Fedora and Secure Boot Signing
A lot of work has recently been going on in terms of Secure Boot support on Fedora. Recently we’ve set up builders with a special configuration for signing appropriate packages, provisioned keys onto hardware cryptographic devices to keep them safe in the event of an intrusion, and started building packages with our production signing keys.
The next step will be to have
shim signed by the UEFI signing
service. But there’s still much that can be done before we cross that
threshold, and we could use help from those that have appropriate
hardware to test with. Today, Fedora-signed packages for
grub2 have been built, and they’ve got updates filed in Bodhi for
Fedora 18: here for shim and here for grub2. Sometime soon - most likely
tomorrow - we’ll build a kernel that will be signed by the production
keys as well. You can tell if it’s a signed kernel by viewing the build
log. Look for this:
- ’[’ -x /usr/bin/pesign -a x86_64 == x86_64 ‘]’
- ’[’ -e /var/run/pesign/socket ‘]’
- /usr/bin/pesign-client -t ‘OpenSC Card (Fedora Signer)’ -c ‘/CN=Fedora Secure Boot Signer’ -i gcdx64.efi.orig -o gcdx64.efi -s
If the “-t” argument to pesign-client says “OpenSC Card (Fedora Signer)”, then it’s the correct build. I’ll post an update here with the relevant kernel build as well.
Once that happens, those of you who already have Fedora 18 test composes installed using UEFI on hardware that supports secure boot can help test.
The test procedure
First, ensure that your machine is in “setup” mode - that is, Secure Boot is disabled, and no keys are enrolled. Once you’ve done that, install the updated shim, grub2, and kernel packages, and then it’s time to install some new keys. Download this utility into /boot/efi/EFI/fedora/ . Now you’ll need to run this utility from your UEFI firmware. Unfortunately how to do that will vary across many systems, so you’re on your own figuring that out. Once you’ve run it, reboot the machine one more time so that the settings are live.
Now the machine should be booting in Secure Boot mode signed with the Fedora keys.