Once again, this is a brilliant series, Sameer! The demo made the concepts so much clearer!
@sameerpasha3910 3 years ago
Thank you.
@tarun2413 6 years ago
Very helpful, but the video volume was too low.
@sameerpasha3910 6 years ago
Will try better next time :)
@chromebook2023 1 year ago
Thank you; very generous of you to illustrate Signature Verification for Linux Software. Keep up the good work!!! 👍
@jehbosheva 4 years ago
Amazing tutorial Sameer!!! I am new to Linux and accidentally deleted all my PK, KEK and cannot even restore the DB defaults. This gives great information. Please create a tutorial on creating keys for Linux (using StarLab Top MKIII).
@sameerpasha3910 3 years ago
I don't know if it's worth replying so late... please check my other video for that, at: kzbin.info/www/bejne/h2SYd3qHqN53kKs
@ramnaraian8188 2 years ago
Excellent Sameer!! Very informative session.
@sameerpasha3910 2 years ago
Glad you liked it
@swetaghosh88 1 year ago
Very detailed video. Could you also share information on whether we can ship a certificate in a custom OS so that secure boot works out of the box, like for any OS like RHEL, Debian etc.?
@saravanans1825 3 years ago
Excellent Stuff Sameer. Thank you for making this video. You made it so easy to understand this complex subject.
@Nick-ui9dr 1 year ago
And where are you uploading these keys or going into the EFI shell?... Is it your machine's BIOS Setup?... I wonder if my laptop has that. 😂 ... I mean I didn't explore that much... seen something about the key... but not that EFI shell option I guess. Sure will be checking on next boot of my system. 😀
@deepikarajani9350 5 years ago
Thank you for the detailed explanation and the demo!
@zoeb-vora 2 years ago
Clear, concise and to-the-point explanation. 👍🏻
@LakshmanKamatham 1 year ago
Thank you for your efforts, excellent content 😊
@chenpaul99 5 years ago
Good demo of using UEFI to verify the kernel, but should UEFI verify GRUB first, then GRUB verify the kernel?
@damianpodgorski6977 11 months ago
Does anyone know if there is a way to automate secure boot in Linux? It is quite a pain if you have to go through the manual steps on hundreds of machines in an enterprise environment.
@saadsheikh6827 9 months ago
Kudos on the great video presentation.
@augogogogo5863 6 years ago
Great video. Thanks. In your demo, you used functionality provided by UEFI to verify the OS image. Does this mean you already trust UEFI? Can we use an emulated TPM chip or Intel Boot Guard technology to verify UEFI in a qemu environment?
@sameerpasha3910 6 years ago
This is just an example. In reality, you don't trust UEFI. Even UEFI signatures should be verified prior to firmware launch. Using TPM to verify qemu is an interesting one. I haven't tried that though.
@augogogogo5863 6 years ago
Thanks for the reply. Very helpful.
@pallerlaraghuveer1962 4 years ago
Helpful... How to get your previous videos?
@chaitanyasaianil5317 3 years ago
Great explanation, it’s helpful. Tysm
@mrwhitebp 1 year ago
What about if you try to load a signed kernel when secure boot is disabled, does it boot? The reason I am asking is that I am trying to load a kernel module for troubleshooting purposes, so I am wondering if disabling secure boot in the BIOS will be enough to load my kernel module despite the fact that I have a signed kernel.
@sameerpasha3910 1 year ago
Interesting question. Kernel is a PECOFF file, and when signed by sbsign, the signatures get inserted at particular locations in the file. At execution time, if there is no "verifier" to look at those signatures, there should not be any problem and the execution should happen seamlessly. While I have not tried it, at least theoretically, a non-secure-boot system should be able to load a signed binary. Let me know if you find it otherwise.
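The reply above says the signature sits at a particular place in the PE/COFF file and is only consulted when a verifier looks for it. As an added example (not from the video or from any commenter), this Python sketch locates that place, the Certificate Table data directory, and lists the attached `WIN_CERTIFICATE` entries without verifying them. The function names and the sample image bytes are constructed for illustration.

```python
import struct

CERT_DIR_INDEX = 4  # data directory 4 = Certificate Table (attached signatures)

def find_signatures(image: bytes):
    """Return (revision, cert_type, blob_length) per WIN_CERTIFICATE; [] if unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (no MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 4 + 20                      # optional header follows COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:                         # PE32+ (64-bit images)
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                       # PE32
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", image, count_off)[0] <= CERT_DIR_INDEX:
        return []
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    start, size = struct.unpack_from("<II", image, dirs_off + 8 * CERT_DIR_INDEX)
    if start == 0 or size == 0:
        return []                              # no signature attached
    if start + size > len(image):
        raise ValueError("certificate table runs past end of file")
    entries, pos = [], start
    while pos + 8 <= start + size:
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > start + size:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, cert_type, length - 8))
        pos += (length + 7) & ~7               # entries are 8-byte aligned
    return entries

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable kernel."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H106xI128x", 0x20B, 16)  # magic, 16 empty data directories
    image = bytearray(dos + coff + opt)
    if signed:
        blob = b"\x30\x82" + b"\0" * 14        # placeholder bytes, not a real PKCS#7
        dir_off = 0x40 + 24 + 112 + 8 * CERT_DIR_INDEX
        struct.pack_into("<II", image, dir_off, len(image), 8 + len(blob))
        image += struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return bytes(image)
```

An empty result means only that no signature is attached; a non-empty one says nothing about whether the signature is valid or chains to an enrolled key.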
@Manoj_Ashokkumar 3 years ago
Good explanation and demonstration
@sameerpasha3910 3 years ago
Glad you liked it
@yunusbhaiji3891 2 years ago
Great Presentation, Thanks for posting it. It will help if you post such secure boot videos for NXP's i.MX6 or 8 processor. NXP has a signing tool called Code Signing Tool which is an automated process for signing the images.
@sameerpasha3910 2 years ago
I've tried to use a general purpose OS and firmware. Getting things to run on specific hardware will need some effort :).
@LakshminarayanaN1 6 years ago
Fantastic presentation. Thank you very much..
@adborden 4 years ago
Your diagram showed GRUB/bootloader, but I didn't see this in your demo. Does signing the bootloader use the same tools (sbsign) that you use to sign the kernel?
@sameerpasha3910 3 years ago
I have not shown GRUB/bootloader etc. Those will make the presentation more complicated. GRUB is usually in PECOFF format, and can be signed using sbsign.
@maswasembuze6488 6 years ago
Great stuff, really understandable. 😀.
@kumartceice 3 years ago
Good video and great easy demo
@antoniostorcke 3 years ago
I greatly enjoyed this video. If you could make one for installing Arch Linux that would help a lot of people. Arch does not automate the process of signing and installing keys.
@sameerpasha3910 3 years ago
Thank you. I haven't explored Arch Linux for demo.
@antoniostorcke 3 years ago
@sameerpasha3910 Any specific process that gets Manjaro installed on a secure boot system without having to keep secure boot in a disabled state would command a lot of attention.
@chiragjethava1186 6 years ago
How can I use the same concept to bind and verify the chain of trust from one stage to another, as shown in your block diagram? With UEFI verifying the Grub2 bootloader and then Grub2 verifying the kernel image?
@sameerpasha3910 6 years ago
I'm sorry, I didn't understand your question.
@chiragjethava1186 6 years ago
My question is how to achieve the following task:
step 1: UEFI verifies signed Grub2 (UEFI verify -> signed Grub2)
step 2: Grub2 verifies signed Linux kernel and application as shown in the block diagram (Grub2 verify -> signed Linux Kernel and other signed applications)
However, in the tutorial UEFI directly verifies the signed Linux kernel as you described.
@sameerpasha3910 6 years ago
@chiragjethava1186 That's for demo purposes. From the EFI shell, you can browse and look for grub2 in your filesystem... and "execute" grub2.efi from the EFI shell itself. This will launch grub2 (after verifying the signature, if you've enabled secure boot).
@chiragjethava1186 6 years ago
OK, thanks for replying.
@mohithkumar4021 3 years ago
Is there any tool to automate adding keys in UEFI firmware?
@lucilefievet6666 3 years ago
Very nice and clear video
@Sandeepan 2 years ago
Hi, I've been trying to find a legitimate way to boot into a Linux+Windows dual boot system. I also want to avoid any hacky way of manually signing things from UEFI. Is it possible to come up with a script that will use OpenSSL and sign things and update UEFI variables?
@sameerpasha3910 2 years ago
Should be doable, but will need focussed effort :)
@heenaparmar4752 3 years ago
Hi, I need some help. I want information about how you install qemu.
@sameerpasha3910 3 years ago
I hope www.qemu.org/download/ should help.
@Ax4400 2 years ago
No volume?
@05srinivasan 7 years ago
As you have used Qemu in this video, can you please share a video or link for a generic Ubuntu 16.04 kernel...
@sameerpasha3910 7 years ago
Not sure if I got your question correct. This was demonstrated on Ubuntu. Here is the log:
uname -a
Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
And
qemu-system-x86_64 --version
QEMU emulator version 2.0.0 (Debian 2.0.0+dfsg-2ubuntu1.28), Copyright (c) 2003-2008 Fabrice Bellard
@05srinivasan 7 years ago
Thank you for your immediate response. I mean I need to sign a generic Ubuntu 16.04 ISO image on a real system, not in a virtual system. How can it be done? I hope I have conveyed the question correctly :)
@sameerpasha3910 7 years ago
Real or virtual, doesn't matter. You simply sign and verify, doesn't matter where. In case you want to sign the whole ISO, you can use method (4) from: kzbin.info/www/bejne/lYCclmSaeKxpic0&t= Alternately, you can unpack the ISO and sign individual files inside the ISO. Many open source tools (some mentioned in my video) can be used to sign contents of ISO. Once signed, you obviously need to re-pack the files/contents back to ISO appropriately.
@joydipdutta2058 7 years ago
Hi, in your mentioned link for signing the whole ISO, the method used will be a detached signature. But when flashing the ISO image to USB, how can we add the detached signature, because it is a different file? And for the alternative method, after unpacking the ISO, do we need to sign all files or only some specific files?
@sameerpasha3910 7 years ago
A detached signature obviously needs additional logic (in verification code), to find the detached signature and verify. After unpacking ISO, you at least want to sign the kernel, boot-loader and initrd.
@selvalooks 6 years ago
This is wonderful!!! Thanks.
@fujinclado4918 5 years ago
You got one more subscriber.
@Essence_f_Life 5 years ago
Do we need to build a kernel first and then sign our kernel?
@sameerpasha3910 5 years ago
Yes, of course. Or you could sign a pre-built kernel.
@05srinivasan 7 years ago
Hi Sameer, the video links which you have mentioned for "Use generated key to sign kernel" and "Generate RSA2048 key with X509 cert" are not valid. Please provide the correct video links. Thank you.
@sameerpasha3910 7 years ago
I was referring to my previous videos here:
kzbin.info/www/bejne/h2SYd3qHqN53kKs
kzbin.info/www/bejne/rJmyiX2Prt6YoKc
kzbin.info/www/bejne/lYCclmSaeKxpic0
@alwanrosyidi2772 1 year ago
Now Ubuntu supports secure boot by default.
@renuudayalakshmi7324 3 years ago
Can you please explain how to create bzimage_Unsigned.bin and bzImage_Signed.bin files, initrd.imz files?
@sameerpasha3910 3 years ago
Those are Linux kernel files/images. When you build a Linux image, you will find bzimage as part of the build.
@iampennochio 7 months ago
Samee you breaking the car LOL!
@raghavkumar7779 3 years ago
Great series.
@chiragjethava1186 6 years ago
Does anybody know how to download the Tianocore UEFI firmware shown in the video? The link he showed in the video does not have any source code.
@sameerpasha3910 6 years ago
git clone github.com/tianocore/edk2.git
I tried this just now, it works
@chiragjethava1186 6 years ago
So is there any setup we have to follow? I followed the steps shown there but couldn't figure out how to generate the UEFI binary file.
@sameerpasha3910 6 years ago
@chiragjethava1186 - Clone and build OVMF:
git clone github.com/tianocore/edk2.git
cd edk2
Enable secure boot here: ./OvmfPkg/OvmfPkgX64.dsc
Add this line to Conf/tools_def.txt:
-DSECURE_BOOT_ENABLE=TRUE -DDEBUG_ON_SERIAL_PORT=TRUE
Make base tools:
make -C BaseTools
Install openssl if it's not there, then
nice OvmfPkg/build.sh -a X64 -n $(getconf _NPROCESSORS_ONLN)
If successful, you should get the firmware at:
Build/OvmfX64/DEBUG_GCC4?/FV/OVMF.fd
@rehanasuhana1938 6 years ago
Very helpful...
@joydipdutta2058 7 years ago
Can we deploy one PC's signed kernel onto another PC?
@sameerpasha3910 7 years ago
Yes you can. What is important is that the (private-key) key used to sign and the (public key) used to verify should be of the same pair, i.e. when you generate a key-pair, you get a private key + a public key. The same key pair should be used for signing/verification. It doesn't matter where or who signs the binary. Signing key is what is important.
@joydipdutta2058 7 years ago
Thanks for reply...
@jamesdean4148 3 years ago
Well explained!
@lifeissuesinGermany 7 years ago
That's great indeed :) Thanks
@sameerpasha3910 7 years ago
Glad to hear that, Welcome..!
@renuudayalakshmi7324 3 years ago
Really, it is very helpful, but I have doubts.
@sameerpasha3910 3 years ago
Let me know. I'll see if I can help.
@harrymason1053 1 year ago
Your audio is not loud enough. Need to be twice as loud. Double.
@sameerpasha3910 1 year ago
Noted.
@systemofapwne 3 years ago
Audio is KEY for videos. Buy a better mic and do post processing. Seriously, the volume is basically non-existent.