Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

howtos:security:enabling_secure_boot [2015/02/21 18:19 (UTC)] – created turtleli
howtos:security:enabling_secure_boot [2015/02/28 14:55 (UTC)] (current) – [Signing EFI Binaries] Add efilinux to list of bootloaders that allow unsigned kernels to run. turtleli
Line 6: Line 6:
   * How to enroll Secure Boot keys while booted into Slackware   * How to enroll Secure Boot keys while booted into Slackware
   * How to sign EFI binaries for use in Secure Boot mode.   * How to sign EFI binaries for use in Secure Boot mode.
-<note warning>Make sure you can find and manipulate the Secure Boot settings with your system's UEFI firmware. That way, if you make a mistake, you can simply turn off Secure Boot to have a bootable system again.</note> +<note important>Make sure you can find and manipulate the Secure Boot settings with your system's UEFI firmware. That way, if you make a mistake, you can simply turn off Secure Boot to have a bootable system again.</note> 
-<note warning>Once you have changed your Secure Boot keys, signed your EFI binaries and have tested that Secure Boot is working, you should store your private keys in a safe location until the keys are required again. Anyone with access to your private keys can bypass the protection that Secure Boot offers.</note>+<note important>Once you have changed your Secure Boot keys, signed your EFI binaries and have tested that Secure Boot is working, you should store your private keys in a safe location until the keys are required again. Anyone with access to your private keys can bypass the protection that Secure Boot offers.</note>
  
 ===== Secure Boot Keys and Signature Databases ===== ===== Secure Boot Keys and Signature Databases =====
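Review bot: The second note, about private keys, should stay a `<note warning>` rather than become `<note important>`. It states a consequence that defeats the whole mechanism ("Anyone with access to your private keys can bypass the protection that Secure Boot offers"). The first note is recovery advice and suits `important`. While touching this text, "a safe location" could be made concrete, for example storage that is offline and not on the machine being protected.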
Line 60: Line 60:
  
 ===== Signing EFI Binaries ===== ===== Signing EFI Binaries =====
-My recommendation (at the time of writing) is that you either use a boot manager with an EFI stub kernel, or directly boot an EFI stub kernel. ELILO and syslinux (and possibly GRUB) will allow unsigned kernels to run (or at least it does on my hardware and VM), which defeats the purpose of Secure Boot. If you do follow my recommendation, make sure you sign your kernel every time you change it.+My recommendation (at the time of writing) is that you either use a boot manager with an EFI stub kernel, or directly boot an EFI stub kernel. ELILO, efilinux and syslinux (and possibly GRUB but I do not know for sure) will allow unsigned kernels to run (or at least it does on my hardware and VM), which defeats the purpose of Secure Boot. If you do follow my recommendation, make sure you sign your kernel every time you change it.
  
 You will need to sign all EFI binaries, up to, and including your bootloader and/or EFI stub kernel. To sign an binary, run: You will need to sign all EFI binaries, up to, and including your bootloader and/or EFI stub kernel. To sign an binary, run:
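Review bot: The changed sentence in "Signing EFI Binaries" now names three bootloaders plus an unverified GRUB aside, but the only evidence is "on my hardware and VM". Readers cannot tell which bootloader versions or firmware this was observed on. Suggest stating the tested versions and either confirming the GRUB behaviour or dropping the parenthetical. Two wording fixes in the same area: with a plural subject, "it does" should read "they do", and the context line "To sign an binary" should be "To sign a binary".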
Line 106: Line 106:
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must remove the tag-word "template" below before saving your new page --> <!-- You must remove the tag-word "template" below before saving your new page -->
-{{tag>security secure_boot uefi}}+{{tag>howtos security secure_boot uefi author_turtleli}}
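Review bot: The template comment kept above the tag line ("You must remove the tag-word "template" below before saving your new page") is stale, since neither the old nor the new tag list contains `template`. It can be deleted in this edit. The added `howtos` and `author_turtleli` tags look consistent with the page namespace and the revision author shown in the header.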