diff options
| author | Daniil Baturin <daniil@vyos.io> | 2026-05-06 14:08:24 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-05-06 14:08:24 +0100 |
| commit | dfea790b36ddab4c6661436c8eed3cea7af5bd3a (patch) | |
| tree | c1a9a432839a7ce7aecc4072750d476ae6186248 /docs/installation/md-secure-boot.md | |
| parent | 4b36114e053ee11d0cb264a1e4cfe4692d78f194 (diff) | |
| download | vyos-documentation-dfea790b36ddab4c6661436c8eed3cea7af5bd3a.tar.gz vyos-documentation-dfea790b36ddab4c6661436c8eed3cea7af5bd3a.zip | |
Revert "Add incremental RST-to-MyST swap mechanism (#1857)" (#1892)
This reverts commit 4b36114e053ee11d0cb264a1e4cfe4692d78f194.
Diffstat (limited to 'docs/installation/md-secure-boot.md')
| -rw-r--r-- | docs/installation/md-secure-boot.md | 194 |
1 files changed, 0 insertions, 194 deletions
diff --git a/docs/installation/md-secure-boot.md b/docs/installation/md-secure-boot.md deleted file mode 100644 index ecbc432d..00000000 --- a/docs/installation/md-secure-boot.md +++ /dev/null @@ -1,194 +0,0 @@ ---- -lastproofread: '2026-01-26' ---- - -(secure-boot)= - -# Secure Boot - -Initial UEFI Secure Boot support is available ({vytask}`T861`). VyOS uses -`shim` from Debian 12 (Bookworm), which is properly signed by the UEFI -Secure Boot key from Microsoft. - -:::{note} -There is yet no signed version of `shim` for VyOS, thus we -provide no signed image for secure boot yet. If you are interested in -secure boot you can build an image on your own. -::: - -To generate a custom ISO with your own secure boot keys, run the following -commands prior to your ISO image build: - -```bash -cd vyos-build -CA_DIR="data/certificates" -SHIM_CERT_NAME="vyos-dev-2025-shim" -VYOS_KERNEL_CERT_NAME="vyos-dev-2025-linux" - -openssl req -new -x509 -newkey rsa:4096 -keyout ${CA_DIR}/${SHIM_CERT_NAME}.key -out ${CA_DIR}/${SHIM_CERT_NAME}.der \ - -outform DER -days 36500 -subj "/CN=VyOS Networks Secure Boot CA/" -nodes -openssl x509 -inform der -in ${CA_DIR}/${SHIM_CERT_NAME}.der -out ${CA_DIR}/${SHIM_CERT_NAME}.pem - -openssl req -newkey rsa:4096 -sha256 -nodes -keyout ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.key \ - -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -outform PEM -days 3650 \ - -subj "/CN=VyOS Networks Secure Boot Signer 2025 - linux/" -openssl x509 -req -in ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.csr -CA ${CA_DIR}/${SHIM_CERT_NAME}.pem \ - -CAkey ${CA_DIR}/${SHIM_CERT_NAME}.key -CAcreateserial -out ${CA_DIR}/${VYOS_KERNEL_CERT_NAME}.pem -days 3650 -sha256 -``` - - -## Installation - -As our version of `shim` is not signed by Microsoft we need to enroll the -previously generated {abbr}`MOK (Machine Owner Key)` to the system. - -First, disable UEFI Secure Boot for the installation. - -:::{figure} /_static/images/uefi_secureboot_01.webp -:alt: Disable UEFI secure boot -::: - -Proceed with the standard VyOS {ref}`installation <permanent_installation>` on -your system. Instead of the final `reboot` command, enroll the -{abbr}`MOK (Machine Owner Key)`. - -```none -vyos@vyos:~$ install mok -input password: -input password again: -``` - -You can set the `input password` to any value you choose. You'll need this -password after reboot when MOK Manager launches to permanently install the keys. - -With the next reboot, MOK Manager will automatically launch - -:::{figure} /_static/images/uefi_secureboot_02.webp -:alt: Disable UEFI secure boot -::: - -Select `Enroll MOK` - -:::{figure} /_static/images/uefi_secureboot_03.webp -:alt: Disable UEFI secure boot -::: - -You can now view the key to be installed and continue with key installation. - -:::{figure} /_static/images/uefi_secureboot_04.webp -:alt: Disable UEFI secure boot -::: - -:::{figure} /_static/images/uefi_secureboot_05.webp -:alt: Disable UEFI secure boot -::: - -Now you need to enter the password you defined previously. - -:::{figure} /_static/images/uefi_secureboot_06.webp -:alt: Disable UEFI secure boot -::: - -Now reboot and re-enable UEFI Secure Boot. - -:::{figure} /_static/images/uefi_secureboot_07.webp -:alt: Disable UEFI secure boot -::: - -VyOS will now launch in UEFI Secure Boot mode. You can verify this by running -one of the following commands: - -```none -vyos@vyos:~$ show secure-boot -SecureBoot enabled -``` - -```none -vyos@vyos:~$ show log kernel | match Secure -Oct 08 19:15:41 kernel: Secure boot enabled -``` - -```none -vyos@vyos:~$ show version -Version: VyOS 1.5-secureboot -Release train: current -Release flavor: generic - -Built by: autobuild@vyos.net -Built on: Tue 08 Oct 2024 18:00 UTC -Build UUID: 5702ca38-e6f4-470f-b89e-ffc29baee474 -Build commit ID: 9eb61d3b6cf426 - -Architecture: x86_64 -Boot via: installed image -System type: KVM guest -Secure Boot: enabled <-- UEFI secure boot indicator - -Hardware vendor: QEMU -Hardware model: Standard PC (i440FX + PIIX, 1996) -Hardware S/N: -Hardware UUID: 1f6e7f5c-fb52-4c33-96c9-782fbea36436 - -Copyright: VyOS maintainers and contributors -``` - - -## Image Update - -:::{note} -Currently, there is no signed version of `shim` for VyOS. If you -want Secure Boot support, you can build a custom image with your own keys. -::: - -During image installation, you install your {abbr}`MOK (Machine Owner Key)` -into the UEFI variables to add trust to this key. After you re-enable Secure -Boot in UEFI, you can only boot into your signed image. - -You can no longer boot into a CI-generated rolling release because those -are not signed by a trusted party ({vytask}`T861` work in progress). This -also means you must sign all successor builds with the same key; otherwise, -you'll see this error: - -```none -error: bad shim signature -error: you need to load the kernel first -``` - - -## Linux Kernel - -In addition to Secure Boot support, VyOS uses ephemeral key signing of Linux -Kernel modules for an extra security layer in both Secure and non-Secure boot -images. - -<https://patchwork.kernel.org/project/linux-integrity/patch/20210218220011.67625-5-nayna@linux.ibm.com/> - -When the CI system builds a Kernel package and required third-party modules, -it generates a temporary (ephemeral) key pair for signing the modules. The -public key is embedded in the Kernel binary to verify loaded modules. - -After the Kernel CI build completes, the generated key is discarded, meaning -we can no longer sign additional modules with that key. The Kernel configuration -also includes the option `CONFIG_MODULE_SIG_FORCE=y`, which enforces signature -verification for all modules. If you try to load an unsigned module, you'll -get this error: - -`insmod: ERROR: could not insert module malicious.ko: Key was rejected by -service` - -This prevents loading any malicious code after the image is assembled into the -Kernel as a module. You can disable this behavior on custom builds if needed. - -## Troubleshoot - -In most cases, if something goes wrong during system boot, you'll see this -error message: - -```none -error: bad shim signature -error: you need to load the kernel first -``` - -This error means the Machine Owner Key used to sign the Kernel is not trusted -by your UEFI. Install the MOK using the `install mok` command as described -above. |
