Once again, this is a brilliant series, Sameer! The demo made the concepts so much clearer!
Thank you.
Thank you; very generous of you to illustrate Signature Verification for Linux Software. Keep up the good work!!! 👍
very helpful but the video volume was too low
Will try better next time :)
Amazing tutorial Sameer!!! I am new in Linux and accidentally deleted all my PK, KEK and even cannot restore the DB defaults. This gives a great information. Please create a tutorial in creating keys for Linux (using StarLab Top MKIII).
I don't know if it's worth replying so late... please check my other video for that, at:
ruclips.net/video/Q35FGQsyDZI/видео.html
Excellent Stuff Sameer. Thank you for making this video. You made it so easy to understand this complex subject.
kudos on the great video presentation.
Excellent Sameer!! Very informative session.
Glad you liked it
Clear concise and to the point explanation. 👍🏻
Sameer, you're breaking the car LOL!
Thank you for your efforts, excellent content 😊
thank you for the detailed explanation and the demo!
Great explanation, it’s helpful. Tysm
Great series.
Good explanation and demonstration
Glad you liked it
You got one more subscriber.
Great stuff, really understandable. 😀.
Good video and great easy demo
Very nice and clear video
very detailed video. Could you also share information if we can ship certificate in custom OS so that secure boot works out of the box like for any OS like RHEL, Debian etc.
Great presentation, thanks for posting it. It would help if you posted such secure boot videos for NXP's i.MX6 or i.MX8 processors. NXP has a signing tool called Code Signing Tool, which is an automated process for signing the images.
I've tried to use a general-purpose OS and firmware. Getting things to run on specific hardware will need some effort :).
Fantastic presentation. Thank you very much..
Great video. Thanks. In your demo, you used functionality provided by UEFI to verify the OS image. Does this mean you already trust UEFI? Can we use an emulated TPM chip or Intel Boot Guard technology to verify UEFI in a QEMU environment?
This is just an example. In reality, you don't trust UEFI. Even UEFI signatures should be verified prior to firmware launch. Using a TPM to verify QEMU is an interesting one. I haven't tried that though.
Thanks for the reply. very helpful.
This is wonderful!!! Thanks.
Well explained!
And where are you uploading these keys, or going into the EFI shell?... Is it your machine's BIOS setup? ... I wonder if my laptop has that. 😂 ... I mean I didn't explore that much... seen something about the keys... but not that EFI shell option, I guess. Sure will be checking on the next boot of my system. 😀
Good demo of using UEFI to verify the kernel, but should UEFI verify GRUB first, then GRUB verifies the kernel?
very helpful ...
I greatly enjoyed this video. If you could make one for installing Arch Linux, that would help a lot of people. Arch does not automate the process of signing and installing keys.
Thank you.
I haven't explored Arch Linux for a demo.
@@sameerpasha3910 Any specific process that gets Manjaro installed on a Secure Boot system without having to keep Secure Boot disabled would command a lot of attention.
Does anyone know if there is a way to automate Secure Boot in Linux? It is quite a pain if you have to go through the manual steps on hundreds of machines in an enterprise environment.
What about if you try to load a signed kernel when Secure Boot is disabled? Does it boot? The reason I am asking is that I am trying to load a kernel module for troubleshooting purposes, so I am wondering if disabling Secure Boot in the BIOS will be enough to load my kernel module despite having a signed kernel.
Interesting question.
The kernel is a PE/COFF file, and when signed by sbsign, the signatures get inserted at particular locations in the file.
At execution time, if there is no "verifier" to look at those signatures, there shouldn't be any problem and the execution should happen seamlessly.
While I have not tried it, at least theoretically, a non-secure-boot system should be able to load a signed binary.
Let me know if you find it otherwise.
That's great indeed :) thanks
Glad to hear that. Welcome!
Your diagram showed GRUB/bootloader, but I didn't see this in your demo. Does signing the bootloader use the same tools (sbsign) that you use to sign the kernel?
I have not shown GRUB/bootloader etc. Those would make the presentation more complicated.
GRUB is usually in PE/COFF format, and can be signed using sbsign.
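To make the two replies above concrete (a signed bzImage and a signed grub2.efi are ordinary PE/COFF files, and the signature only matters when something looks for it), here is an added example, not code from the video or from sbsigntool, that locates the Authenticode certificate table in a PE image and computes the digest a verifier such as UEFI or sbverify checks. The image it parses is a constructed minimal PE32+ stub, not a real kernel, and the "signature" bytes are a placeholder rather than a real PKCS#7 blob. The hashing steps (skip CheckSum, skip the security data-directory entry, skip the certificate table itself, hash sections in PointerToRawData order) follow the published Authenticode procedure, and the code assumes the certificate table sits at the end of the file, which is where sbsign appends it.

```python
"""Find the Authenticode signature in a PE/COFF image (bzImage, grub2.efi)
and compute the digest a Secure Boot verifier checks.
Added example; not code from the video or from sbsigntool."""
import hashlib
import struct

PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot of the cert table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _layout(pe):
    """Return the file offsets the Authenticode hash must skip or walk."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    # CheckSum is at opt+64 in both PE32 and PE32+; the data-directory
    # table starts at a different offset in each.
    dd_base = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    ndirs = struct.unpack_from("<I", pe, dd_base - 4)[0]
    sec_dir_off = dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = (struct.unpack_from("<II", pe, sec_dir_off)
                           if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0))
    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt + 64, "sec_dir_off": sec_dir_off,
            "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0],
            "cert_off": cert_off, "cert_size": cert_size, "sections": sections}


def find_certificates(pe):
    """Return (revision, type, blob) for each WIN_CERTIFICATE entry sbsign
    appended; an empty list means the image carries no signature at all."""
    lay = _layout(pe)
    certs, pos, end = [], lay["cert_off"], lay["cert_off"] + lay["cert_size"]
    while lay["cert_size"] and pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        certs.append((rev, ctype, pe[pos + 8:pos + length]))
        pos += (length + 7) & ~7          # entries are 8-byte aligned
    return certs


def authenticode_digest(pe, algo="sha256"):
    """Hash the image exactly as a verifier does: everything except the
    CheckSum field, the security directory entry and the cert table."""
    lay = _layout(pe)
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum_off"]])
    h.update(pe[lay["checksum_off"] + 4:lay["sec_dir_off"]])
    h.update(pe[lay["sec_dir_off"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for ptr, size in sorted(lay["sections"]):   # PointerToRawData order
        h.update(pe[ptr:ptr + size])
        hashed += size
    trailing = len(pe) - hashed - lay["cert_size"]  # cert table assumed last
    if trailing > 0:
        h.update(pe[hashed:hashed + trailing])
    return h.hexdigest()


def build_image(section_payload, signature=b""):
    """Construct a tiny PE32+ stub (sample input, not a real kernel). The
    optional `signature` is placeholder bytes standing in for PKCS#7."""
    opt_size, size_of_headers = 240, 512          # PE32+ with 16 data dirs
    sec_ptr = size_of_headers
    sec_size = (len(section_payload) + 511) & ~511
    cert = b""
    if signature:
        body = struct.pack("<IHH", 8 + len(signature), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        cert = body + b"\0" * ((-len(body)) % 8)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)             # CheckSum, not hashed
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     sec_ptr + sec_size if cert else 0, len(cert))
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sec_size, 0x1000, sec_size,
                                         sec_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + coff + bytes(opt) + sect).ljust(size_of_headers, b"\0")
    return hdr + section_payload.ljust(sec_size, b"\0") + cert


if __name__ == "__main__":
    fake_sig = b"\x30\x82\x00\x10" + b"A" * 16     # placeholder, not real PKCS#7
    signed, unsigned = build_image(b"kernel code", fake_sig), build_image(b"kernel code")
    print("signed entries:", find_certificates(signed))
    print("same digest:", authenticode_digest(signed) == authenticode_digest(unsigned))
```

Because the certificate table and its directory entry are excluded from the hash, signing an image does not change its Authenticode digest, which is exactly why the same signed bzImage boots with Secure Boot disabled: the loader simply never consults the table. A verifier does the reverse of `find_certificates`, pulls the PKCS#7 blob out, and checks that the signed digest inside it matches `authenticode_digest` and that the signer chains to a certificate in db.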
How can I use the same concept to bind and verify the chain of trust from one stage to another stage as shown in your block diagram? With UEFI verifying the Grub2 bootloader and then Grub2 verifying the kernel image?
I'm sorry, I didn't understand your question.
My question is to achieve the following task:
Step 1: UEFI verifies signed Grub2 (UEFI verify -> signed Grub2)
Step 2: Grub2 verifies the signed Linux kernel and applications as shown in the block diagram (Grub2 verify -> signed Linux kernel and other signed applications)
However, in the tutorial UEFI directly verifies the signed Linux kernel, as you described.
@@chiragjethava1186 That's for demo purposes. From the EFI shell, you can browse and look for grub2 in your filesystem... and "execute" grub2.efi from the EFI shell itself. This will launch grub2 (after verifying the signature, if you've enabled Secure Boot).
OK, thanks for replying.
Helpful... How to get your previous videos?
Hi Sameer, the video links which you mentioned for "Use generated key to sign kernel" and "Generate RSA2048 key with X509 cert" are not valid. Please provide the correct video links. Thank you.
I was referring to my previous videos here:
ruclips.net/video/Q35FGQsyDZI/видео.html
ruclips.net/video/vhOXJYyyejE/видео.html
ruclips.net/video/_O9e1dCG6Sk/видео.html
Now Ubuntu supports secure boot by default.
Is there any tool to automate adding keys in UEFI firmware?
No volume?
Hi,
I've been trying find a legitimate way to boot into a Linux+Windows dual boot system.
I also want to avoid any hackey way of manually signing things from UEFI.
Is it possible to come up with a script that will use OpenSSL and sign things and update UEFI variables
Should be doable, but will need focussed effort :)
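The two questions above about automating key enrollment come down to producing the byte format UEFI stores in the PK/KEK/db/dbx variables. Here is an added example, not code from the video or from efitools, that builds and parses EFI_SIGNATURE_LIST blobs from the UEFI specification. The certificate bytes and owner GUID in it are constructed placeholders, not a real DER certificate or a vendor GUID; the two signature-type GUIDs are the real EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID values.

```python
"""Build and parse EFI_SIGNATURE_LIST blobs, the format UEFI keeps in the
db/dbx/KEK/PK variables. Added example; not the efitools source."""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_HEADER = struct.Struct("<16sIII")

# Constructed placeholders: not a real DER certificate, not a vendor GUID.
FAKE_CERT = b"\x30\x82\x01\x00" + b"\xAA" * 20
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")


def build_esl(sig_type, owner, signatures):
    """Pack one EFI_SIGNATURE_LIST. Every EFI_SIGNATURE_DATA entry in a list
    must have the same size, so an X.509 list holds exactly one certificate
    while a SHA-256 list may hold many image hashes."""
    sizes = {len(s) for s in signatures}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must have equal length")
    sig_size = 16 + sizes.pop()          # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + s for s in signatures)
    return _HEADER.pack(sig_type.bytes_le, _HEADER.size + len(body), 0, sig_size) + body


def parse_esl(blob):
    """Walk a concatenation of EFI_SIGNATURE_LISTs (what efivarfs returns for
    db) and return (sig_type, owner, data) tuples, validating every size
    field so a malformed variable is rejected instead of misread."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + _HEADER.size > len(blob):
            raise ValueError("truncated list header")
        raw_type, list_size, hdr_size, sig_size = _HEADER.unpack_from(blob, pos)
        if list_size < _HEADER.size + hdr_size or pos + list_size > len(blob):
            raise ValueError("list size out of range")
        if sig_size < 16 or (list_size - _HEADER.size - hdr_size) % sig_size:
            raise ValueError("signature size does not tile the list")
        sig_type = uuid.UUID(bytes_le=raw_type)
        cur, end = pos + _HEADER.size + hdr_size, pos + list_size
        while cur < end:
            owner = uuid.UUID(bytes_le=blob[cur:cur + 16])
            out.append((sig_type, owner, blob[cur + 16:cur + sig_size]))
            cur += sig_size
        pos = end
    return out


def is_valid_esl(blob):
    """True if the blob parses as a well-formed chain of signature lists."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def example_db():
    """A db payload: one certificate list plus one list of two image hashes
    (the hashes are over constructed strings, not real kernels)."""
    h1 = hashlib.sha256(b"constructed image 1").digest()
    h2 = hashlib.sha256(b"constructed image 2").digest()
    return (build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
            + build_esl(EFI_CERT_SHA256_GUID, OWNER, [h1, h2]))


if __name__ == "__main__":
    for sig_type, owner, data in parse_esl(example_db()):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(kind, owner, data.hex()[:32])
```

In the efitools workflow, `cert-to-efi-sig-list -g <owner-guid> db.crt db.esl` produces exactly this structure from a certificate, and while the firmware is in setup mode (no PK enrolled) `efi-updatevar -e -f db.esl db` can write it directly. Once a PK is set, each update must instead be wrapped in an EFI_VARIABLE_AUTHENTICATION_2 descriptor (a timestamp plus a PKCS#7 signature made with a key whose certificate is already in KEK, or in PK for KEK updates), which `sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth` produces and `efi-updatevar -f db.auth db` writes. Automating enrollment across a fleet therefore means generating the .auth files once on a signing host and shipping only those, never the private keys.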
Do we need to build a kernel first and then sign our kernel?
Yes, of course. Or you could sign a pre-built kernel.
Hi, I need one help: I want information about how you install QEMU.
I hope www.qemu.org/download/
should help.
Anybody know how to download that TianoCore UEFI firmware shown in the video? The link he showed in the video does not have any source code.
git clone github.com/tianocore/edk2.git I tried this just now, it works.
So is there any setup we have to follow? I followed the steps shown there but couldn't figure out how to generate the UEFI binary file.
@@chiragjethava1186 - Clone and build OVMF:
git clone github.com/tianocore/edk2.git
cd edk2
Enable secure boot here:
./OvmfPkg/OvmfPkgX64.dsc
Add this line to Conf/tools_def.txt
-DSECURE_BOOT_ENABLE=TRUE -DDEBUG_ON_SERIAL_PORT=TRUE
Make base tools:
make -C BaseTools
Install openssl if it's not there, then
nice OvmfPkg/build.sh -a X64 -n $(getconf _NPROCESSORS_ONLN)
If successful, you should get the firmware at:
Build/OvmfX64/DEBUG_GCC4?/FV/OVMF.fd
Audio is KEY for videos. Buy a better mic and do post processing. Seriously, the volume is basically non-existent.
Will take care of that in the future!
Really, it is very helpful, but I have doubts.
Let me know. I'll see if I can help.
Can you please explain how to create the bzImage_Unsigned.bin and bzImage_Signed.bin files
and the initrd.imz files?
Those are Linux kernel files/images. When you build a Linux image, you will find bzImage as part of the build.
Can we deploy one PC's signed kernel on another PC?
Yes, you can. What is important is that the (private) key used to sign and the (public) key used to verify should be from the same pair, i.e. when you generate a key pair, you get a private key + a public key. The same key pair should be used for signing/verification. It doesn't matter where or who signs the binary. The signing key is what is important.
Thanks for the reply...
As you have used QEMU in this video, can you please share a video or link for a generic Ubuntu 16.04 kernel...
Not sure if I got your question correctly.
This was demonstrated on Ubuntu. Here is the log:
uname -a
Linux ubuntu 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
And
qemu-system-x86_64 --version
QEMU emulator version 2.0.0 (Debian 2.0.0+dfsg-2ubuntu1.28), Copyright (c) 2003-2008 Fabrice Bellard
Thank you for your immediate response. I mean I need to sign a generic Ubuntu 16.04 ISO image on a real system, not in a virtual system. How can it be done? I hope I have conveyed the question correctly :)
Real or virtual, it doesn't matter. You simply sign and verify; it doesn't matter where.
In case you want to sign the whole ISO, you can use method (4) from:
ruclips.net/video/_O9e1dCG6Sk/видео.html&t=
Alternatively, you can unpack the ISO and sign individual files inside the ISO. Many open source tools (some mentioned in my video) can be used to sign the contents of the ISO. Once signed, you obviously need to re-pack the files/contents back into the ISO appropriately.
Hi, in your mentioned link for signing the whole ISO, the method used is a detached signature. But when flashing the ISO image to USB, how can I add the detached signature, since it is a different file?
And for the alternative method, after unpacking the ISO do I need to sign all files, or only some specific files?
A detached signature obviously needs additional logic (in the verification code) to find the detached signature and verify it. After unpacking the ISO, you at least want to sign the kernel, bootloader and initrd.
Your audio is not loud enough. Need to be twice as loud. Double.
Noted.
The sound is too low..
No proper sound.