.. _secure_boot:

###########
Secure Boot
###########

Initial UEFI secure boot support is available (:vytask:`T861`). We utilize
``shim`` from Debian 12 (Bookworm), which is properly signed by the UEFI
SecureBoot key from Microsoft.

.. note:: There is no signed version of ``shim`` for VyOS yet, so we do not
   provide a signed image for secure boot. If you are interested in secure
   boot, you can build an image on your own.
To generate a custom ISO with your own secure boot keys, run the following
commands prior to your ISO image build:

.. code-block:: bash

   cd vyos-build
   # Generate the Machine Owner Key: RSA 4096, self-signed, valid for 100 years.
   # The private key is written as PEM, the certificate as DER (the form that
   # MOK Manager enrolls). Both go into the mok directory of the chroot overlay.
   openssl req -new -x509 -newkey rsa:4096 \
     -keyout data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.key \
     -outform DER \
     -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \
     -days 36500 -subj "/CN=MyMOK/" -nodes
   # Keep a PEM copy of the same certificate next to the DER one
   openssl x509 -inform der \
     -in data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.der \
     -out data/live-build-config/includes.chroot/var/lib/shim-signed/mok/MOK.pem
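The following script is an added example and is not part of the VyOS documentation or of vyos-build. It generates a MOK the same way as the commands above, but into a directory of your choice, and then verifies the result before it is copied into an image build: that ``MOK.der`` and ``MOK.pem`` are the same certificate, that ``MOK.key`` actually belongs to that certificate, that the certificate is self-signed, and that the key has the expected size. The function names, the target directory and the optional subject and key-size parameters are this example's own assumptions.

```shell
#!/bin/sh
# Added example; not part of the VyOS documentation or of vyos-build.
# Generates a Machine Owner Key (MOK) the way the docs do, into a directory of
# the caller's choice, then verifies the artifacts before they go into an image
# build. Function names and parameters are this example's own assumptions.
set -eu

# generate_mok DIR [SUBJECT] [BITS]
# Creates DIR/MOK.key (PEM private key), DIR/MOK.der (certificate, the form
# MOK Manager enrolls) and DIR/MOK.pem (the same certificate as PEM).
generate_mok() {
    dir="$1"; subj="${2:-/CN=MyMOK}"; bits="${3:-4096}"
    mkdir -p "$dir"
    openssl req -new -x509 -newkey "rsa:$bits" -nodes -days 36500 -subj "$subj" \
        -keyout "$dir/MOK.key" -outform DER -out "$dir/MOK.der" 2>/dev/null
    openssl x509 -inform DER -in "$dir/MOK.der" -out "$dir/MOK.pem"
    chmod 600 "$dir/MOK.key"   # this key signs the kernel; keep it private
}

# cert_fingerprint FILE FORM -> SHA-256 fingerprint of the certificate as
# lowercase hex without colons (FORM is DER or PEM)
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# mok_key_bits DIR -> RSA modulus size of DIR/MOK.key in bits
mok_key_bits() {
    openssl pkey -in "$1/MOK.key" -noout -text \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# verify_mok DIR [BITS] -> prints "ok" and returns 0 when every check passes;
# otherwise names the failing check on stderr and returns 1
verify_mok() {
    dir="$1"; want_bits="${2:-4096}"
    # 1. DER and PEM must describe the same certificate
    [ "$(cert_fingerprint "$dir/MOK.der" DER)" = "$(cert_fingerprint "$dir/MOK.pem" PEM)" ] \
        || { echo "MOK.der and MOK.pem differ" >&2; return 1; }
    # 2. the private key must match the certificate's public key
    cert_pub=$(openssl x509 -in "$dir/MOK.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/MOK.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "MOK.key does not match MOK.pem" >&2; return 1; }
    # 3. a MOK is self-signed: issuer and subject must be identical
    subj=$(openssl x509 -in "$dir/MOK.pem" -noout -subject)
    issuer=$(openssl x509 -in "$dir/MOK.pem" -noout -issuer)
    [ "${subj#subject=}" = "${issuer#issuer=}" ] \
        || { echo "certificate is not self-signed" >&2; return 1; }
    # 4. key size as requested (the docs generate RSA 4096)
    [ "$(mok_key_bits "$dir")" = "$want_bits" ] \
        || { echo "unexpected key size: $(mok_key_bits "$dir")" >&2; return 1; }
    echo ok
}

# Usage: sh mok-check.sh ./mok   (generates into ./mok, then verifies it)
if [ "$#" -gt 0 ]; then
    generate_mok "$1"
    verify_mok "$1"
fi
```

Run it as ``sh mok-check.sh ./mok`` and copy the three files into the ``mok`` directory from the commands above only when it prints ``ok``; a key that does not match the enrolled certificate otherwise shows up only at boot time, as the ``bad shim signature`` error described under Troubleshoot.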
************
Installation
************

As our version of ``shim`` is not signed by Microsoft, we need to enroll the
previously generated :abbr:`MOK (Machine Owner Key)` into the system.

First of all, you will need to disable UEFI secure boot for the installation.

.. figure:: /_static/images/uefi_secureboot_01.png
   :alt: Disable UEFI secure boot

Proceed with the regular VyOS :ref:`installation <permanent_installation>` on
your system, but instead of the final ``reboot`` we will enroll the
:abbr:`MOK (Machine Owner Key)`.
.. code-block:: none

   vyos@vyos:~$ install mok
   input password:
   input password again:

The requested ``input password`` can be chosen freely by the user; it is only
needed once more after rebooting the system into MOK Manager, to permanently
install the key.

With the next reboot, MOK Manager will launch automatically.
.. figure:: /_static/images/uefi_secureboot_02.png
   :alt: MOK Manager

Select ``Enroll MOK``.

.. figure:: /_static/images/uefi_secureboot_03.png
   :alt: MOK Manager: Enroll MOK

You can now view the key to be installed and ``continue`` with the key
installation.

.. figure:: /_static/images/uefi_secureboot_04.png
   :alt: MOK Manager: view key

.. figure:: /_static/images/uefi_secureboot_05.png
   :alt: MOK Manager: continue

Now you will need the password previously defined.

.. figure:: /_static/images/uefi_secureboot_06.png
   :alt: MOK Manager: password prompt

Now reboot and re-enable UEFI secure boot.

.. figure:: /_static/images/uefi_secureboot_07.png
   :alt: Re-enable UEFI secure boot

VyOS will now launch in UEFI secure boot mode. This can be double-checked by
running any one of the following commands:
.. code-block:: none

   vyos@vyos:~$ show secure-boot
   SecureBoot enabled

.. code-block:: none

   vyos@vyos:~$ show log kernel | match Secure
   Oct 08 19:15:41 kernel: Secure boot enabled

.. code-block:: none

   vyos@vyos:~$ show version
   Version:          VyOS 1.5-secureboot
   Release train:    current
   Release flavor:   generic

   Built by:         autobuild@vyos.net
   Built on:         Tue 08 Oct 2024 18:00 UTC
   Build UUID:       5702ca38-e6f4-470f-b89e-ffc29baee474
   Build commit ID:  9eb61d3b6cf426

   Architecture:     x86_64
   Boot via:         installed image
   System type:      KVM guest
   Secure Boot:      enabled <-- UEFI secure boot indicator

   Hardware vendor:  QEMU
   Hardware model:   Standard PC (i440FX + PIIX, 1996)
   Hardware S/N:
   Hardware UUID:    1f6e7f5c-fb52-4c33-96c9-782fbea36436

   Copyright:        VyOS maintainers and contributors
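As an added example (not part of the VyOS documentation, and not a claim about how ``show secure-boot`` is implemented), the script below reads the firmware's own answer from efivarfs, which is the source of the kernel's ``Secure boot enabled`` log line, and treats ``SetupMode`` the way the kernel does: a firmware in setup mode enforces no signatures, so it is reported as such rather than as enabled. The function names, the ``EFIVARS_DIR`` override and the fake-variable helper used for offline testing are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of the VyOS documentation. Reads the SecureBoot and
# SetupMode variables (EFI global variable GUID) from efivarfs. efivarfs
# prepends 4 bytes of variable attributes (little-endian uint32) to the
# variable data; for both variables the data is a single byte.
# Function names, the EFIVARS_DIR override and make_fake_efivar are this
# example's own assumptions.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# efivar_byte FILE -> prints the first data byte (offset 4) as a decimal
# number; returns 1 if the variable file is missing or unreadable
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# secure_boot_state [DIR] -> prints exactly one of:
#   enabled     SecureBoot=1 and SetupMode=0: the firmware enforces signatures
#   setup-mode  SetupMode=1: the firmware accepts new keys and enforces
#               nothing, so "enabled" would be misleading here
#   disabled    SecureBoot=0 (or unreadable variable data)
#   no-efi      no SecureBoot variable (legacy BIOS boot, or efivarfs not
#               mounted)
secure_boot_state() {
    dir="${1:-$EFIVARS_DIR}"
    if ! sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID"); then
        echo no-efi
        return 0
    fi
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || sm=0
    if [ "$sm" = "1" ]; then
        echo setup-mode
    elif [ "$sb" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# make_fake_efivar DIR NAME VALUE: writes a constructed efivarfs-style file
# (attributes 0x00000006 = BOOTSERVICE_ACCESS|RUNTIME_ACCESS, then one data
# byte) so the parser can be exercised offline on a machine without UEFI.
make_fake_efivar() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    printf '\006\000\000\000' > "$f"
    printf "$(printf '\\%03o' "$3")" >> "$f"
}

# Demo on constructed data, then on this host (on a real VyOS system just call
# secure_boot_state with no argument).
demo=$(mktemp -d)
make_fake_efivar "$demo" SecureBoot 1
make_fake_efivar "$demo" SetupMode 0
echo "constructed firmware: $(secure_boot_state "$demo")"
echo "this host:            $(secure_boot_state)"
rm -rf "$demo"
```

On a host without efivarfs the second line prints ``no-efi``, which is the right answer for a legacy BIOS boot and should not be confused with ``disabled``; a monitoring check that expects ``enabled`` should alert on any of the other three states.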
************
Troubleshoot
************

In most cases, if something goes wrong you will see the following error
message during system boot:

.. code-block:: none

   error: bad shim signature
   error: you need to load the kernel first

This means that the Machine Owner Key used to sign the kernel is not trusted by
your UEFI firmware. You need to install the MOK via ``install mok`` as stated
above.