Secure boot with using own UEFI keys?

solene · November 13, 2023, 11:08am

Hi, now I have a laptop with dasharo coreboot on it but not heads, I wondered if secure boot could be achieved. It seems not from the FAQ, but I found some instructions on Alpine Linux, I’m really not familiar with this area, but that seems feasible at first glance by generating our own keys + signing the kernel?

https://wiki.alpinelinux.org/wiki/UEFI_Secure_Boot#Generating_own_UEFI_keys

apparatus · November 13, 2023, 11:12am

github.com/QubesOS/qubes-issues

Secure boot support

opened 12:57PM - 04 Oct 18 UTC

jasperweiss

T: enhancement help wanted C: other security P: default

According the secure boot specification, users can enroll their own keys for sec…ure boot. If the QOS bootloader were signed, users could manually enroll the signing key within the UEFI. That would be a better anti evil maid system since it doesn't require the use of potentially untrusted USB keys. Since dom0 doesn't contain any 3rd party applications, we can enforce code signing on anything that runs within it. [This](https://blog.invisiblethings.org/2011/09/07/anti-evil-maid.html) blog post mentions secure boot being problematic due to running CA's etc but providing the user with a public key they can enroll manually would be doable. Edit: I'm aware the developers are generally not very fond of secure boot. Could anyone explain why? Alternatively a TPM could be used to unseal the drive encryption key. > Pre-OS firmware components are hashed (measured) Measurements are initiated by startup firmware (Static CRTM) Measurements are stored in a secure location (TPM PCRs) Secrets (encryption keys) are encrypted by the TPM and bounded to PCR measurements (sealed) Can only be decrypted (unsealed) with same PCR measurements stored in the TPM This chain guarantees that firmware hasn’t been tampered with

renehoj · November 13, 2023, 11:22am

aronowski has attempted this

github.com/QubesOS/qubes-issues

Sign boot images

opened 03:19AM - 12 May 23 UTC

marmarek

T: enhancement C: builder C: Xen security P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) #…## The problem you're addressing (if any) "UEFI Secure Boot" support will require several changes in the system. This ticket is a subtask about changes to the packaging. ### The solution you'd like 1. Sign grubx64.efi with a dedicated key. 2. Build unified xen.efi using latest "xen-hypervisor" and "kernel" packages (make it a new package with a version being combination of both). Configure it the way to allow dom0 command line via xen.efi parameters (if this isn't supported mode, it will require a xen patch). 3. Sign resulting xen.efi too. 4. Make grub to load xen.efi and give it dom0 command line like it would do via separate `module2` command. Ship all of the above as separate package(s), alternative to default boot packages. They may conflict with standard ones (forcing replacing them), or co-exist under different file names. The latter is probably friendlier to the user. ### The value to a user, and who that user might be This ticket is **NOT** about full UEFI Secure Boot support (for that we have #4371). It is only about preparing initial build and configuration infrastructure for it.

solene · November 13, 2023, 11:27am

Thanks both for you!

renehoj · November 13, 2023, 11:35am

If you have the NV4x you should be able to use Heads at some point in the near future, there is a Dasharo release planned.

solene · November 13, 2023, 12:32pm

Pretty neat! I’ll need to read more about heads, I’m not sure I fully understand how it works

frank_sullivan · November 13, 2023, 8:46pm

This is a good article breaking down the different secure/verified boot approaches and how they work.

HardcodedNonce · November 14, 2023, 3:58pm

I am using this Laptop and i can confirm that Dasharo, HEADS and measured boot works well on 4.1. However measured boot != secureboot. To shrink this gap i plan on using the nitrokeys FIDO2 feature to achieve the same security goals as secure boot.

aronowski · November 15, 2023, 4:53pm

Should have pinged me here! I’d immediately post something regarding this topic.

But yes, as posted in that GitHub issue, I’ve been having some trouble with the Xen Unified Image and got stuck here. If one wants to try their luck, however, a good start would be this guide I wrote some time ago, how to get a bit of experience with the UEFI Secure Boot ecosystem on Fedora - with proper RPM recompilation, rather than manual binary signing.

However, for Qubes OS I wanted to first make sure the Xen UKI works in the first place, and then prepare the infrastructure to integrate it further into the Qubes build system.

@solene, please give it a try and tell me, what you think about it.