GRUB
GRUB can be added to SeaBIOS as a floppy image, so that the bootloader is stored in the CBFS (inside the firmware image, not on disk). From there GRUB can verify kernel/initrd signatures and/or unlock an encrypted /boot partition.
Debian 13, Signed Kernel/Initrd
Debian can be configured to auto-sign the installed kernel/initrd. This setup is done as the root user. Note that the signing key lives in root's GnuPG keyring on the same machine: this detects offline tampering with /boot (once a GRUB that enforces the signatures is in place), but it does nothing against an attacker who already has root, since they can simply re-sign.
Dependencies
apt install gpg
Generate the signing key
gpg --full-gen-key
- Use RSA (sign only)
- Use 4096 bits
- Set the key to never expire
- The hooks below call gpg non-interactively, so either leave the passphrase empty or make sure a pinentry is available whenever a kernel or initramfs is installed
gpg --export > boot.key
This writes the public key (binary OpenPGP format) to boot.key; it is all the bootloader needs to verify the signatures. The private key stays in root's keyring.
Setup auto-signing
mkdir -p /etc/initramfs/post-update.d/
vim /etc/initramfs/post-update.d/sign_image
#!/bin/sh
# initramfs-tools post-update hook: $1 is the kernel version, $2 the initrd path
image=$2
if [ -f "${image}.sig" ]; then
    echo "Removing ${image}.sig"
    rm -f "${image}.sig"
fi
echo "Signing ${image}"
/usr/bin/gpg --detach-sign "${image}" || exit 1
# Keep a copy under a fixed name so the bootloader config never has to change
mkdir -p /boot/latest
cp -v "${image}" /boot/latest/initrd.img
cp -v "${image}.sig" /boot/latest/initrd.img.sig
chmod +x /etc/initramfs/post-update.d/sign_image
vim /etc/kernel/postinst.d/sign_image
#!/bin/sh
# kernel postinst hook: $1 is the kernel version, $2 the kernel image path
image=$2
if [ -f "${image}.sig" ]; then
    echo "Removing ${image}.sig"
    rm -f "${image}.sig"
fi
echo "Signing ${image}"
/usr/bin/gpg --detach-sign "${image}" || exit 1
# Keep a copy under a fixed name so the bootloader config never has to change
mkdir -p /boot/latest
cp -v "${image}" /boot/latest/vmlinuz
cp -v "${image}.sig" /boot/latest/vmlinuz.sig
chmod +x /etc/kernel/postinst.d/sign_image
Reinstall your kernel
# Find your kernel package
dpkg --list | grep linux-image
# Reinstall your kernel, e.g.:
apt install --mark-auto --reinstall linux-image-6.12.63+deb13-amd64
You should find these messages in the output if everything is setup correctly:
Signing /boot/initrd.img-6.12.63+deb13-amd64
'/boot/initrd.img-6.12.63+deb13-amd64' -> '/boot/latest/initrd.img'
'/boot/initrd.img-6.12.63+deb13-amd64.sig' -> '/boot/latest/initrd.img.sig'
Signing /boot/vmlinuz-6.12.63+deb13-amd64
'/boot/vmlinuz-6.12.63+deb13-amd64' -> '/boot/latest/vmlinuz'
'/boot/vmlinuz-6.12.63+deb13-amd64.sig' -> '/boot/latest/vmlinuz.sig'
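Before trusting the setup, it is worth confirming that a signature produced this way is actually rejected once the image changes. The script below is an added example, not part of the page above: it runs the same flow (key with the page's parameters, detached signature, exported boot.key) in a throwaway directory with a constructed stand-in for vmlinuz, then verifies against a separate keyring that trusts only boot.key, which is what the bootloader effectively does. Nothing under /boot or in root's real keyring is touched; the helper names and the scratch paths are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original page): exercise sign -> export -> verify
# end to end in a scratch directory. Requires only the gpg binary.
set -eu

demo_setup() {
    # $1: scratch directory. Creates a signer keyring, an empty verifier
    # keyring, and a constructed fake kernel image.
    dir=$1
    mkdir -p "$dir/signer" "$dir/verifier" "$dir/latest"
    chmod 700 "$dir/signer" "$dir/verifier"
    # Same parameters as the page: RSA, sign only, never expires. No passphrase,
    # because the install hooks have to sign without a prompt.
    GNUPGHOME="$dir/signer" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key 'Boot signing (example)' rsa4096 sign 0 \
        2>/dev/null
    # Public half only: this is the page's boot.key.
    GNUPGHOME="$dir/signer" gpg --batch --export > "$dir/boot.key"
    # Constructed stand-in for /boot/latest/vmlinuz.
    printf 'not a real kernel\n' > "$dir/latest/vmlinuz"
}

sign_image() {
    # $1: scratch dir, $2: image path. Mirrors the hook on the page: drop any
    # stale .sig, then write a fresh detached signature beside the image.
    rm -f "$2.sig"
    GNUPGHOME="$1/signer" gpg --batch --quiet --detach-sign "$2"
}

verify_image() {
    # $1: scratch dir, $2: image path. Verify with nothing but boot.key trusted.
    # Prints "ok" or "BAD" (missing .sig counts as BAD) and returns gpg's status.
    GNUPGHOME="$1/verifier" gpg --batch --quiet --import "$1/boot.key" 2>/dev/null
    if GNUPGHOME="$1/verifier" gpg --batch --quiet --verify "$2.sig" "$2" 2>/dev/null; then
        echo ok
        return 0
    fi
    echo BAD
    return 1
}

demo_teardown() {
    # Stop the agents gpg started for the scratch homes, then remove everything.
    for h in signer verifier; do
        GNUPGHOME="$1/$h" gpgconf --kill all 2>/dev/null || true
    done
    rm -rf "$1"
}

demo() {
    d=$(mktemp -d)
    demo_setup "$d"
    sign_image "$d" "$d/latest/vmlinuz"
    echo "untouched image: $(verify_image "$d" "$d/latest/vmlinuz")"
    printf 'tampered' >> "$d/latest/vmlinuz"   # modify the image after signing
    echo "modified image:  $(verify_image "$d" "$d/latest/vmlinuz")"
    demo_teardown "$d"
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

Run it as `sh check_signing.sh`; the first verification reports ok and the second BAD. The verifier keyring is deliberately separate from the signer's so the check cannot pass by accident through a locally trusted private key: it sees exactly what a bootloader holding only boot.key would see.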