# Impossible to Secure Boot

## blt

I tried to follow this guide to set up my brand new Gentoo install with Secure Boot, as Sakaki is EOL (and anyway designed to be used with some homemade scripts to automate almost everything); I am taking more of a learning approach, as I am a new Gentoo user.

Everything is working correctly from the guide apart from the last piece: when I enforce check_signatures, my UEFI refuses to boot and I am stuck at the UEFI boot list.

I am wondering if the issue is coming from the fact that the initrd is signed by GPG instead of sbsigntools (used to sign the bootloader and kernel), as I don't see how my UEFI would use the Secure Boot keys to validate an initrd signed by GPG.

But maybe the issue is even earlier, as it seems to happen just when my UEFI tries to load GRUB, so I am wondering if GRUB even gets to try to load the initrd; my assumption above may be discarded.

Any idea on where to start troubleshooting this issue? I don't really know where to look, as my issue is so early in the boot process.

Many thanks

----------

## alamahant

For Secure Boot you need shim64.efi. Get it from sys-boot/shim.

Actually I just installed it and it provides these binaries:

```
eqf sys-boot/shim
 * Searching for shim in sys-boot ...
 * Contents of sys-boot/shim-15.5-r1:
/usr
/usr/share
/usr/share/shim
/usr/share/shim/BOOTIA32.EFI
/usr/share/shim/BOOTX64.EFI
/usr/share/shim/mmia32.efi
/usr/share/shim/mmx64.efi
```

So maybe copy /usr/share/shim/BOOTX64.EFI and /usr/share/shim/mmx64.efi to /boot/efi/EFI/gentoo/ and use efibootmgr to create an EFI entry:

```
efibootmgr -c -d </dev/esp-disk> -p <esp-partition-number> -L "gentoo" -l "\EFI\gentoo\BOOTX64.EFI"
```

----------

## blt

Thanks for your suggestion. I installed shim and tried to recreate grub.cfg, but same issue; I was about to ask you if I would need to add shim somewhere, but I just saw your edits.

I will try your suggestion tomorrow morning and let you know. Thanks again.

----------

## alamahant

I used this to get all the necessary files:

https://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/s/shim-x64-15-8.x86_64.rpm

I extracted it.

Copied the shimx64.efi to /boot/efi/EFI/gentoo.

Added a new efibootmgr entry and booted in.

It worked.

I don't know if I am doing foolish things, but it seems to work.

```
efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0002,0003,0004,0005,0006,0007,0008,0009
Boot0000* gen   HD(1,GPT,5f713193-1e02-42f6-8135-113b790a3cf9,0x800,0x64000)/File(\EFI\gen\shimx64.efi)
```

----------

## pietinger

Maybe this can help: https://forums.gentoo.org/viewtopic-t-1112966.html

----------

## GDH-gentoo

I think that some clarification is in order.

The methods described in the document linked in the OP, in Sakaki's guide, and in pietinger's guide, involve replacing the UEFI firmware's platform key, key exchange key, and the keys in the database used for verifying signed binaries. This requires a cooperative (i.e. not crappy) firmware.

The UEFI shim is kind of a workaround, it operates in a different way. The keys used by the firmware are left alone, and a separate set of keys (the machine owner keys) are created and used to sign the binaries. This is only useful if the shim itself is signed (usually with a Microsoft-approved key). Gentoo's sys-boot/shim package appears to just download Fedora's RPM and extract some of its (already compiled) files. I believe that the signed shim in the RPM is the file named shimx64-fedora.efi, and that the file named shimx64.efi is unsigned. I expect the unsigned shim not to work when secure boot is enabled in the firmware, and if it isn't, then, well, one can just boot the bootloader or stub kernel and not bother with the shim. I see no point in installing and booting the unsigned shim if one is going to have secure boot turned off anyway.

In any case, I believe that the only binary that the UEFI firmware verifies (with the keys in the database) is just the one it hands control to: bootloader, stub kernel or shim. If the shim is used, it can then verify the bootloader or stub kernel using a machine owner key. If a bootloader is used, whether the kernel and initramfs are subsequently verified or not, and how, is bootloader-specific. The (optional) verification that GRUB can do is described in its manual (info grub).
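A quick way to check the point made above about the signed versus unsigned shim, as an added example that is not part of GDH-gentoo's post and not code from shim, sbsigntools or Gentoo: the firmware only ever verifies the one PE image it hands control to, so the first thing to look at is whether that image carries an Authenticode certificate table at all. The script below parses only the PE headers and the WIN_CERTIFICATE entries (what `sbverify --list` prints), so it can tell a signed shimx64-fedora.efi from an unsigned shimx64.efi offline; it does not validate the chain (use `sbverify --cert <db-cert.pem> <file>` for that). The `build_minimal_pe` helper constructs header-only test images and is not a loadable binary.

```python
"""Does this EFI binary carry an Authenticode signature at all?

Added example for this thread, not code from shim, sbsigntools or Gentoo.
It parses only PE headers and the certificate table, which is enough to tell
a signed from an unsigned .efi offline. It does not validate the signature
chain; for that use `sbverify --cert <db-cert.pem> <file>`.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data-directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def count_authenticode_signatures(image: bytes) -> int:
    """Number of PKCS#7 entries in the image's certificate table (0 = unsigned).

    Firmware enforcing Secure Boot only hands control to an image whose
    signature (or hash) matches db, so 0 here means an immediate refusal.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        dd = 96                               # data directories start here
    elif magic == PE32PLUS_MAGIC:
        dd = 112                              # x86_64 .efi binaries are PE32+
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", image, opt + dd - 4)[0]
    entry = opt + dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return 0
    # Unlike every other directory, this "VirtualAddress" is a raw file offset.
    cert_off, cert_size = struct.unpack_from("<II", image, entry)
    if cert_off == 0 or cert_size == 0:
        return 0
    end = cert_off + cert_size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    count, pos = 0, cert_off
    while pos + 8 <= end:
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
        length, _revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            count += 1
        pos += (length + 7) & ~7              # entries are 8-byte aligned
    return count


def build_minimal_pe(cert_blob=None, pe32plus=True) -> bytes:
    """Constructed test input: header-only PE image, optionally with one
    WIN_CERTIFICATE entry wrapping cert_blob. Not a loadable binary."""
    dd = 112 if pe32plus else 96
    opt_size = dd + 16 * 8
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, dd - 4, 16)                      # NumberOfRvaAndSizes
    table = b""
    if cert_blob is not None:
        entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        table = entry + bytes(-len(entry) % 8)
        cert_off = len(dos) + 4 + len(coff) + opt_size
        struct.pack_into("<II", opt, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            n = count_authenticode_signatures(f.read())
        print(f"{path}: {n} Authenticode signature(s){'' if n else ' -> firmware will reject it'}")
```

Run it as `python3 pe_sigcheck.py /boot/efi/EFI/gentoo/*.efi` (the filename is an assumption). A result of 0 for the file named in the boot entry is consistent with the symptom in the opening post: the firmware never reaches GRUB, so the GPG-signed initrd cannot be the cause.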

----------

## pietinger

 *GDH-gentoo wrote:*   

> I think that some clarification is in order.

 

Great explanation. May I add one point:

In this documentation https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html the setting of new keys is done by "efi-updatevar". This doesn't work with some mainboards (like my Gigabyte) ... and worse: you don't see it; the mainboard just doesn't accept it, without giving you an error!

In this case you MUST do it in the UEFI BIOS yourself (as described in my guide; this should/must work with every mainboard).

----------

## The Main Man

How is the situation with Secure Boot these days?

I'm thinking about switching to UEFI and Secure Boot, and I probably will very soon, but I'm wondering how that really works with Gentoo.

Anyone here using it for a long time ?

----------

## pietinger

 *The Main Man wrote:*   

> Anyone here using it for a long time ?

 

Yes. I am using it on my desktop and my notebook since last year. No problems so far. I wrote a guide for that (link is in my first post of this thread).

----------

## The Main Man

Sorry for the late reply. It seems complicated; I mean I don't mind complicated, but sometimes I ask myself why bother, and usually there's no answer to that question.

Anyway, I'm sure it works, but I'll pass, thanks for the guide though.

----------

## Marlo

I have worked through all these instructions. Shim does not work; signing GRUB does not work; signing the initrd does not work either.

Only Sakaki's guide works, and Gentoo's "signed kernel module support" works fine (although the scripts don't work anymore).

Together with some kernel options (CONFIG_SECURITY_LOCKDOWN_LSM) I have:

signed kernel

signed modules

and a locked kernel

The whole security chain is in place.

I use this together with rEFInd and can access two Gentoo installations, one Tumbleweed and two Windows installations in Secure Boot.

```
Linux tux 5.14.14-gentoo-101-kspp-lock #1 SMP Wed Oct 20 23:05:48 CEST 2021 x86_64 AMD Ryzen 5 3600 6-Core Processor AuthenticAMD GNU/Linux
Secure boot enabled
Loaded X.509 cert 'Gentoo-Module-Signing-Key: 8745bfa72fa26b7f68b5165ab85f274cf2d026ab'
000869b0  03 12 d7 02 9d ed 1d bf  6f 77 5f 23 ca 91 85 23  |........ow_#...#|
000869c0  9b 41 9b 14 21 f1 de 33  94 62 c7 a8 19 be db c3  |.A..!..3.b......|
000869d0  12 aa 5a ed dd 30 37 b2  c1 33 ac 83 92 7d 0e 92  |..Z..07..3...}..|
000869e0  96 27 67 26 8e e1 5b 39  b1 7a 52 76 db 18 e5 f6  |.'g&..[9.zRv....|
000869f0  13 dd d9 25 24 75 08 cf  4d 84 2c 51 56 c8 5d 47  |...%$u..M.,QV.]G|
00086a00  ae 4d b4 5d 4d ae b4 6d  23 54 9d 7a 85 bd 5c fd  |.M.]M..m#T.z..\.|
00086a10  b8 48 c5 27 0a fb 1c 00  00 02 00 00 00 00 00 00  |.H.'............|
00086a20  00 02 9f 7e 4d 6f 64 75  6c 65 20 73 69 67 6e 61  |...~Module signa|
00086a30  74 75 72 65 20 61 70 70  65 6e 64 65 64 7e 0a     |ture appended~.|
Kernel is locked down from Kernel configuration; see man kernel_lockdown.7
```

https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot_under_OpenRC

https://wiki.gentoo.org/wiki/Signed_kernel_module_support

man kernel_lockdown.7 --> https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html

Ma
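The tail of the hexdump in Marlo's post is the signature trailer that the kernel's sign-file appends to every signed module: the PKCS#7 blob, then a 12-byte struct module_signature, then the 28-byte magic "~Module signature appended~\n". The twelve bytes just before the magic read 00 00 02 00 00 00 00 00 00 00 02 9f, i.e. id_type 2 (PKCS#7) and a big-endian sig_len of 0x29f = 671. The following script, added here as an example and not code from the kernel tree, Gentoo or Sakaki's guide, locates and sanity-checks that trailer the same way the kernel does before handing the PKCS#7 data to its verifier (it does not do the cryptographic verification itself). The sample module and DER blob at the bottom are constructed placeholders; only their trailer bytes are taken from the hexdump above.

```python
"""Locate and sanity-check the signature appended to a CONFIG_MODULE_SIG kernel module.

Added example for this thread, not code from the kernel, Gentoo or Sakaki's guide.
Layout (Documentation/admin-guide/module-signing.rst):

    [ELF module][PKCS#7 DER, sig_len bytes][struct module_signature, 12 bytes][magic]

The PKCS#7 blob is only located and checked for consistency, not verified;
the kernel verifies it against its built-in keyring at load time.
"""
import struct

MODULE_SIG_STRING = b"~Module signature appended~\n"   # 28 bytes
PKEY_ID_PKCS7 = 2   # id_type written by scripts/sign-file; algo/hash are then 0
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")


def der_total_length(blob: bytes) -> int:
    """Length of the outermost DER TLV in blob (SEQUENCE tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("PKCS#7 signature does not start with a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def split_module_signature(ko: bytes):
    """Return (module_bytes, pkcs7_der); pkcs7_der is None for an unsigned module."""
    if not ko.endswith(MODULE_SIG_STRING):
        return ko, None
    rest = ko[:-len(MODULE_SIG_STRING)]
    if len(rest) < MODULE_SIGNATURE.size:
        raise ValueError("module too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODULE_SIGNATURE.unpack(
        rest[-MODULE_SIGNATURE.size:])
    rest = rest[:-MODULE_SIGNATURE.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    if algo or hash_ or signer_len or key_id_len:
        # The kernel rejects PKCS#7 trailers with these fields set (mod_check_sig()).
        raise ValueError("PKCS#7 trailer must carry zeroed algo/hash/signer/key_id fields")
    if sig_len == 0 or sig_len > len(rest):
        raise ValueError("sig_len does not fit in the module")
    sig = rest[-sig_len:]
    if der_total_length(sig) != sig_len:
        raise ValueError("sig_len disagrees with the DER length of the PKCS#7 blob")
    return rest[:-sig_len], sig


def append_module_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Inverse of split_module_signature: the trailer scripts/sign-file appends."""
    trailer = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + trailer + MODULE_SIG_STRING


# Constructed sample input: a stand-in ELF body and a placeholder DER blob whose
# outer length matches the sig_len 0x29f = 671 seen in the hexdump above. The
# blob is NOT a real PKCS#7 signature; only the trailer bytes are from the dump.
SAMPLE_MODULE = b"\x7fELF" + bytes(range(256)) * 2
SAMPLE_PKCS7 = b"\x30\x82\x02\x9b" + b"\xaa" * 667
SAMPLE_SIGNED_KO = append_module_signature(SAMPLE_MODULE, SAMPLE_PKCS7)

if __name__ == "__main__":
    body, sig = split_module_signature(SAMPLE_SIGNED_KO)
    print(f"module {len(body)} bytes, PKCS#7 signature {len(sig)} bytes, trailer intact")
```

Pointing `split_module_signature` at a real .ko from /lib/modules (read the file as bytes) shows whether a module will even reach the kernel's signature verifier; with CONFIG_MODULE_SIG_FORCE or lockdown enforced, a module that returns `None` here is rejected before any key is consulted.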

----------

