0

I'm trying to figure out if Buildroot can generate a Secure Boot capable system. Secure boot requires a properly signed kernel. The target hardware is an x86-64/AMD64 processor with TPM 2.0 support.

Secure boot can be done with Linux distros like Ubuntu.

I've searched the Buildroot manual and did a bunch of Google searches - haven't found anything definitive.

Has anyone tried this?

3
  • 1
    A "late generation Intel processor" 32-bit? I don't think so. And Secure Boot is a UEFI feature. What exactly are you trying to do and why? Commented Feb 2 at 0:34
  • This question should include more details and clarify the problem. We need more specifics. Intel and AMD have not manufactured a 32-bit only processor for close to a decade. Their newer products have 64-bit UEFI kernels which make booting to 32-bit operating systems more challenging based on which operating system you are talking about. The information you have provided is not detailed enough to answer your question.
    – Ramhound
    Commented Feb 2 at 1:12
  • @Ramhound - added more information. Let me know if more is needed. Commented Feb 2 at 17:59

1 Answer

1

You can get a signed kernel by signing the kernel. It doesn't really matter how it was built as long as you can insert the extra step to sign it after. Any Authenticode signing tool will work, for example:

  • signtool
  • osslsigncode
  • pesign

However, keep in mind that typical PCs only come with one or two approved signers (Microsoft and sometimes Canonical).

Everything else has to go through a proxy mechanism; either you submit every single kernel for Microsoft to sign (unrealistic), or you use Red Hat's shim (which is already signed) to chain-load your kernel, or of course you install your own Secure Boot keys as a "trusted signer" in your EFI firmware, which is only possible by going through the firmware settings interface.

So if you fully control the target hardware, you could generate your own KEK/PK/db keypairs and install them, then just have the build process run signtool (using the db key) on vmlinuz or any other .efi executable involved.

(The Arch Linux Wiki instructions may be relevant. The keypairs are self-signed X.509 certificates for "Code signing" usage – they don't have to come from a commercial CA.)

If you are not in full control of the hardware, then you will need to involve Shim in your boot process, which means getting "someone else's" copy of a signed Shimx64.efi that is already Microsoft-signed (such as the Fedora/Red Hat one) and having it start your vmlinuz.efi or your grubx64.efi. You will not be able to achieve completely seamless Secure Boot like what you have with Ubuntu (who has a version of Shim that will only "seamlessly" boot kernels signed by Ubuntu); there will be at least one step to have Shim enroll your SB signing key as a "MOK".

(It's Shim that implements "MOKs" (Machine Owner Keys); UEFI itself has no such concept.)
