Status of Secure Boot support

It appears that the Clear Linux .iso will not boot in Secure Boot mode.

In 2018 it was said that Secure Boot was on the to-do list for Clear Linux. What is the current plan?

Thank you,
P


Hi Philip,
It’s still on our list, but not actively being worked on right now.

Chris

@pixelgeek / @btwarden, what is the status of Secure Boot?
Is there some documentation on how to do it?
For the ISO it might be nice, but how does one set it up for an installed Clear Linux?

The only thing I found was something for Project ACRN:
https://projectacrn.github.io/1.6.1/tutorials/enable_laag_secure_boot.html

I haven’t heard it discussed in a while now. :frowning: I can ask the question offline and get a formal response if @btwarden or @arjan don’t chime in here.


It might be a requirement for TPM2 LUKS auto-unlock, which is quite important for us.

@pixelgeek did you hear more? @btwarden @arjan?

I’ll update on Thursday, if no-one else comments before.


Thank you, @pixelgeek.

What is the specific use case you are looking to have supported? If it is secure boot with your own system keys, that has worked in the past but isn’t something we validate. I do not have any documentation for how to set this up on Clear Linux either unfortunately.

Hi @william.douglas,

I mentioned it above; it is about TPM2 / systemd / LUKS.
Getting LUKS2 auto-unlock of the root partition with the TPM to work, where Secure Boot might be a requirement. @btwarden might know more about whether it is or not, or how to find out.

If Secure Boot is required, I would prefer not to add my own keys but to have Clear Linux support it out of the box.

So, there are a couple of approaches here:
a) having a shim signed in a way that is compatible with the Microsoft signature that’s already embedded into most BIOSes. This is the approach that the larger Linux distros take to make it very easy for users to just install and get the benefits of Secure Boot. While we had looked at this option a long time ago, when we were more focused on the desktop experience, it is not an option we’re currently pursuing.
b) as William outlines above, and as the Project ACRN documentation spells out, it’s possible to enroll your own keys into the BIOS. This should work for Clear Linux, although we don’t have any documentation, or do any testing for this scenario. If any community folks want to take a look at it and see if they can get it working and the steps written down, I’d be happy to make sure it gets into our documentation afterwards.

Rgds,
Chris

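Before attempting approach (b), enrolling your own keys, it helps to know what the firmware currently reports: whether Secure Boot is enforcing, whether the firmware is in Setup Mode (no Platform Key enrolled, so custom PK/KEK/db can be written), or whether UEFI variables are not exposed at all. The script below is an added example, not Clear Linux project code or anything from this thread; it reads the SecureBoot and SetupMode variables from efivarfs (the 4-byte attribute header followed by a one-byte value is the efivarfs file layout) and assumes efivarfs is mounted at the default path unless EFIVARS is overridden.

```shell
#!/bin/sh
# Added example: classify UEFI Secure Boot state from efivarfs.
# Each efivarfs file is a 4-byte little-endian attribute word followed by the
# variable data; SecureBoot and SetupMode are single-byte booleans defined
# under the EFI global variable GUID.

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte of a one-byte EFI variable as a decimal number.
# Prints "absent" when the variable file is missing or has no data byte.
efivar_byte() {
    file="$EFIVARS/$1-$EFI_GLOBAL_GUID"
    [ -r "$file" ] || { echo absent; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$file" | tr -d ' \n')
    [ -n "$v" ] || v=absent
    echo "$v"
}

# Classify the firmware state the way an installer or pre-flight check would:
#   enforcing  Secure Boot on: images not signed by a key in db are refused
#   setup      Setup Mode: no PK enrolled, so a custom PK/KEK/db can be enrolled
#   disabled   UEFI firmware with Secure Boot turned off
#   no-uefi    variables absent (legacy BIOS boot, or efivarfs not mounted)
secure_boot_state() {
    sb=$(efivar_byte SecureBoot)
    sm=$(efivar_byte SetupMode)
    case "$sb:$sm" in
        absent:*) echo no-uefi ;;
        1:*)      echo enforcing ;;
        *:1)      echo setup ;;
        *)        echo disabled ;;
    esac
}

# Stand-alone use: report the state of the running machine.
[ "${0##*/}" = "sb-state.sh" ] && secure_boot_state
```

Run as root or with read access to efivarfs; a machine that reports "setup" is the one on which the custom-key enrollment from the Project ACRN page can be carried out, while "enforcing" with only the stock db means an unsigned Clear Linux image will be refused, as seen with the ISO.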