> On Oct 21, 2017, at 5:51 AM, Didier Kryn <k...@in2p3.fr> wrote:
>
> On 21/10/2017 at 09:58, Arnt Gulbrandsen wrote:
>> John Franklin writes:
>>> That’s not an apology. Would you like to try again?
>>
>> I'm not Steve, but the occasion fits:
>>
>> Tobias, until I read your posting a couple of days ago I did not realise
>> that UEFI/Secure Boot can be configured such that ONLY my kernels can be
>> booted, not even fresh install media from the vendor. Thank you very much.
>
> Me neither. Who, in fact? There seems to be a lack of information on that
> matter. Does anybody have some link to point us?

A generic guide to Secureboot and updating Secureboot keys in your uEFI firmware:

https://www.rodsbooks.com/efi-bootloaders/secureboot.html
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html

Ubuntu’s guide to signing things for Secureboot:

https://insights.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot/

Red Hat’s guide to signing kernels, kernel modules and installing MOKs in your uEFI firmware:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-signing-kernel-modules-for-secure-boot

OpenSUSE’s version:

https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.uefi.html

Between those four, you should be able to get a pretty good idea of how Secureboot works and how to get shim to boot your own signed kernels, even your own Devuan kernels.

And finally, writing your own .efi binary, which requires linking a C program against a vast tree of dependencies a specific crt0 and static library:

https://www.rodsbooks.com/efi-programming/hello.html

jf

--
John Franklin
frank...@tux.org

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng