DaemonForums  

Secure Boot and OpenBSD
Posted by Head_on_a_Stick, 12th December 2015

This guide only applies to systems installed and booting in UEFI mode.

This guide applies to amd64 machines; for i386 systems, replace "bootx64.efi" with "bootia32.efi".

Follow the advice in this link to install a UEFI system:
https://blog.jasper.la/openbsd-uefi-bootloader-howto/

It is possible to boot OpenBSD with Secure Boot enabled by using the Linux Foundation's PreLoader & HashTool utilities.
http://www.linuxfoundation.org/news-...em-open-source

To implement this method, download the PreLoader.efi and HashTool.efi from here:
http://blog.hansenpartnership.com/li...stem-released/

Then rename the OpenBSD UEFI bootloader to "loader.efi":
Code:
# mount /dev/sd0i /mnt
# mv /mnt/efi/boot/BOOTX64.EFI /mnt/efi/boot/loader.efi
(this presumes that the EFI system partition is located at /dev/sd0i -- adjust if necessary)

Then copy over HashTool.efi & PreLoader.efi and rename the latter as the default UEFI loader:
Code:
# cp HashTool.efi /mnt/efi/boot
# cp PreLoader.efi /mnt/efi/boot/bootx64.efi
Now reboot the machine and enable Secure Boot.

When the system starts the PreLoader will detect an unauthorised image (the OpenBSD bootloader) and will offer to start the HashTool so that the loader.efi can be authorised.

Use the menu options in the HashTool to enrol the loader.efi and reboot again.

See https://askubuntu.com/questions/5947...ions-preloader

More information here:
http://www.rodsbooks.com/efi-bootloa...html#preloader

To revert the system, simply copy loader.efi back to bootx64.efi.

Note that whenever the base system is upgraded, the bootloader should be copied back:
Code:
# mount /dev/sd0i /mnt
# cp /usr/mdec/BOOTX64.EFI /mnt/efi/boot/loader.efi
When the system is rebooted, the HashTool should load up again to enrol the new loader.efi.

Last edited by Head_on_a_Stick; 14th December 2015 at 10:05 PM. Reason: Added architecture-specific information
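
The upgrade note above can be checked before rebooting. The following is an added example, not part of the original post and not code from OpenBSD or the PreLoader project: it reports whether the EFI system partition still has the layout from this guide and whether loader.efi matches the loader shipped by the base system. The function names and status words are hypothetical; the paths are the ones used in the guide.

```shell
#!/bin/sh
# Added example: audit the PreLoader layout from the guide on a mounted ESP.

# Print the path of the file in dir $1 whose name equals $2 ignoring case
# (FAT is case-insensitive, so BOOTX64.EFI and bootx64.efi are the same file).
find_ci() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        have=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        if [ "$have" = "$want" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# loader_status BOOT_DIR NEW_LOADER
#   BOOT_DIR   e.g. /mnt/efi/boot on the mounted EFI system partition
#   NEW_LOADER e.g. /usr/mdec/BOOTX64.EFI from the upgraded base system
# Prints one status word; returns 0 only when nothing needs doing.
loader_status() {
    boot_dir=$1; new=$2
    [ -f "$new" ] || { echo no-reference; return 2; }
    default=$(find_ci "$boot_dir" bootx64.efi) || { echo no-default-loader; return 2; }
    # Default loader is the OpenBSD loader itself: PreLoader not installed, or reverted.
    if cmp -s "$default" "$new"; then echo not-chained; return 0; fi
    loader=$(find_ci "$boot_dir" loader.efi) || { echo missing-loader; return 1; }
    find_ci "$boot_dir" hashtool.efi >/dev/null || { echo missing-hashtool; return 1; }
    # Same bytes as the shipped loader: no copy needed, so no new binary to enrol.
    if cmp -s "$loader" "$new"; then echo current; return 0; fi
    echo stale   # copy NEW_LOADER to loader.efi, then expect HashTool on next boot
    return 1
}

# Run against real paths only when asked:
#   sh check.sh /mnt/efi/boot [/usr/mdec/BOOTX64.EFI]
if [ "$#" -ge 1 ]; then
    loader_status "$1" "${2:-/usr/mdec/BOOTX64.EFI}"
fi
```

A result of "stale" means the copy step from the upgrade note is still pending; "missing-hashtool" means the new loader could not be enrolled from the PreLoader prompt.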