Fedora – How to use custom-signed shim for secure boot (Fedora)


I'm not sure whether there's a guide for this but I'd like to know the detailed steps (step-by-step guide perhaps?) involved in achieving the following:

  1. Re-sign shim with a custom CA private key, but still let shim use the Fedora boot CA public key to verify the kernel components for Secure Boot.
  2. Replace Microsoft's key stored in the firmware with the corresponding custom CA public key whose private key was used to sign shim.

The main goal that I want to achieve is to replace the built-in Microsoft's CA certificate stored in the firmware, in order to forbid Microsoft-signed OS bootloaders from being executed, and still use the UEFI's secure boot functionality to boot up F19. The general overview seems to be outlined in this link, but I'm not able to find any detailed guide to do this.

Best Answer

I think you can follow the process below:

  1. Generate keys for your system. A known good process to me is this.
  2. Now you can sign your shim.efi with this signature. Use pesign for signing as mentioned in the given link.
  3. Now it should work, if not then you might have to sign other binaries with new signatures as well.

But I am afraid that removing MS certificate from shim.efi might break. You might be interested in reading this link for more details.

I have taken a few points below for your reference:

Point#1

A lot of our users want to build their own kernels. Some even want to build their own distributions. Signing our bootloader and kernel is an impediment to that. We'll be providing all the tools we use for signing our binaries, but for obvious reasons we can't hand out our keys. There are three approaches here. The first is for a user to generate their own key and enrol it in their system firmware. We'll trust anything that's signed with a key that's present in the firmware. The second is to rebuild the shim loader with their own key installed and then pay $99 and sign that with Microsoft. That means that they'll be able to give copies to anyone else and let them install it without any fiddling. The third is to just disable secure boot entirely, at which point the machine should return to granting the same set of freedoms as it currently does.

Point#2:

A system in custom mode should allow you to delete all existing keys and replace them with your own. After that it's just a matter of re-signing the Fedora bootloader (like I said, we'll be providing tools and documentation for that) and you'll have a computer that will boot Fedora but which will refuse to boot any Microsoft code. It may be a little more awkward for desktops because you may have to handle the Microsoft-signed UEFI drivers on your graphics and network cards, but this is also solvable. I'm looking at ways to implement a tool to allow you to automatically whitelist the installed drivers. Barring firmware backdoors, it's possible to configure secure boot such that your computer will only run software you trust. Freedom means being allowed to run the software you want to run, but it also means being able to choose the software you don't want to run.
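To make the key-enrollment half of the question (replacing the firmware's db/KEK/PK entries with your own CA) more concrete, here is an added example of my own; it is not code from the answer above, from the question's author, or from the shim or efitools projects. The db, KEK and PK variables hold one or more concatenated EFI_SIGNATURE_LIST structures, and for a CA certificate each list carries the EFI_CERT_X509_GUID type with a single EFI_SIGNATURE_DATA entry (owner GUID followed by the DER certificate). The code below builds that structure from DER bytes, the same layout tools such as cert-to-efi-sig-list produce, and parses it back so you can audit what a firmware actually trusts. The certificate bytes and the owner GUID are constructed placeholders, and the signed EFI_VARIABLE_AUTHENTICATION_2 wrapper that a firmware requires before it accepts a write to PK or KEK (what sign-efi-sig-list adds) is out of scope here.

```python
"""Build and parse UEFI EFI_SIGNATURE_LIST blobs, the format behind db/KEK/PK entries.

Added example for illustration; not code from the page's author or from shim/efitools.
"""
import struct
import uuid

# GUID that marks an X.509 certificate entry (EFI_CERT_X509_GUID from the UEFI spec).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Constructed placeholder owner GUID; any GUID identifying the key owner may be used.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

# Constructed placeholder standing in for a DER-encoded CA certificate (not a real cert).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(16))

# EFI_SIGNATURE_LIST header: SignatureType (GUID, mixed-endian), SignatureListSize,
# SignatureHeaderSize, SignatureSize; all integers little-endian.
_HEADER = struct.Struct("<16sIII")
_GUID_LEN = 16


def build_x509_esl(cert_der: bytes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST with a single entry."""
    sig_size = _GUID_LEN + len(cert_der)    # EFI_SIGNATURE_DATA = owner GUID + cert
    list_size = _HEADER.size + sig_size     # one signature, no per-list signature header
    header = _HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs and return [(type, owner, data), ...].

    Raises ValueError on truncated or inconsistent headers instead of silently
    trusting the length fields, since this data is what the firmware enforces on.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _HEADER.unpack_from(blob, off)
        if list_size < _HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < _GUID_LEN:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = blob[off + _HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            sig = body[i: i + sig_size]
            entries.append((uuid.UUID(bytes_le=sig_type),
                            uuid.UUID(bytes_le=sig[:_GUID_LEN]),
                            sig[_GUID_LEN:]))
        off += list_size
    return entries


def is_enrolled(blob: bytes, cert_der: bytes) -> bool:
    """True if an X.509 entry with exactly these DER bytes is present in the variable."""
    return any(t == EFI_CERT_X509_GUID and data == cert_der
               for t, _owner, data in parse_esl(blob))


if __name__ == "__main__":
    db = build_x509_esl(SAMPLE_CERT_DER)
    for sig_type, owner, data in parse_esl(db):
        print(f"type={sig_type} owner={owner} bytes={len(data)}")
    print("enrolled:", is_enrolled(db, SAMPLE_CERT_DER))
```

To audit a running system, the same parser can be fed the contents of the db variable exposed by efivarfs (for example /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f) after skipping the 4-byte attributes word that efivarfs prepends; every X.509 entry it reports is a CA whose signatures the firmware will accept, which is exactly the list the question wants reduced to a single custom CA.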
