UEFI Secure Boot

[6502]

Is it possible to run FreeBSD with Secure Boot? There is a module called Shim which is used to start Linux from Secure Boot. Can it (or similar) be used to load FreeBSD?

Somebody may ask why I need Secure Boot when the OS is open source. The main reason is to have auto-starting system with encrypted storage.

 

[T-Aoki]

I myself don't like current SecureBoot (AFAIK, no organization responsible to contract, audit and provide keys to sign off boot codes which are ASSURED TO BE USED ALL SecureBoot-capable hardwares like root CAs provide signed-off SSL keys), so I never attempted to test, but some resources are available.

 

[tingo]

Also: if the UEFi firmware on the machine supports (allows) use of MOK (Machine Owner Key) when Secure Boot is on varies from machine to machine. If you are able to enroll your own MOK but the firmware doesn't read it when Secure Boot is on (for whatever reason) you are back to square one, as the chances of getting either Microsoft or the vendor of the machine to sign your binaries are zero.

 

[6502]

If you have MOK, probably you can use it to sign the boot loader file of Windows. I am not sure for details but if you can change the default Microsoft key, it can be restored in some way. Nobody will expect that Microsoft will sign any file for end user. For similar reason exists Shim.

 

[RetroComputingCollector]

My home server works just fine with Secure Boot. I self-signed loader.efi, and then enrolled that key in the BIOS menu. It's really that simple!

 

[drhowarddrfine]

RetroComputingCollector Can you give details on the steps for doing all that?

 

[RetroComputingCollector]

cd /boot, sh /usr/share/examples/uefisign/uefikeys testcert, uefisign -c testcert.pem -k testcert.key -o signed-binary loader.efi

Then open your BIOS and follow whatever chain of clicks, then enroll loader.efi as a key

 

[SDK Chan]

I thought about secureboot some time ago, and the only point I can see is, it protects against booting a specific system, but if you have encryption in place during boot, what kind of difference would it make ?
Out of curiosity I am going to try out secureboot on FreeBSD.

EDIT:
The above commands worked for me.

 

[cracauer@]

I thought about secureboot some time ago, and the only point I can see is, it protects against booting a specific system, but if you have encryption in place during boot, what kind of difference would it make ?

The unencrypted early stages of the boot could be replaced by an adversary with versions that log your passphrase when you next boot the thing.

 

[SDK Chan]

The unencrypted early stages of the boot could be replaced by an adversary with versions that log your passphrase when you next boot the thing.

Sounds to me like a rootkit, but I think secureboot is a nice layer of extra protection during boot.

 

[Dani78]

Yes i agree, using TPM secure boot will prevent/deter social engineering hack once access to the physical system has been obtained.

 

[6502]

The unencrypted early stages of the boot could be replaced by an adversary with versions that log your passphrase when you next boot the thing.

Not only this. There is automatic mode when OS is loaded without passphrase - the files on unencrypted boot partition automatically download the key (for LUKS or BitLocker) and use it later in boot process. Without Secure boot they can be replaced with similar files which log the key.