Hello. Oscar pointed out something interesting that I also want to
look at, but I'd like to answer your questions so you'll have a bit more
understanding of how it works.
On 17.07.2023 14:52, Source Code wrote:
> Hello! I wanted to ask:
> 1. The Arch Linux Wiki has a section 3.2 Using a signed boot loader. Can
> I skip the previous sections, skip subsection 3.2.1 PreLoader and go
> straight to section 3.2.2 Shim?
You only need one of them: either PreLoader or shim. Personally I use
shim. Both are signed with a key that your mobo can accept, so they both
can be launched in Secure Boot mode. Then both of them can load other
EFI binaries, GRUB2 in the case of shim, as long as it's signed with a key
that the signed bootloader itself trusts (for shim you can point to a key
to trust with the MokManager.efi tool).
So the boot sequence in my case is this:
EFI -> shim -> MOK-signed GRUB2 with MOK-signed modules -> MOK-signed
Linux kernel
> 2. If I change the boot loader to grubx64.efi and then don't finish
> section 3.2.2, will everything fail? Nothing will load? And if I leave
> the boot loader (aka boot.efi, right?) and grubx64.efi, will it crash?
Normally you need to have shimx64.efi in your NVRAM as a boot option
to start the system. You can keep grubx64.efi in your NVRAM as a boot
option as well and load it anytime with Secure Boot disabled. If you
switch to grubx64.efi with Secure Boot on, you'll get an error that this
binary is untrusted. If you disable it, GRUB2 will load normally.
Beware that some EFI implementations can somehow remove it while you're messing
around with boot options via efibootmgr (I saw this a couple of times).
So have your bootable USB drive ready, just in case.
> 3. Section 3.2.2.1.2 shim with key has:
> $ openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
> $ openssl x509 -outform DER -in MOK.crt -out MOK.cer
> Should I write "/CN=my Machine Owner Key/" like this? Or do you need to
> write some specific sequence of characters? Can you tell me what to write?
It could be anything, really. I use "/CN=raxp-laptop MOK/", for example.
It doesn't matter. You only need a valid X.509 certificate to sign your
binaries.
> P.S. If I make a mistake with any item, will everything break for me
> and be impossible to recover?
Messing with a signed bootloader should not harm your device, at least, as
you don't manage hardware keys directly. Still, I'd advise you to keep a
bootable USB stick so you can recover. In the worst-case scenario you
should be able to revert to GRUB2, which is bootable with Secure Boot disabled.
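As an added example (not part of the original message or the Arch wiki), the script below runs the MOK step quoted in question 3 and adds the checks a practitioner wants before enrolling anything: that MOK.key really belongs to MOK.crt and that MOK.cer is the DER form of the same certificate. The signing and enrollment functions need sbsigntools and mokutil, which exist only on a real machine; they return 2 when the tools are absent. MOK_DIR and MOK_CN are hypothetical knobs chosen here; the file names follow the wiki.

```shell
#!/bin/sh
# Added example (not from the original message or the Arch wiki): generate the
# Machine Owner Key from section 3.2.2.1.2 as quoted, sanity-check the
# key/certificate pair before enrolling it, and, where sbsigntools and mokutil
# exist, sign an EFI binary with it and queue the certificate for MokManager.
# Assumptions: MOK_DIR and MOK_CN are hypothetical knobs; file names follow the wiki.
set -eu

MOK_DIR="${MOK_DIR:-$(mktemp -d)}"
MOK_CN="${MOK_CN:-my Machine Owner Key}"

# Step 1: MOK.key (private key, keep it off the ESP), MOK.crt (PEM certificate
# for sbsign) and MOK.cer (DER form, the format MokManager/mokutil import).
make_mok() {
    openssl req -newkey rsa:4096 -nodes -keyout "$MOK_DIR/MOK.key" -new -x509 \
        -sha256 -days 3650 -subj "/CN=$MOK_CN/" -out "$MOK_DIR/MOK.crt" 2>/dev/null
    openssl x509 -outform DER -in "$MOK_DIR/MOK.crt" -out "$MOK_DIR/MOK.cer"
}

# Step 2: checks worth doing before you enroll anything: the private key really
# belongs to the certificate, and MOK.cer is the same certificate as MOK.crt
# (a stale .cer from an earlier attempt is a classic reason shim rejects GRUB).
check_mok() {
    key_mod=$(openssl rsa -noout -modulus -in "$MOK_DIR/MOK.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$MOK_DIR/MOK.crt")
    [ "$key_mod" = "$crt_mod" ] || { echo "MOK.key does not match MOK.crt" >&2; return 1; }
    pem_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$MOK_DIR/MOK.crt")
    der_fp=$(openssl x509 -noout -fingerprint -sha256 -inform DER -in "$MOK_DIR/MOK.cer")
    [ "$pem_fp" = "$der_fp" ] || { echo "MOK.cer is not the DER form of MOK.crt" >&2; return 1; }
    return 0
}

# The subject you chose; the CN is only a label, as the reply says, so any value works.
mok_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$MOK_DIR/MOK.crt"
}

# Step 3 (real machine only): sign a PE/COFF EFI binary, e.g. grubx64.efi or the
# kernel, and verify the signature against the certificate shim will trust.
# Usage: sign_efi /boot/EFI/arch/grubx64.efi /boot/EFI/arch/grubx64.efi.signed
sign_efi() {
    command -v sbsign >/dev/null 2>&1 || { echo "sbsigntools not installed" >&2; return 2; }
    sbsign --key "$MOK_DIR/MOK.key" --cert "$MOK_DIR/MOK.crt" --output "$2" "$1"
    sbverify --cert "$MOK_DIR/MOK.crt" "$2"
}

# Step 4 (real machine only): queue MOK.cer for enrollment; MokManager asks for
# the password you set here on the next boot through shim.
enroll_mok() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; return 2; }
    mokutil --import "$MOK_DIR/MOK.cer"
}

make_mok
check_mok
echo "MOK created in $MOK_DIR: $(mok_subject)"
```

Run it once to produce the three files, then sign_efi and enroll_mok on the machine itself; after the reboot through shim, `mokutil --list-enrolled` should show the CN you chose, and a binary signed with a different key (or an unsigned grubx64.efi) is the "untrusted" case described in answer 2.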