Hi,
I've set up Secure Boot with my own keys, and I would like to be able to boot an Arch installation medium without disabling Secure Boot.
I know that this is not supported when using Microsoft's keys, but it seems that it should be straightforward to sign the EFI binary from the USB thumb drive with my own keys. However, I cannot mount the drive with write access:
$ sudo mount /dev/sda1 /mnt/
mount: /mnt: WARNING: source write-protected, mounted read-only.
$ sudo mount -o remount,rw /mnt/
mount: /mnt: cannot remount /dev/sda1 read-write, is write-protected.
dmesg(1) may have more information after failed mount system call.
How can I mount the thumb drive with write access to be able to sign /EFI/BOOT/BOOTx64.EFI?
Thanks!
Last edited by Cvlc (2022-09-14 11:55:36)
Offline
ISO9660 is read only, so you can't mount it for writing. You'll need to repack the ISO.
Install libisoburn and mtools.
First extract the boot loader files and the El Torito boot images:
$ osirrox -indev archlinux-2022.08.05-x86_64.iso -extract_boot_images ./ -extract EFI/BOOT/BOOTx64.EFI BOOTx64.EFI -extract EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI
mkarchiso uses the xorrisofs option "-rational-rock", which removes write permissions from files (and also makes them owned by root, but that's not an issue here). Make the boot loader files writable so that you can modify them:
$ chmod +w BOOT*.EFI
Sign the EFI binaries:
$ sbsign --key db.key --cert db.crt --output BOOTx64.EFI BOOTx64.EFI
$ sbsign --key db.key --cert db.crt --output BOOTIA32.EFI BOOTIA32.EFI
Copy the signed files to the extracted El Torito UEFI boot image (mkarchiso adds at least 1 MiB extra to the image size, so the size increase will not be an issue):
$ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
Repack the ISO using the modified El Torito UEFI boot image and add the signed boot loader files to ISO9660:
$ xorriso -indev archlinux-2022.08.05-x86_64.iso -outdev archlinux-2022.08.05-x86_64-Secure_Boot.iso -boot_image any replay -append_partition 2 0xef eltorito_img2_uefi.img -map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI -map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI
Edit: fixed xorriso command order.
Last edited by nl6720 (2022-08-08 12:54:37)
Offline
Thanks!
I had gotten as far as the Archiso article, but I was stuck.
I'll try that out right away. Wouldn't that be worth a paragraph in the wiki?
Thanks!
Offline
Getting GRUB to work with Secure Boot is apparently not so straightforward.
When trying to boot a boot menu entry from GRUB, I got:
error: shim_lock protocol not found.
error: you need to load the kernel first.
After creating new GRUB EFI binaries using --disable-shim-lock, I got:
error: verification requested but nobody cares:
/arch/boot/x86_64/vmlinuz-linux.
error: you need to load the kernel first.
Then I remembered that I forgot to sign the kernel. Oops!
$ osirrox -indev archlinux-2022.08.05-x86_64.iso -extract arch/boot/x86_64/vmlinuz-linux vmlinuz-linux
$ chmod +w vmlinuz-linux
$ sbsign --key db.key --cert db.crt --output vmlinuz-linux vmlinuz-linux
$ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
$ xorriso -indev archlinux-2022.08.05-x86_64.iso -outdev archlinux-2022.08.05-x86_64-Secure_Boot.iso -boot_image any replay -append_partition 2 0xef eltorito_img2_uefi.img -map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI -map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI -map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux
And... nothing changed:
error: verification requested but nobody cares:
/arch/boot/x86_64/vmlinuz-linux.
error: you need to load the kernel first.
GRUB...
Last edited by nl6720 (2022-08-08 14:05:45)
Offline
Yep, got to the same point!
I was about to try again (I have to admit I don't quite understand all the steps, so I thought I missed something).
PS: "not as straightforward" made me laugh and feel very ignorant. Certainly didn't feel straightforward...!
Last edited by Cvlc (2022-08-08 14:21:38)
Offline
For a simpler way to change the files on the installation medium, create it following https://wiki.archlinux.org/title/USB_fl … NU/Linux_4.
The flash drive will be writable and you can simply sign/replace any files you like.
Offline
Indeed, it's a lot easier...!
However (unsurprisingly), I end up with the same error from GRUB...
error: shim_lock protocol not found.
error: you need to load the kernel first.
Offline
With some advice from Foxboron and tpowa, I think I got it to work.
Create an installation medium following https://wiki.archlinux.org/title/USB_fl … NU/Linux_4.
Create standalone GRUB using the --disable-shim-lock option and preloading the "tpm" module (apparently it's a trick to pull in most other modules):
$ cat <<'EOF' > grub-embed.cfg
if ! [ -d "$cmdpath" ]; then
    if regexp --set=1:isodevice '^(\([^)]+\))\/?[Ee][Ff][Ii]\/[Bb][Oo][Oo][Tt]\/?$' "$cmdpath"; then
        cmdpath="${isodevice}/EFI/BOOT"
    fi
fi
configfile "${cmdpath}/grub.cfg"
EOF
$ grub-mkstandalone -O x86_64-efi \
--modules="part_gpt part_msdos fat iso9660 tpm" \
--locales="en@quot" \
--themes="" \
--sbat=/usr/share/grub/sbat.csv \
--disable-shim-lock \
-o "BOOTx64.EFI" "boot/grub/grub.cfg=grub-embed.cfg"
$ grub-mkstandalone -O i386-efi \
--modules="part_gpt part_msdos fat iso9660 tpm" \
--locales="en@quot" \
--themes="" \
--sbat=/usr/share/grub/sbat.csv \
--disable-shim-lock \
-o "BOOTIA32.EFI" "boot/grub/grub.cfg=grub-embed.cfg"
Sign the files and place them on the drive:
$ sbsign --key db.key --cert db.crt --output /mnt/EFI/BOOT/BOOTx64.EFI BOOTx64.EFI
$ sbsign --key db.key --cert db.crt --output /mnt/EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI
$ sbsign --key db.key --cert db.crt --output /mnt/arch/boot/x86_64/vmlinuz-linux /mnt/arch/boot/x86_64/vmlinuz-linux
I don't know why, but using
--modules="$(basename -s .mod /usr/lib/grub/x86_64-efi/*.mod | tr '\n' ' ')"
didn't work for me. GRUB gave an error on boot:
error: variable `prefix' isn't set
Maybe some module is undesired.
Offline
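The procedure above ends with three sbsign calls, and the GRUB errors earlier in the thread ("verification requested but nobody cares") came from a file that had simply not been signed. Before rebooting with Secure Boot enabled it is worth confirming that every file placed on the medium actually carries an Authenticode signature. sbverify --list (from sbsigntools, the same package as sbsign) does that; the following is an added example, not code from this thread or from Arch, that performs the same presence check without any dependencies by parsing the PE header's security data directory. The build_sample_pe helper and the two sample images it produces are constructed test data, not real boot loaders.

```python
import struct
from typing import Optional

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def authenticode_signatures(data: bytes) -> list:
    """Return the WIN_CERTIFICATE entries in the PE security directory.

    Each entry is a dict with 'offset', 'length', 'revision' and 'type'.
    An empty list means the image carries no signature at all.
    Raises ValueError when the bytes are not a well-formed PE image.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:               # x86_64 EFI binaries
        num_dirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:                 # IA32 EFI binaries
        num_dirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, opt + num_dirs_off)
    if num_dirs < 5 or size_of_opt < dirs_off + 5 * 8:
        return []                             # no security directory slot
    # Directory index 4 is the certificate table; unlike the other
    # directories its first field is a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    if cert_size == 0:
        return []
    entries = []
    pos, end = cert_off, cert_off + cert_size
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"offset": pos, "length": length,
                        "revision": revision, "type": ctype})
        pos += (length + 7) & ~7              # entries are 8-byte aligned
    return entries


def is_authenticode_signed(data: bytes) -> bool:
    """True when at least one PKCS#7 SignedData certificate is attached."""
    return any(e["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for e in authenticode_signatures(data))


def report(paths) -> dict:
    """Map each path to whether the file on disk is Authenticode-signed."""
    result = {}
    for p in paths:
        with open(p, "rb") as fh:
            result[p] = is_authenticode_signed(fh.read())
    return result


def build_sample_pe(signature_blob: Optional[bytes]) -> bytes:
    """Constructed minimal PE32+ image (headers only) for testing, with an
    optional fake certificate table appended at the end of the file."""
    opt_size, e_lfanew = 240, 0x80            # standard PE32+ optional header
    headers_end = e_lfanew + 4 + 20 + opt_size
    cert_off = (headers_end + 7) & ~7
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    cert_table = b""
    if signature_blob is not None:
        length = 8 + len(signature_blob)
        cert_table = struct.pack("<IHH", length, 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        cert_table += b"\0" * ((-len(cert_table)) % 8)
        struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert_table))
    img = bytearray(cert_off)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<H", img, coff, 0x8664)  # Machine: x86-64
    struct.pack_into("<H", img, coff + 16, opt_size)
    img[coff + 20:coff + 20 + opt_size] = opt
    return bytes(img) + cert_table


if __name__ == "__main__":
    import sys
    for path, ok in report(sys.argv[1:]).items():
        print(f"{'signed  ' if ok else 'UNSIGNED'}  {path}")
```

Run it as python3 check_signed.py /mnt/EFI/BOOT/BOOTx64.EFI /mnt/EFI/BOOT/BOOTIA32.EFI /mnt/arch/boot/x86_64/vmlinuz-linux after signing. Note that this only proves a signature is attached; whether it chains to a certificate in your db is a cryptographic question, so sbverify --cert db.crt FILE remains the authoritative check.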
The GRUB EFI binaries in archlinux-2022.09.03-x86_64.iso can now be signed without issue.
I added instructions to the wiki: Unified Extensible Firmware Interface/Secure Boot#Sign the official ISO with custom keys.
Offline
Wow incredible work, thanks very much.
I haven't had access to the computer for weeks now but can't wait to try it out. I'll report back once I do.
Thanks again!
Offline
Works perfectly, thanks very much!
I'll try to make a script that can automatically update an Arch thumb drive to the latest release and sign it. I'll post it here if I manage to do something decent.
Last edited by Cvlc (2022-09-14 11:55:19)
Offline