lbwww/site/docs/linux/grub_hardening.md

The SeaBIOS first policy is now law, in Libreboot releases. The only exception is the x86 QEMU target. You can do this if building from source:

./build roms -p grub targetname

Where targetname is e.g. x200_8mb (use the correct one for your board).

Again: make sure GRUB works. Also: don't do this if you're using a non-Intel graphics card because only the Intel graphics have native video initialisation in Libreboot, and we rely on SeaBIOS to execute the VGA ROM for others.

(It is assumed that you know to add the VGA ROM to CBFS if needed when using a dGPU, or that you are using a graphics card on a desktop, which SeaBIOS will use automatically.)

GPG keys

First, generate a GPG keypair to use for signing. Option RSA (sign only) is ok.

WARNING: GRUB does not read ASCII armored keys. If you try to trust ... an armored key file, GRUB prints error: bad signature on the screen.

mkdir --mode 0700 keys
gpg --homedir keys --gen-key
gpg --homedir keys --export-secret-keys --armor > boot.secret.key # backup
gpg --homedir keys --export > boot.key

Now that we have a key, we can sign some files with it. We must sign:

  • a kernel
  • (if we have one) an initramfs
  • (if we wish to transfer control to it) an on-disk grub.cfg
  • grubtest.cfg (so that you can still load grubtest.cfg after signature checking is enforced. You can always get back to grub.cfg by pressing ESC, but afterwards an unsigned grubtest.cfg will not load.)

Suppose that we have a pair of my.kernel and my.initramfs and an on-disk libreboot_grub.cfg. We will sign them by running the following commands:

gpg --homedir keys --detach-sign my.initramfs
gpg --homedir keys --detach-sign my.kernel
gpg --homedir keys --detach-sign libreboot_grub.cfg
gpg --homedir keys --detach-sign my.grubtest.cfg

Of course, some further modifications to my.grubtest.cfg will be required; sign it again after editing, since the detached signature covers the file's exact contents. We need to trust the key and enable signature enforcement (put this before the menu entries):

trust (cbfsdisk)/boot.key
set check_signatures=enforce

What remains now is to include the modifications into the libreboot image (ROM):

cbfstool my.rom add -n boot.key -f boot.key -t raw
cbfstool my.rom add -n grubtest.cfg -f my.grubtest.cfg -t raw
cbfstool my.rom add -n grubtest.cfg.sig -f my.grubtest.cfg.sig -t raw

Now, flash it. If it works, copy it over to grub.cfg in CBFS.
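The key-export and signing steps above, wrapped in a small script as an added example (not code from the Libreboot docs): it refuses to ship an ASCII armored boot.key, which GRUB's trust command cannot read, and verifies every detached signature against that exported key before anything goes into CBFS. The keys directory name and the GPG_HOME variable are assumptions matching the gpg --homedir used earlier.

```shell
#!/bin/sh
# Added example, not part of the Libreboot documentation.
# Assumes the GPG home directory created with: mkdir --mode 0700 keys
set -eu

GPG_HOME="${GPG_HOME:-keys}"

# Return 0 if the file is an ASCII armored key. GRUB only reads binary
# keys; an armored one makes `trust` fail with "error: bad signature".
is_armored_key() {
    head -n 1 "$1" | grep -q -- '-----BEGIN PGP'
}

# Export the public key in binary form and refuse to continue if it is armored.
export_boot_key() {
    gpg --homedir "$GPG_HOME" --export > "$1"
    if is_armored_key "$1"; then
        echo "refusing: $1 is ASCII armored; GRUB would reject it" >&2
        return 1
    fi
}

# Detach-sign each file, then verify the .sig against the exported key so a
# stale signature (e.g. grubtest.cfg edited after signing) is caught before
# the ROM is flashed. gpgv accepts the binary export as a keyring.
sign_and_verify() {
    key="$1"; shift
    for f in "$@"; do
        gpg --homedir "$GPG_HOME" --batch --yes --detach-sign "$f"
        gpgv --keyring "$key" "$f.sig" "$f"
    done
}
```

Run it after the last edit to my.grubtest.cfg, for example: export_boot_key boot.key && sign_and_verify boot.key my.kernel my.initramfs libreboot_grub.cfg my.grubtest.cfg.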