The state of secure boot with FreeBSD
Date: Wed, 24 Jan 2024 14:24:20 UTC
Hello everyone,

I've been looking at configuring my FreeBSD UEFI laptop with ZFS on GELI with secure boot. Using efitools[0] from Linux in a Linux VM allowed me to generate keys that were programmed into the UEFI. The generated keys then worked fine for signing the EFI loader using uefisign(8) on my FreeBSD system.

So far so good, but the crux is maintaining the secure boot chain between the loader and the root file system.

One version I tried was applying the patch attached to this mail to my loader, whitelisting the GELI header hash of my root partition. This works, but I'm fairly sure that the loader could be manipulated with configuration files or the creation of extra unencrypted partitions on the drive for it to find and try to boot, making it far from an ideal solution.

I found instructions on the FreeBSD Foundation's website[1] on how to embed the kernel into the loader. It could be due to user error, but when trying this, the loader simply found and booted my ZFS system instead of the embedded kernel. Looking at the code in stand/efi/loader/main.c seems to imply that ZFS will be tried before the embedded image.

For verification, there are references to VERIEXEC in the loader and in src.conf(5), but I have not been able to find any FreeBSD documentation on how this is to be configured.

Lastly, I'm aware of the FreeBSD secure boot wiki page[2], but it has not been updated in a few years, so I don't know if it reflects the current secure boot situation. Its status matrix indicates that secure boot work for the loader has not been started.

Does anyone know if secure boot work is ongoing? Are there patches for locking the loader down floating around out there? Are there instructions I have missed or alternatives to using the EFI loader provided in base?

Thank you for reading!

Best regards,
Andreas Kempe

[0]: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
[1]: https://freebsdfoundation.org/freebsd-uefi-secure-boot/
[2]: https://wiki.freebsd.org/SecureBoot