Hi,
As a part of what we are doing in the project - and something we want to extend to all content built + signed + delivered via the project resources - I've been working on secureboot facilities and getting the infra around it online.
After a bit of hop, step and jump ( and lots of help from Peter Jones at Red Hat ), I've got a baseline test run complete today. This compose is based on a newer-than-GA kernel, so don't stress too far about that, the release media will contain the GA kernel.
You can find the tree here : http://buildlogs.centos.org/centos/7/os/x86_64-secureboot/
The tree itself is based on the last good tree we pushed on the 18th June.
Please test secureboot widely, it's something new, it's something we are doing differently than most of the other distros out there at the moment ( but they will mostly all be doing it like this soon ).
This new process is using an EV Code Signing key, validated by Microsoft rather than the first-gen system ( where people would set up their own CA root and request validation ).
Feedback here and/or at bugs.centos.org,
thanks,
On Fri, Jun 20, 2014 at 5:44 PM, Karanbir Singh mail-lists@karan.org wrote:
Hi,
As a part of what we are doing in the project - and something we want to extend to all content built + signed + delivered via the project resources - I've been working on secureboot facilities and getting the infra around it online.
After a bit of hop, step and jump ( and lots of help from Peter Jones at Red Hat ), I've got a baseline test run complete today. This compose is based on a newer-than-GA kernel, so don't stress too far about that, the release media will contain the GA kernel.
You can find the tree here : http://buildlogs.centos.org/centos/7/os/x86_64-secureboot/
The tree itself is based on the last good tree we pushed on the 18th June.
Please test secureboot widely, it's something new, it's something we are doing differently than most of the other distros out there at the moment ( but they will mostly all be doing it like this soon ).
This new process is using an EV Code Signing key, validated by Microsoft rather than the first-gen system ( where people would set up their own CA root and request validation ).
Feedback here and/or at bugs.centos.org,
A quick report - booting from boot.iso was successful with Secure Boot enabled and the installation finished with no apparent error.
Akemi
On 06/21/2014 05:07 AM, Akemi Yagi wrote:
A quick report - booting from boot.iso was successful with Secure Boot enabled and the installation finished with no apparent error.
thanks for testing, I also assume that the installed machine booted with secureboot enabled ?
- KB
On Sat, Jun 21, 2014 at 1:18 AM, Karanbir Singh mail-lists@karan.org wrote:
On 06/21/2014 05:07 AM, Akemi Yagi wrote:
A quick report - booting from boot.iso was successful with Secure Boot enabled and the installation finished with no apparent error.
thanks for testing, I also assume that the installed machine booted with secureboot enabled ?
Yes, Secure Boot was enabled all the time. I did a minimal install and it ran just fine after reboot.
Akemi
On 06/21/2014 01:45 PM, Akemi Yagi wrote:
On Sat, Jun 21, 2014 at 1:18 AM, Karanbir Singh mail-lists@karan.org wrote:
On 06/21/2014 05:07 AM, Akemi Yagi wrote:
A quick report - booting from boot.iso was successful with Secure Boot enabled and the installation finished with no apparent error.
thanks for testing, I also assume that the installed machine booted with secureboot enabled ?
Yes, Secure Boot was enabled all the time. I did a minimal install and it ran just fine after reboot.
I will work on merging the secureboot branch into the main distro on Monday in that case.
Could do with a bit more feedback though.
21.6.2014 3:44, Karanbir Singh wrote:
Please test secureboot widely, it's something new, it's something we are doing differently than most of the other distros out there at the moment ( but they will mostly all be doing it like this soon ).
I'm currently testing this boot.iso from the secureboot directory: 362807296 Jun 21 00:59 /tmp/boot.iso
My only secure boot capable computer is a lowly Acer Aspire XC-105 desktop computer. The settings are currently set like this:
System Boot State: User
Secure Boot Mode State: Enabled
Secure Boot: [Enabled]
Secure Boot Mode: [Standard]
Default Key Provisioning: [Enabled]
When I enter the boot menu with F12 and select my USB stick, I get a nasty "Invalid signature detected. Check Secure Boot Policy in Setup". RHEL7rc1 doesn't boot with these settings either. Disabling Secure Boot lets me boot from the USB stick, and the media check passes. Please advise.
I also made test installs in UEFI mode on two non-secure boot capable systems from that media as a sanity check. The systems were a VirtualBox VM and a Dell R320. These installs worked fine, but as mentioned, without secure boot.
On Sun, Jun 22, 2014 at 2:48 PM, Anssi Johansson centos@miuku.net wrote:
I'm currently testing this boot.iso from the secureboot directory: 362807296 Jun 21 00:59 /tmp/boot.iso
When I enter the boot menu with F12 and select my USB stick, I get a nasty "Invalid signature detected. Check Secure Boot Policy in Setup". RHEL7rc1 doesn't boot with these settings either. Disabling Secure Boot lets me boot from the USB stick, and the media check passes. Please advise.
How did you write to the USB stick? By using the dd command?
Just to be sure, the boot.iso file that worked for me has this hash value:
$ sha256sum boot.iso
4860e0deb8d8b6b02ce644bae208fc6973d94155beaa0885b8f865303d730067 boot.iso
Akemi
23.6.2014 1:01, Akemi Yagi wrote:
On Sun, Jun 22, 2014 at 2:48 PM, Anssi Johansson centos@miuku.net wrote:
I'm currently testing this boot.iso from the secureboot directory: 362807296 Jun 21 00:59 /tmp/boot.iso
When I enter the boot menu with F12 and select my USB stick, I get a nasty "Invalid signature detected. Check Secure Boot Policy in Setup". RHEL7rc1 doesn't boot with these settings either. Disabling Secure Boot lets me boot from the USB stick, and the media check passes. Please advise.
How did you write to the USB stick? By using the dd command?
Just to be sure, the boot.iso file that worked for me has this hash value:
$ sha256sum boot.iso
4860e0deb8d8b6b02ce644bae208fc6973d94155beaa0885b8f865303d730067 boot.iso
Yes, that's what I have, and I indeed dd'ed it to the USB stick.
I now changed the Secure Boot Mode from Standard to Custom, and changed Default Key Provisioning from Enabled to Disabled. That gave me an option to Clear Secure Boot keys, which I did.
A consequence of that was that the System Boot State changed from User to Setup, and Secure Boot Mode State changed to Disabled. Secure Boot was still left Enabled.
THIS setting allowed me to boot from the USB sticks (C7 secureboot and RHEL7rc1). Perhaps this is actually the way it's supposed to work.
I have now successfully installed C7 on that system with Secure Boot enabled, and the system boots afterwards with Secure Boot still enabled.
Apologies for the noise, but perhaps this info is useful for someone who stumbles on this same problem.
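Added example, not part of the original thread: firmware setup screens label these states differently per vendor, so one way to confirm from the installed system whether the firmware is in Setup or User mode and whether signature enforcement is active is to read the UEFI `SetupMode` and `SecureBoot` variables through efivarfs. The function names and the state strings are made up for this example; the default path assumes efivarfs is mounted at `/sys/firmware/efi/efivars`.

```shell
#!/bin/sh
# Added example: report the effective Secure Boot state from efivarfs.
# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE).
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the 1-byte value of a global UEFI variable as a decimal number.
# An efivarfs file holds 4 bytes of attributes followed by the data,
# so the value sits at offset 4. Prints "missing" if the file is absent.
efi_byte() {
    dir=$1; name=$2
    f="$dir/$name-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo missing; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Classify the platform state (state strings are hypothetical labels):
#   SetupMode=1              no Platform Key enrolled, nothing is enforced
#   SetupMode=0 SecureBoot=1 keys enrolled and signatures are verified
#   SetupMode=0 SecureBoot=0 keys enrolled but verification switched off
secureboot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo "no-uefi"; return 0; }
    sb=$(efi_byte "$dir" SecureBoot)
    sm=$(efi_byte "$dir" SetupMode)
    case "$sm:$sb" in
        1:*) echo "setup-mode-not-enforcing" ;;
        0:1) echo "user-mode-enforcing" ;;
        0:0) echo "user-mode-disabled" ;;
        *)   echo "unknown" ;;
    esac
}

# Stand-alone use: pass an alternate directory, or nothing for the default.
secureboot_state "$@"
```

A result of `setup-mode-not-enforcing` means the firmware will load unsigned boot media regardless of what the Secure Boot toggle in the setup screen shows.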
On 06/23/2014 02:04 AM, Anssi Johansson wrote:
[...]
I now changed the Secure Boot Mode from Standard to Custom, and changed Default Key Provisioning from Enabled to Disabled. That gave me an option to Clear Secure Boot keys, which I did.
A consequence of that was that the System Boot State changed from User to Setup, and Secure Boot Mode State changed to Disabled. Secure Boot was still left Enabled.
THIS setting allowed me to boot from the USB sticks (C7 secureboot and RHEL7rc1). Perhaps this is actually the way it's supposed to work.
I have now successfully installed C7 on that system with Secure Boot enabled, and the system boots afterwards with Secure Boot still enabled.
Apologies for the noise, but perhaps this info is useful for someone who stumbles on this same problem.
If this is the intended behaviour, I suggest to write it down in the ReleaseNotes and/or C7 FAQ.
On 06/22/2014 06:10 PM, Manuel Wolfshant wrote:
On 06/23/2014 02:04 AM, Anssi Johansson wrote:
I have now successfully installed C7 on that system with Secure Boot enabled, and the system boots afterwards with Secure Boot still enabled.
Apologies for the noise, but perhaps this info is useful for someone who stumbles on this same problem.
If this is the intended behaviour, I suggest to write it down in the ReleaseNotes and/or C7 FAQ.
I might even go so far as to recommend setting up a SecureBoot wiki page to detail various options with vendor or hardware based caveats based on this as well. That's going to be painful for someone new to Linux.
On 06/21/2014 01:44 AM, Karanbir Singh wrote:
As a part of what we are doing in the project - and something we want to extend to all content built + signed + delivered via the project resources - I've been working on secureboot facilities and getting the infra around it online.
My High Availability strategy around the secureboot infra just took a hit, while it should have worked, the failover signing mechanism does not produce a close enough match for the shim to do its thing.
Pondering alternatives, am not happy with a SPOF for something of this nature.