(Custom) Secure Boot for Centos 9 Stream

Support for security such as Firewalls and securing linux
Post Reply
marksch
Posts: 3
Joined: 2023/10/24 22:04:21

(Custom) Secure Boot for Centos 9 Stream

Post by marksch » 2023/10/24 22:41:45

Dear CentOS Forum,

I am attempting to setup CentOS Stream 9 with secure boot on my laptop. I am failing terribly with this. These are the 2 situations I am dealing with. I am hoping that someone here can help me or point me to a valuable tutorial to solve this problem.

Situation 1: I am using a USB stick to install CentOS Stream 9 on my new laptop. I cannot get the install to start due to a secure boot error. I have dd'ed the image several times and verified the image with the information from the official website. It just does not work. I am using the latest official image from the website. I can install Windows 11 without any secure boot errors. As far as my research goes, CentOS and Secure Boot should not be an issue. (is this different for stream?) Although I could find some other people with the same problem without a solution, there doesn't seem to be a solution for this on the internet except for accepting, that some systems just do not seem to support secure boot with CentOS.

Situation 2: I have now installed CentOS Stream 9 Minimal Install, while disabling secure boot. Now I am attempting to sign my system with a custom key, as my factory keys do not seem to work with this installation. I followed this tutorial for rhel: https://access.redhat.com/documentation ... the-kernel Everything worked except for the secure boot. I am still running into the secure boot error at boot. My Key is imported and my kernel, modules and efi files should all be signed with my key. I signed BOOTX64 and shimx64.efi, which is supposed to be loaded according to bootctl. I also signed some others, but cannot get it to work.

I am pretty hopeless now to get my CentOS Stream 9 System to work with Secure Boot. I am suspecting, that I might also have to sign initramfs, which is not further described in the above tutorial. I could not find any information on how to do this, as pesign does not work on initramfs and sbsigntools are not available for centos. There is one tutorial signing the initramfs with gpg, but the tutorial does not provide information on how to generate the gpg keys and how to import them into efi.

Has anyone here achieved this before? Could someone please help me or point me into the right direction?

with kind regards,
Mark Sch

User avatar
jlehtone
Posts: 4553
Joined: 2007/12/11 08:17:33
Location: Finland

Re: (Custom) Secure Boot for Centos 9 Stream

Post by jlehtone » 2023/10/25 06:44:34

Frankly, I would not use CentOS Stream unless I had to; it is for development, not for "production".

The tutorial that you point, does say:
RHEL includes:
* Signed boot loaders
* Signed kernels
* Signed kernel modules
and tells how to sign the latter two. (The assumption is that one does have the RHEL signed boot loaders.)


https://bugzilla.redhat.com/show_bug.cgi?id=2027505 stated that secure boot is functional in CentOS Stream 9.
If that is no longer true, then it is an issue that you should report to Red Hat.

BShT
Posts: 587
Joined: 2019/10/09 12:31:40

Re: (Custom) Secure Boot for Centos 9 Stream

Post by BShT » 2023/10/25 11:59:09

I had some problems using ISOs larger than 8Gb, I had to use a 16Gb pen drive and the installation was unsuccessful, I could only install in legacy mode, when I found a version that fit on an 8Gb pen drive, I was able to install it without any problems, then I just updated

My notebook is an Acer A315

marksch
Posts: 3
Joined: 2023/10/24 22:04:21

Re: (Custom) Secure Boot for Centos 9 Stream

Post by marksch » 2023/10/26 00:24:23

Thanks for the responses!

Today I poked around a little bit more. As expected my Google Search did not bring any more results, which were useful in this case. I tried three more things, which seemed promising to me.

a) I removed the CentOS Certificates from my efi files, so that now only my custom certificate is now on those files. Although my certificate seems to be in the efi db, I cannot boot to those efi files with secure boot.

b) This brought me to another idea. What if Secure Boot worked, before Microsoft published another revocation list update in 2022 or 2023? There has been 3 updates to the revocation list since. Unfortunately I was not able to downgrade my dbx database using fwupd or dbxtool to test this assumption. I am not sure if this is even possible.

c) I tested to boot rhel 9 with secure boot, which is successful without any issues.

@BShT Thanks for this information. Unfortunately this is not an option for me, as I would rather not use an image, which is not from the official website. I couldn't find any smaller image there. Do you have a link for me?

@jlehtone Thanks for your points. I am not planning to use CentOS Stream in production. I just expect to install a bunch of third party software and would prefer to have some secure boot security beforehand. I might file a bug report. I found the same post and couldn't believe it. Thank you again for your comment.

Perhaps Secure Boot is broken for Centos 9 Stream. But, I couldn't find my efi sha's in the revocation lists. So I cannot backup my claim. I will file a bug report anyways.

marksch
Posts: 3
Joined: 2023/10/24 22:04:21

Re: (Custom) Secure Boot for Centos 9 Stream

Post by marksch » 2023/10/26 00:35:22

I now have verification of this. I further poked around with dbxtool. This tool gives an error if you try to import a dbx update, where your efis are included.

I get an error for https://uefi.org/revocationlistfile/archive Release Date: March 14, 2023.

Conclusion:

This means, that with an updated dbx list you will not be able to boot CentOS Stream 9 with secure boot. My laptop was newly bought, so I assume it already has the latest revocation lists built in. This means I cannot boot CentOS Stream 9. If I ever find a way to downgrade my system ( although this might be dangerous) I will continue this post.

I'd be happy if someone could assist with this.

This is the Bug Report: https://issues.redhat.com/browse/CS-1782

I hope I am not reporting any false information.


Post Reply