maximbaz / arch-secure-boot
UEFI Secure Boot for Arch Linux + btrfs snapshot recovery
License: ISC License
Hi Maximbaz,
Above all I would like to thank you for this great tool!
I have some suggestions if you would like to make this project more popular. I was thinking about why people don't use Secure Boot while it's available in every machine sold nowadays, and came to the conclusion that most people are just afraid when they hear "private keys", "public keys" or encryption in general :)
But your tool is good enough to remove thinking about those "scary" things from people's minds.
So my proposals are:
Improve documentation. It just does not provide enough information about how this tool works, while at the same time you wrote a great post with all of the details. So please attach this information to the readme --> Antynea/grub-btrfs#92 (comment)
Not everybody uses snapper. Personally I have very bad experience with it. So make the tool conditional - with or without snapper.
And getting to the problem that I have personally. I know you might have no idea why it is happening to me but, hey - it's worth asking. When I enter my Lenovo IdeaPad UEFI I just don't see any other entries except linux-secure-boot, and I have no way to choose anything else, while at the same time all the images on /efi are created and in place:
root@i5 ~# ll /efi/EFI/arch/
total 107M
-rwxr-xr-x 1 root root 1008K Jul 30 19:50 secure-boot-linux-efi-shell.efi
-rwxr-xr-x 1 root root 39M Jul 30 19:50 secure-boot-linux-recovery-lts.efi
-rwxr-xr-x 1 root root 44M Jul 30 19:50 secure-boot-linux-recovery.efi
-rwxr-xr-x 1 root root 23M Jul 30 19:50 secure-boot-linux.efi
Big thanks for your work once again!
Any ideas ?
Hey it's been a while :)
After a kernel upgrade, I'm unable to boot and get the following error:
Nov 01 14:15:38 laptop bootctl[563]: No ESP found, not initializing random seed.
Nov 01 14:15:38 laptop systemd-pcrphase[564]: Extended PCR index 11 with 'sysinit' (banks sha1, sha256).
Nov 01 14:15:40 laptop apparmor.systemd[357]: Restarting AppArmor
Nov 01 14:15:40 laptop apparmor.systemd[357]: Reloading AppArmor profiles
Nov 01 14:15:40 laptop systemd-fsck[366]: fsck.fat 4.2 (2021-01-31)
Nov 01 14:15:40 laptop systemd-fsck[366]: /dev/sda2: 11 files, 40218/140690 clusters
Nov 01 14:15:40 laptop mount[497]: mount: /efi: unknown filesystem type 'vfat'.
Nov 01 14:15:40 laptop mount[497]: dmesg(1) may have more information after failed mount system call.
I've had this issue a few times now, I'm not sure where it comes from to be honest, but I thought I would write it here in case you have any clue what's going on.
To fix this error I have to boot into a livecd and run arch-secure-boot generate-efi.
Here are the pacman logs that caused the issue:
[2023-10-30T19:16:44+0100] [PACMAN] Running '/usr/bin/pacman -S -y -u --config /etc/pacman.conf --'
[2023-10-30T19:16:44+0100] [PACMAN] synchronizing package lists
[2023-10-30T19:16:45+0100] [PACMAN] starting full system upgrade
[2023-10-30T19:16:56+0100] [ALPM] running '05-snap-pac-pre.hook'...
[2023-10-30T19:16:57+0100] [ALPM-SCRIPTLET] ==> root: 574
[2023-10-30T19:16:57+0100] [ALPM] running '60-mkinitcpio-remove.hook'...
[2023-10-30T19:16:57+0100] [ALPM] transaction started
[2023-10-30T19:16:57+0100] [ALPM] upgraded bash (5.1.016-4 -> 5.2.015-5)
[2023-10-30T19:16:57+0100] [ALPM] upgraded containerd (1.7.7-1 -> 1.7.8-1)
[2023-10-30T19:16:57+0100] [ALPM] upgraded krb5 (1.20.1-1 -> 1.20.1-2)
[2023-10-30T19:16:57+0100] [ALPM] upgraded libnghttp2 (1.57.0-1 -> 1.58.0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded docker (1:24.0.6-1 -> 1:24.0.7-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded fzf (0.42.0-1 -> 0.43.0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded gpgme (1.23.0-1 -> 1.23.1-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded libyuv (r2322+3aebf69d-1 -> r2426+464c51a0-1)
[2023-10-30T19:16:58+0100] [ALPM] upgraded libavif (1.0.1-3 -> 1.0.1-4)
[2023-10-30T19:16:58+0100] [ALPM] upgraded linux-firmware-whence (20230804.7be2766d-2 -> 20230918.3672ccab-1)
[2023-10-30T19:16:59+0100] [ALPM] upgraded linux-firmware (20230804.7be2766d-2 -> 20230918.3672ccab-1)
[2023-10-30T19:17:00+0100] [ALPM] upgraded shadow (4.14.1-1 -> 4.14.2-1)
[2023-10-30T19:17:02+0100] [ALPM] upgraded linux-hardened (6.5.8.hardened1-1 -> 6.5.9.hardened1-1)
[2023-10-30T19:17:07+0100] [ALPM] upgraded linux-hardened-headers (6.5.8.hardened1-1 -> 6.5.9.hardened1-1)
[2023-10-30T19:17:08+0100] [ALPM] upgraded restic (0.16.0-1 -> 0.16.1-1)
[2023-10-30T19:17:08+0100] [ALPM] transaction completed
[2023-10-30T19:17:09+0100] [ALPM] running '20-systemd-sysusers.hook'...
[2023-10-30T19:17:09+0100] [ALPM] running '30-systemd-daemon-reload.hook'...
[2023-10-30T19:17:09+0100] [ALPM] running '30-systemd-tmpfiles.hook'...
[2023-10-30T19:17:10+0100] [ALPM] running '30-systemd-udev-reload.hook'...
[2023-10-30T19:17:11+0100] [ALPM] running '30-systemd-update.hook'...
[2023-10-30T19:17:11+0100] [ALPM] running '60-depmod.hook'...
[2023-10-30T19:17:13+0100] [ALPM] running '90-mkinitcpio-install.hook'...
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-hardened.preset: 'default'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux-hardened -g /boot/initramfs-linux-hardened.img --microcode /boot/intel-ucode.img
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] ==> Starting build: '6.5.9-hardened1-1-hardened'
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] -> Running build hook: [consolefont]
[2023-10-30T19:17:13+0100] [ALPM-SCRIPTLET] -> Running build hook: [keymap]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET] -> Running build hook: [udev]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET] -> Running build hook: [autodetect]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2023-10-30T19:17:14+0100] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2023-10-30T19:17:16+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'xhci_pci'
[2023-10-30T19:17:17+0100] [ALPM-SCRIPTLET] -> Running build hook: [plymouth]
[2023-10-30T19:17:18+0100] [ALPM-SCRIPTLET] -> Running build hook: [encrypt]
[2023-10-30T19:17:20+0100] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2023-10-30T19:17:20+0100] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2023-10-30T19:17:22+0100] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2023-10-30T19:17:22+0100] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-hardened.img'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Image generation successful
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Building image from preset: /etc/mkinitcpio.d/linux-hardened.preset: 'fallback'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Using default configuration file: '/etc/mkinitcpio.conf'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux-hardened -g /boot/initramfs-linux-hardened-fallback.img -S autodetect --microcode /boot/intel-ucode.img
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] ==> Starting build: '6.5.9-hardened1-1-hardened'
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] -> Running build hook: [consolefont]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] -> Running build hook: [keymap]
[2023-10-30T19:17:23+0100] [ALPM-SCRIPTLET] -> Running build hook: [udev]
[2023-10-30T19:17:24+0100] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2023-10-30T19:17:24+0100] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2023-10-30T19:17:25+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'aic94xx'
[2023-10-30T19:17:25+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'bfa'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qed'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qla1280'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'qla2xxx'
[2023-10-30T19:17:26+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'wd719x'
[2023-10-30T19:17:27+0100] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for module: 'xhci_pci'
[2023-10-30T19:17:30+0100] [ALPM-SCRIPTLET] -> Running build hook: [plymouth]
[2023-10-30T19:17:31+0100] [ALPM-SCRIPTLET] -> Running build hook: [encrypt]
[2023-10-30T19:17:33+0100] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2023-10-30T19:17:34+0100] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2023-10-30T19:17:39+0100] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2023-10-30T19:17:40+0100] [ALPM-SCRIPTLET] ==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-hardened-fallback.img'
[2023-10-30T19:17:41+0100] [ALPM-SCRIPTLET] ==> Image generation successful
[2023-10-30T19:17:42+0100] [ALPM] running 'gdk-pixbuf-query-loaders.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'post-20-dash-symlink.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'texinfo-install.hook'...
[2023-10-30T19:17:42+0100] [ALPM] running 'zz-snap-pac-post.hook'...
[2023-10-30T19:17:42+0100] [ALPM-SCRIPTLET] ==> root: 575
[2023-10-30T19:17:42+0100] [ALPM] running 'zzz-arch-secure-boot-generate-snapshots.hook'...
It seems that for some reason the 95-arch-secure-boot-generate-efi hook is not being triggered. Therefore the signed UKI is not being updated and the system becomes unbootable. I'm not sure why it becomes unbootable though, might be due to systemd, I found the following in my kernel logs:
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'crypto_user'
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'dm-multipath'
Nov 01 14:15:37 laptop systemd-modules-load[288]: Failed to find module 'pkcs8_key_parser'
I'm wondering if Operation = Upgrade in the pacman hook is enough. Here's how dracut-hook from the AUR does it:
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/dracut/*
Target = usr/lib/systemd/systemd
[Action]
Description = Updating initramfs...
When = PostTransaction
Exec = /usr/share/libalpm/scripts/dracut-install
NeedsTargets
We can see that they use both Operation = Install and Operation = Upgrade, and that they also trigger the hook when systemd is being updated.
#21 might be related
Let me know what you think :)
Hi, in order for nvidia to work on grub or systemd the wiki tells us to add nvidia-drm.modeset=1:
sudo sed -i 's/\(GRUB_CMDLINE_LINUX_DEFAULT=".*\)"/\1 nvidia-drm.modeset=1"/' /etc/default/grub
Is this required/possible with arch-secure-boot?
Thank you
Currently the pacman hook will re-sign all the EFI binaries if a single one of them is updated.
It would be nice to only sign what has been updated.
alpm-hooks provides a NeedsTargets which, according to the man page, does the following:
Causes the list of matched trigger targets to be passed to the running hook on stdin.
Currently the hook looks like this :
Instead we could do something like this :
Exec = /usr/bin/arch-secure-boot generate-efi --from-stdin
Or maybe just the standard trailing -.
That way generate-efi would be able to sign only the updated EFI image, instead of signing them all.
To consider: an update of *-ucode.img must trigger the recreation of $NAME-unsigned.efi + signing it
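The two issues above (a hook that only fires on Upgrade, and signing only what changed via NeedsTargets) can be illustrated together. The following is an added example and not code from arch-secure-boot: a hook that triggers on both Install and Upgrade of the kernels, microcode and the systemd stub and passes matched paths on stdin, plus a helper that maps that path list to the kernels whose EFI image must be rebuilt. The hook path, the Target list and the --from-stdin flag are assumptions.

```shell
#!/bin/sh
# Added example, not code from arch-secure-boot: pacman hook firing on both
# Install and Upgrade with NeedsTargets, and a helper that turns the target
# list pacman passes on stdin into the kernels whose UKI needs rebuilding.
# The hook path, Target list and "--from-stdin" flag are assumptions.

# Write the proposed hook to the given path (e.g. a temp file when testing).
write_hook() {
  cat > "$1" <<'EOF'
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = boot/*-ucode.img
Target = usr/lib/systemd/boot/efi/linuxx64.efi.stub

[Action]
Description = Regenerating and signing Secure Boot EFI images...
When = PostTransaction
Exec = /usr/bin/arch-secure-boot generate-efi --from-stdin
NeedsTargets
EOF
}

# Kernel package name for a module directory (usr/lib/modules/<version>).
# Arch kernel packages ship a "pkgbase" file there; ROOT (default empty,
# i.e. the live system) lets the lookup run against a constructed tree.
kernel_for_moddir() {
  if [ -r "${ROOT:-}/$1/pkgbase" ]; then
    cat "${ROOT:-}/$1/pkgbase"
  else
    # Fallback heuristic (assumption): "6.6.1-1-lts" -> linux-lts,
    # "6.9.1-arch1-1" (trailing pkgrel number) -> linux.
    case "${1##*-}" in
      *[!0-9]*) echo "linux-${1##*-}" ;;
      *) echo linux ;;
    esac
  fi
}

# Read NeedsTargets lines (paths relative to /) from stdin and print the
# distinct kernels to rebuild, or ALL when a microcode image or the stub
# changed, since every generated image embeds those.
targets_to_kernels() {
  all=0; kernels=""
  while IFS= read -r t; do
    case "$t" in
      usr/lib/modules/*/vmlinuz)
        k=$(kernel_for_moddir "${t%/vmlinuz}")
        case " $kernels " in *" $k "*) ;; *) kernels="$kernels $k" ;; esac ;;
      boot/*-ucode.img|usr/lib/systemd/boot/efi/linuxx64.efi.stub) all=1 ;;
    esac
  done
  if [ "$all" = 1 ]; then echo ALL; else echo "${kernels# }"; fi
}
```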
Problem: initial-setup failed with "cat: '/boot/*-ucode.img': No such file or directory"
OS: Arch Linux
Kernel: x86_64 Linux 5.14.8-arch1-1
Full output:
➜ ~ arch-secure-boot initial-setup
Generating Secure Boot keys...
Generating a RSA private key
.........................................................................................................++++
........................++++
writing new private key to 'PK.key'
-----
Generating a RSA private key
...............................................................................................................................++++
.......................................................++++
writing new private key to 'KEK.key'
-----
Generating a RSA private key
..................................++++
.....++++
writing new private key to 'db.key'
-----
Generating EFI images...
cat: '/boot/*-ucode.img': No such file or directory
== Command ==
/usr/bin/arch-secure-boot generate-efi
== Config ==
ESP=/boot/efi
EFI=/EFI/arch
KERNEL=linux
NAME=secure-boot-linux
CMDLINE=/proc/cmdline
== Command ==
/usr/bin/arch-secure-boot initial-setup
== Config ==
ESP=/boot/efi
EFI=/EFI/arch
KERNEL=linux
NAME=secure-boot-linux
CMDLINE=/proc/cmdline
Hello Maxim,
I would like to know if excluding /usr/lib/modules from the root snapshots is necessary to use arch-secure-boot, ensuring the ability to boot from snapshots and maintain consistency between the kernel and module versions across all snapshots.
Additionally, I would like to ask if there are any other BTRFS subvolumes that need to be created to facilitate booting from snapshots using UKI?
Apologies if my questions aren't exactly specific to your project, and thank you in advance for your answers.
https://aur.archlinux.org/packages/arch-secure-boot
This says linux-lts as a dependency, but I use linux and I do not want to use another (and less than 6.2 because I need the ntfs3 update) kernel.
Can I use arch-secure-boot with linux/linux-mainline/linux-zen, etc.?
After upgrading to systemd 254 I was unable to boot anymore.
The following lines are new when doing generate-efi:
objcopy: secure-boot-linux-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-unsigned.efi:.cmdline: section below image base
objcopy: secure-boot-linux-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-unsigned.efi:.initrd: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-recovery-unsigned.efi:.initrd: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.osrel: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.linux: section below image base
objcopy: secure-boot-linux-lts-recovery-unsigned.efi:.initrd: section below image base
It probably has to do with /usr/lib/systemd/boot/efi/linuxx64.efi.stub but I do not currently know what. I created this issue as more users are probably going to stumble on this. I just downgraded systemd using pacman -U /var/cache/pacman/pkg/systemd-253.7-1-x86_64.pkg.tar.zst and ran generate-efi again.
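objcopy prints "section below image base" when a --change-section-vma address chosen for .osrel/.cmdline/.linux/.initrd lies inside the stub, which happens when fixed addresses are reused with a stub that has grown. The following is an added diagnostic, not code from arch-secure-boot or systemd: it parses "objdump -h" output for the stub, computes the first page-aligned address past its last section, and derives the next section start from a given size. The sample dump is constructed and the 4 KiB alignment rule is an assumption.

```shell
#!/bin/sh
# Added example, not code from arch-secure-boot: find the first free address
# past the stub's last section from "objdump -h" output, so added UKI
# sections are placed above the stub instead of at fixed addresses.

# Print the end of the highest section (VMA + size) rounded up to 4 KiB.
# Input: the text of "objdump -h <stub>" on stdin.
stub_free_vma() {
  end=0
  while read -r idx name size vma rest; do
    # Section rows start with a numeric index; skip headers and flag lines
    case "$idx" in *[!0-9]*|"") continue ;; esac
    [ -n "$vma" ] || continue
    case "$size$vma" in *[!0-9a-fA-F]*) continue ;; esac
    e=$(( 0x$vma + 0x$size ))
    if [ "$e" -gt "$end" ]; then end=$e; fi
  done
  # round up to the page alignment assumed for section placement
  printf '0x%x\n' $(( (end + 0xfff) / 0x1000 * 0x1000 ))
}

# Next section start after one placed at $1 holding $2 bytes (4 KiB aligned).
next_vma() { printf '0x%x\n' $(( ($1 + $2 + 0xfff) / 0x1000 * 0x1000 )); }

# Constructed sample in the shape "objdump -h" prints (not a real stub dump)
SAMPLE_OBJDUMP='
linuxx64.efi.stub:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00015e54  0000000000001000  0000000000001000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000a  0000000000017000  0000000000017000  00016400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00004f18  0000000000018000  0000000000018000  00016600  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat         000002c0  000000000001d000  000000000001d000  0001b600  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
'

# Usage on a real system: objdump -h /usr/lib/systemd/boot/efi/linuxx64.efi.stub | stub_free_vma
# With the sample above the .sbat section ends at 0x1d2c0, so .osrel can
# start at 0x1e000 and each following section at next_vma of the previous.
printf '%s\n' "$SAMPLE_OBJDUMP" | stub_free_vma
```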
I'm seeing signing errors when the hook runs:
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
==> Using default configuration file: '/etc/mkinitcpio.conf'
-> -k /boot/vmlinuz-linux -g /boot/initramfs-linux.img
==> Starting build: '6.9.1-arch1-1'
-> Running build hook: [systemd]
-> Running build hook: [autodetect]
-> Running build hook: [microcode]
-> Running build hook: [modconf]
-> Running build hook: [kms]
-> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: 'xhci_pci'
-> Running build hook: [sd-vconsole]
-> Running build hook: [block]
-> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: 'qat_420xx'
-> Running build hook: [filesystems]
-> Running build hook: [fsck]
==> WARNING: Possibly missing '/bin/sh' for script: /usr/bin/fsck.btrfs
==> Generating module dependencies
==> Decompressing zstd-compressed firmware files
-> Fixing firmware file symlinks
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux.img'
-> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
-> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
repeats for every image, both linux and linux-lts, regular and fallback.
Configuration hasn't changed for weeks, I have just been upgrading daily.
Any idea what the problem might be?
Thanks for creating this resource I am seriously excited to possibly drop a lot of grub cruft I have been dealing with. My one issue that I am wondering if you have experience with is a system that also boots into windows. This style of booting from uefi directly is new to me and I am wondering how this would work. Does the windows side just work by creating its own uefi entry and there is no overlap, or would I have to get the same private key generated from scripts embedded into the windows filesystem somehow?
If you aren't familiar with this then no worries, just seeing if it's possible to know about this before diving in.
Would it make sense to add arch-secure-boot itself to 95-arch-secure-boot-generate-efi.hook ? Though I don't know how it would behave when arch-secure-boot is being installed for the first time.
People that have a broken install because of #17 must run arch-secure-boot generate-efi manually after they have upgraded the arch-secure-boot package.
Hey Maxim, for some time now I've been reading a lot about backups. Considering I'm using arch-secure-boot
which comes with a snapper dependency, I've been wondering how that could interact with my backup strategy.
Initially, my plan was as follows:
I haven't done the last two items yet; I'm not sure I want to trust btrfs for my backups, there are multiple examples on the internet of people having issues with it. However I have to admit that its incremental backup feature using btrfs send | btrfs receive is very appealing.
I'm looking for ideas, what do you do? Do you use snapper only to boot into a previous state of your system or do you also use btrfs features for your backups? What's your take on using btrfs as a backup utility?
PS: sorry for hijacking your issue tracker for something unrelated :-)
Hey, thanks for this amazing tool! This is a very small issue, it doesn't have any impact but I thought I would still let you know.
When using a hardened kernel, the recovery EFI image of the LTS kernel will be named secure-boot-linux-hardened-recovery-lts.efi, which is a bit confusing because this is not a hardened version.
Maybe instead of using $NAME-recovery-lts-unsigned.efi you could hardcode linux-recovery-lts-unsigned.efi? It would require changing the loop logic though.
arch-secure-boot/arch-secure-boot, lines 85 to 93 in 4b55a33
Hello,
I follow your great dotfiles and wanted to ask you, if you could add support for AMD ucode as well.
Something like this would probably be enough:
https://github.com/gdamjan/secure-boot/blob/master/secure-boot#L17
Thanks for all your great projects!
This is something present in grub-btrfs but I'd prefer a simpler tool because grub is too much of a black hole.