Linux Mint (but also Ubuntu) - How to enable UEFI Secure Boot with your own
Custom keys on PC with UEFI & HDD with GPT
Author: Naldi Stefano (linux22 at Mint Forum)
First release: April 2017
Version 1.4
Last update: 11 August 2020
_____________________________________
This tutorial replaces my old one at https://community.linuxmint.com/tutorial/view/2360 because it is malfunctioning and no longer updatable.
_____________________________________
Other tutorials concerning Linux Mint with Full Disk Encryption, directory /boot included:
GNU Free Documentation License
GNU GENERAL PUBLIC LICENSE
Disclaimer and acknowledgments
Useful links
How to enable UEFI Secure Boot with your own Custom keys
Step 1 - How to enable PC UEFI Secure Boot and put Secure Boot in Standard Mode
Step 2 - How to install Linux Mint FDE
Step 3 - How to enable PC UEFI Secure Boot, put Secure Boot in Custom Mode and Clear Secure Boot Data
Step 4 - How to create, enroll and activate your Secure Boot own Custom keys in your PC UEFI platform
Step 5 - How to sign and verify your booting files grubx64.efi and Bootx64.efi
Step 6 - Restart your PC UEFI with Secure Boot enabled in Custom Mode
Appendix A - How to set up your Custom keys and Microsoft keys together
Method 1 - Using the original Microsoft UEFI Secure Boot certificates of your PC UEFI platform
Method 2 - Using the original Microsoft UEFI Secure Boot certificates, downloaded from Microsoft repositories
Appendix B - How to run VirtualBox with Secure Boot enabled signing its modules with your own Custom keys
GNU Free Documentation License
Version 1.3, 3 November 2008
Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader
Copyright (C) 2019 2020 2021 Naldi Stefano.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
You should have received a copy of the "GNU Free Documentation License" along with this document.
If not, see <https://www.gnu.org/licenses/fdl.html>.
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Linux Mint with Full Disk Encryption, directory /boot included - PC with firmware UEFI & HDD with GPT partitioning scheme - Booting with EFI STUB loader
Copyright (C) 2019 2020 2021 Naldi Stefano
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the "GNU General Public License" along with this program.
If not, see <https://www.gnu.org/licenses/gpl.html>.
Disclaimer and acknowledgments
I wrote this guide/tutorial with the hope that it will be useful for everyone who needs a Linux installation with UEFI Secure Boot enabled. The solution reported here is EXPERIMENTAL and requires good experience with Linux and its installation. At the moment I have successfully tested this solution with Linux Mint 18.X, 19.X and 20.X (Cinnamon and Mate) and Ubuntu from 18.04.X to 20.04.X, all 64-bit versions.
This guide/tutorial comes with ABSOLUTELY NO WARRANTY.
This tutorial is devoted to a real and hard problem: dealing with UEFI Secure Boot while running a non-Windows operating system. Almost every computer sold today has UEFI and Secure Boot capability, but its default configuration is made for Windows operating systems such as 8.1 and 10.
Here I expose my solution for enabling UEFI Secure Boot on a computer running Linux Mint, also with Full Disk Encryption. This solution provides a full set of Custom Keys (PK, KEK and db) generated by the user (the commands are extracted from the 'cryptboot' package, developed by Michal Krenek 'Mikos' at https://github.com/xmikos/cryptboot). With this configuration you gain full control of your computer, but you will be unable to install a Windows o.s. like 8.1 or 10 while Secure Boot is enabled, unless you decide to reinstall the Microsoft keys (in this case see Appendix A).
My first advice, if you want to install this solution, is that you MUST be familiar with UEFI configuration and with Secure Boot behaviour. My second advice, before attempting to try and install this solution, is that you become familiar with your PC UEFI firmware Secure Boot configuration parameters and learn how to set them correctly and, if needed, how to restore the original standard keys (usually there is a specific command that restores Secure Boot to Standard Mode).
I want to thank Michal Krenek (Mikos) for his 'cryptboot' software package (https://github.com/xmikos/cryptboot). In a few pages he has condensed all we need to BUILD and RUN a working UEFI Secure Boot Linux installation. Although this package seems to be developed for Arch Linux, we can find within it the right commands and advice for almost every Linux distribution.
As I always state, it is better to try this solution with a virtual machine, but in this case the only one supporting UEFI Secure Boot emulation for Linux is QEMU/KVM. I have tested this solution with QEMU/KVM and the OVMF firmware simulating UEFI with Secure Boot enabled. At the moment it seems to work smoothly.
The solution described here requires a lot of terminal commands. If you make a mistake and run a wrong command, you can damage or erase the software structure of your PC UEFI firmware and HDD. So, if you enter the commands listed in this guide/tutorial using 'Copy' and 'Paste', take care not to alter them.
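Once your own PK, KEK and db are enrolled (or before clearing the standard keys), it is worth checking what the firmware actually holds. The following is an added example, not code from this tutorial or from cryptboot: it parses the EFI_SIGNATURE_LIST format in which PK, KEK and db entries are stored and summarises the certificates and hashes found. The owner GUID and the "certificate" bytes in the sample are constructed placeholders; the 4-byte prefix handling assumes the variable was read from a file under /sys/firmware/efi/efivars.

```python
import struct
import uuid
import hashlib

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# Constructed owner GUID standing in for the user's own key identity (placeholder).
MY_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")

def build_esl(sig_type, blobs, owner=MY_OWNER_GUID):
    """Pack one EFI_SIGNATURE_LIST holding the given blobs (all must have the same size)."""
    sig_size = 16 + len(blobs[0])                      # EFI_SIGNATURE_DATA = owner GUID + data
    body = b"".join(owner.bytes_le + b for b in blobs)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body

def parse_esl(data, from_efivars=False):
    """Walk every EFI_SIGNATURE_LIST in data and return (type, owner GUID, blob) per entry."""
    if from_efivars:
        data = data[4:]   # files under /sys/firmware/efi/efivars start with 4 attribute bytes
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("trailing bytes too short for a signature list header")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        if list_size < ESL_HEADER.size or off + list_size > len(data):
            raise ValueError("truncated or corrupt signature list at offset %d" % off)
        name = SIG_TYPE_NAMES.get(uuid.UUID(bytes_le=type_raw), "unknown")
        pos, end = off + ESL_HEADER.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((name, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def enrolled_summary(data, from_efivars=False):
    """Count enrolled entries per type, e.g. {'X509': 1, 'SHA256': 2}."""
    counts = {}
    for name, _owner, _blob in parse_esl(data, from_efivars):
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample db: one placeholder "certificate" plus SHA-256 hashes of two file names.
FAKE_DER_CERT = b"\x30\x82\x01\x00" + b"A" * 256     # not a real certificate
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, [FAKE_DER_CERT])
             + build_esl(EFI_CERT_SHA256_GUID, [hashlib.sha256(b"grubx64.efi").digest(),
                                                hashlib.sha256(b"Bootx64.efi").digest()]))
```

On a real system, read the db variable file (named db- followed by the image security database GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f) from /sys/firmware/efi/efivars and pass its bytes with from_efivars=True; the same parser applies to PK and KEK.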
Useful links
The topic for this tutorial at the Mint Forum is:
https://forums.linuxmint.com/viewtopic.php?t=198077
You can download the latest version of this tutorial in pdf format from my cloud storage at the link below:
Hello vdbhb59, I have read your message.
Please read this tutorial page more carefully.
The content of this web page is only a preamble explaining the purpose of this tutorial and the links are useful for references concerning the topic.
The real tutorial is formatted as a pdf file because the space available for this web page is limited and my full tutorial does not fit within it.
All my tutorials are organized taking into account the space available on these web pages. If the full tutorial fits entirely in the web page, OK.
Otherwise I build a web page with only the preamble and provide a link to the full tutorial in pdf format.
Anyway you can also see that this and all my web pages and all my pdf tutorials do not contain any advertising nor promotions and all my tutorials are released under GPL license.
Regards.
linux22
This place is for tutorials, but all I can see is preambles and your advertising instead of the actual content of the tutorial here. More external links. Please understand your promotion should be on your personal space, whereas people looking here would be looking for the guide in content and not more links to visit.