from your boot files and signing
  everything yourself.

* The files that are digitally signed and verified during the boot process
  are:
    * GRUB itself (self-signed)
    * GRUB configuration (self-signed)
    * GRUB modules and other external files (self-signed)
    * Linux kernel (self-signed)
    * Linux initramfs / initrd (self-signed)
    * Linux kernel modules (using existing Canonical signatures)

* The private keys used for self-signing are stored in
  /etc/ubuntu-secure-boot/keys and protected by a passphrase.

* UEFI Secure Boot self-signed key pairs are generated and used to sign the
  self-contained GRUB .efi image. They can be imported into a UEFI firmware
  to take full control over the secure boot process.

* The secure GRUB image is added as a boot option in EFI firmware.

* Digital signature support in GRUB is enabled to check signatures on any boot
  file that is loaded from disk. The risk of loading an unsigned file from
  GRUB is eliminated (e.g. an unsigned kernel).

* GRUB is now deployed as a stand-alone .efi image that contains a memdisk
  with the full configuration and all loadable modules. This eliminates the
  risk of tampering with the GRUB configuration.

* GRUB is automatically locked down with a password so that users cannot tamper
  with boot settings or use advanced boot options.

* Unsigned GRUB files in /boot remaining from the original GRUB packages are
  completely wiped (but restored upon uninstall of this package).

* Newly-installed kernels are automatically signed whenever they are installed.
  Existing Canonical .efi signatures in the linux-signed-image-* packages are
  stripped and replaced with your signature.

* The initramfs is automatically re-signed whenever update-initramfs is run.

* Linux kernel module signing enforcement is automatically enabled by default.
  This can be controlled from /etc/default/grub.d/ubuntu-secure-boot.cfg.
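
The following audit script is an added example, not part of this package. It checks the property described in the GRUB signature bullet above: every file GRUB may load from disk has a signature beside it. It assumes GRUB's documented convention of a detached OpenPGP signature stored as `<file>.sig`; the function names and the optional keyring argument are hypothetical.

```shell
#!/bin/sh
# Audit a boot directory for files GRUB would refuse to load when signature
# checking is enforced. Added example; not shipped with ubuntu-secure-boot.
# Assumption: each signed file has a detached OpenPGP signature at <file>.sig.

# list_unsigned DIR: print every regular file under DIR that has no <file>.sig.
list_unsigned() {
    find "$1" -type f ! -name '*.sig' | sort | while IFS= read -r f; do
        [ -f "$f.sig" ] || printf '%s\n' "$f"
    done
}

# list_bad_sigs DIR KEYRING: print files whose detached signature does not
# verify against the public keys in KEYRING (a path to a gpgv keyring file).
list_bad_sigs() {
    find "$1" -type f -name '*.sig' | sort | while IFS= read -r s; do
        [ -f "${s%.sig}" ] || continue
        gpgv --quiet --keyring "$2" "$s" "${s%.sig}" >/dev/null 2>&1 \
            || printf '%s\n' "${s%.sig}"
    done
}

# audit_boot DIR [KEYRING]: report findings, return non-zero if any exist.
# Without KEYRING only the presence of signatures is checked.
audit_boot() {
    unsigned=$(list_unsigned "$1")
    bad=
    if [ -n "${2:-}" ]; then
        bad=$(list_bad_sigs "$1" "$2")
    fi
    [ -z "$unsigned" ] || printf '%s\n' "$unsigned" | sed 's/^/UNSIGNED /'
    [ -z "$bad" ] || printf '%s\n' "$bad" | sed 's/^/BAD-SIG  /'
    [ -z "$unsigned$bad" ]
}

# Run the audit only when a directory is given, e.g.: sh audit.sh /boot
if [ "$#" -gt 0 ]; then
    audit_boot "$@"
fi
```

Files that GRUB never loads may also be listed as unsigned; treat those entries as informational.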