Could you please share with me the steps you have taken to enable Secure Boot on the PVE 7 host? I'm also really interested to see the scripts you've used to automatically sign the kernel at each upgrade or change.
Thanks in advance!
Hi,
In the end I purged the current installation, so I lost the script, but I can tell you how to work out the Secure Boot keys and the first signing, then you may just repeat the steps of signing and add it to a script.
To enable Secure Boot in PVE you need:
a. Keys and certificates
The UEFI standard recommends NOT using the default keys. You should generate your own keys and add them to the UEFI. There are 3 keys you need: PK, KEK, DB. The PK is the Certification Authority, the KEK is the Key to validate the PK (IIRC) and the DB is the list of authorized keys that are able to boot. You should use Rod's Books script to generate those keys:
Rod's Books UEFI Keys Generator Script
Download it as root, use
to make it executable, and run it. It will ask for a CN (Common Name) and I usually input the hostname. Create a directory inside your EFI Boot partition and store all the '.key .esl .auth .cer .crt' files in it. That way you may access it through the UEFI and install the keys. You need to enable Secure Boot, put it in User Mode, clear all keys and enroll the new ones. Sometimes the PK isn't cleared; that's why you enroll the noPK file, to remove that protection, but that's rare.
b. Sign the right files
I don't know how to use it with GRUB, but if you find out which file it needs signed, just sign it. I use it with systemd-boot, and I just need to sign the kernel file and the 'systemd-bootx64.efi' file that resides in EFI/systemd/.
You need to install the following
IIRC correctly; might have misspelled it.
After that, you sign the kernel and the bootloader with the following command:
Code:
sbsign --key "path-to-DB.key" --cert "path-to-DB.cer*" --output "path-to-new-file.signed" "path-to-original-file"
*depends on which you enrolled in the UEFI.
Breaking down, you call the 'sbsign' tool, point the DB.key and DB.cer file, tell the name of the new file "kernel.file.signed" and the file for it to sign, "kernel.file". It might throw some random errors, but it should be ok. You may use sbverify, to confirm. Just point it to the certificate and key and it will do you good.
After that, you just rename the kernel.file.signed to kernel.file and it's done. You should backup the kernel.file, as always.
Enable Secure Boot and you should be rolling.
In the script, use the sbverify on the new kernel / current kernel, process the output and decide if it needs signing. If it does, call the sbsign.
You can embed the script into the zz-pve-* script that gets called after every update.
Hope this helps. And if I end up doing it again, I'll try to keep the script and upload it to GitHub.
Reference:
Arch Linux Wiki - Secure Boot Implementation
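The verify-then-sign loop the answer describes, written out as an added shell example (it is not the poster's lost script). It assumes sbsigntool (sbsign/sbverify) is installed, that the DB key pair from Rod's Books script is kept in SB_KEYDIR, and an ESP layout under ESP with kernels in EFI/proxmox/<version>/ and systemd-boot in EFI/systemd/; all three paths are assumptions to adjust for your host.

```bash
#!/bin/sh
# Added example: re-sign Secure Boot artifacts only when sbverify cannot
# validate them against our own DB certificate. Not the poster's script.
set -u

SB_KEYDIR="${SB_KEYDIR:-/etc/secureboot/keys}"   # assumption: where db.key / db.crt live
ESP="${ESP:-/boot/efi}"                           # assumption: where the ESP is mounted
DB_KEY="$SB_KEYDIR/db.key"
DB_CERT="$SB_KEYDIR/db.crt"

# 0 if $1 already carries a signature that verifies against our DB cert.
is_signed_by_db() {
    sbverify --cert "$DB_CERT" "$1" >/dev/null 2>&1
}

# Sign $1 in place when needed: keep a .bak copy, write the signed image to
# a temp name, rename it over the original, then re-verify the result.
# Returns 0 when the file ends up verifiably signed, 1 otherwise.
sign_if_needed() {
    f="$1"
    if is_signed_by_db "$f"; then
        echo "already signed: $f"
        return 0
    fi
    cp -p -- "$f" "$f.bak" || return 1
    sbsign --key "$DB_KEY" --cert "$DB_CERT" --output "$f.signed" "$f" || return 1
    mv -f -- "$f.signed" "$f" || return 1
    is_signed_by_db "$f"     # trust the verifier, not sbsign's exit code alone
}

# Everything that must stay signed: each installed kernel plus the bootloader.
sign_all() {
    rc=0
    for f in "$ESP"/EFI/proxmox/*/vmlinuz-* "$ESP"/EFI/systemd/systemd-bootx64.efi; do
        [ -e "$f" ] || continue
        sign_if_needed "$f" || rc=1
    done
    return $rc
}

# Invoke as `sign-sb.sh run` from a post-update hook such as the zz-pve-* script.
if [ "${1:-}" = "run" ]; then
    sign_all
fi
```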