Documente Academic
Documente Profesional
Documente Cultură
http://dee.su/liberte-install
1 di 3
30/03/2013 23:30
http://dee.su/liberte-install
Authenticity
Libert Linux releases are signed with a designated PGP key: Libert Linux (Release Signing Key) <liberte@dee.su>
You are encouraged to verify the downloaded les using, e.g., GNU Privacy Assistant or PGP Desktop, after fetching the key from a keyserver (or downloading it using the link above), by providing the associated *.asc le as input:
gpg --verify liberte-2010.1.zip.asc gpg: Signature made Fri 19 Nov 2010 03:48:36 MSK gpg: using DSA key 0x9B027FCD81DE1001 gpg: Good signature from "Libert Linux (Release Signing Key) <liberte@dee.su>"
Secure Boot
(U)EFI bootloader binaries are signed for Secure Boot, establishing a trusted boot chain starting with a KEK / DB certicate (located in EFI directory). The procedure for enrolling the certicate in TianoCore OVMF is as follows: 1. Navigate to Device Manager Secure Boot Conguration Secure Boot Mode, and select Custom Mode. 2. Navigate to Device Manager Secure Boot Conguration Custom Secure Boot Options DB Options Enroll Signature, load EFI/Liberte-SecureBoot-CA.der, and commit the changes. For real hardware, the procedure should be similar e.g., for Dell Latitude rmware, navigate to Secure Boot Expert Key Management Enable Custom Mode db: Append from File. It is also possible to add the bootloader signature directly (by selecting, e.g., EFI/BOOT/BOOTx64.EFI instead of the certicate above), but this step will need to be done after each Libert update. Adding the certicate to KEK database (instead of DB above) will let Libert modify authenticated EFI variables at runtime such functionality is not used at present. If you dont want to customize Secure Boot se ings, and your UEFI rmware has Microsofts UEFI CA certicate already enrolled (which is probably the case), you can use shim instead (this assumes a .zip install): 1. Drop shim.efi and MokManager.efi into EFI/BOOT. 2. Rename BOOTx64.EFI to grubx64.efi, and then rename shim.efi to BOOTx64.EFI. 3. After booting, use shims interface to enroll EFI/Liberte-SecureBoot-CA.der key, or EFI/BOOT/BOOTx64.EFI signature, similarly to OVMF instructions above. Note that
2 di 3
30/03/2013 23:30
http://dee.su/liberte-install
such whitelisting is visible to shim only. With regular BIOS-based boot, only the last stage of trusted boot chain is performed: root lesystem image verication. However, a minimal bootstrap .iso image (lacking a compressed root lesystem) is now shipped, which can be burned to read-only media and used to boot a regular install of Libert on writable media. Such image is also useful for booting writable media that are unsupported as boot devices on given hardware (e.g., SD cards).
Support
Bug reports, suggestions, and generic discussion are always welcome. Dont forget to rate this project on SourceForge! Contribute and discuss E-mail: Maxim Kammerer <mk@dee.su> If you are interested in having specic customizations implemented, please contact me by e-mail.
3 di 3
30/03/2013 23:30