The Uncoöperative Organization

Programming and other human stuff.

Fedora and Secure Boot Signing

Recent work

A lot of work has recently been going on in terms of Secure Boot support on Fedora. Recently we’ve set up builders with a special configuration for signing appropriate packages, provisioned keys onto hardware cryptographic devices to keep them safe in the event of an intrusion, and started building packages with our production signing keys.

What’s next

The next step will be to have shim signed by the UEFI signing service. But there’s still much that can be done before we cross that threshold, and we could use help from those that have appropriate hardware to test with. Today, Fedora-signed packages for shim and grub2 have been built, and they’ve got updates filed in Bodhi for Fedora 18: here for shim and here for grub2. Sometime soon – most likely tomorrow – we’ll build a kernel that will be signed by the production keys as well. You can tell if it’s a signed kernel by viewing the build log. Look for this:

+ ‘[’ -x /usr/bin/pesign -a x86_64 == x86_64 ‘]’
+ ‘[’ -e /var/run/pesign/socket ‘]’
+ /usr/bin/pesign-client -t ‘OpenSC Card (Fedora Signer)’ -c
‘/CN=Fedora Secure Boot Signer’ -i gcdx64.efi.orig -o gcdx64.efi -s

If the “-t” argument to pesign-client says “OpenSC Card (Fedora Signer)”, then it’s the correct build. I’ll post an update here with the relevant kernel build as well.

Once that happens, those of you who already have Fedora 18 test composes installed using UEFI on hardware that supports secure boot can help test.

The test procedure

First, ensure that your machine is in “setup” mode – that is, Secure Boot is disabled, and no keys are enrolled. Once you’ve done that, install the updated shim, grub2, and kernel packages, and then it’s time to install some new keys. Download this utility into /boot/efi/EFI/fedora/ . Now you’ll need to run this utility from your UEFI firmware. Unfortunately how to do that will vary across many systems, so you’re on your own figuring that out. Once you’ve run it, reboot the machine one more time so that the settings are live.

Now the machine should be booting in Secure Boot mode signed with the Fedora keys.