Securing an Arch Linux Install

mbernhard · August 17, 2021, 9:19pm

Per the discussion in FDE, TPM, Secure Boot, and Linux, I’ve written up a guide for locking down an Arch Linux system using Secure Boot. I’ve implemented this on my Framework and it works great. It’s still a work in progress, so any and all feedback appreciated!

gist.github.com

https://gist.github.com/umbernhard/d1f4a44430d6d21b3881652c7a7c9ae5

arch-secure-install.md

# Building a Secure Arch Linux Device

Locking down a linux machine is getting easier by the day. Recent advancements in systemd-boot have enabled a host of features to help users ensure that their machines have not been tampered with. This guide provides a walkthrough of how to turn on many of these features during installation, as well as reasoning for why certain features help improve security. 

The steps laid out below draw on a wide variety of existing resources, and in places I'll point to them rather than attempt to regurgitate full explanations of the various security components. The most significant one, which I highly encourage everyone to read, is Rod Smith's [site about secure boot](https://www.rodsbooks.com/efi-bootloaders/secureboot.html), which is the most comprehensive and cogent explanation of UEFI, boot managers and boot loaders, and secure boot. Another incredibly useful resources is [Safeboot](https://safeboot.dev), which encapsulates many of the setup steps below in a Debian application. Finally, the Arch Wiki pages for [Secure Boot](https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot), [disk encryption](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system), and [systemd-boot](https://wiki.archlinux.org/title/Systemd-boot). Many of the decisions to use certain technologies were inspired by Matthew Garret's [Producing a trustworthy x86-based Linux appliance](https://mjg59.dreamwidth.org/57199.html).

## How best to use this guide

Using Linux is designed to be an empowering and enriching experience. Therefore, I'd like to issue a word of caution about blindly following this gude (no judgment though, I do it too). At many points in this guide there will be a series of steps with fairly complex commands, but I urge you to pause and think about each one. It may be slow and painful, and it will definitely require some googling, but if you don't proceed with intent it's possible to end up with a system that has and does a bunch of stuff that you don't understand. As this is a guide about security, that's, like, bad. Not that you should know how every intricate detail of Arch Linux, UEFI, TPMs, etc. work; I'm pretty sure no one does. But you should at least know how to find out if you come across something that is causing you trouble. It's a hard-earned skill, but you can get almost all of the way there by just paying close attention. I'll try to tip you off to when you should pay closer attention where I can, but neither of us is perfect, so make your best effort and I'll make mine.

This file has been truncated. show original

Jacob_Padgett · August 17, 2021, 10:33pm

Impressive progress so far. Thank you for sharing your knowledge! I hope to try this after the Batch 2 shipments.

Stebalien · August 19, 2021, 12:13am

If you’re using the i7-1185G7, hit F10 on boot to configure AMT. Specifically, you’re going to want to set a password then likely disable it. Otherwise, secure boot is moot. Unfortunately, there doesn’t appear to be a way to do this from the bios.

JoshuaB · October 4, 2021, 12:44am

This works for you as written? There are some things that just don’t seem right that I did differently when I was going through my install. For example, the sd-encrypt hook in mkinitcpio should require the command line rd.luks.name={UUID}=cryptlvm instead of the cryptdevice line in your write-up.

If it works as written I won’t bother writing up suggested changes; otherwise I’d be happy to make some suggestions.

mbernhard · October 5, 2021, 8:56pm

@JoshuaB it did work when I wrote it, but I’ve received a lot of feedback and am in the process of revising. If you have suggestions I’d welcome them!

smn · March 20, 2022, 1:05pm

@mbernhard Thanks for the effort of documenting.

Maybe this guide is of interest to you.

blowfish · March 20, 2022, 4:55pm

Is the process for Ubuntu similar to this? I’m trying to figure out how to get TPM + FDE to work on my machine, but I can’t figure it out.

mbernhard · March 20, 2022, 6:23pm

@smn that’s super cool. Am I correct in understanding that you have to manually re-sign on kernel and initramfs updates? Or does dracut have a hook that’s called by pacman to automatically regen and sign?

mbernhard · March 20, 2022, 6:24pm

@blowfish you should really be looking at safeboot if you want to use Ubuntu. The tooling there is pretty good, if a bit brittle, and handles everything you need to do all in one package, which is super nice.

smn · March 21, 2022, 3:02pm

@mbernhard Yes, the dracut hook makes sure dracut signs the UEFI bins it generates. However I have not yet gone for this since I’m not sure how to re-enroll the framework KEK and DB to allow for firmware updates later.

blowfish · March 23, 2022, 2:17am

Thank you @mbernhard ! I’ll take a look

Mark_Ghanz · April 5, 2022, 7:41pm

@mbernhard where should I move the generated Keys to? I can’t see the keys in the firmware if they are in /etc/efi-keys, and I also cannot see the keys after copying them to /boot.

mbernhard · April 5, 2022, 11:43pm

You might have a separate EFI system partition. If you lsblk, do you see a mountpoint for both /boot and /boot/EFI? If so, /boot/EFI is the EFI system partition, so that’s where the keys need to go.

Mark_Ghanz · July 13, 2022, 2:31am

@mbernhard Thanks for your reply! And it turns out the problem is solved by moving only .cer keys to the esp as the firmware only recognizes .cer among all 4 formats (.auth, .esl, .crt, .cer).
Also, have you dealt with dynamic kernel modules (dkms)? I cannot figure out a way to use the custom keys to sign them upon every load. modprobe always returns a segfault or just gets stuck.

mbernhard · July 13, 2022, 2:36pm

unfortunately I haven’t played around with dkms much. It kind of seems like an open problem, even amongst safeboot and other projects.