Hello. Oscar pointed out something interesting that I also want to look at, but I'd like to answer your questions so you'll have a bit more understanding of how it works.

On 17.07.2023 14:52, Source Code wrote:
> Hello! I wanted to ask:
>
> 1. The Arch Linux Wiki has a section 3.2 Using a signed boot loader. Can I skip the previous sections and skip subsection 3.2.1 PreLoader and go straight to section 3.2.2 Shim?
You only need one of them. Either PreLoader or shim. Personally I use shim. Both are signed with a key that your mobo can accept, so they both can be launched in Secure Boot mode. Then both of them can load other EFI binaries, GRUB2 in case of shim - as long as it's signed with a key that the signed bootloader itself trusts (for shim you can point it to a key to trust with the MokManager.efi tool). So the boot sequence in my case is this:

EFI -> shim -> MOK-signed GRUB2 with MOK-signed modules -> MOK-signed Linux kernel
> 2. If I change the boot loader to grubx64.efi and then if I don't finish section 3.2.2, will everything fail? Nothing will load? And if I leave the boot loader (aka boot.efi, right?) and grubx64.efi, will it crash?
Normally you need to have a shimx64.efi in your NVRAM as a boot option to start the system. You can keep grubx64.efi in your NVRAM as a boot option as well and load it anytime with secure boot disabled. If you switch to grubx64.efi with secure boot - you'll get an error that this binary is untrusted. If you disable it - GRUB2 will load normally. Beware that some EFI implementations can somehow remove it while messing around with boot options via efibootmgr (I saw this a couple of times). So have your USB bootable drive ready, just in case.
> 3. Section 3.2.2.1.2 shim with key has:
>
> $ openssl req -newkey rsa:4096 -nodes -keyout MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=my Machine Owner Key/" -out MOK.crt
> $ openssl x509 -outform DER -in MOK.crt -out MOK.cer
>
> Should I write "/CN=my Machine Owner Key/" like this? Or do you need to write some sequence of characters? Tell me what to write?
Could be anything really. I have a "/CN=raxp-laptop MOK/" for example. It doesn't matter. You only need a valid X.509 certificate to sign your binaries.
> P.S. If I make a mistake with any item, then everything will fly for me and it will not be possible to recover?
Messing with a signed bootloader should not harm your device at least, as you don't manage hardware keys directly. Still, I'd advise you to keep a bootable USB stick so you can recover. In a worst-case scenario you should be able to revert to GRUB2 and be bootable with secure boot disabled.
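As an added example (not part of the thread above, and not the Arch wiki's own script), the following POSIX shell script ties the three answers together: it generates a Machine Owner Key with whatever CN you like, exports the DER form that MokManager expects, checks that the PEM and DER files are the same certificate, and, only if sbsigntools happens to be installed, signs an EFI binary with the MOK and verifies the signature. The working directory, the CN "example Machine Owner Key" and the input/output paths passed to sign_efi are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumes openssl is installed; sbsign/sbverify (sbsigntools) are optional.
set -eu

# Create MOK.key (private key), MOK.crt (PEM cert) and MOK.cer (DER cert)
# in directory $1, using CN "$2". The CN is free text: it only labels the cert.
make_mok() {
    dir=$1; cn=$2
    openssl req -newkey rsa:4096 -nodes -keyout "$dir/MOK.key" \
        -new -x509 -sha256 -days 3650 -subj "/CN=$cn/" -out "$dir/MOK.crt"
    # MokManager.efi / mokutil enroll the certificate in DER form.
    openssl x509 -outform DER -in "$dir/MOK.crt" -out "$dir/MOK.cer"
}

# Print the CN from MOK.crt so you can confirm the subject you asked for
# (works with both "subject=CN = x" and "subject=/CN=x" output styles).
mok_cn() {
    openssl x509 -noout -subject -in "$1/MOK.crt" | sed 's/^subject=.*CN *= *//'
}

# Return success only if MOK.crt and MOK.cer carry the same certificate.
mok_same_cert() {
    pem=$(openssl x509 -noout -fingerprint -sha256 -in "$1/MOK.crt")
    der=$(openssl x509 -noout -fingerprint -sha256 -inform DER -in "$1/MOK.cer")
    [ "$pem" = "$der" ]
}

# Sign EFI binary $2 into $3 with the MOK in $1 and verify the result.
# Skipped (with a message) when sbsigntools is not installed.
sign_efi() {
    dir=$1; in=$2; out=$3
    if ! command -v sbsign >/dev/null 2>&1; then
        echo "sbsign not installed; skipping signing of $in" >&2
        return 0
    fi
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.crt" --output "$out" "$in"
    sbverify --cert "$dir/MOK.crt" "$out"
}

# Usage: build the key material in a scratch directory.
workdir=$(mktemp -d)
make_mok "$workdir" "example Machine Owner Key"
echo "MOK subject CN: $(mok_cn "$workdir")"
mok_same_cert "$workdir" && echo "MOK.crt and MOK.cer match"
# Example call (paths assumed): sign_efi "$workdir" /boot/EFI/arch/grubx64.efi "$workdir/grubx64.efi.signed"
```

After running it, MOK.cer is what you enroll through MokManager at the next boot, and MOK.key/MOK.crt are what you use to sign GRUB2, its modules and the kernel, so keep the private key off the ESP. The fingerprint check is worth keeping in any script that re-generates keys: enrolling a DER file that does not match the certificate you signed with is an easy way to end up with the "untrusted binary" error described above.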