Secure Boot

Support for security such as firewalls and securing Linux
chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Secure Boot

Post by chassap1 » 2017/10/24 14:27:57

We are new to secure boot. We are going to be using an AMI BIOS on an Intel Atom processor that supports it. Once we enable it in the BIOS, is there a nice simple list of instructions that can tell us how to create keys and sign CentOS 7 for use?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Secure Boot

Post by avij » 2017/10/24 14:40:42

You don't need to do anything. CentOS 7 installation .iso images are Secure Boot ready.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Secure Boot

Post by TrevorH » 2017/10/24 15:36:56

CentOS already has signed boot code.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: Secure Boot

Post by chassap1 » 2017/10/24 15:53:09

But don't you need to create your own keys to be used in the BIOS and in signing?

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Secure Boot

Post by avij » 2017/10/24 16:29:02

No, the booting bits in CentOS are signed by a Microsoft key, and that key is likely already included in your firmware.

(Microsoft? Huh?)

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: Secure Boot

Post by chassap1 » 2017/10/24 19:43:38

Unfortunately, our customer's requirements are that they shall provide the keys.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Secure Boot

Post by avij » 2017/10/24 20:22:58

Then you would need to re-sign shim, grub2 and kernel with the customer's key, create new installation .iso images and install the customer's key into each and every device you plan to use. Way too complicated, and for zero benefit. And unsupported on this forum.

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: Secure Boot

Post by chassap1 » 2017/11/07 21:34:46

It shouldn't be too bad. We would be loading the keys into the BIOS, and when deploying the OS, we will be making a clone of the original hard drive and using that image for subsequent systems.

I don't think we plan on rebuilding the kernel, so can you sign a file that is already signed?
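
Added example, not part of the thread and not CentOS project code: a Python sketch that lists the signature entries in the PE certificate table of an EFI binary such as shim, grub2 or the kernel. That table is where Secure Boot signatures are stored, and the PE format defines it as a list of entries, so counting them before and after re-signing shows what a signing tool did. The function names are hypothetical and `build_sample` constructs a header-only sample for illustration.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def cert_table(pe: bytes):
    """Return (file_offset, size) of the PE certificate table; (0, 0) if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    (count,) = struct.unpack_from("<I", pe, dirs - 4)    # NumberOfRvaAndSizes
    # Data directory index 4 is the certificate table; its address is a file offset.
    return struct.unpack_from("<II", pe, dirs + 4 * 8) if count > 4 else (0, 0)

def list_signatures(pe: bytes):
    """Walk WIN_CERTIFICATE entries; return [(revision, cert_type, payload_len), ...]."""
    off, size = cert_table(pe)
    end, out = off + size, []
    if end > len(pe):
        raise ValueError("certificate table runs past end of file")
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        out.append((rev, ctype, length - 8))
        off += (length + 7) & ~7              # entries are 8-byte aligned
    return out

def build_sample(payloads):
    """Constructed minimal PE32+ header plus a certificate table (not a bootable image)."""
    hdr = bytearray(0x40 + 24 + 112 + 16 * 8)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x40 + 24, 0x20B)         # PE32+ magic
    struct.pack_into("<I", hdr, 0x40 + 24 + 108, 16)      # NumberOfRvaAndSizes
    table = b""
    for p in payloads:                                    # placeholder bytes, not real PKCS#7
        entry = struct.pack("<IHH", 8 + len(p), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + p
        table += entry + b"\0" * (-len(entry) % 8)
    if table:
        struct.pack_into("<II", hdr, 0x40 + 24 + 112 + 4 * 8, len(hdr), len(table))
    return bytes(hdr) + table
```

On a real system, pass the bytes of the EFI binary read from disk to `list_signatures`; an empty list means the file carries no embedded signature.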
