How would I get a grubx64.efi binary signed with the Puppy private key?

[gyrog]

The grub2-efi in FrugalPup is a bit long in the tooth, version 2.03 (patched).
So I've started to look at options for making an upated version available.

The original was provided by @jamesbond3142, so I have never produced one myself.

I'm currently trying to use a debian grubx64.efi, with mixed success, but some of that could be my ancient uefi/bios.

I have been able to extract an unsigned grubx64.efi, and I can test using the curent mmx64.efi.
I've also looked at using a signed grubx64.efi and signed mmx64.efi pair.
I can remove the current signature and test with "Secure Boot" disabled.

But, either way, for release, the minimum requirement would be to get the grubx64.efi signed with the Puppy private key.

[gyrog]

It looks like the best approach is to replace only grubx64.efi, (and maybe grubia32.efi).

My currrent method:
Download latest grub-efi-amd64-bin_.....deb from debian (stable)
e.g. grub-efi-amd64-bin_2.06-13+deb12u1_amd64.deb
Extract 'usr/lib/grub/x86_64-efi/monolithic/gcdx64.efi' file as 'grubx64.efi'
Test it as is, unsigned, with "Secure Boot" disabled.
It identifies itself as "GNU GRUB version 2.06-13+deb12u1"
This works fine for me.

But it still needs to be signed before it could be released.

[dimkr]

But it still needs to be signed before it could be released.

Why sign it if it's self-signed anyway? A self-signed binary doesn't add much security, especially if the key is not protected and the signed binary can't be verified.

[gyrog]

In order for Puppy to boot in a "Secure Boot" enabled environment the grubx64.efi that FrugalPup installs needs to be signed, and the appropriate public key enrolled as a MOK.
From a Puppy users perspective it is not self-signing, it's the software publisher signing the released binary.

The original grubx64.efi was produced by "jamesbond" and signed with a "Puppy Linux" private key.
And FrugalPup installs a puppy.cer file which contains the public key which users can enroll with the MokManager (mmx64.efi).
I understand that "jamesbond" has passed the "Puppy Linux" private key onto the woof-ce community.
I'm trying to find out who is in possession of this private key, so I can get any replacement grubx64.efi signed with the same key as the original. Thus ensuring that booting Puppy using a new version of grub2 will not require users having to enroll a new MOK.

[dimkr]

"Secure Boot" doesn't give you any security unless the private key used to sign the boot loader is a well-protected secret, and this "Puppy key" is probably not protected to the same standard as Microsoft's key.

In addition, Puppy's kernels (and modules) are not signed, so there many many things to do to make Puppy support a meaningful form of "Secure Boot".

IMO instructing users to disable Secure Boot and ship an unsigned boot loader is both more honest and more practical for everyone (including developers, who have to do less work, and users, who might want to tinker with their system).

[CollaboratorGCM]

I think gyrog has a good point as it provide consistency for user and their PC...especially since so many have MS/APPLE PC with PUPs being an add-on to their existing environment. This seems consistent with FATDOG's approach over the years! The consistency being promoted has no obvious downside while adding a layer that doesn't maintain the 'outlier' approach of the past; obstinate to this change. This means, too, that the WoofCE PUPs would be equally comfortable in either a BIOS/UEFI environment with or without Secure-boot enabled. *Further* it would be of benefit if GRUB2 is moved from GRUB2.04 to GRUB 2.06+

[dimkr]

equally comfortable

If Secure Boot is enabled but the boot loader is not signed, you need to disable it.

If Secure Boot is enabled and the boot loader is self-signed, you need to enroll the key. (And, some users will get a false impression of security because the kernel is not signed and we have no idea if they key has leaked.)

It's equally uncomfortable.

[gyrog]

Is there anyone who can answer the actual question?
If so, please do.

[jamesbond3142]

@gyrog, the signing certificate for Puppy was created in 2020, with 10 years lifetime. It will expire in 2030. Drop me an email (PM me in the forum) and I'm happy to pass a copy to you, but I think it's better if you create yourself.

The only requirement is that you keep this certificate to yourself (don't share it to someone unless you trust them fully that they won't misuse the cert), and consistently use the same cert to sign multiple grubx64 binaries over the cert's lifetme (so people who have used earlier version of your signed grubx64 doesn't need to re-enter the key again when they use the updated one).

[gyrog]

@jamesbond3142,

1. Is there any chance you could produce another signed grub2?
2. Is it only the grub2 binary that has to be signed by the MOK private key?
3. If a new grub2 binary is released along with a new MOK, would that also work?
   If 3) is true, then the private key could be discarded once the released grub2 was accepted?

Hmm, just realised that 3) will work, but the new MOK would need to be "enrolled"

I was also thinking of using an unsigned grub2 binary from debian, and signing it, to see how that went: Comment?
I've been using such a debian grub2 v2.06 for a while now wiith "secure boot" disabled.

[jamesbond3142]

@jamesbond3142,

1. Is there any chance you could produce another signed grub2?

It's unlikely at the moment.

2. Is it only the grub2 binary that has to be signed by the MOK private key?

Yes and no.

3. If a new grub2 binary is released along with a  new MOK, would that also work?

Yes

   If 3) is true, then the private key could be discarded once the released grub2 was accepted?

No, you should keep the private key for future signing.

Hmm, just realised that 3) will work, but the new MOK would need to be "enrolled"

Correct.

I was also thinking of using an unsigned grub2 binary from debian, and signing it, to see how that went: Comment? I've been using such a debian grub2 v2.06 for a while now wiith "secure boot" disabled.

Drop me an email. There are things that I would rather not discuss here.