#1 2016-06-22 16:58:37

Qowy
Member
Registered: 2013-07-28
Posts: 6

UEFI Secureboot booting but still showing error

Hi,
I have a Thinkpad E530 and now wanted to re-enable secureboot.
I am using systemd-boot.

I got the PreLoader and HashTool, made a new EFI entry, tried to boot, failed (as expected), and added the hash of loader.efi and ../../vmlinuz.

It boots fine now, however as soon as I select the EFI entry that starts PreLoader.efi I get the error message "Image failed to verify with *ACCESS DENIED*" not once but twice (this was already the case before I added the hashes), but then it continues to boot Linux just fine.

For comparison, starting the EFI entry for systemd-boot directly results in the above message being displayed once and then returning to the EFI boot menu (as expected).

Last edited by Qowy (2016-06-22 17:03:27)


#2 2016-06-24 21:01:49

GSF1200S
Member
Registered: 2008-12-24
Posts: 474

Re: UEFI Secureboot booting but still showing error

Qowy wrote:

Hi,
I have a Thinkpad E530 and now wanted to re-enable secureboot.
I am using systemd-boot.

I got the PreLoader and HashTool, made a new EFI entry, tried to boot, failed (as expected), and added the hash of loader.efi and ../../vmlinuz.

It boots fine now, however as soon as I select the EFI entry that starts PreLoader.efi I get the error message "Image failed to verify with *ACCESS DENIED*" not once but twice (this was already the case before I added the hashes), but then it continues to boot Linux just fine.

For comparison, starting the EFI entry for systemd-boot directly results in the above message being displayed once and then returning to the EFI boot menu (as expected).

I have a Thinkpad T530 and recently went looking to enable secureboot myself. The short of my research is: it's prolly not worth it.

First, where did you get PreLoader and HashTool? If you used the ones from efitools, they aren't signed by Microsoft. If you got the ones off the Linux Foundation website, they are Microsoft signed, but if your computer came with Windows 7 I don't believe the right key is stored in the secureboot rom thingy.

The problem is, PreLoader and HashTool are more about getting around secureboot for systems that can't turn it off. An attacker could modify HashTool to include the hash of their evil-modded init or kernel image, and suddenly you're hosed. On Arch, the only real way to get a meaningful secure boot is to:

1) create your own keys, grab KeyTool, use efibootmgr to add an entry to KeyTool, then add your personal keys to the secureboot rom.
2) combine the kernel, kernel command line, initramfs image, and intel-ucode image into one single efi file, then sign it with your key.
3) Sign your bootloader (grub, systemd-boot, etc) unless you use efibootmgr to give your UEFI a link directly to the kernel
4) use a script to automate this via a pacman hook.

Even if all this is done, now your firmware becomes a point of attack. Then there is a camera watching you type in your room, a USB keylogger, etc etc. Secure boot only takes away the low-hanging fruit.

If you really want to protect yourself from an evil maid attack, get a keychain USB drive for your car keys and put grub, /boot, and a keyfile for your LUKS partition on it. With the thumb drive in, the computer boots without passwords (no camera or USB keylogger will get your LUKS passphrase) normally. Without the thumb drive, there is no /boot partition anywhere so no way to software evil maid. Even this isn't undefeatable tho..

Since you have a Thinkpad I'll ask: do you have an SSD? More specifically, do you have an SED (self-encrypting drive)? If so, you can pretty reasonably protect yourself from external evil maid attacks just by setting a user password (not user+master) for the hard drive (enabling hard drive encryption) and setting a supervisor password for the UEFI setup. Of course, this won't help you from malware that evil maid's your /boot files, but I mean we ARE running Linux here, not Windows. I don't know of any malware ever having been found in the wild that managed to do something like that.

The point I'm making is, secureboot is a lot of work for a fairly nebulous reward. It can be a deterrent but there are other ways to more thoroughly secure your system.

Last edited by GSF1200S (2016-06-24 21:06:04)
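
Steps 2 and 3 of the list in the post above, written out as an added example (not code from either poster or from the Arch project). It assumes the db key and certificate from step 1 already exist and are enrolled; the key directory, command-line file and output path are hypothetical placeholders, the other paths are the usual Arch locations, and the section addresses are the ones commonly documented for the systemd EFI stub.

```shell
#!/bin/sh
# Added example: build one EFI image and sign it with your own db key.
# All paths are assumed Arch defaults or hypothetical placeholders;
# override any of them through the environment.
set -eu

KERNEL=${KERNEL:-/boot/vmlinuz-linux}
INITRD=${INITRD:-/boot/initramfs-linux.img}
UCODE=${UCODE:-/boot/intel-ucode.img}
CMDLINE=${CMDLINE:-/etc/kernel/cmdline}        # hypothetical: file holding the kernel command line
STUB=${STUB:-/usr/lib/systemd/boot/efi/linuxx64.efi.stub}
KEYDIR=${KEYDIR:-/etc/efi-keys}                # hypothetical: root-only dir with db.key and db.crt
OUT=${OUT:-/boot/EFI/Linux/linux-signed.efi}   # hypothetical output path on the ESP
WORK=${WORK:-$KEYDIR/build}                    # root-only scratch dir, not world-writable /tmp

# With DRY_RUN set, print each command instead of running it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_signed_image() {
    run mkdir -p "$WORK"
    # The microcode image has to come first in the combined initrd.
    run sh -c 'cat "$1" "$2" > "$3"' sh "$UCODE" "$INITRD" "$WORK/initrd.img"
    # Embed everything in the EFI stub so that one signature covers the
    # kernel, its command line, the initramfs and the microcode.
    run objcopy \
        --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
        --add-section .cmdline="$CMDLINE" --change-section-vma .cmdline=0x30000 \
        --add-section .linux="$KERNEL" --change-section-vma .linux=0x40000 \
        --add-section .initrd="$WORK/initrd.img" --change-section-vma .initrd=0x3000000 \
        "$STUB" "$WORK/linux.efi"
    run sbsign --key "$KEYDIR/db.key" --cert "$KEYDIR/db.crt" \
        --output "$OUT" "$WORK/linux.efi"
    # Fail the build (and the calling pacman hook) if the result does not verify.
    run sbverify --cert "$KEYDIR/db.crt" "$OUT"
}

if [ "${1:-}" = "build" ]; then build_signed_image; fi
```

Run it once with `DRY_RUN=1` to review the commands; for step 4, the script can be called with the `build` argument from the `Exec=` line of a pacman hook that triggers on the kernel package.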


#3 2016-06-25 17:31:22

Qowy
Member
Registered: 2013-07-28
Posts: 6

Re: UEFI Secureboot booting but still showing error

Thank you for the extensive reply.
I think I am aware of what Secure Boot can and cannot do for me. I mainly wanted to do this for educational purposes in order to understand the whole EFI boot process (including features like Secure Boot) better.
For the moment I will probably stick with Secure Boot disabled. I got an SSD (two even, one SATA and one mSATA) but they are too old to be self-encrypting, but since this is only my test machine there are no real security concerns at the moment.

Right now I have to fix my EFI anyway (for some reason it decided to throw an EFI Security settings CRC error every time I try to re-enable Intel virtualization, probably have to pull the CMOS battery^^).

Thank you again for your effort. I might try self-signing my bootloader/kernel etc. at some point, if only to know how it is done.
