Enabling SecureBoot on TrueNAS SCALE

fundatus (Cadet, joined Apr 7, 2023, 2 messages)
Hey!

Even though there is decent SecureBoot support with Linux, TrueNAS SCALE currently does not support it out of the box unfortunately. So I went ahead and manually enabled that for my installation and I wanted to record my steps here for anyone who runs into the same problem in the future.



I used this reddit thread and the Debian docs to do this.

First you need a running TrueNAS SCALE installation, so in case you don't have that yet, go ahead and disable SecureBoot so that you can install TrueNAS. Do all of the following steps as the root user. Since you'll need to interact with UEFI, you also need to be physically present at the machine with a monitor connected to it.

Follow this tutorial to enable apt and add the upstream Debian repositories. Then make sure that the packages "shim-signed", "shim-helpers-amd64-signed", "grub-efi-amd64-signed" and "sbsigntool" are installed:
Code:
$ apt update
$ apt install shim-signed shim-helpers-amd64-signed grub-efi-amd64-signed sbsigntool
Use "fdisk -l" to check for the device ID of your EFI partition. For me that was "/dev/sda2". Now add shim to your boot config by using efibootmgr (make sure to adjust the values of -d and -p according to the EFI partition device ID):
Code:
$ efibootmgr -c -d /dev/sda -p 2 -L debian-shim -l \\EFI\\debian\\shimx64.efi
Now create your own signing key:
Code:
$ mkdir -p /var/lib/shim-signed/mok/
$ cd /var/lib/shim-signed/mok/
$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=truenas/"
$ openssl x509 -inform der -in MOK.der -out MOK.pem
Enroll that key:
Code:
$ mokutil --import /var/lib/shim-signed/mok/MOK.der
Reboot your machine. UEFI will ask you if you want to import the key, confirm that and type in the password you gave to mokutil before. Now check if the key was enrolled successfully:
Code:
$ mokutil --test-key /var/lib/shim-signed/mok/MOK.der
/var/lib/shim-signed/mok/MOK.der is already enrolled
Now add the key to the DKMS config located at "/etc/dkms/framework.conf" by adding these three lines:
Code:
mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
mok_certificate="/var/lib/shim-signed/mok/MOK.der"
sign_tool="/etc/dkms/sign_helper.sh"
Set some variables we need in the upcoming steps:
Code:
$ VERSION="$(uname -r)"
$ SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
$ MODULES_DIR=/lib/modules/$VERSION
$ KBUILD_DIR=/usr/src/linux-headers-$VERSION
Sign the kernel:
Code:
$ sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"
Securely record the passphrase of your signing key to a environment variable:
Code:
$ read -s KBUILD_SIGN_PIN
$ export KBUILD_SIGN_PIN
Navigate to your kernel module folder and sign all the modules there:
Code:
$ cd $MODULES_DIR
$ # modules live in subdirectories (kernel/..., updates/dkms), so recurse with find instead of globbing *.ko here
$ find . -name '*.ko' -exec sudo --preserve-env=KBUILD_SIGN_PIN "$KBUILD_DIR"/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der {} \;
Enrol the DKMS keys to your machine:
Code:
$ mokutil --import /var/lib/dkms/mok.pub
Reboot your machine and confirm enrolling the key. Now you can reboot again and enable SecureBoot. I also had to manually add my EFI image (shimx64.efi) but I think that was a peculiarity of my system.

Hope this helped!
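The part of this procedure that has to be repeated after every kernel update is the signing of the new kernel and its modules, and the two things that silently go wrong there are modules nested below the top-level directory (a plain `*.ko` glob misses them) and modules stored compressed. The script below is an added example, not code from the post above or from TrueNAS: it checks which parts of the system still lack a signature from the MOK before Secure Boot is switched back on. It assumes the key layout from the post (/var/lib/shim-signed/mok/MOK.priv, MOK.der, MOK.pem), the kernel headers' scripts/sign-file, and sbverify and mokutil from the sbsigntool and mokutil packages; the handling of .ko.xz/.ko.zst/.ko.gz files is an assumption about how modules might be stored, not something the post states.

```shell
#!/bin/sh
# Added example, not part of the original post or of TrueNAS: audit which
# parts of a freshly updated system still lack our MOK signature before
# Secure Boot is switched back on. Assumes the key layout from the post
# (/var/lib/shim-signed/mok/), the kernel headers' scripts/sign-file, and
# sbverify/mokutil from the sbsigntool and mokutil packages.
set -u

MOK_DIR=${MOK_DIR:-/var/lib/shim-signed/mok}
MOK_KEY=$MOK_DIR/MOK.priv
MOK_DER=$MOK_DIR/MOK.der
MOK_PEM=$MOK_DIR/MOK.pem

# A module signed by scripts/sign-file ends with the PKCS#7 blob, a small
# module_signature header and this marker plus a newline (MODULE_SIG_STRING
# in the kernel's include/linux/module_signature.h), 28 bytes in total.
SIG_MAGIC='~Module signature appended~'

# module_is_signed FILE: succeed if FILE carries an appended signature.
# Distributions may store modules compressed; the signature is inside the
# payload, so decompress to a pipe before looking at the last 28 bytes.
module_is_signed() {
    case "$1" in
        *.ko.xz)  last=$(xz -dc -- "$1" | tail -c 28) ;;
        *.ko.zst) last=$(zstd -dc -- "$1" | tail -c 28) ;;
        *.ko.gz)  last=$(gzip -dc -- "$1" | tail -c 28) ;;
        *)        last=$(tail -c 28 -- "$1") ;;
    esac
    # "$(...)" strips the trailing newline, leaving the 27-character marker.
    [ "$last" = "$SIG_MAGIC" ]
}

# list_unsigned_modules DIR: print the path of every unsigned module below
# DIR. Modules live in subdirectories (kernel/..., updates/dkms), so this
# recurses instead of globbing *.ko in the top-level directory.
list_unsigned_modules() {
    find "$1" -type f \( -name '*.ko' -o -name '*.ko.xz' \
                      -o -name '*.ko.zst' -o -name '*.ko.gz' \) |
    sort |
    while IFS= read -r m; do
        module_is_signed "$m" || printf '%s\n' "$m"
    done
}

# count_unsigned_modules DIR: number of unsigned modules below DIR.
count_unsigned_modules() {
    list_unsigned_modules "$1" | wc -l | tr -d ' '
}

# audit MODULES_DIR KERNEL_IMAGE: the post-update check. Succeeds only when
# the kernel verifies against MOK.pem and no module is unsigned.
audit() {
    mokutil --sb-state || true
    mokutil --test-key "$MOK_DER" || true
    if sbverify --cert "$MOK_PEM" "$2"; then
        echo "kernel $2 is signed by our MOK"
    else
        echo "kernel $2 is NOT signed by our MOK: re-run sbsign" >&2
    fi
    n=$(count_unsigned_modules "$1")
    echo "$n unsigned module(s) below $1"
    list_unsigned_modules "$1"
    [ "$n" -eq 0 ]
}

# sign_unsigned_modules MODULES_DIR KBUILD_DIR: sign only what audit flagged,
# with the key passphrase exported in KBUILD_SIGN_PIN as in the post.
# Compressed modules would have to be decompressed, signed and recompressed;
# they are reported rather than touched here.
sign_unsigned_modules() {
    list_unsigned_modules "$1" | while IFS= read -r m; do
        case "$m" in
            *.ko) "$2/scripts/sign-file" sha256 "$MOK_KEY" "$MOK_DER" "$m" ;;
            *)    echo "skipping compressed module $m" >&2 ;;
        esac
    done
}

# Entry points: `sh secureboot-audit.sh audit` or `... sign` (defaults to the
# running kernel); without an argument the file only defines the functions.
case "${1:-}" in
    audit) audit "${2:-/lib/modules/$(uname -r)}" "${3:-/boot/vmlinuz-$(uname -r)}" ;;
    sign)  sign_unsigned_modules "${2:-/lib/modules/$(uname -r)}" \
                                 "${3:-/usr/src/linux-headers-$(uname -r)}" ;;
esac
```

Run `sh secureboot-audit.sh audit` after an update and before re-enabling Secure Boot: a non-zero exit means either the new vmlinuz does not verify against MOK.pem (repeat the sbsign step) or some module has no signature (export KBUILD_SIGN_PIN and run `sh secureboot-audit.sh sign`). The marker check is the same test `modinfo` uses to decide whether a module is signed, which makes it a cheap way to find what the kernel will refuse to load once lockdown is active.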

Arwen (MVP, joined May 17, 2014, 3,611 messages)
Please let us know if your setup with SecureBoot survives the update coming soon.

Lots of things that are not designed in won't work with appliance-like software after updates:

fundatus (Cadet, joined Apr 7, 2023, 2 messages)
Please let us know if your setup with SecureBoot survives the update coming soon.
Yeah, I thought about that too. I will probably at least have to re-sign the new kernel (in case the update includes a kernel update).