
As the title suggests, I'm trying to set up a system that uses PXE boot to boot into CentOS 7 with custom signing keys. This process is adapted from several guides, but the gist of it is that I use GRUB to load a grub.cfg, Linux kernel and initramfs.gz (which contains the filesystem) from a TFTP server. These are verified with GPG signatures.

However, then I got the error that my Linux kernel is not signed correctly, while it is signed with my own db key for Secure Boot. The key should be installed correctly in UEFI, as the GRUB EFI binary is also signed and should also be verified by Secure Boot. Furthermore, I've also checked whether the GPG verification succeeded with the GRUB command line, which it did.

After this, I read some articles online and came to the conclusion that I should use shim as a first-stage bootloader (and also sign that with the same db key). So I copied it from a CentOS VM and pointed the DHCP server to shim. The issue persists as it gives the same error message, but now it also gives a location:

error: ../../grub-core/loader/i386/efi/linux.c:215:/vmlinuz has invalid signature.

I can't seem to find the file which is responsible in GRUB, as it is probably a different version. My search led me to this Red Hat article.

However, the article is behind a paywall... I'm not asking for access to the article (I'm not sure whether it is allowed), as it may be a completely different problem. I also tried to build shim on my own, providing the DER encrypted key during the build process, but that seems to change nothing.

I'm also new to shim and I'm not sure whether the usage of the machine operator key (MOK) is mandatory, or whether it is sufficient to just sign it with the db key.

Do any of you have any pointers for me? Thank you.

2 Answers


I'm also trying to build a PXE environment, where I want to boot CentOS, Clonezilla Live and other OSes over PXE with the clients having Secure Boot enabled.

I used this guide: https://docs.centos.org/en-US/8-docs/advanced-install/assembly_preparing-for-a-network-install/

So when I boot CentOS it works just fine; when I try to boot Clonezilla, it gives: /Tftppath/clonezilla/vmlinuz has invalid signature

I want to better understand the process of self-signing shim, GRUB and the kernels so I can Secure Boot various OSes.

Could you please detail the process you followed a little bit more? Thanks!

  • If you have a new question, please ask it by clicking the Ask Question button. Include a link to this question if it helps provide context. - From Review Commented Oct 20, 2022 at 16:16

I solved it. So my issue was that I didn't understand how I could deploy the shim key manually, as most methods utilize MokManager on their own system. This method doesn't work well with PXE, as you want to boot from another system. After trying different things as well as looking into the shim source code, I found this page on the Arch wiki, which is about Secure Boot. This page initially didn't catch my attention as it doesn't mention PXE. I wanted to use shim with a key to allow for easier updating. There is one sentence there that says you can just copy the DER-encoded public key to a FAT filesystem; usually the EFI partition is used.

So, in the end I used the shim binary I copied from the PXE server system, which then used the public key stored in the EFI partition to verify the Linux kernel and GRUB binary. It might also be necessary to check whether you can boot a kernel with a Microsoft/Windows/CentOS signature, so you can remove it if you want full control.
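As an added triage check, not part of the question or either answer: a small Python parser that reports whether an EFI image (shim, grubx64.efi, or the EFI-stub vmlinuz that GRUB rejected) actually carries an embedded Authenticode signature table, which is the same thing `sbverify --list` tells you before you worry about which certificate (db key, vendor, or MOK) the signature chains to. The `fake_pe` input is constructed here so the example runs offline; on a real system you would pass the bytes of the file served over TFTP.

```python
import struct

# Offsets from the Microsoft PE/COFF specification; index 4 of the data
# directory is IMAGE_DIRECTORY_ENTRY_SECURITY (the Authenticode table).
CERT_TABLE_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

def authenticode_entry(image: bytes):
    """Return (file_offset, size) of the embedded signature table, or None
    when the EFI image (shim, grubx64.efi, EFI-stub vmlinuz) is unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image (no MZ header)")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                             # skip COFF header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dir_base = opt_off + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    # Unlike the other directories, this entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", image, dir_base + 8 * CERT_TABLE_INDEX)
    return None if size == 0 else (off, size)

def signature_status(image: bytes) -> str:
    """'unsigned', 'signed' or 'malformed': a first triage step before
    asking whose certificate (db key, vendor, MOK) the PKCS#7 blob chains to."""
    entry = authenticode_entry(image)
    if entry is None:
        return "unsigned"
    off, size = entry
    length, _revision, cert_type = struct.unpack_from("<IHH", image, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "malformed"
    return "signed"

def fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not a real bootloader or kernel) used
    here only to exercise the parser offline; real input is the file bytes."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+
    header_len = len(dos) + len(coff) + len(opt)
    if signed:
        blob = b"\0" * 16          # stands in for the real PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, 112 + 8 * CERT_TABLE_INDEX, header_len, len(cert))
        return dos + coff + bytes(opt) + cert
    return dos + coff + bytes(opt)
```

An "unsigned" result on vmlinuz means the kernel you netboot is not the one you signed (or the signature was stripped when copying), which shim reports with the same "invalid signature" message as a wrong-key signature.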
