Welcome to the Slackware Documentation Project

Differences

This shows you the differences between two versions of the page.

howtos:security:enabling_secure_boot [2015/02/21 18:19 (UTC)]
turtleli created
howtos:security:enabling_secure_boot [2015/02/28 14:55 (UTC)] (current)
turtleli [Signing EFI Binaries] Add efilinux to list of bootloaders that allow unsigned kernels to run.
Line 6: Line 6:
   * How to enroll Secure Boot keys while booted into Slackware   * How to enroll Secure Boot keys while booted into Slackware
   * How to sign EFI binaries for use in Secure Boot mode.   * How to sign EFI binaries for use in Secure Boot mode.
-<​note ​warning>Make sure you can find and manipulate the Secure Boot settings with your system'​s UEFI firmware. That way, if you make a mistake, you can simply turn off Secure Boot to have a bootable system again.</​note>​ +<​note ​important>Make sure you can find and manipulate the Secure Boot settings with your system'​s UEFI firmware. That way, if you make a mistake, you can simply turn off Secure Boot to have a bootable system again.</​note>​ 
-<​note ​warning>Once you have changed your Secure Boot keys, signed your EFI binaries and have tested that Secure Boot is working, you should store your private keys in a safe location until the keys are required again. Anyone with access to your private keys can bypass the protection that Secure Boot offers.</​note>​+<​note ​important>Once you have changed your Secure Boot keys, signed your EFI binaries and have tested that Secure Boot is working, you should store your private keys in a safe location until the keys are required again. Anyone with access to your private keys can bypass the protection that Secure Boot offers.</​note>​
  
 ===== Secure Boot Keys and Signature Databases ===== ===== Secure Boot Keys and Signature Databases =====
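Review bot: in the second note, "store your private keys in a safe location" is left undefined even though the same note says anyone with the keys can bypass Secure Boot; say what qualifies, for example storage off the machine being protected. Both notes also change from warning to important while the revision summary only mentions the efilinux addition, and the first note covers a mistake that leaves the system unbootable, so consider keeping warning there or stating the reason for the change.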
Line 60: Line 60:
  
 ===== Signing EFI Binaries ===== ===== Signing EFI Binaries =====
-My recommendation (at the time of writing) is that you either use a boot manager with an EFI stub kernel, or directly boot an EFI stub kernel. ELILO and syslinux (and possibly GRUB) will allow unsigned kernels to run (or at least it does on my hardware and VM), which defeats the purpose of Secure Boot. If you do follow my recommendation,​ make sure you sign your kernel every time you change it.+My recommendation (at the time of writing) is that you either use a boot manager with an EFI stub kernel, or directly boot an EFI stub kernel. ELILO, efilinux ​and syslinux (and possibly GRUB but I do not know for sure) will allow unsigned kernels to run (or at least it does on my hardware and VM), which defeats the purpose of Secure Boot. If you do follow my recommendation,​ make sure you sign your kernel every time you change it.
  
 You will need to sign all EFI binaries, up to, and including your bootloader and/or EFI stub kernel. To sign an binary, run: You will need to sign all EFI binaries, up to, and including your bootloader and/or EFI stub kernel. To sign an binary, run:
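Review bot: in the changed sentence, "or at least it does on my hardware and VM" no longer agrees with the list now that it names ELILO, efilinux and syslinux; use "they do". The claim that these bootloaders run unsigned kernels is tied to "my hardware and VM" with no bootloader versions given, so a reader cannot tell whether it still applies; add the versions tested. "possibly GRUB but I do not know for sure" says the same thing twice and one hedge is enough. The unchanged line that follows has "To sign an binary", which should read "a binary".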
Line 106: Line 106:
 <!-- Please do not modify anything below, except adding new tags.--> <!-- Please do not modify anything below, except adding new tags.-->
 <!-- You must remove the tag-word "​template"​ below before saving your new page --> <!-- You must remove the tag-word "​template"​ below before saving your new page -->
-{{tag>​security secure_boot uefi}}+{{tag>howtos ​security secure_boot uefi author_turtleli}}