Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/JohnstonJ/ubuntu-secure-boot
Self-signed UEFI- and GRUB-based secure boot system for Ubuntu.
https://github.com/JohnstonJ/ubuntu-secure-boot
Last synced: about 1 month ago
JSON representation
Self-signed UEFI- and GRUB-based secure boot system for Ubuntu.
- Host: GitHub
- URL: https://github.com/JohnstonJ/ubuntu-secure-boot
- Owner: JohnstonJ
- License: mit
- Created: 2016-03-07T07:13:36.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2020-02-03T22:04:50.000Z (almost 5 years ago)
- Last Synced: 2024-08-02T13:32:31.197Z (4 months ago)
- Language: Shell
- Size: 25.4 KB
- Stars: 24
- Watchers: 3
- Forks: 10
- Open Issues: 5
-
Metadata Files:
- Readme: README
- License: LICENSE
Awesome Lists containing this project
- awesome-starz - JohnstonJ/ubuntu-secure-boot - Self-signed UEFI- and GRUB-based secure boot system for Ubuntu. (Shell)
README
ubuntu-secure-boot package
--------------------------The stock Ubuntu 15.10 installation only implements secure boot just enough
to get a Microsoft-signed shim in place. It does nothing to actually secure
the boot process. This package can help users do so.Assumptions: (1) 64-bit computer booting via EFI, (2) full disk encryption
is used. While this package will install without full disk encryption, it
does nothing to secure the booted operating system beyond signing the kernel
and initramfs. Private keys are stored within the /etc directory, so this
must be secured as well. Note that the /boot partition may remain
unencrypted, as one purpose of this package is to secure it.After installing, you will need to run make-secure-boot-keys. Then, you will
need to enable secure boot in your system firmware and import the generated
keys into the configuration.Build instructions
------------------1. Install debhelper if needed:
apt-get install debhelper
2. Build the package:
dpkg-buildpackage
Install instructions
--------------------1. Remove shim-related packages:
apt-get purge shim-signed
apt-get purge shim2. Install the package as normal:
dpkg -i ubuntu-secure-boot__amd64.deb
If prompted about missing dependencies, install them as normal using
apt-get.3. Generate key pairs and sign your current boot files:
make-secure-boot-keys
Digital signatures will be maintained whenever you install new kernels or
update initramfs.Features of ubuntu-secure-boot
------------------------------* Self-signed bootloader files: take control over your boot process by
stripping Canonical / Microsoft signatures from your boot files and signing
everything yourself.* Summary of files that are digitally signed and verified during the boot
process are:
* GRUB itself (self-signed)
* GRUB configuration (self-signed)
* GRUB modules and other external files (self-signed)
* Linux kernel (self-signed)
* Linux initramfs / initrd (self-signed)
* Linux kernel modules (using existing Canonical signatures)* Self-signed private keys are stored in /etc/ubuntu-secure-boot/keys and
protected by a passphrase.* UEFI Secure Boot self-signed key pairs are generated and used to sign the
self-contained GRUB .efi image. They can be imported into a UEFI firmware
to take full control over the secure boot process.* The secure GRUB image is added as a boot option in EFI firmware.
* Digital signature support in GRUB is enabled to check signatures on any boot
file that is loaded from disk. The risk of loading an unsigned file from
GRUB is eliminated (e.g. an unsigned kernel).* GRUB is now deployed as a stand-alone .efi image that contains a memdisk
with the full configuration and all loadable modules. This eliminates the
risk of tampering with the GRUB configuration.* GRUB is automatically locked down with a password so that users cannot tamper
with boot settings or use advanced boot options.* Unsigned GRUB files in /boot remaining from the original GRUB packages are
completely wiped (but restored upon uninstall of this package).* Newly-installed kernels are automatically signed whenever they are installed.
Existing Canonical .efi signatures in the linux-signed-image-* packages are
stripped and replaced with your signature.* The initramfs is automatically re-signed whenever update-initramfs is run.
* Linux kernel module signing enforcement is automatically enabled by default.
This can be controlled from /etc/default/grub.d/ubuntu-secure-boot.cfg.