13

I'm using the default ubuntu approach with shim and grub2, combined with my own platform key (self-signing shim with sbsign) and an encrypted root partition, to secure boot my ubuntu installation. But this verifies only grubx64.efi and the kernel, but does not protect the initrd.img and grub.cfg files on the unencrypted boot partition from malicious modifications.

So how can I verify the initrd and the grub configuration, possibly using a sha256 hash, before using them to boot ? That verification could happen in shim, in grub or in some other tool I might use in addition to or instead of shim and/or grub.

The purpose of this question is to prevent from executing the kernel with a modified environment (kernel command line and initrd) in order to prevent from leaking the root partition encryption password to anywhere.

Did not find any methods to verify the boot configuration despite several days of reading web tutorials/blogs about secure boot, including Ubuntu and the Linux Foundation's PreLoader.efi, all of which explaining how the verification of executables including kernel modules works, but none of which mentions the grub.cfg and (shell scripts and config files inside the) initrd, so it looks like I'm the first one to ever ask for verification of non-binaries in the boot process. The best sources I ever found are that of Rod Smith.

What I did not try yet is to modify the source code of shim or grub, creating a fork, or directly contributing to them. Would that be the only way to go ?

Improve this question
7
  • Your cross post was from yesterday, a bit more patience would be appropriate, and cross posting certainly isn't ( BTW if you however above the downarrow you can see the reasons for downvotes: no research effort/ unclear/not useful) Commented Feb 7, 2016 at 9:05
  • @Anthon, where do you think is the appripriate place to ask this question ? I don't know, so I thought here is a better place than on SuperUser. And do you think I should delete the previous question and this one before asking at the appropriate place to prevent from being downvoted because of cross posting again ? Commented Feb 7, 2016 at 13:46
  • Cross posting is never ok, as you would know if you read the help. On this site it is a reason for closure (as you noticed), some patience is necessary as well this is a Q&A site, not some personal, or instant, help site. A few days waiting, especially during the weekend would be appropriate. And some more description of what you tried and what did not work would be appropriate as well. If you want this reopened here, delete the Q on superuser, indicate it clearly here (by editing your post) and then it will be in the queue to be reopened. Commented Feb 7, 2016 at 14:28
  • @Anthon, thank you for you comments. Deleted the question on SuperUser and explained the question here in more detail. Can I do better ? Commented Feb 8, 2016 at 7:02
  • Looks better, I vote to reopen, but be advised that it takes more than just my vote. Commented Feb 8, 2016 at 8:05

2 Answers 2

Reset to default
3

I found great article which describes such setup: https://ruderich.org/simon/notes/secure-boot-with-grub-and-signed-linux-and-initrd

tl;dr: Sign grub config and initrd with GPG, generate grub binary which will enforce checks and sign it with secureboot keys.

Package for ubuntu which implements similar idea: https://github.com/JohnstonJ/ubuntu-secure-boot

Improve this answer
0

Grub appears to support signature verification using detached signatures. I suspect that's your answer.

Improve this answer
4
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - From Review Commented Apr 29, 2016 at 17:55
  • 1
    Actually, it does. The original question was: "So how can I verify the initrd and the grub configuration, possibly using a sha256 hash, before using them to boot ? That verification could happen in shim, in grub or in some other tool I might use in addition to or instead of shim and/or grub." The answer is: "Grub appears to support signature verification using detached signatures." (Implicitly: "... so you could sign the initrd, generate a detached signature, and have Grub verify it.") Commented Apr 29, 2016 at 21:28
  • @Justin King-Lacroix, thank you for your answer, but I can't find detached signatures in gnu.org/software/grub/manual/grub.html - is that a feature of an inoffical grub fork ? Googling "detached signatures grub manual" did not return anything specific. Could you point me to that feature, please ? Commented May 12, 2016 at 10:53
  • Unfortunately, I don't have a manual reference; I found this looking through the source. Look for the "verify" operation. Commented Jun 18, 2016 at 5:02

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.