Wiki Mageia
Secure boot clarification
References and documents: try to enhance the lay out of the links and add a link to the Debian wiki
← Older revision Revision as of 22:10, 15 November 2024 (2 intermediate revisions by the same user not shown)Line 1: Line 1: −{{Multi language banner|[[User:Zeldas7777|english]] ;}}+{{Multi language banner|[[Secure boot clarification|english]] ;}} {{Draft}} {{Draft}} −= Secure boot clarification = −=== Overview ===+ += Overview = Secure boot was created to ensure the protection of the operating system (OS). The Linux community did not like the secure boot upgrade. The end user would have to disable secure boot then install Linux. The reason was because the computers did not have the TPM Linux distribution signatures installed in the computer before manufacturing the computers. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation for computers without Linux distribution signatures to successfully install Linux distribution. This wiki entry will hopefully bring some clarity from users in the Linux community on the secure boot implementation, and it's impact on Linux. The purpose of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. The secure boot is for protecting the end user from any threats to security and/or privacy. The secure boot feature stops the OS from booting upon detection of invalid signatures. Secure boot was created to ensure the protection of the operating system (OS). The Linux community did not like the secure boot upgrade. The end user would have to disable secure boot then install Linux. The reason was because the computers did not have the TPM Linux distribution signatures installed in the computer before manufacturing the computers. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation for computers without Linux distribution signatures to successfully install Linux distribution. This wiki entry will hopefully bring some clarity from users in the Linux community on the secure boot implementation, and it's impact on Linux. The purpose of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. The secure boot is for protecting the end user from any threats to security and/or privacy. The secure boot feature stops the OS from booting upon detection of invalid signatures. −=== Who this applies to ===+= Who this applies to = This wiki does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, You may have a Trusted Platform Module (TPM) chip. This wiki can apply to your computer. Computers with a TPM chip version 1.0 started to appear in 2009. This chip was soon updated to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip does ensure the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below. This wiki does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, You may have a Trusted Platform Module (TPM) chip. This wiki can apply to your computer. Computers with a TPM chip version 1.0 started to appear in 2009. This chip was soon updated to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip does ensure the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below. Line 18: Line 18: Wikipedia - https://en.wikipedia.org/wiki/Trusted_Platform_Module<br> Wikipedia - https://en.wikipedia.org/wiki/Trusted_Platform_Module<br> −=== Why the secure boot mode option was created ===+= Why the secure boot mode option was created = Extensible Firmware Interface (EFI) was developed in the mid 1990's. In 2004, Intel released the first open source Unified Extensible Firmware Interface (UEFI) implementation. Then EFI was transitioned to Unified Extensible Firmware Interface (UEFI) in 2005. There has been several root vulnerabilities found in the computer BIOS that were exposed that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities to the system were discovered making it hard to keep OS secure and protected from exploits. It was clear that the time had come to improve upon the Unified Extensible Firmware Interface (UEFI) with emphasis on making the process even more secure. Then "Trusted Platform Module (TPM) was developed. This was not enough and TPM was updated to make secure boot mode possible. Secure boot was implemented in the BIOS using the TPM chip. This would allow authentication of the OS from signed bootloader, kernel, and drivers. This affected the Linux community because the time secure boot came out limited documentation was available at the time. This is why we have so many issues with secure boot. The Linux community has been working hard on this for years now to learn and implement secure boot on the OS. Extensible Firmware Interface (EFI) was developed in the mid 1990's. In 2004, Intel released the first open source Unified Extensible Firmware Interface (UEFI) implementation. Then EFI was transitioned to Unified Extensible Firmware Interface (UEFI) in 2005. There has been several root vulnerabilities found in the computer BIOS that were exposed that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities to the system were discovered making it hard to keep OS secure and protected from exploits. It was clear that the time had come to improve upon the Unified Extensible Firmware Interface (UEFI) with emphasis on making the process even more secure. Then "Trusted Platform Module (TPM) was developed. This was not enough and TPM was updated to make secure boot mode possible. Secure boot was implemented in the BIOS using the TPM chip. This would allow authentication of the OS from signed bootloader, kernel, and drivers. This affected the Linux community because the time secure boot came out limited documentation was available at the time. This is why we have so many issues with secure boot. The Linux community has been working hard on this for years now to learn and implement secure boot on the OS. −=== The secure mode operation design ===+= The secure mode operation design = Secure boot mode is designed to authenticate the OS from a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, The computer will stop booting indicating that an invalid signature has been detected. Secure boot mode operation is meant to validate three areas while booting the OS. Authentication is performed by checking the bootloader, kernel, and kernel drivers on booting. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified the signature is marked invalid and stops booting. The Invalid signatures are also installed when firmware updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS, but is required to maintain OS security. Secure boot mode is designed to authenticate the OS from a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, The computer will stop booting indicating that an invalid signature has been detected. Secure boot mode operation is meant to validate three areas while booting the OS. Authentication is performed by checking the bootloader, kernel, and kernel drivers on booting. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified the signature is marked invalid and stops booting. The Invalid signatures are also installed when firmware updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS, but is required to maintain OS security. −=== The secure mode operation while booting ===+= The secure mode operation while booting = Secure mode authenticates the system from the installed signatures. Here is how the process works. Secure mode authenticates the system from the installed signatures. Here is how the process works. Line 35: Line 35: If everything is successful, the OS will boot as expected. If everything is successful, the OS will boot as expected. −=== CPU board manufacturer requirements ===+= CPU board manufacturer requirements = CPU board manufacturers are required to follow fair trade laws This means that no company can be biased and that all OS vendors share equal rights. All manufactures have a standard to follow that is strictly monitored. We have a few types of CPU boards on the market that must comply with personal data security. Here are the following types of CPU boards that allow secure boot to be disabled, those that do not allow it, or made optional for custom manufactured computers. CPU board manufacturers are required to follow fair trade laws This means that no company can be biased and that all OS vendors share equal rights. All manufactures have a standard to follow that is strictly monitored. We have a few types of CPU boards on the market that must comply with personal data security. Here are the following types of CPU boards that allow secure boot to be disabled, those that do not allow it, or made optional for custom manufactured computers. Line 45: Line 45: The documentation for the UEFI firmware is required to be made available to all OS vendors. This documentation shall have all commands required for UEFI firmware updates. The currently installed OS owns the updating of the firmware. If you have a dual-boot or multi-boot system, then each OS shares ownership rights. The documentation for the UEFI firmware is required to be made available to all OS vendors. This documentation shall have all commands required for UEFI firmware updates. The currently installed OS owns the updating of the firmware. If you have a dual-boot or multi-boot system, then each OS shares ownership rights. −=== The requirement to enable secure boot ===+= The requirement to enable secure boot = The requirements to successfully enable secure boot mode on an OS are: The requirements to successfully enable secure boot mode on an OS are: Line 55: Line 55: # Must have a TPM chip. # Must have a TPM chip. −=== References and documents ===+= References and documents = −Uefi.org documents in PDF file format+==Uefi.org documents in PDF file format== −Uefi Information - https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf+Uefi Information - [https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf UEFI Secure Boot in Modern Computer Security Solutions 2013.pdf] Microsoft KEK expiring because the certificate is expiring on 10/19/2026. This means there will be another secure boot update coming for current and new computers. Microsoft KEK expiring because the certificate is expiring on 10/19/2026. This means there will be another secure boot update coming for current and new computers. Here is the link to the PDF document: Here is the link to the PDF document: +[https://uefi.org/sites/default/files/resources/Evolving%20the%20Secure%20Boot%20Ecosystem_Flick%20and%20Sutherland.pdf Evolving the Secure Boot Ecosystem 9/12/2023] −Evolving the Secure Boot Ecosystem 9/12/2023 - https://uefi.org/sites/default/files/resources/Evolving%20the%20Secure%20Boot%20Ecosystem_Flick%20and%20Sutherland.pdf+==Other links== −To learn more about the UEFI and secure boot visit uefi.org website.+To learn more about the UEFI and secure boot visit [https://www.uefi.org the uefi.org website.] −https://www.uefi.org+[https://wiki.debian.org/SecureBoot Secure Boot in the Debian wiki] −=== Support history from the secure boot upgrade ===+= Support history from the secure boot upgrade = Visit this link to see recent issues related to secure boot. Visit this link to see recent issues related to secure boot. Line 76: Line 77: https://forums.mageia.org/en/search.php?keywords=secure+boot&fid%5B0%5D=7 https://forums.mageia.org/en/search.php?keywords=secure+boot&fid%5B0%5D=7 −=== Common issues with TPM ===+= Common issues with TPM = Dual or multi-boot is harder to work with when you want to boot Windows and Linux. This can be even harder for Windows, Linux, and another OS. If the Linux distro does not support secure boot enabled and you have the TPM on the computer, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi boot with Windows. This will slow down the boot process and disable all BIOS protection. This will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi boot. This method is not recommended as it will open a security risk of having malware infecting or modifying your computer. Dual or multi-boot is harder to work with when you want to boot Windows and Linux. This can be even harder for Windows, Linux, and another OS. If the Linux distro does not support secure boot enabled and you have the TPM on the computer, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi boot with Windows. This will slow down the boot process and disable all BIOS protection. This will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi boot. This method is not recommended as it will open a security risk of having malware infecting or modifying your computer. −=== Clarification conclusion ===+= Clarification conclusion = Again, this article will hopefully bring some clarity to the confusion caused by the secure boot updates and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this wiki when I am finished. Again, this article will hopefully bring some clarity to the confusion caused by the secure boot updates and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this wiki when I am finished. MarjaMageia wiki:Secure boot clarification
Marja deleted page Mageia wiki:Secure boot clarification wrong location
MarjaUser:Zeldas7777
Correct the redirect
← Older revision Revision as of 21:35, 15 November 2024 Line 1: Line 1: −#REDIRECT [[Mageia wiki:Secure boot clarification]]+#REDIRECT [[Secure boot clarification]] MarjaUser:Zeldas7777
Marja moved page User:Zeldas7777 to Mageia wiki:Secure boot clarification This page needs to be more visible, so more people will provide feedback or improvements
← Older revision Revision as of 21:33, 15 November 2024 (One intermediate revision by the same user not shown)Line 1: Line 1: {{Multi language banner|[[User:Zeldas7777|english]] ;}} {{Multi language banner|[[User:Zeldas7777|english]] ;}} + +{{Draft}} = Secure boot clarification = = Secure boot clarification = MarjaTemplate:Meertalige banner-nl
Marja deleted page Template:Meertalige banner-nl wrong page name
MarjaTalk:Becoming a Mageia Packager
SOP Freeing disk space
Freeing disk space on servers: Add log section
← Older revision Revision as of 18:54, 13 November 2024 Line 11: Line 11: == distrib == == distrib == This holds all RPMs and metadata for all supported releases. When this fills, nobody can build any more packages. One strategy to free space is to hard link identical RPMs between bootstrap and mirror for cauldron. Another is to remove obsolete and unsupported releases, although you must first ensure the files are available elsewhere in case we need to fulfill any obligations under the GPL (and other licenses) to provide source code (this responsibility may not actually apply, but you need to be sure about that before deleting). This holds all RPMs and metadata for all supported releases. When this fills, nobody can build any more packages. One strategy to free space is to hard link identical RPMs between bootstrap and mirror for cauldron. Another is to remove obsolete and unsupported releases, although you must first ensure the files are available elsewhere in case we need to fulfill any obligations under the GPL (and other licenses) to provide source code (this responsibility may not actually apply, but you need to be sure about that before deleting). + +== log == +If the log partition (/var/log/) is filling up, there are a few things that can be done to make space. Running '''journalctl --vacuum-size=500M''' (with an appropriate size) will make some room immediately by deleting enough older logs so the remainder fit in the given space. Permanently reducing journal log sizes can be done by changing /etc/systemd/journald.conf for the host in puppet. + +If other logs which are rotated by logrotate are getting too large, the logrorate settings may need to be tweaked. Logs are normally rotated monthly, so changing that to weekly will compress the log files much more often leaving more free space. This can be done by changing the logrotate settings for a service in puppet, possibly using a <% if @hostname == 'HOST' %> conditional. When changing the log rotation period, make sure to also change the number of logs to keep around (the ''rotate'' value); e.g. if changing from monthly to weekly, the maximum number will need to be increased by a factor of 4 to keep around the same log history available. == Expanding partitions == == Expanding partitions == DanfPushing updates
Add Errors section
← Older revision Revision as of 20:34, 12 November 2024 Line 99: Line 99: ''NOTE'': This process was developed in 2024 to ensure that users can stay abreast of backports changes. It may change in the future if ''mga-move-pkg'' is updated to automatically mail notifications to backports-announce by itself. ''NOTE'': This process was developed in 2024 to ensure that users can stay abreast of backports changes. It may change in the future if ''mga-move-pkg'' is updated to automatically mail notifications to backports-announce by itself. + +== Errors == + +If a problem occurs during the mga-move-pkg stage, then the program may abort without performing all its steps (including package move, update bug, send e-mail, etc.). If the problem was temporary, try just running the command again. If there is still an issue (you may need to read the e-mail sent to qa-reports@ml to see details) then you may need to manually update the advisory status files to continue. + +For example, if an error occurred during the package move stage, then the package(s) may have been moved but the status might not have been updated to reflect that. Subsequent invocations will then try to move a package that no longer exists in the updates_testing media where it's expected, causing an error every time. In this case, you will need to edit the appropriate file in /var/lib/mga-advisories/status/ to add a move line to indicate that the move has, indeed, taken place. [[Category:Sysadmin]] [[Category:Sysadmin]] [[Category:QA]] [[Category:QA]] DanfAuto inst
No X
← Older revision Revision as of 15:50, 11 November 2024 (One intermediate revision by the same user not shown)Line 2,696: Line 2,696: mv -f /etc/inittab1 /etc/inittab mv -f /etc/inittab1 /etc/inittab "</nowiki>}} "</nowiki>}} + +If you really want a minimal install without any Xorg related packaged installed, you'll have to use the following trick (works with mageia 9 and an updated grub2 package): +{{pre|<nowiki> 'rpmsrate_flags_chosen' => { + CAT_X => 0, + }, +</nowiki>}} ==== Default X ==== ==== Default X ==== BcornecAuto inst
No X
← Older revision Revision as of 15:50, 11 November 2024 (3 intermediate revisions by the same user not shown)Line 2,453: Line 2,453: * [[#default_packages|default_packages]] * [[#default_packages|default_packages]] * [[#nomouseprobe|nomouseprobe]] * [[#nomouseprobe|nomouseprobe]] + +=== skipped_packages === + +The <b>skipped_packages</b> option is used to prevent the installation of the packages listed in this array in a regular expression form. + +==== Syntax ==== + +* The <b>skipped_packages</b> option has the following general syntax: +{{pre|<nowiki> 'skipped_packages' => [ + '/^package1-/', + '/^package2-/, + ]</nowiki>}} + +==== Descriptions ==== + +* <b>package#</b> is the name of the package you DON'T want to install. + +==== Examples ==== + +* Simple example +{{pre|<nowiki> 'skipped_packages' => [ + '/^kernel-desktop-/', + ]</nowiki>}} + +This will avoid the installation of the desktop kernels (typically on a server install). + +==== Related Options ==== +* [[#default_packages|default_packages]] option === superuser === === superuser === Line 2,659: Line 2,687: ==== No X ==== ==== No X ==== −For those of you who are not installing or do not want X, you can one of those solutions:+For those of you who are not installing or do not want X, you can choose one of those solutions: * make sure that the 'X' => {...}, is not present in the {{file|auto_inst.cfg}} file. And also, make sure that you do not install any packages which have {{prog|xorg*}} as a dependancy. * make sure that the 'X' => {...}, is not present in the {{file|auto_inst.cfg}} file. And also, make sure that you do not install any packages which have {{prog|xorg*}} as a dependancy. * you can use the following and not worry about which packages are installed: {{pre|<nowiki> 'X' => { 'disabled' => 1 },</nowiki>}} Please note, that even though you may have installed the {{prog|xorg*}} packages, window manager packages, and /or X based applications, X will not be configured correctly. So don't forget and type startx at the command prompt ! * you can use the following and not worry about which packages are installed: {{pre|<nowiki> 'X' => { 'disabled' => 1 },</nowiki>}} Please note, that even though you may have installed the {{prog|xorg*}} packages, window manager packages, and /or X based applications, X will not be configured correctly. So don't forget and type startx at the command prompt ! Line 2,668: Line 2,696: mv -f /etc/inittab1 /etc/inittab mv -f /etc/inittab1 /etc/inittab "</nowiki>}} "</nowiki>}} + +If you really want a minimal install without any Xorg related packaged installed, you'll have to use the following trick (works with mageia 9 and an updated grub2 package): +{{pre|<nowiki> 'rpmsrate_flags_chosen' => { + CAT_X => 0, + }, +</nowiki>}} ==== Default X ==== ==== Default X ==== BcornecAuto inst
Liste von Anwendungen-de
Software aus externen Quellen (Nicht in Mageia enthalten)
← Older revision Revision as of 10:56, 10 November 2024 Line 1,072: Line 1,072: | [[File:Heroic.png|25px|center]] | [[File:Heroic.png|25px|center]] | '''[https://heroicgameslauncher.com/ Heroic Game Launcher]''' | '''[https://heroicgameslauncher.com/ Heroic Game Launcher]''' −| Heroic Game launcher Client (Siehe '''[Möglichkeiten_um_Anwendungen_zu_installieren-de#Heroic_Game_Launcher Möglichkeiten um Anwendungen zu installieren]''')+| Heroic Game launcher Client (Siehe '''[[Möglichkeiten_um_Anwendungen_zu_installieren-de#Heroic_Game_Launcher|Möglichkeiten um Anwendungen zu installieren]]''') |- |- | [[File:App-accessories.png|25px|center]] | [[File:App-accessories.png|25px|center]] PsycaList of applications
Software from external sources (Not included in Mageia): change external to internal link
← Older revision Revision as of 10:55, 10 November 2024 Line 1,066: Line 1,066: | [[File:Heroic.png|25px|center]] | [[File:Heroic.png|25px|center]] | '''[https://heroicgameslauncher.com/ Heroic Game Launcher]''' | '''[https://heroicgameslauncher.com/ Heroic Game Launcher]''' −| Heroic Game launcher Client (See '''[https://wiki.mageia.org/en/Ways_to_install_programs#Heroic_Game_Launcher Ways to install programs]''')+| Heroic Game launcher Client (See '''[[Ways_to_install_programs#Heroic_Game_Launcher|Ways to install programs]]''') |- |- | [[File:App-accessories.png|25px|center]] | [[File:App-accessories.png|25px|center]] PsycaListe von Anwendungen-de
Cauldron-de
User:Zeldas7777
Working on improving content making it easier to understand. Make sections more clear.
← Older revision Revision as of 20:42, 9 November 2024 Line 6: Line 6: === Overview === === Overview === −Secure boot was created to ensure the protection of the operating system (OS). The Linux community did not like the secure boot upgrade. The end user would have to disable secure boot then install Linux. The reason was because the computers did not have the TPM Linux distribution signatures installed in the computer before manufacturing the computers. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation for computers without Linux distribution signatures to successfully install Linux distribution. This wiki entry will hopefully bring some clarity from users in the Linux community on the secure boot upgrade, and it's impact on Linux. The purpose of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. The secure boot is for protecting the end user from any threats to security and/or privacy. The secure boot feature disables the OS immediately upon detection of invalid signatures. +Secure boot was created to ensure the protection of the operating system (OS). The Linux community did not like the secure boot upgrade. The end user would have to disable secure boot then install Linux. The reason was because the computers did not have the TPM Linux distribution signatures installed in the computer before manufacturing the computers. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation for computers without Linux distribution signatures to successfully install Linux distribution. This wiki entry will hopefully bring some clarity from users in the Linux community on the secure boot implementation, and it's impact on Linux. The purpose of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. The secure boot is for protecting the end user from any threats to security and/or privacy. The secure boot feature stops the OS from booting upon detection of invalid signatures. === Who this applies to === === Who this applies to === −This document does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, You may have a Trusted Platform Module (TPM) chip. This wiki can apply to your personal computer (PC). Personal computers with TPM chip version 1.0 started to appear in 2009. This chip was soon upgraded to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip does ensure the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below.+This wiki does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, You may have a Trusted Platform Module (TPM) chip. This wiki can apply to your computer. Computers with a TPM chip version 1.0 started to appear in 2009. This chip was soon updated to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip does ensure the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below. Reference links:<br> Reference links:<br> Line 18: Line 18: === Why the secure boot mode option was created === === Why the secure boot mode option was created === −There has been several root vulnerabilities found in PC BIOS that were exposed that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities to the system were discovered making it hard to keep OS secure and protected from exploits. It was clear that the time had come to improve upon the Unified Extensible Firmware Interface (UEFI) with emphasis on making the process even more secure. UEFI decided to implement the secure boot mode in the BIOS using the TPM chip. This would allow authentication of the OS from signed bootloader, kernel, and drivers.+Extensible Firmware Interface (EFI) was developed in the mid 1990's. In 2004, Intel released the first open source Unified Extensible Firmware Interface (UEFI) implementation. Then EFI was transitioned to Unified Extensible Firmware Interface (UEFI) in 2005. There has been several root vulnerabilities found in the computer BIOS that were exposed that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities to the system were discovered making it hard to keep OS secure and protected from exploits. It was clear that the time had come to improve upon the Unified Extensible Firmware Interface (UEFI) with emphasis on making the process even more secure. Then "Trusted Platform Module (TPM) was developed. This was not enough and TPM was updated to make secure boot mode possible. Secure boot was implemented in the BIOS using the TPM chip. This would allow authentication of the OS from signed bootloader, kernel, and drivers. This affected the Linux community because the time secure boot came out limited documentation was available at the time. This is why we have so many issues with secure boot. The Linux community has been working hard on this for years now to learn and implement secure boot on the OS. === The secure mode operation design === === The secure mode operation design === −Secure boot mode is designed to authenticate the OS from a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, The computer will stop booting indicating that an invalid signature has been detected. Secure boot mode operation is meant to validate two areas and watch one area of the OS. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified the signature is marked invalid. The Invalid signatures are also installed when firmware updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS but is necessary to maintain OS security.+Secure boot mode is designed to authenticate the OS from a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, The computer will stop booting indicating that an invalid signature has been detected. Secure boot mode operation is meant to validate three areas while booting the OS. Authentication is performed by checking the bootloader, kernel, and kernel drivers on booting. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified the signature is marked invalid and stops booting. The Invalid signatures are also installed when firmware updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS, but is required to maintain OS security. === The secure mode operation while booting === === The secure mode operation while booting === Line 47: Line 47: The requirements to successfully enable secure boot mode on an OS are: The requirements to successfully enable secure boot mode on an OS are: −# Extended validation certificate from a signed Certificate Authority (CA) certificate signing request (CSR), private key, and public key. You would generate this and submit to your choice of secure certificate provider. This would be meant for code signing. The EV cert must come from the domain or organization that requests it to be verified.+# Extended validation certificate from a signed Certificate Authority (CA) certificate signing request (CSR), private key, and public key. You would generate this and submit to your choice of secure certificate provider the required CSR and key. This would be meant for code signing. The EV cert must come from the domain or organization that requests it to be verified. # Tools developed to be used in order to use the signed certificate returned by SSL provider. Remember that you should have both the valid signed certificate, a private key (must have a strong password and be kept secure), and a public key. # Tools developed to be used in order to use the signed certificate returned by SSL provider. Remember that you should have both the valid signed certificate, a private key (must have a strong password and be kept secure), and a public key. # The OS must be able to install the certificate and public key on computer. # The OS must be able to install the certificate and public key on computer. Line 59: Line 59: Uefi Information - https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf Uefi Information - https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf −Microsoft KEK expiring because the certificate is expiring on 10/19/2026. This means there will be another secure boot upgrade coming for current and new computers.+Microsoft KEK expiring because the certificate is expiring on 10/19/2026. This means there will be another secure boot update coming for current and new computers. Here is the link to the PDF document: Here is the link to the PDF document: Line 76: Line 76: === Common issues with TPM === === Common issues with TPM === −Dual- or multi-boot is harder to work with when you want to boot Windows and Linux. This can be even harder for Windows, Linux, and another OS. If the Linux distro does not support secure boot enabled and you have the TPM on the PC, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi boot with Windows. This will slow down the boot process and disable all BIOS protection. This will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi boot. This method is not recommended as it will open a security risk of having malware infecting or modifying your computer.+Dual or multi-boot is harder to work with when you want to boot Windows and Linux. This can be even harder for Windows, Linux, and another OS. If the Linux distro does not support secure boot enabled and you have the TPM on the computer, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi boot with Windows. This will slow down the boot process and disable all BIOS protection. This will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi boot. This method is not recommended as it will open a security risk of having malware infecting or modifying your computer. − === Clarification conclusion === === Clarification conclusion === −Again, this article will hopefully bring some clarity to the confusion caused by the secure boot upgrade and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this document when I am finished.+Again, this article will hopefully bring some clarity to the confusion caused by the secure boot updates and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this wiki when I am finished. Zeldas7777User:Zeldas7777
You need to follow the wiki creation guidelines
← Older revision Revision as of 09:55, 9 November 2024 Line 1: Line 1: {{Multi language banner|[[User:Zeldas7777|english]] ;}} {{Multi language banner|[[User:Zeldas7777|english]] ;}} −</noinclude><includeonly>{|style="margin-bottom: 1em; border-radius:0.2em; background-color: #2397D410; border: 0.25em solid #2397D4FF; width: auto; min-width: 32%; min-height: auto" −|- −|style="width: 50px;"|[[Image:{{{img|Drakconf_multiflag.png}}}|center|46px]] −|style="solid #2397D4FF; text-align:left; vertical-align:top;"|<span style="color: #262F45; font-weight:bold;">{{{title|Secure boot clarification}}}</span><br /><span style="color: green; white-space:pre-line; line-height: 100%;"><span style="color: green; text-transform: capitalize">{{{1|{{{msg}}}}}}</span> −|}</includeonly> −<h2 style="font-size:xx-large">'''Secure boot clarification'''</h2> −<h3>Overview</h3>+= Secure boot clarification = + +=== Overview === −<p style="text-indent:15px"> Secure boot was created to ensure the protection of the operating system (OS). The Linux community did not like the secure boot upgrade. The end user would have to disable secure boot then install Linux. The reason was because the computers did not have the TPM Linux distribution signatures installed in the computer before manufacturing the computers. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation for computers without Linux distribution signatures to successfully install Linux distribution. This wiki entry will hopefully bring some clarity from users in the Linux community on the secure boot upgrade, and it's impact on Linux. The purpose of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. The secure boot is for protecting the end user from any threats to security and/or privacy. The secure boot feature disables the OS immediately upon detection of invalid signatures. Secure boot was created to ensure the protection of the operating system (OS). The Linux community did not like the secure boot upgrade. The end user would have to disable secure boot then install Linux. The reason was because the computers did not have the TPM Linux distribution signatures installed in the computer before manufacturing the computers. The Linux distribution developers would have to sign the bootloader, kernel, and drivers. This also created the need for more documentation for computers without Linux distribution signatures to successfully install Linux distribution. This wiki entry will hopefully bring some clarity from users in the Linux community on the secure boot upgrade, and it's impact on Linux. The purpose of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. The secure boot is for protecting the end user from any threats to security and/or privacy. The secure boot feature disables the OS immediately upon detection of invalid signatures. −</p> −<h3>Who this applies to</h3>+=== Who this applies to === −<p style="text-indent:15px"> This document does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, You may have a Trusted Platform Module (TPM) chip. This wiki can apply to your personal computer (PC). Personal computers with TPM chip version 1.0 started to appear in 2009. This chip was soon upgraded to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip does ensure the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below. This document does not apply to your computer if it was manufactured before 2009. If your computer was manufactured in 2009 or later, You may have a Trusted Platform Module (TPM) chip. This wiki can apply to your personal computer (PC). Personal computers with TPM chip version 1.0 started to appear in 2009. This chip was soon upgraded to TPM version 1.1 in 2011. The next major update to TPM chips was version 2.0, which came out in 2014. This has been considered the new standard since 2016. The TPM chip does ensure the boot processes of your PC cannot be modified without your knowledge. If you would like to learn more about TPM, please check out the reference links below. −</p> Reference links:<br> Reference links:<br> Line 24: Line 16: Wikipedia - https://en.wikipedia.org/wiki/Trusted_Platform_Module<br> Wikipedia - https://en.wikipedia.org/wiki/Trusted_Platform_Module<br> −<h3>Why the secure boot mode option was created</h3>+=== Why the secure boot mode option was created === −<p style="text-indent:15px">+There has been several root vulnerabilities found in PC BIOS that were exposed that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities to the system were discovered making it hard to keep OS secure and protected from exploits. It was clear that the time had come to improve upon the Unified Extensible Firmware Interface (UEFI) with emphasis on making the process even more secure. UEFI decided to implement the secure boot mode in the BIOS using the TPM chip. This would allow authentication of the OS from signed bootloader, kernel, and drivers. − There has been several root vulnerabilities found in PC BIOS that were exposed that allowed the booting OS to be compromised. This left the OS kernel and hardware drivers exposed. Eventually, even more vulnerabilities to the system were discovered making it hard to keep OS secure and protected from exploits. It was clear that the time had come to improve upon the Unified Extensible Firmware Interface (UEFI) with emphasis on making the process even more secure. UEFI decided to implement the secure boot mode in the BIOS using the TPM chip. This would allow authentication of the OS from signed bootloader, kernel, and drivers. −</p> −<h3>The secure mode operation design</h3>+=== The secure mode operation design === −<p style="text-indent:15px"> Secure boot mode is designed to authenticate the OS from a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, The computer will stop booting indicating that an invalid signature has been detected. Secure boot mode operation is meant to validate two areas and watch one area of the OS. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified the signature is marked invalid. The Invalid signatures are also installed when firmware updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS but is necessary to maintain OS security. Secure boot mode is designed to authenticate the OS from a list of authorized operating systems in the TPM chip. By default, if a signature is in the "blocked" list, The computer will stop booting indicating that an invalid signature has been detected. Secure boot mode operation is meant to validate two areas and watch one area of the OS. If any of these areas fails authentication, the system will stop booting. This design creates a secure boot environment. If the bootloader, kernel, or its drivers are modified the signature is marked invalid. The Invalid signatures are also installed when firmware updates the UEFI firmware. Any OS without a valid signature is also blocked. This presents a challenge during the development of an OS but is necessary to maintain OS security. −</p> −<h3>The secure mode operation while booting</h3>+=== The secure mode operation while booting === Secure mode authenticates the system from the installed signatures. Here is how the process works. Secure mode authenticates the system from the installed signatures. Here is how the process works. Line 45: Line 33: If everything is successful, the OS will boot as expected. If everything is successful, the OS will boot as expected. −<h3>CPU board manufacturer requirements</h3>+=== CPU board manufacturer requirements === −<p style="text-indent:15px"> CPU board manufacturers are required to follow fair trade laws This means that no company can be biased and that all OS vendors share equal rights. All manufactures have a standard to follow that is strictly monitored. We have a few types of CPU boards on the market that must comply with personal data security. Here are the following types of CPU boards that allow secure boot to be disabled, those that do not allow it, or made optional for custom manufactured computers. CPU board manufacturers are required to follow fair trade laws This means that no company can be biased and that all OS vendors share equal rights. All manufactures have a standard to follow that is strictly monitored. We have a few types of CPU boards on the market that must comply with personal data security. Here are the following types of CPU boards that allow secure boot to be disabled, those that do not allow it, or made optional for custom manufactured computers. Line 53: Line 40: # Business to Government computers: in order to maintain data security, these cannot have secure boot mode disabled. # Business to Government computers: in order to maintain data security, these cannot have secure boot mode disabled. # Custom manufactured computers specifically made for a company: these allow the option to "disable secure boot options" at the request of the business customer. # Custom manufactured computers specifically made for a company: these allow the option to "disable secure boot options" at the request of the business customer. −</p> −<p style="text-indent:15px"> The documentation for the UEFI firmware is required to be made available to all OS vendors. This documentation shall have all commands required for UEFI firmware updates. The currently installed OS owns the updating of the firmware. If you have a dual-boot or multi-boot system, then each OS shares ownership rights. The documentation for the UEFI firmware is required to be made available to all OS vendors. This documentation shall have all commands required for UEFI firmware updates. The currently installed OS owns the updating of the firmware. If you have a dual-boot or multi-boot system, then each OS shares ownership rights. −</p> −<h3>The requirement to enable secure boot</h3>+=== The requirement to enable secure boot === −<p style="text-indent:15px"> The requirements to successfully enable secure boot mode on an OS are: The requirements to successfully enable secure boot mode on an OS are: Line 69: Line 52: # The boot image, kernel, and drivers must be signed using the certificate. # The boot image, kernel, and drivers must be signed using the certificate. # Must have a TPM chip. # Must have a TPM chip. −</p> −<h3>References and documents</h3>+=== References and documents === Uefi.org documents in PDF file format Uefi.org documents in PDF file format Line 86: Line 68: https://www.uefi.org https://www.uefi.org −<h3>Support history from the secure boot upgrade</h3>+=== Support history from the secure boot upgrade === Visit this link to see recent issues related to secure boot. Visit this link to see recent issues related to secure boot. Line 92: Line 74: https://forums.mageia.org/en/search.php?keywords=secure+boot&fid%5B0%5D=7 https://forums.mageia.org/en/search.php?keywords=secure+boot&fid%5B0%5D=7 −<h3>Common issues with TPM</h3>+=== Common issues with TPM === −<p style="text-indent:15px">+ Dual- or multi-boot is harder to work with when you want to boot Windows and Linux. This can be even harder for Windows, Linux, and another OS. If the Linux distro does not support secure boot enabled and you have the TPM on the PC, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi boot with Windows. This will slow down the boot process and disable all BIOS protection. This will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi boot. This method is not recommended as it will open a security risk of having malware infecting or modifying your computer. Dual- or multi-boot is harder to work with when you want to boot Windows and Linux. This can be even harder for Windows, Linux, and another OS. If the Linux distro does not support secure boot enabled and you have the TPM on the PC, you would need to enable legacy mode and disable secure boot. This is the only way to dual or multi boot with Windows. This will slow down the boot process and disable all BIOS protection. This will also disable any hardware improved features until the OS has booted. Remember that, if you need this kind of environment, you will need to reinstall Windows and any other operating systems you wish to dual or multi boot. This method is not recommended as it will open a security risk of having malware infecting or modifying your computer. −</p> − −<h3>Clarification conclusion</h3> −Again, this article will hopefully bring some clarity to the confusion caused by the secure boot upgrade and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this document when I am finished. +=== Clarification conclusion === −</p>+Again, this article will hopefully bring some clarity to the confusion caused by the secure boot upgrade and its impact on Linux. I hope you learned the importance of the secure boot and why we need it. We need to maintain stable and secure Linux distributions for all users. I will be creating a "How to" and linking it to this document when I am finished. SturmvogelUser:Zeldas7777
Grafischen Server aufsetzen-de
User:Zeldas7777
Mageia does not support secure boot. Check the documentation, forum and mailing lists...
← Older revision Revision as of 18:20, 8 November 2024 Line 4: Line 4: <p style="text-indent:15px"> <p style="text-indent:15px"> −Secure boot was created to ensure the protection of the operating system (OS). We have allowed the installation and use of Mageia with secure boot enabled for years. The Linux community went into panic mode when secure boot was recently upgraded. This wiki entry will hopefully bring some clarity to the confusion caused by the secure boot upgrade and its impact on Linux. The process of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. In general, the idea behind secure boot is to protect the end user from any threats to security and/or privacy. The secure boot feature disables the OS immediately upon detection of a threat. +Secure boot was created to ensure the protection of the operating system (OS). The Linux community went into panic mode when secure boot was recently upgraded. This wiki entry will hopefully bring some clarity to the confusion caused by the secure boot upgrade and its impact on Linux. The process of enabling secure boot is to ensure the OS is secure from rootkits, keyloggers, and malware. In general, the idea behind secure boot is to protect the end user from any threats to security and/or privacy. The secure boot feature disables the OS immediately upon detection of a threat. </p> </p> Sturmvogel