gedankensplitter/linux_hardening.md

2022-03-02 15:17:56 +00:00
# secureboot
Most distributions are delivered with a Microsoft-signed SHIM bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The SHIM bootloader is managed with mokutil.
- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation
## ubuntu
ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this requires Secure Boot to already be active.
# cryptsetup luks
cryptsetup luksDump /dev/sdaX
cryptsetup luksChangeKey /dev/sdaX
cryptsetup luksErase /dev/sdaX (removes all keyslots; the data is unrecoverable afterwards unless a header backup exists)
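Added example (not from these notes): a small POSIX sh audit of `cryptsetup luksDump` output that reports the header version, how many keyslots are populated and which slots still use PBKDF2 instead of argon2id. The dump is a constructed LUKS2 sample; on a real system feed it `cryptsetup luksDump /dev/sdaX` as root.

```sh
#!/bin/sh
# Constructed sample of LUKS2 `cryptsetup luksDump` output (not from a real device).
SAMPLE_DUMP='LUKS header information
Version:        2
UUID:           00000000-0000-4000-8000-000000000000

Data segments:
  0: crypt
        offset: 16777216 [bytes]
        cipher: aes-xts-plain64

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      argon2id
        Memory:     1048576
  1: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 123456'

# Header format version ("1" or "2"); LUKS1 headers only support PBKDF2.
luks_version() {
    printf '%s\n' "$1" | awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Number of populated keyslots; more than expected means an extra passphrase exists.
active_keyslots() {
    printf '%s\n' "$1" | awk '/^ +[0-9]+: luks2$/ { n++ } END { print n + 0 }'
}

# Space-separated keyslot numbers still on PBKDF2 (weaker against GPU guessing than
# argon2id); candidates for cryptsetup luksChangeKey/luksConvertKey --pbkdf argon2id.
pbkdf2_keyslots() {
    printf '%s\n' "$1" | awk '
        /^ +[0-9]+: luks2$/         { slot = $1; sub(/:$/, "", slot) }
        /^[ \t]+PBKDF:[ \t]+pbkdf2/ { printf "%s%s", sep, slot; sep = " " }
        END                         { print "" }'
}

# Real use (as root): audit "$(cryptsetup luksDump /dev/sdaX)"
audit() {
    echo "LUKS version: $(luks_version "$1")"
    echo "active keyslots: $(active_keyslots "$1")"
    echo "keyslots on pbkdf2: $(pbkdf2_keyslots "$1")"
}
audit "$SAMPLE_DUMP"
```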
resource:
http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/