-
Notifications
You must be signed in to change notification settings - Fork 268
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How would I get a grubx64.efi binary signed with the Puppy private key? #4184
Comments
It looks like the best approach is to replace only grubx64.efi, (and maybe grubia32.efi). My currrent method: But it still needs to be signed before it could be released. |
Why sign it if it's self-signed anyway? A self-signed binary doesn't add much security, especially if the key is not protected and the signed binary can't be verified. |
In order for Puppy to boot in a "Secure Boot" enabled environment the grubx64.efi that FrugalPup installs needs to be signed, and the appropriate public key enrolled as a MOK. The original grubx64.efi was produced by "jamesbond" and signed with a "Puppy Linux" private key. |
"Secure Boot" doesn't give you any security unless the private key used to sign the boot loader is a well-protected secret, and this "Puppy key" is probably not protected to the same standard as Microsoft's key. In addition, Puppy's kernels (and modules) are not signed, so there many many things to do to make Puppy support a meaningful form of "Secure Boot". IMO instructing users to disable Secure Boot and ship an unsigned boot loader is both more honest and more practical for everyone (including developers, who have to do less work, and users, who might want to tinker with their system). |
I think gyrog has a good point as it provide consistency for user and their PC...especially since so many have MS/APPLE PC with PUPs being an add-on to their existing environment.
This seems consistent with FATDOG's approach over the years!
The consistency being promoted has no obvious downside while adding a layer that doesn't maintain the 'outlier' approach of the past; obstinate to this change.
This means, too, that the WoofCE PUPs would be equally comfortable in either a BIOS/UEFI environment with or without Secure-boot enabled.
*Further* it would be of benefit if GRUB2 is moved from GRUB2.04 to GRUB 2.06+
|
If Secure Boot is enabled but the boot loader is not signed, you need to disable it. If Secure Boot is enabled and the boot loader is self-signed, you need to enroll the key. (And, some users will get a false impression of security because the kernel is not signed and we have no idea if they key has leaked.) It's equally uncomfortable. |
Is there anyone who can answer the actual question? |
@gyrog, the signing certificate for Puppy was created in 2020, with 10 years lifetime. It will expire in 2030. Drop me an email (PM me in the forum) and I'm happy to pass a copy to you, but I think it's better if you create yourself. The only requirement is that you keep this certificate to yourself (don't share it to someone unless you trust them fully that they won't misuse the cert), and consistently use the same cert to sign multiple grubx64 binaries over the cert's lifetme (so people who have used earlier version of your signed grubx64 doesn't need to re-enter the key again when they use the updated one). |
Hmm, just realised that 3) will work, but the new MOK would need to be "enrolled" I was also thinking of using an unsigned grub2 binary from debian, and signing it, to see how that went: Comment? |
It's unlikely at the moment.
Yes and no.
Yes
No, you should keep the private key for future signing.
Correct.
Drop me an email. There are things that I would rather not discuss here. |
The grub2-efi in FrugalPup is a bit long in the tooth, version 2.03 (patched).
So I've started to look at options for making an upated version available.
The original was provided by @jamesbond3142, so I have never produced one myself.
I'm currently trying to use a debian grubx64.efi, with mixed success, but some of that could be my ancient uefi/bios.
I have been able to extract an unsigned grubx64.efi, and I can test using the curent mmx64.efi.
I've also looked at using a signed grubx64.efi and signed mmx64.efi pair.
I can remove the current signature and test with "Secure Boot" disabled.
But, either way, for release, the minimum requirement would be to get the grubx64.efi signed with the Puppy private key.
The text was updated successfully, but these errors were encountered: