https://blog.bofh.it/debian/id_465

Md at debian.org

tales of a debian maintainer

Wed, 15 Feb 2023

I replaced grub with systemd-boot

To be able to investigate and work on the the measured boot features
I have switched from grub to systemd-boot (sd-boot).

This initial step is optional, but it is useful because this way /etc
/kernel/cmdline will become the new place where the kernel command
line can be configured:

. /etc/default/grub
echo "root=/dev/mapper/root $GRUB_CMDLINE_LINUX $GRUB_CMDLINE_LINUX_DEFAULT" > /etc/kernel/cmdline

Do not forget to set the correct root file system there, because
initramfs-tools does not support discovering it at boot time using
the Discoverable Partitions Specification.

The installation has not been automated yet out of an abundance of
caution (but we will work on it soon), so after installing the
package I had to run bootctl to install sd-boot in the ESP and enable
it in the UEFI boot sequence and then I created boot loader entries
for the kernels already installed on the system:

apt install systemd-boot

bootctl install
for kernel in /boot/vmlinuz-*; do
  kernel-install add "${kernel#*/vmlinuz-}" "$kernel"
done

I like to show the boot menu by default, at least until I will be
more familiar with sd-boot:

bootctl set-timeout 4

Since other UEFI binaries can be easily chainloaded, I am also going
to keep around grub for a while, just to be sure:

cat <<END > /boot/efi/loader/entries/grub.conf
title Grub
linux /EFI/debian/grubx64.efi
END

At this point sd-boot works, but I still had to enable secure boot.
So far sd-boot has not been signed with a Debian key known to the
shim bootloader, so I needed to create a Machine Owner Key (MOK),
enroll it in UEFI and then use it to sign everything.

I dislike the complexity of mokutil and the other related programs,
so after removing it and the boot shim I have decided to use sbctl
instead. With it I easily created new keys, enrolled them in the EFI
key store and then signed everything:

sbctl create-keys
sbctl enroll-keys
for file in /boot/efi/*/*/linux /boot/efi/EFI/*/*.efi; do
  ./sbctl sign -s $file
done

Since there is no sbctl package yet I need to make sure that also the
kernels installed in the future will be automatically signed, so I
have created a trivial script in /etc/kernel/install.d/ which
automatically runs sbctl sign -s or sbctl remove-file.

The Debian wiki SecureBoot page documents how do do this with mokutil
and sbsigntool, but I think that sbctl is much friendlier.

As a bonus, I have also added to the boot menu the excellent
Debian-based GRML live distribution. Since sd-boot is not capable of
loopback-mounting CD-ROM images like grub, I first had to extract the
kernel and initramfs and copied them to the ESP:

mount -o loop /boot/grml/grml64-full_2022.11.iso /mnt/
mkdir /boot/efi/grml/
cp /mnt/boot/grml64full/* /boot/efi/grml/
umount /mnt/

cat <<END > /boot/efi/loader/entries/grml.conf
title GRML
linux /grml/vmlinuz
initrd /grml/initrd.img
options boot=live bootid=grml64full202211 findiso=/grml/grml64-full_2022.11.iso live-media-path=/live/grml64-full net.ifnames=0
END

As expected, after a reboot bootctl reports the new security
features:

System:
      Firmware: UEFI 2.70 (Lenovo 0.4496)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 252.5-2
     Features:  Boot counting
                Menu timeout control
                One-shot menu timeout control
                Default entry control
                One-shot entry control
                Support for XBOOTLDR partition
                Support for passing random seed to OS
                Load drop-in drivers
                Support Type #1 sort-key field
                Support @saved pseudo-entry
                Support Type #1 devicetree field
                Boot loader sets ESP information
          ESP: /dev/disk/by-partuuid/1b767f8e-70fa-5a48-b444-cfe5c272d66e
         File: +-/EFI/systemd/systemd-bootx64.efi

...

Relevant documentation:

  * systemd-boot(7)
  * systemd-cryptenroll(1)
  * sbctl
  * Boot Loader Specification
  * Unified Kernel Image (UKI)

Posted at 14:45:42 CET | # | Comment this post

About

This is the blog of Marco d'Itri.

S  M  T  W  T  F  S
      1  2  3  4  5
6  7  8  9  10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28              

See also:

  * https://www.linux.it/~md/
  * https://people.debian.org/~md/
  * Me on Mastodon
  * Me on Github
  * Me on Twitter
  * Me on LinkedIn
  * My Amazon wish list

My blogroll:

  * Persone
      + ipazia
      + rosalucsemblog
      + Candide
      + equilibrio dinamico
      + In minoranza
      + Ultimo viene il nome
      + The Night Manager
      + L'orologiaio miope
      + L'edipeo enciclopedico
      + Notiziole di .mau.
      + We think too much, and feel too little
      + Boldly Open
  * Technology
      + John R. Levine
      + A Few Thoughts on Cryptographic Engineering
      + Cryptography Dispatches
      + Stories by Aliaksandr Valialkin
      + Stories by Jon Masters
      + Computer Architecture - Thoughts from Jon Masters
      + pagetable.com
      + SemiAccurate
      + Ken Shirriff's blog
  * Culture
      + Charlie's Diary
      + BusinessTown
  * Electronics
      + Dangerous Prototypes
      + Hack a Day
  * Networking
      + RIPE Labs
      + Dyn Research
      + ReissBlog
      + NETWORK FUN-TIMES
      + Namex Bits
      + DNS Reactions
      + Honest Networker
      + IETF Memes
      + Osservatorio Censura
  * Stuff
      + Boing Boing
      + LiarTownUSA
  * Comics
      + xkcd.com
      + The Perry Bible Fellowship
      + Saturday Morning Breakfast Cereal
      + Oglaf!
      + Abstruse Goose
      + AmazingSuperPowers
      + System32Comics
      + SPACE AVALANCHE
      + Mike Organisciak
      + Jeroom
      + Wumo.com
      + Scarfolk Council

 XML   ATOM 
W3C HTML 4.01
W3C CSS 2.0     

Powered by Bryar.pm.