🍰
PXE Boot
  • Overview
  • Install Raspberry Pi OS
    • Raspberry Pi 4 not booting
    • List of OSes for Raspberry Pi
  • Install PXE server on Raspberry Pi 4
    • NFS kernel options
    • Kernel w/ initramfs
    • Mount NFS manually
    • Buildroot cheat sheet
  • Install UEFI PXE server
    • Where to get grubx64.efi?
    • GRUB config
    • Test UEFI PXE in Virtual Box
  • Configuration variants
  • DHCP + TFTP on dnsmasq
  • When dnsmasq fails
  • The case without proxy DHCP
  • More about ISC DHCP Server
  • PXE Boot when UEFI Network not working
  • List of PXE error codes
  • Troubleshooting
    • Security Boot Fail
    • TFTP server
    • PXE-T01: File not found
    • PXE-E16: No offer received
    • PXE-E21: Remote boot cancelled
      • Update option ROM on the NIC
    • PXE-E23: Client received TFTP error from server
    • Invalid DOS header magic
    • Unable to fetch TFTP image: Invalid Parameter
    • EFI boot manager
  • Secure Boot and custom certificates
    • bzImage has invalid signature
  • Kaspersy Rescue Disk 18
  • Reference
  • About the author
Powered by GitBook
On this page
  • Packages to your system
  • Add to ESP partition
  • Sign the kernel
  • How to compile grubx64.efi

Was this helpful?

Secure Boot and custom certificates

PreviousEFI boot managerNextbzImage has invalid signature

Last updated 3 years ago

Was this helpful?

Let's say you have a laptop with Windows installed on it by its manufacturer (so called OEM version). You want to keep Secure Boot enabled, but you also want to boot some custom Linux from USB drive or through the network via PXE.

You need to sign a kernel, otherwise you get this error

You normally would follow instructions like this https://ubuntu.com/blog/how-to-sign-things-for-secure-boot, where new signature is installed by mokutil, but you are on Windows right now.

According to Eclypsium in https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ there is Kaspersky Rescue Disk 18 https://support.kaspersky.com/krd18 that bypasses Secure Boot. Official build is hardened with signatures, but hacky version still can be found online (https://usbtor.ru/viewtopic.php?p=65909). It will work only if you don't update your Windows (since somewhere like 2020), because UEFI Forum already have this bootloader in the revocation list (https://uefi.org/revocationlistfile)

30: {microsoft} {sha256} 81d8fb4c9e2e7a8225656b4b8273b7cba4b03ef2e9eb20e0a0291624eca1ba86

Probably a great article http://www.rodsbooks.com/efi-bootloaders/secureboot.html, but good God Roderick W. Smith, I fall asleep after each paragraph, I don't know which note is important, I read information and don't know how to apply it.

Packages to your system

  • sbsigntools

  • pesign

Add to ESP partition

  • public key (for MOK),

  • shimx64.efi (Secure boot solution from Matthew J. Garrett),

  • mmx64.efi (mm stands for MOK Manager),

  • grubx64.efi (GRUB 2)

Where to get this files?

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt \\
  -nodes -days 3650 -subj "/CN=Your Name/"
openssl x509 -in MOK.crt -out MOK.cer -outform DER
git clone https://github.com/rhboot/shim.git
cd shim
git submodule update
make

Following tutorial from https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-uefi.html

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=Ethogaming/"
openssl x509 -in MOK.crt -out MOK.cer -outform DER

openssl pkcs12 -export -inkey MOK.key -in MOK.crt \
-name kernel_cert -out cert.p12

certutil -d . -N

pk12util -d . -i cert.p12
pesign -n . -c kernel_cert -i bzImage -o vmlinuz.signed -s

Getting an error

pesign: could not parse signature list in EFI binary

Later I realized (https://github.com/rhboot/pesign/issues/64) that my kernel should have CONFIG_EFI_STUB enabled https://www.kernel.org/doc/html/latest/admin-guide/efi-stub.html

Finding another tutorials

  • https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools

  • https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF

  • https://ubuntu.com/blog/how-to-sign-things-for-secure-boot

And trying

openssl x509 -in MOK.cer -inform DER -outform PEM -out MOK.pem
sbsign --key MOK.key --cert MOK.pem --output bzImage.signed bzImage

And getting an error

Sign the kernel

sbsign --key ~/efitools/MOK.key --cert ~/efitools/MOK.crt \\
         --output vmlinuz-signed.efi vmlinuz.efi
warning: file-aligned section .text extends beyond end of file
warning: checksum areas are greater than image size. Invalid section table?

How to compile grubx64.efi

bug https://savannah.gnu.org/bugs/index.php?55636

https://github.com/rhboot/grub2/pull/82

https://bugzilla.redhat.com/show_bug.cgi?id=1809246

https://www.gnu.org/software/grub/grub-download.html

git clone https://git.savannah.gnu.org/git/grub.git

patch

https://lists.gnu.org/archive/html/grub-devel/2014-04/msg00091.html

Invalid DOS header magic
bzImage has invalid signature
Secure Boot Enabled