Secure Boot

New to Secure Boot? Read the broad overview to get the lay of the land.

Here you will find a handful of how-to guides related to Secure Boot key management and signing. These guides are focused on the deployment option called custom keys. You can provision custom keys using stprov, and may update the Secure Boot key hierarchy with signed updates at runtime via your own OS package.

When Secure Boot is enabled, you need to ensure that all EFI applications that UEFI needs to run are signed by a key in db (and not revoked by an entry in dbx). Most importantly, this means you need to sign stboot.uki.

When Secure Boot is enabled, you also need to ensure that the kernel stboot kexecs into is signed. In other words, the OS package kernel needs to be signed. The steps to sign the kernel are the same as for stboot.uki.

If you use a distribution’s kernel (e.g., Debian stable), an easy deployment option is to add the distribution’s Secure Boot key to db. This avoids having to re-sign the kernel with your own Secure Boot db key. Debian’s Secure Boot key can be found in the shim package; see “Finding Debian’s Secure Boot keys” in the Debian Wiki.

When Secure Boot is enabled, kernel modules also need to be signed. This mainly matters if you use kernel modules not included in the original kernel build, for example modules developed by you or others. Kernel module signing is documented in the Linux kernel documentation.
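As an added pre-flight check, not part of these docs or of stboot, the following Python reads a PE/COFF image's Certificate Table and reports whether the image carries any Authenticode signature, so an unsigned stboot.uki or OS package kernel is caught before Secure Boot is enabled. It does not verify that the signer is actually in db (tools such as sbverify do that); the synthetic_image helper is a constructed PE32+ header for offline testing, not a real EFI binary.

```python
"""Added pre-flight check, not part of the stboot/stprov docs: report whether a PE/COFF
image (stboot.uki, a kernel) carries any Authenticode signature via its Certificate Table."""
import struct

PE32_PLUS = 0x20B
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def certificate_table(image: bytes):
    """Return (file offset, size) of the Certificate Table, or None if empty."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 24                                         # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", image, opt_off)
    # NumberOfRvaAndSizes / data-directory offsets differ for PE32 vs PE32+ (UEFI x86_64).
    n_off, dd_off = (108, 112) if magic == PE32_PLUS else (92, 96)
    (n_dirs,) = struct.unpack_from("<I", image, opt_off + n_off)
    if n_dirs <= CERT_TABLE_INDEX:
        return None
    off, size = struct.unpack_from("<II", image, opt_off + dd_off + 8 * CERT_TABLE_INDEX)
    return (off, size) if size else None      # for this directory the "RVA" is a file offset

def win_certificates(image: bytes):
    """List (revision, type, length) per WIN_CERTIFICATE entry; [] means unsigned.
    Type 0x0002 is WIN_CERT_TYPE_PKCS_SIGNED_DATA, the Authenticode PKCS#7 blob."""
    table = certificate_table(image)
    if table is None:
        return []
    off, end = table[0], table[0] + table[1]
    entries = []
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((revision, ctype, length))
        off += (length + 7) & ~7              # entries are 8-byte aligned
    return entries

def synthetic_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a real EFI binary) for offline testing."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)     # SizeOfOptionalHeader = 240
    opt = struct.pack("<H", PE32_PLUS) + bytes(106) + struct.pack("<I", 16)  # 16 data directories
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + bytes(8) if signed else b""
    dirs = bytearray(16 * 8)
    if signed:   # point directory 4 at the certificate appended after the headers
        struct.pack_into("<II", dirs, 8 * CERT_TABLE_INDEX, 0x40 + 24 + 240, len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert
```

Run `win_certificates(open("stboot.uki", "rb").read())` on a real image; an empty list means the binary will be refused by firmware with Secure Boot enabled regardless of what is in db.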

Warning: The way Secure Boot keys interact with kexec and kernel modules depends on how the Linux kernel is configured (both the stboot kernel and the kernel stboot kexecs into). Distributions often add their own out-of-tree patches on top of the mainline Linux kernel, which makes this even harder to explain concisely. The above is documented based on Debian stable.

Want to know more about the kernel and Secure Boot subtleties? Start by reading these notes.

Next pages

  1. Generate keys
  2. Sign variables
  3. Update variables
  4. Sign EFI applications

The above pages document both soft keys (i.e., private keys available in plaintext files) and keys stored on a hardware device (YubiKey 5). Choose what suits you best or adapt the guides for a different hardware device.