Linux Tactic

Mastering UEFI Settings on Linux: Secure Boot Boot Entries and Customization

Managing UEFI Settings on Linux

As technology continues to advance, so do the ways in which we maintain and configure our computer systems. The Unified Extensible Firmware Interface (UEFI) is a replacement for traditional BIOS firmware, providing greater security and flexibility in managing computer hardware.

In this article, we will explore the various ways in which we can manage UEFI settings on Linux, including using mokutil for secure boot, efibootmgr for managing boot entries, creating a boot entry with efibootmgr, and using EFI tools to manipulate UEFI variables.

Using mokutil for Secure Boot

Secure Boot is a UEFI feature that stops unsigned or untrusted firmware, boot loaders and operating system kernels from loading during the boot process. Mokutil is the utility for enrolling Machine Owner Keys (MOKs), which the shim boot loader trusts in addition to the firmware's own key database, so that locally signed kernels and modules can be loaded while Secure Boot stays enabled.

To use mokutil, we must first generate a key pair and certificate using OpenSSL. This can be done by executing the command:

```
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=My Secure Boot Certificate/" -keyout MOK.priv -outform DER -out MOK.der -nodes
```

This command generates two files: MOK.priv, the private key, and MOK.der, the self-signed X.509 certificate (public key) in DER form, which is what gets enrolled. Because of `-nodes` the private key is written unencrypted; keep MOK.priv readable by root only and off the ESP, since whoever holds it can sign code that this machine will boot.

Once we have the key pair and certificate, we can enroll them using the following commands:

```
sudo mokutil --import MOK.der
```

This command prompts us for a one-time password, which we will need to confirm the enrollment. After that we reboot; shim notices the pending request and starts the MOK (Machine Owner Key) manager, where we choose Enroll MOK, review the key and enter the password to complete the enrollment. With Secure Boot on, the new key is trusted from the next boot.
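Before importing, it is worth checking that the certificate really belongs to the private key and noting its fingerprint so the key shown by the MOK manager can be recognised. The following shell functions are an added example, not code from the article; they assume OpenSSL is installed and reuse the article's MOK.priv / MOK.der naming.

```sh
#!/bin/sh
# Added example (not from the article): sanity-check a MOK key pair before `mokutil --import`.
# Assumes OpenSSL is available; file names follow the article's MOK.priv / MOK.der convention.

mok_generate() {   # $1 = output basename, $2 = CN. The article's command plus -days (default is only 30).
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$2/" \
        -keyout "$1.priv" -outform DER -out "$1.der" -nodes -days 3650 2>/dev/null
}

mok_fingerprint() {   # $1 = DER certificate. Prints the SHA-1 fingerprint, the value that
                      # `mokutil --list-new` shows for a pending key, so it can be compared before confirming.
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

mok_key_matches() {   # $1 = private key, $2 = DER certificate. Succeeds only if the certificate
                      # carries the public half of this private key (guards against a mixed-up pair).
    t=$(mktemp -d) || return 1
    openssl pkey -in "$1" -pubout -out "$t/from_key.pem" 2>/dev/null || { rm -rf "$t"; return 1; }
    openssl x509 -inform DER -in "$2" -pubkey -noout > "$t/from_cert.pem" 2>/dev/null || { rm -rf "$t"; return 1; }
    cmp -s "$t/from_key.pem" "$t/from_cert.pem"; rc=$?
    rm -rf "$t"
    return $rc
}

mok_preflight() {   # $1 = basename. Prints the fingerprint to write down; fails on a mismatched pair.
    mok_key_matches "$1.priv" "$1.der" || { echo "key/cert mismatch for $1" >&2; return 1; }
    chmod 600 "$1.priv"   # -nodes left the key unencrypted: never world-readable, never on the ESP
    mok_fingerprint "$1.der"
}

# Typical use (the import itself is the article's step):
#   mok_generate MOK "My Secure Boot Certificate" && mok_preflight MOK && sudo mokutil --import MOK.der
```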

Using efibootmgr for Managing Boot Entries

Efibootmgr is a utility that allows us to modify the UEFI firmware’s boot order, including boot entries, boot options, and boot preferences. We can use the efibootmgr utility to create, modify, and delete boot entries.

To view the current boot entries, we can use the command:

```
sudo efibootmgr -v
```

This command lists every boot entry in the UEFI firmware with its number, label, device path (including the GPT partition UUID of the ESP) and loader file; an asterisk after the entry number marks it as active. To create a new boot entry, we can use the following command:

```
sudo efibootmgr -c -d /dev/sda -p 1 -L "My New Boot Entry" -l '\EFI\boot\bootx64.efi'
```

This command creates a new boot entry called "My New Boot Entry" pointing at bootx64.efi in the EFI/boot directory of the ESP on the first partition of /dev/sda. The loader path is written UEFI-style, relative to the root of the ESP and with backslashes, and is single-quoted so the shell does not swallow them (efibootmgr also accepts forward slashes and converts them).

We can modify a boot entry’s label, order, and boot options using the efibootmgr utility. For example, we can use the following command to change the boot order:

```
sudo efibootmgr -o 0002,0000,0001
```

This command changes the boot order to boot entry 0002 first, followed by boot entry 0000 and then boot entry 0001.
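Reading `efibootmgr -v` by eye gets error-prone once a machine has accumulated entries, and a boot entry nobody remembers creating is exactly the kind of thing a defender wants flagged. The function below is an added example, not part of the article or of efibootmgr: it parses that output and reports, in BootOrder sequence, whether each entry is active, stale (listed in BootOrder but absent) or unlisted (present but not in BootOrder). The sample output is constructed.

```sh
#!/bin/sh
# Added example (not from the article): audit the output of `efibootmgr -v`.
# Prints one line per BootOrder entry as "<id> <active|INACTIVE|MISSING> <label> <loader>",
# then every entry that exists but is not in BootOrder, which deserves a second look on a
# machine whose boot configuration was not expected to change.

boot_order_report() {   # reads `efibootmgr -v` output on stdin
    awk '
    /^BootOrder:/ { order = $2; next }
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ {
        id = substr($0, 5, 4)
        active[id] = (substr($0, 9, 1) == "*") ? "active" : "INACTIVE"
        rest = substr($0, 11)                   # "<label><tab><device path>"
        p = match(rest, /[ \t]+[A-Za-z]+\(/)    # device path starts with e.g. HD( or BBS(
        label[id] = (p > 0) ? substr(rest, 1, p - 1) : rest
        loader[id] = (match($0, /File\([^)]*\)/) > 0) ? substr($0, RSTART + 5, RLENGTH - 6) : "-"
        next
    }
    END {
        n = split(order, ids, ",")
        for (i = 1; i <= n; i++) {
            id = ids[i]
            if (id in active) printf "%s %s %s %s\n", id, active[id], label[id], loader[id]
            else              printf "%s MISSING - -\n", id      # stale BootOrder reference
        }
        for (id in active) {
            listed = 0
            for (i = 1; i <= n; i++) if (ids[i] == id) listed = 1
            if (!listed) printf "%s UNLISTED %s %s\n", id, label[id], loader[id]
        }
    }'
}

# Constructed sample (not captured from a real machine). Real output separates the label from
# the device path with a tab; the parser accepts a space as well.
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0002,0000,0001,0004
Boot0000* ubuntu HD(1,GPT,1b2c3d4e-0000-4000-8000-000000000001,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001  Windows Boot Manager HD(1,GPT,1b2c3d4e-0000-4000-8000-000000000001,0x800,0x100000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0002* My New Boot Entry HD(1,GPT,1b2c3d4e-0000-4000-8000-000000000001,0x800,0x100000)/File(\EFI\boot\bootx64.efi)
Boot0003* Recovery HD(2,GPT,1b2c3d4e-0000-4000-8000-000000000002,0x100800,0x100000)/File(\EFI\recovery\bootx64.efi)'

printf '%s\n' "$SAMPLE_EFIBOOTMGR" | boot_order_report   # live system: sudo efibootmgr -v | boot_order_report
```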

Creating a Boot Entry with efibootmgr

Creating a boot entry with efibootmgr requires us to understand how to locate the boot loader file and its location. By default, the boot loader file is usually located in the /boot/efi/EFI directory.

To create a boot entry, we can use the following command:

```
sudo efibootmgr -c -d /dev/sda -p 1 -L "My New Boot Entry" -l '\EFI\boot\grubx64.efi'
```

This command creates a new boot entry for the grubx64.efi file located in the EFI/boot directory. We can also modify the boot entry’s label, order, and boot options using the efibootmgr utility.

Using EFI Tools to Manipulate UEFI Variables

EFI tools are utilities that allow us to manipulate UEFI variables, which are used to store system and firmware configuration data. We can use EFI tools to view and modify UEFI variables, including those related to boot options, hardware settings, and system parameters.

To view the UEFI variables, we can use the efivar command, as follows:

```
sudo efivar -l
```

This command lists all the UEFI variables currently stored in the system. We can use the efivar command to view and modify individual UEFI variables, as follows:

```
sudo efivar -n 8be4df61-93ca-11d2-aa0d-00e098032b8c-BootOrder -p
```

This command prints the BootOrder variable: its attributes and a hex dump of its value, which is an array of 16-bit boot entry numbers. Variables are addressed as GUID-Name; 8be4df61-93ca-11d2-aa0d-00e098032b8c is the EFI global variable GUID shared by the standard boot variables. A new value is written with `-w`, with `-f` pointing at a file that holds the raw data.

Conclusion

UEFI settings play a crucial role in computer security and system configuration. Understanding the various methods we can use to manage UEFI settings on Linux, including using mokutil for secure boot, efibootmgr for managing boot entries, creating a boot entry with efibootmgr, and using EFI tools to manipulate UEFI variables, can help us to ensure our systems are secure and operate correctly.

With the right tools and techniques, we can customize our systems to meet our needs and maintain the highest levels of performance and reliability.

Creating a Boot Entry with efibootmgr

Creating a boot entry with efibootmgr is a powerful way to manage the boot process on a UEFI system. It allows users to create custom configurations that can be used to boot the system or specific applications.

In this section, we will discuss the syntax and parameters for creating a boot entry, how to specify the location of the EFI System Partition (ESP) and the boot file, and setting the boot order and activating/deactivating entries.

Syntax and Parameters for Creating a Boot Entry

The syntax for creating a boot entry with efibootmgr is as follows:

```
efibootmgr [options] -c -w [-n N] [-L label] [-l efilinux] [-u unicode] [-d /dev/sdX] [-p N]
```

The parameters for creating a boot entry are:

– `options`: additional options that can be passed to efibootmgr

– `-c`: create a new boot entry

– `-w`: write changes to the efi vars and make the boot entry persistent after a reboot

– `-n N`: set the boot order to N (optional if this is the first boot entry)

– `-L label`: set the label for the boot entry (optional)

– `-l efilinux`: specify the location of the ELF or PE executable of the bootloader that will be loaded to boot the OS (required)

– `-u unicode`: specify the command-line arguments that should be passed to the kernel during boot (optional)

– `-d /dev/sdX`: specify the device where the EFI System Partition (ESP) resides (optional, default is `/dev/sda`)

– `-p N`: the partition number of the ESP on that device (optional, default is `1`)

Specifying the Location of ESP and the Boot File

The `-d` parameter is used to specify the device where the EFI System Partition (ESP) resides. By default, efibootmgr looks for the ESP on `/dev/sda`, but it can be changed to any other device by specifying `-d /dev/sdX`, where `X` is the device letter.

Once the device is specified, we need to specify the location of the executable bootloader file. The `-l` parameter is used to do this.

It requires the path to the executable bootloader file. For example, to specify the location of `grubx64.efi`, the command would be:

```
efibootmgr -c -w -d /dev/sda -p 1 -L "Grub Bootloader" -l '\EFI\grub\grubx64.efi'
```

This command creates a boot entry called "Grub Bootloader" that points to `grubx64.efi` in the `EFI/grub` directory of the ESP; the loader path is single-quoted so the shell leaves the backslashes alone.

Setting the Boot Order and Activating/Deactivating Entries

Once boot entries have been created, they can be reordered using the `-o` parameter. For example, the following command sets the boot order to boot from entry 0001 first, followed by entry 0000:

```
efibootmgr -o 0001,0000
```

Boot entries can be deactivated or activated using the `-A` and `-a` parameters respectively.

Both act on the entry selected with `-b`: `-A` marks it inactive, so the firmware skips it while the entry and its place in the order are kept, and `-a` marks it active again. For example, to deactivate boot entry 0001, use the following command:

```
efibootmgr -b 0001 -A
```

To activate it again, use:

```
efibootmgr -b 0001 -a
```

Using EFI Tools to Manipulate UEFI Variables

EFI variables are a type of firmware-based non-volatile memory that contains system and firmware configuration data. These variables can be viewed and manipulated using EFI tools.

In this section, we will discuss the efi-readvar and efi-updatevar tools, as well as access to the efivarfs file system.

Viewing UEFI Variables with efi-readvar

The efi-readvar tool (from the efitools package) is used to view the Secure Boot key variables on a system. The syntax for using this tool is as follows:

```
efi-readvar [-v <var>] [-s <list>[-<entry>]] [-o <file>]
```

Without arguments the tool dumps the Secure Boot key databases PK, KEK, db and dbx, showing the type, owner GUID and subject of every signature entry. The `-v` parameter restricts the output to one of those variables, `-s` to a single signature list within it (or one entry, written as list-entry), and `-o` writes the selected contents to a file in EFI Signature List (.esl) format instead of printing them.

For example, the following command prints all four key databases, which is a quick way to check that only the expected certificates and hashes are trusted:

```
efi-readvar
```

Manipulating UEFI Variables with efi-updatevar

The efi-updatevar tool is used to manipulate UEFI variables. This tool allows users to change the value stored in these variables.

The syntax for using this tool is as follows:

```
efi-updatevar [-a] [-e] [-d <list>[-<entry>]] [-k <key>] [-g <guid>] [-b <file>|-f <file>|-c <file>] <var>
```

The last argument names the variable to update (PK, KEK, db or dbx). The new content comes from one of `-f` (an .esl file or a signed .auth file), `-c` (an X.509 certificate) or `-b` (a binary whose hash is added); `-a` appends to the variable instead of replacing it, `-d` deletes a signature list or a single entry, and `-g` sets the owner GUID recorded with a certificate.

Outside Setup Mode the firmware accepts only updates signed by the key that authorizes the variable (the PK for PK and KEK, a KEK for db and dbx), so the payload is either a pre-signed .auth file or is signed on the fly with `-k <key>`; `-e` writes an unsigned .esl directly, which works only while the firmware is still in Setup Mode. For example, the following command installs PK.esl as the Platform Key on a machine in Setup Mode, which takes the firmware out of Setup Mode:

```
efi-updatevar -e -f PK.esl PK
```

Accessing the efivarfs File System

The efivarfs file system is the location where UEFI variables are stored on the file system. It is mounted at `/sys/firmware/efi/efivars/`.

This file system can be read like any other, and each file holds one variable, named Name-GUID. Note that the first four bytes of every file are the variable's attribute bitmask rather than its data, and that the kernel marks these files immutable so that a stray delete cannot remove firmware variables; `chattr -i` must be run on a file before it can be modified or removed. For example, the following command lists all the UEFI variables through the efivarfs file system:

```
ls /sys/firmware/efi/efivars
```
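Because each efivarfs file carries that four-byte attribute header, a plain `cat` of SecureBoot or SetupMode is misleading. The functions below are an added example, not part of the article: they decode the header, extract the payload and report the Secure Boot state, including the Setup Mode case in which no Platform Key is installed and signatures are not enforced. The sample files are constructed stand-ins for /sys/firmware/efi/efivars; the GUID is the real EFI global variable GUID.

```sh
#!/bin/sh
# Added example (not from the article): decode raw efivarfs files. Each file under
# /sys/firmware/efi/efivars/ is named <Name>-<GUID> and holds a 4-byte little-endian
# attribute bitmask followed by the variable's data.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # GUID of SecureBoot, SetupMode, BootOrder, ...

efivar_attrs() {   # $1 = variable file; prints the attribute flag names encoded in the header
    n=$(od -An -tu1 -N4 "$1" | awk '{ print $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 }')
    out=""
    [ $((n & 1)) -ne 0 ]  && out="$out NON_VOLATILE"
    [ $((n & 2)) -ne 0 ]  && out="$out BOOTSERVICE_ACCESS"
    [ $((n & 4)) -ne 0 ]  && out="$out RUNTIME_ACCESS"
    [ $((n & 16)) -ne 0 ] && out="$out AUTHENTICATED_WRITE_ACCESS"
    [ $((n & 32)) -ne 0 ] && out="$out TIME_BASED_AUTHENTICATED_WRITE_ACCESS"
    printf '%s\n' "${out# }"
}

efivar_data_hex() {   # $1 = variable file; prints the payload after the header as hex
    od -An -tx1 -j4 "$1" | tr -d ' \n'
    echo
}

secure_boot_state() {   # $1 = efivarfs directory; prints enabled | disabled | setup-mode | unsupported
    sb="$1/SecureBoot-$EFI_GLOBAL_GUID"
    sm="$1/SetupMode-$EFI_GLOBAL_GUID"
    [ -r "$sb" ] || { echo unsupported; return 1; }
    if [ -r "$sm" ] && [ "$(efivar_data_hex "$sm")" = "01" ]; then
        echo setup-mode     # no Platform Key: signatures are not enforced and anyone can enroll keys
    elif [ "$(efivar_data_hex "$sb")" = "01" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed stand-in for /sys/firmware/efi/efivars (not real firmware data). Attribute 0x06 is
# BS|RT (volatile, as firmware reports SecureBoot and SetupMode); 0x07 adds NV for BootOrder,
# whose data is an array of little-endian UINT16 entry numbers (here 0001,0002).
SAMPLE_EFIVARS=$(mktemp -d)
printf '\006\000\000\000\001' > "$SAMPLE_EFIVARS/SecureBoot-$EFI_GLOBAL_GUID"
printf '\006\000\000\000\000' > "$SAMPLE_EFIVARS/SetupMode-$EFI_GLOBAL_GUID"
printf '\007\000\000\000\001\000\002\000' > "$SAMPLE_EFIVARS/BootOrder-$EFI_GLOBAL_GUID"

secure_boot_state "$SAMPLE_EFIVARS"                          # enabled
efivar_attrs "$SAMPLE_EFIVARS/BootOrder-$EFI_GLOBAL_GUID"   # NON_VOLATILE BOOTSERVICE_ACCESS RUNTIME_ACCESS
```

On a real machine pass `/sys/firmware/efi/efivars` instead of the sample directory.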

Conclusion

In conclusion, efibootmgr is a powerful tool that allows users to manage boot entries on a UEFI system. With it, users can create custom configurations, specify the location of the executable bootloader file, and set the boot order to load the desired system configuration.

EFI tools like efi-readvar and efi-updatevar provide the means for manipulating system and firmware configuration data. Accessing the efivarfs file system provides a means for understanding the layout and contents of UEFI variables.

These tools and techniques are essential for configuring and fine-tuning a UEFI-based system.

Conclusion

UEFI settings on Linux are an essential aspect of system configuration that provides greater flexibility, security, and control over the boot process. Managing boot entries with efibootmgr, creating entries, and manipulating UEFI variables with EFI tools are principal means by which a system administrator can control the various settings involved in the boot process.

However, it is important to use caution when changing UEFI variables since modifying settings incorrectly can potentially render the computer inoperable.

Importance of Caution When Changing UEFI Variables

The firmware and driver settings managed by UEFI are crucial to the operation of a computer system. Changing these variables can potentially cause system failure or instability.

It is essential to know the variables’ functions and their recommended values before adjusting them. Incorrect changes to the variables can lead to non-bootable systems, data corruption and loss, and render the warranty void.

Therefore, system administrators should ensure that they have a clear understanding of what they are doing before changing anything and ensure backups are available.

Considering rEFInd for a more Dynamic Boot

rEFInd is a boot manager that presents a more graphical and dynamic interface than most boot managers. It supports a wide range of boot loaders and offers many customization options.

rEFInd can scan for boot loaders and other bootable files on the system automatically. It allows users to change themes, resolutions, and background images.

With rEFInd, a user can effortlessly add a new boot entry, adjust the default boot order, and see information about the system’s hardware. Moreover, rEFInd is available under the GPL license, making it a cost-effective option for boot manager solutions.

To use rEFInd, users need to download the package and install it to the ESP. Once installed, they can edit the configuration file to add or remove boot entries, change the icons and adjust other settings.

rEFInd also has support for both GUI and CLI parameters, allowing users to customize boot options for specific boot entries.

Conclusion

UEFI settings play an essential role in computer security and system configuration. It is important to manage these settings carefully to ensure system stability and reliability.

We have explored the various methods of managing UEFI settings on Linux, including creating boot entries with efibootmgr and manipulating UEFI variables with EFI tools. As stated, caution is essential when changing UEFI variables since modifying settings incorrectly can cause instability or worse.

rEFInd is an alternative boot manager that provides a more dynamic and graphical way of managing boot entries. Evaluate your needs to choose the boot manager best suited to your system.

In conclusion, managing UEFI settings on Linux is crucial for system configuration and security. Utilizing tools like mokutil and efibootmgr allows users to enable secure boot, create and manage boot entries, and manipulate UEFI variables.

However, caution must be exercised when changing UEFI variables to avoid system instability or failure. Additionally, considering alternatives like rEFInd can provide a more dynamic and visually appealing boot management solution.

The importance of understanding UEFI settings and their impact on system functionality cannot be overstated. By carefully managing and configuring these settings, users can ensure a secure and reliable boot process.

Choose the right tools and apply changes judiciously to maintain a well-functioning system while enjoying the benefits of customizability and enhanced security.
