https://www.auul.pri.ee/wiki/index.php?action=history&feed=atom&title=UEFI_Secure_Boot_kasutamine_virtuaalse_riistvaraga_OVMF 2026-05-03T18:24:19Z Selle lehekülje redigeerimiste ajalugu MediaWiki 1.39.13 https://www.auul.pri.ee/wiki/index.php?title=UEFI_Secure_Boot_kasutamine_virtuaalse_riistvaraga_OVMF&diff=749&oldid=prev 2023-09-03T15:55:42Z

<p><span dir="auto"><span class="autocomment">Kernel Lockdown</span></span></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="et"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">←Vanem redaktsioon</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Redaktsioon: 3. september 2023, kell 18:55</td> </tr><tr> <td colspan="2" class="diff-lineno">280. rida:</td> <td colspan="2" class="diff-lineno">280. rida:</td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 2: 1/Operation not permitted</div></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 2: 1/Operation not permitted</div></td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 3: 1/Operation not permitted</div></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 3: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># dmesg -T | tail -n 4</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[Sun Sep 3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[Sun Sep 3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[Sun Sep 3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[Sun Sep 3 18:17:01 2023] Lockdown: blktrace: debugfs access is restricted; see man kernel_lockdown.7</div></td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td> </tr> </table>

Imre https://www.auul.pri.ee/wiki/index.php?title=UEFI_Secure_Boot_kasutamine_virtuaalse_riistvaraga_OVMF&diff=748&oldid=prev 2023-09-03T15:38:20Z

<p></p> <table style="background-color: #fff; color: #202122;" data-mw="interface"> <col class="diff-marker" /> <col class="diff-content" /> <col class="diff-marker" /> <col class="diff-content" /> <tr class="diff-title" lang="et"> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">←Vanem redaktsioon</td> <td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Redaktsioon: 3. september 2023, kell 18:38</td> </tr><tr> <td colspan="2" class="diff-lineno">259. rida:</td> <td colspan="2" class="diff-lineno">259. rida:</td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1</div></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1</div></td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0</div></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>===2023 sügis märkused===</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>====Kernel Lockdown====</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Osutub, et Ubuntu v. 20.04, Debian v. 11 jt käitumisele on iseloomulik, et SB enabled režiimis rakendataks automaatselt 'kernel lockdown'. See avaldub nt selliselt</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>&lt;pre&gt;</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># mokutil --sb-state</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>SecureBoot enabled</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div># blktrace -a discard -d /dev/vda -o - | blkparse -i -</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thread 1 failed open /sys/kernel/debug/block/vda/trace1: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thread 0 failed open /sys/kernel/debug/block/vda/trace0: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thread 3 failed open /sys/kernel/debug/block/vda/trace3: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thread 2 failed open /sys/kernel/debug/block/vda/trace2: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 0: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 1: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 2: 1/Operation not permitted</div></td> </tr> <tr> <td colspan="2" class="diff-empty">&#160;</td> <td class="diff-marker">+</td> <td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>FAILED to start thread on CPU 3: 1/Operation not permitted</div></td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>&lt;/pre&gt;</div></td> </tr> <tr> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td> <td class="diff-marker">&#160;</td> <td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td> </tr> </table>

Imre https://www.auul.pri.ee/wiki/index.php?title=UEFI_Secure_Boot_kasutamine_virtuaalse_riistvaraga_OVMF&diff=746&oldid=prev 2023-09-03T15:32:53Z

<p>Uus lehekülg: &#039;===Sissejuhatus=== UEFI Secure Boot ... ===Tööpõhimõte=== Kui arvutil on Secure Boot UEFI haldusliideses välja lülitatud, siiski saab * operatsioonisüsteemi seest mokutil abil tegeleda võtmetega * käivitades efishellist MokManager.efi rakendust tegeleda võtmetega Need käsud grub proptis töötavad sarnaselt nagu linux ja initrd, aga kasutavad &#039;EFI handover protocol&#039; protokolli grub&gt; linuxefi ... grub&gt; initrdefi ... ===Käivitamine=== Tundub, et Secure B...&#039;</p> <p><b>Uus lehekülg</b></p><div>===Sissejuhatus===<br /> <br /> UEFI Secure Boot ...<br /> <br /> ===Tööpõhimõte===<br /> <br /> Kui arvutil on Secure Boot UEFI haldusliideses välja lülitatud, siiski saab<br /> <br /> * operatsioonisüsteemi seest mokutil abil tegeleda võtmetega<br /> * käivitades efishellist MokManager.efi rakendust tegeleda võtmetega<br /> <br /> Need käsud grub proptis töötavad sarnaselt nagu linux ja initrd, aga kasutavad 'EFI handover protocol' protokolli<br /> <br /> grub&gt; linuxefi ...<br /> grub&gt; initrdefi ...<br /> <br /> ===Käivitamine===<br /> <br /> Tundub, et Secure Boot võimelise OVMF saab 2016 sügisel Debian v. 9 Stretch paketihaldusest<br /> <br /> # apt-get install ovmf qemu-system-x86 xterm<br /> <br /> fail<br /> <br /> /usr/share/qemu/OVMF.fd<br /> <br /> Käivitamiseks sobib öelda<br /> <br /> # qemu-system-x86_64 -enable-kvm -pflash /var/tmp/o/OVMF.fd<br /> <br /> ja seejärel efi shellis öelda 'exit' ning jõutakse Setup keskkonda.<br /> <br /> ===QEMU===<br /> <br /> PK jt sertifikaatide OVMF.fd tõmmisesse lisamiseks tuleb serdid tekitada (või kopeerida valmis serdid, nt Canonicali oma)<br /> <br /> # TODO<br /> <br /> kävitada uefi keskkond<br /> <br /> # qemu-system-x86_64 --enable-kvm -net none -m 384 -pflash /usr/share/qemu/OVMF.fd -hda fat:/home/sb/fat<br /> <br /> Kiire ad-hoc virtuaalse arvuti juurutamiseks sobib öelda nt<br /> <br /> # qemu-system-x86_64 --enable-kvm -m 1536 \<br /> -drive file=/usr/share/qemu/OVMF.fd,if=pflash \<br /> -drive file=/dev/system/root_ubu1604,if=ide \<br /> -drive file=ubuntu-16.04-server-amd64.iso,if=ide,media=cdrom \<br /> -net nic -net tap,ifname=tap0,script=no,downscript=no<br /> <br /> Kasulikud lisamaterjalid<br /> <br /> * https://wiki.archlinux.org/index.php/QEMU<br /> * https://help.ubuntu.com/community/Installation/QemuEmulator<br /> * https://wiki.debian.org/QEMU<br /> <br /> ===Signeerimine===<br /> <br /> # apt-get install sbsigntool<br /> <br /> failisüsteemi tekivad<br /> <br /> * sbverify<br /> * TODO<br /> <br /> UEFI muutujate esitamine<br /> <br /> &lt;pre&gt;<br /> # efi-readvar<br /> Variable PK, length 1448<br /> PK: List 0, type X509<br /> Signature 0, size 1420, owner f5a96b31-dba0-4faa-a42a-7a0c9832768e<br /> Subject:<br /> O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 PK Key<br /> Issuer:<br /> C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA<br /> Variable KEK, length 4310<br /> KEK: List 0, type X509<br /> Signature 0, size 1421, owner f5a96b31-dba0-4faa-a42a-7a0c9832768e<br /> Subject:<br /> O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 KEK key<br /> Issuer:<br /> C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA<br /> KEK: List 1, type X509<br /> Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b<br /> Subject:<br /> C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011<br /> Issuer:<br /> C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root<br /> KEK: List 2, type X509<br /> Signature 0, size 1273, owner 2879c886-57ee-45cc-b126-f92f24f906b9<br /> Subject:<br /> CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de<br /> Issuer:<br /> CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de<br /> Variable db, length 5915<br /> db: List 0, type X509<br /> Signature 0, size 1420, owner f5a96b31-dba0-4faa-a42a-7a0c9832768e<br /> Subject:<br /> O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 DB key<br /> Issuer:<br /> C=US, O=Hewlett-Packard Company, CN=Hewlett-Packard Printing Device Infrastructure CA<br /> db: List 1, type X509<br /> Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b<br /> Subject:<br /> C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011<br /> Issuer:<br /> C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root<br /> db: List 2, type X509<br /> Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b<br /> Subject:<br /> C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011<br /> Issuer:<br /> C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010<br /> db: List 3, type X509<br /> Signature 0, size 1296, owner 2879c886-57ee-45cc-b126-f92f24f906b9<br /> Subject:<br /> CN=SUSE Linux Enterprise Secure Boot Signkey, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de<br /> Issuer:<br /> CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team, emailAddress=build@suse.de<br /> Variable dbx, length 76<br /> dbx: List 0, type SHA256<br /> Signature 0, size 48, owner 00000000-0000-0000-0000-000000000000<br /> Hash:6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d<br /> Variable MokList has no entries<br /> &lt;/pre&gt;<br /> <br /> kus<br /> <br /> * PK - riistvara tootja sertifikaat (O=Hewlett-Packard Company, OU=Long Lived CodeSigning Certificate, CN=HP UEFI Secure Boot 2013 PK Key)<br /> * KEK - muu hulgas US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011<br /> * TODO<br /> <br /> Komplektide salvestamine<br /> <br /> # efi-readvar -v PK -o old_PK.esl<br /> # efi-readvar -v KEK -o old_KEK.esl<br /> # efi-readvar -v db -o old_db.esl<br /> # efi-readvar -v dbx -o old_dbx.esl<br /> # mokutil --export<br /> <br /> Komplektide kustutamine toimub UEFI Setup keskkonnast, tulemusena<br /> <br /> # efi-readvar <br /> Variable PK has no entries<br /> Variable KEK has no entries<br /> Variable db has no entries<br /> Variable dbx has no entries<br /> Variable MokList has no entries<br /> <br /> GRUB efi rakenduse signeerimine<br /> <br /> # mv /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grubx64-orig.efi<br /> # sbsign --key PK.key --cert PK.crt --output /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grubx64-orig.efi<br /> <br /> GRUB efi rakenduse kontrollimine<br /> <br /> # sbverify --cert /home/sb/fat/PK.crt /boot/efi/EFI/ubuntu/grubx64.efi <br /> Signature verification OK<br /> <br /> MOK (Machine's Own Key) ...<br /> <br /> .efi rakenduse signeerijate esitamiseks<br /> <br /> # sbverify --verbose /boot/efi/EFI/ubuntu/shimx64.efi <br /> warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?<br /> image signature issuers:<br /> - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011<br /> image signature certificates:<br /> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher<br /> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011<br /> - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011<br /> issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root<br /> certificate store:<br /> PKCS7 verification failed<br /> ...<br /> <br /> Signeeritud faili signatuuri salvestamine<br /> <br /> # sbattach --detach vmlinuz-4.8.0-22-generic.efi.signature vmlinuz-4.8.0-22-generic.efi.signed<br /> <br /> Kas secure boot on sisse lülitatud, saab küsida töötavas süsteemis<br /> <br /> # cat /proc/sys/kernel/secure_boot<br /> 1<br /> <br /> # cat /proc/sys/kernel/moksbstate_disabled<br /> 0<br /> <br /> # mokutil --sb-state<br /> SecureBoot enabled<br /> <br /> GRUB2 efi rakenduse signeerimine<br /> <br /> $ openssl genrsa -out test-key.rsa 2048<br /> $ openssl req -new -x509 -sha256 \<br /> -subj '/CN=test-key' -key test-key.rsa -out test-cert.pem<br /> $ openssl x509 -in test-cert.pem -inform PEM \<br /> -out test-cert.der -outform DER<br /> <br /> $ sbsign --key test-key.rsa --cert test-cert.pem \<br /> --output grubx64.efi /boot/efi/efi/ubuntu/grubx64.efi<br /> <br /> Ubuntu signeeritud grubx64.efi efi rakenduse moodustamine, tekib /boot/efi/EFI/ubuntu/grubx64.efi<br /> <br /> # grub-install --uefi-secure-boot<br /> <br /> ===MOK===<br /> <br /> MOK andmestikust sertifikaadi exportimine<br /> <br /> # mkdir /var/tmp/mok-export<br /> # cd /var/tmp/mok-export<br /> # mokutil --export<br /> # ls -ld<br /> 16806721 4 -rw-r--r-- 1 root root 1080 Dec 25 00:48 ./MOK-0001.der<br /> 16806724 4 -rw-r--r-- 1 root root 876 Dec 25 00:48 ./MOK-0002.der<br /> <br /> MOK andmestikku sertifikaadi importimine<br /> <br /> # mokutil --import sertifikaadinimi.der<br /> input password: xxxx<br /> input password again: xxxx<br /> <br /> Muudatuse kehtestamiseks tuleb arvutit rebootida ja kui shim.efi rakendus käivitab mok.efi rakendust (nagu ta ikka teeb), siis ta avastab, et laaditud on sertifikaat ja küsib, kas seda kasutada. Tegevus toimib konsoolil. Antud juhul vastata jaatavalt ja seejuures tuleb sisetada sama 'xxxx' parool.<br /> <br /> MOK andmestikus olevate sertifikaatide nimekirja küsimine<br /> <br /> &lt;pre&gt;<br /> # mokutil --list-enrolled | egrep -i 'SHA1|Issuer'<br /> SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0<br /> Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority<br /> SHA1 Fingerprint: 7e:68:65:1d:52:68:5f:7b:f5:8e:a0:1d:78:4d:2f:90:d3:f4:0f:0a<br /> Issuer: CN=Fedora Secure Boot CA<br /> CA Issuers - URI:https://fedoraproject.org/wiki/Features/SecureBoot<br /> &lt;/pre&gt;<br /> <br /> ===Misc===<br /> <br /> Ubuntu efitools paketis on huvitavaid efi rakendusi, nt KeyTool PK, KEK, DB, DBX ja MOK andmestike haldamiseks<br /> <br /> &lt;pre&gt;<br /> # dpkg -L efitools | egrep &quot;\.efi$&quot;<br /> /usr/share/efitools/efi/HelloWorld.efi<br /> /usr/share/efitools/efi/HashTool.efi<br /> /usr/share/efitools/efi/Loader.efi<br /> /usr/share/efitools/efi/UpdateVars.efi<br /> /usr/share/efitools/efi/PreLoader.efi<br /> /usr/share/efitools/efi/ReadVars.efi<br /> /usr/share/efitools/efi/LockDown.efi<br /> /usr/share/efitools/efi/KeyTool.efi<br /> /usr/share/efitools/efi/SetNull.efi<br /> &lt;/pre&gt;<br /> <br /> Siin ja seal soovitatakse lähtestada OVMF võtmete komplektid sedasi<br /> <br /> &lt;pre&gt;<br /> FS0:\&gt; EnrollDefaultKeys.efi<br /> info: SetupMode=1 SecureBoot=0 SecureBootEnable=0 CustomMode=0 VendorKeys=1<br /> info: SetupMode=0 SecureBoot=1 SecureBootEnable=1 CustomMode=0 VendorKeys=0<br /> &lt;/pre&gt;<br /> <br /> ===Kasulikud lisamaterjalid===<br /> <br /> * http://resources.infosecinstitute.com/uefi-and-tpm/<br /> * http://www.tianocore.org/ovmf/<br /> * https://wiki.ubuntu.com/UEFI/OVMF<br /> * https://wiki.ubuntu.com/SecurityTeam/SecureBoot<br /> * http://wiki.qemu.org/Features/PC_System_Flash<br /> * http://blog.system76.com/post/139138591598/howto-qemu-w-ubuntu-xenial-host-uefi-guest<br /> * https://prosauce.org/blog/2015/10/31/booting-linux-securely<br /> * https://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/0.1/html/UEFI_Secure_Boot_Guide/sect-UEFI_Secure_Boot_Guide-What_is_Secure_Boot-Microsoft_Implementation.html<br /> * http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/download/head:/canonicalmasterpubli-20121127224415-zwfgigzh3kstgk0g-3/canonical-master-public.der<br /> * http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot<br /> * https://www.suse.com/documentation/sled11/book_sle_admin/data/sec_uefi_secboot.html<br /> * https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot<br /> * http://www.linuxquestions.org/questions/slackware-14/slackware64-14-1-uefi-booting-with-secure-boot-enabled-4175532990/<br /> * https://www.hpe.com/h20195/V2/getpdf.aspx/4AA5-4496ENW.pdf<br /> * https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS<br /> * https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm<br /> * https://fedoraproject.org/wiki/Using_UEFI_with_QEMU<br /> * http://vfio.blogspot.com.ee/2014/09/ovmf-split-image-support.html<br /> * http://www.labbott.name/blog/2016/09/15/secure-ish-boot-with-qemu/<br /> * https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd<br /> * https://github.com/JohnstonJ/ubuntu-secure-boot<br /> * https://forums.virtualbox.org/viewtopic.php?f=7&amp;t=77363&amp;start=15 - tuuma mooduli juurutamise kohta hea thread<br /> * https://sourceware.org/systemtap/wiki/SecureBoot<br /> * http://www.linux-magazine.com/index.php/layout/set/print/Issues/2014/164/The-State-of-Secure-Boot/(tagID)/154</div>

Imre