Categories

• Announcements

  Get the latest news on what's happening.
  178
  Topics
  766
  Posts

  

  I know I’ve been out of this for a little bit. I check in here or there, but just been extremely busy.

  I don’t want to stop contributing, I just am taking time for myself after my workly duties.

  I have to give a big gratitude and thanks for everyone here trying to help out whether by code, by helping the rest of the community, or documentation.

  @Sebastian-Roth I know you’re busy but you’ve kept the project rolling even with the minimal availability you have. Thank you.
  @george1421 I’m sure you’re busy, but I still see you posting and helping where possible and amenible. Thank you.
  @Wayne-Workman I know you’re helping where you can as well. (Of course I can’t exactly post everybody because I’ve been busy and honestly not keeping up with the forums as much as I probably should.)

  @everyone Thank you. Thank you for still believing in this project. We’re doing the best with what we have. Please understand in we’re lacking, it’s most likely unintentional. I know I’m just busy.

• General Topics

  View tutorials or talk about FOG in general.

  General

  Tutorials
  2205
  Topics
  17483
  Posts

  

  Preparing the FOG server with the prerequisites

  sudo apt-get update sudo apt-get upgrade -y

  Reboot the FOG server and then install the required packages

  sudo apt-get install -y openssl efitools gnu-efi git build-essential help2man libssl-dev sudo perl -e'use CPAN; install "File::Slurp"'

  Create the Secure Boot PKI infrastructure

  Lets create the working directories

  mkdir -p /opt/fog/secureboot/efikeys

  Now lets create our bash file to create the PKI infrastructure

  vi /opt/fog/secureboot/mkkeys.sh

  Insert the following text into that bash script.

  #!/bin/bash # Copyright (c) 2015 by Roderick W. Smith # Updated 26-Nov-2021 by George1421 for the FOG Project # Licensed under the terms of the GPL v3 NAME=FOGProjectSB openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \ -out efikeys/PK.crt -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \ -out efikeys/KEK.crt -days 3650 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \ -out efikeys/DB.crt -days 3650 -nodes -sha256 openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'` echo $GUID > efikeys/myGUID.txt cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl rm -f efikeys/noPK.esl touch efikeys/noPK.esl sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ -k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth chmod 0600 efikeys/*.key echo "" echo "" echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB" echo "flash drive or to your EFI System Partition (ESP)." echo "For use with most UEFIs' built-in key managers, copy the *.cer files;" echo "but some UEFIs require the *.auth files." echo ""

  Make the script we just created executable
  Change into the secureboot directory and finally run the bash script.

  chmod a+x /opt/fog/secureboot/mkkeys.sh cd /opt/fog/secureboot/ ./mkkeys.sh

  I will tell you that when you run the mkkeys.sh you may get run time errors. You will need to research on your own what is missing and add that to your fog server using the apt-get package tool. I developed this process and a linux mint server and the duplicated it on a debian 10 fog server. I think I have all of the packages above that is needed. But YMMV.

  Create the Secure Boot signed enrollment boot loader

  Lets get the efitools package so we can built the enrollment bootloaders

  git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

  Change into the efitools directory and run make to build the templates.

  cd /opt/fog/secureboot/efitools make

  I will tell you that when you run the make commandyou may get run time errors. You will need to research on your own what is missing and add that to your fog server’s environment using the apt-get package tool. I developed this process and a linux mint server and the duplicated it on a debian 10 fog server. I think I have all of the packages above that is needed. But YMMV.

  Now that we have the templates created we need to download the current secure boot key chains that are created by the hardware manufacture. My plan is to take the original certificate database, tack on the FOG certificates onto the end and then upload the combined certificates back to the target hardware. So for completeness I’ll show you how I downloaded the original certificates. To save you some time, I’ll include these files in a zip file a bit later in this post.

  For this bit one of my dev fog servers runs on real hardware. I used these commands under debian to extract these generic certificates from the target computer’s bios. The computer I extracted them from was a Dell Precision 3620. So these certificates and certificate store is fairly new.

  mkdir -p /opt/fog/secureboot/hwkeys cd /opt/fog/secureboot/ sudo efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl sudo efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl sudo efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl sudo chmod 666 /opt/fog/secureboot/hwkeys/*

  The following certificates (not really the correct word to use, but for my sanity I’ll call them certificates) are the only ones we are interested in (hw_KEK.esl, hw_db.esl, hw_dbx.esl). As I said above, you don’t need to do the above part because I’ll provide these generic certificates.

  Now lets bring everything together

  cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/ cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/ cd /opt/fog/secureboot/efitools mv DB.esl DB-fog.esl mv KEK.esl KEK-fog.esl mv dbx.esl dbx-fog.esl

  At this point we are going to take the hardware certificates we downloaded from the uefi firmware and tag the FOG certificates onto the end.

  cat hw_db.esl DB-fog.esl > DB.esl cat hw_KEK.esl KEK-fog.esl > KEK.esl cat hw_dbx.esl > dbx.esl

  Lets rebuild the signed boot loaders with the updated certificates

  rm LockDown*efi LockDown.so LockDown.o make cp LockDown-signed.efi EnrollKeys.efi

  /opt/fog/secureboot/efitools/EnrollKeys.efi is the boot loader we will use to auto insert the updated security keys into the uefi firmware. So lets copy that file to the /tftpboot

  cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot

  The other two key files from this process that we will need is the FOG certificate private and public keys.

  /opt/fog/secureboot/efikeys/DB.crt
  /opt/fog/secureboot/efikeys/DB.key

  In the next post we will go through and sign all of the boot files needed to secure boot into FOG.

• Technical Help

  Get help with your FOG system.

  FOG Problems

  Hardware Compatibility

  Windows Problems

  Linux Problems

  Mac Problems

  General Problems
  10872
  Topics
  105515
  Posts

  

  @sonic136 Can you describe what you did to fix the issue rather than just saying solved? I’m still “coming back” but I think a more descript message of what you did to fix the issue can help others more readily too.

• Developers

  Report bugs, request features, or get the latest progress.

  General

  Feature Request

  Bug Reports
  2196
  Topics
  20458
  Posts

  

  @sebastian-roth et al.

  Sorry, I’ve not been able much to work on anything in a while. I will try to correct that moving forward though I’m still fairly busy with work and all.

  I’m keen, if everybody else is, to look over 1.6 vs 1.5.x and just simply moving over to it. The UI for 1.5 was itself quite an overhaul but shows too little progress now (that we’re at 1.5.9). Moving to 1.5.10 seems cursory at this point, in my opinion.

  I can’t say I’ll have a lot of cycles free to keep this moving in a linear fashion though.

  The biggest hurdles with 1.5.x and 1.6.x are getting the codebase ready with PHP 8 support it seems too me.

  I’m of course able to try to help release a 1.5.10 release if that’s what’s really needed, but I think the 1.6 codebase has been around long enough and in parallel long enough it might be a good position to just check the bases, clean up where necessary, and release 1.6.0.

  Let me know what you all think.