- Enabling secure boot and full disk encryption on Ubuntu Core
- What you’ll learn
- What you’ll need
- 2. Understanding FDE and Secure Boot
- Fundamentals of FDE
- Fundamentals of Secure Boot
- Understanding model assertion
- 3. Selecting the image
- Prebuilt images
- Custom images
- 4. Flashing the image
- 5. Wrapping up
- Further reading
- Stuck in terminal at Configuring Secure Boot
- 3 Answers 3
- You must log in to answer this question.
- Linked
- Related
- Hot Network Questions
- Subscribe to RSS
Enabling secure boot and full disk encryption on Ubuntu Core
In this tutorial, we will show the simplicity of the process of enabling Full Disk Encryption (FDE) and Secure Boot on Ubuntu Core on platforms with Trusted Platform Module (TPM) support. A quick introduction for understanding the concepts and a simple walk through the process of preparing and flashing an Intel NUC image, will be followed.
FDE and Secure Boot are key security features which have been incorporated into Ubuntu Core 20 release, complementing the out-of-the-box security characteristics already available in previous versions.
Bear in mind, Ubuntu Core is production-friendly, not necessarily developer-friendly. We recommend you use Ubuntu Core for “fire and forget” purposes where you won’t want to iterate on the software.
With Ubuntu Core, you are able to execute remote updates and patches for your appliances and devices, but for development and prototyping, we recommend Ubuntu Server. Let’s start!
What you’ll learn
What you’ll need
- An Ubuntu SSO account with an SSH key
- An Intel NUC with BIOS updated to the latest version (update instructions)
- 2 USB 2.0 or 3.0 flash drives (2GB minimum)
- A monitor with an HDMI interface
- A Mini HDMI to HDMI cable
- A USB keyboard and a mouse
- A monitor with VGA or HDMI interface
- A VGA or HDMI cable
- A network connection with Internet access
- An Ubuntu Desktop 20.04.1 LTS image
- An Ubuntu Core image
2. Understanding FDE and Secure Boot
Fundamentals of FDE
Ubuntu Core 20 uses full disk encryption (FDE) whenever the hardware allows, protecting both the confidentiality and integrity of a device’s data when there’s physical access to a device, or after a device has been lost or stolen.
Built-in FDE support requires both UEFI Secure Boot and TPM (Trusted Platform Module) support, but its implementation in Ubuntu Core is generic and widely compatible to help support a range of hardware. TPM-based FDE seals the FDE secret key to the full EFI state, including the kernel command line, which is subsequently unsealed by the initrd code in the secure-boot protected kernel.efi at boot time.
For further reading about FDE, you can find the key aspects here and more extensive documentation can be found here.
Fundamentals of Secure Boot
The boot process can be detrimental to computers, if not secured. This is the case because booting is the initial stage of a computing cycle. Kernel, hardware peripherals, and user space processes are initiated at boot. Therefore, a vulnerability in boot firmware can have cascading effects on the entire system.
Secure Boot is an operation booting mode which denies the execution of any software which is neither signed nor certified, assuring software integrity.
You can read the full Secure Boot story here.
Understanding model assertion
Using FDE and Secure Boot features in Ubuntu Core is as simple as selecting the right image to flash. Ubuntu Core does the rest for you on the booting process.
Although it is possible to build your own Ubuntu Core images, the easiest starting point for any user is to make use of pre-built images. Latest stable images can always be found here.
In either case, each image has an associated model assertion file, a text-based document that contains the fundamental definition of the image for a specific device. It describes what the system image includes and is signed by the brand account owning the device definition.
There are two key fields in the model assertion file related to FDE and Secure Boot:
- grade: It indicates the overall degree of security of the image
- storage-safety: It reflects the preferred mode of filesystem encryption
Grade and Storage-safety are tightly coupled, and their combination along with the platform’s HW TPM support, results in the following operation modes:
- Encrypted: Filesystem gets encrypted on first boot.
- Unencrypted: Filesystem is not encrypted.
- Error output: The image doesn’t boot. An error message is generated.
- Invalid: It’s not possible to generate an image with such combination.
Which are summarized in the following table:
More detailed information on image building and model assertion files can be found in the Ubuntu Core Documentation.
3. Selecting the image
As described in the previous section, using FDE and Secure Boot is just a matter of choosing the right image for your platform.
Prebuilt images
If you are using an standard platform with HW TPM support, such as an Intel NUC, you will probably want to use a prebuilt image, following the steps below:
- Download the latest image from here
- Download also the model assertion file and make sure the right combination of grade and storage-safety is set for your platform according to the previous table
Note: For Intel NUC platforms, the pre-built image enables FDE and Secure Boot by default. This can be checked in the model assertion file [line to the assertion file URL].
Custom images
If you are using your own board or if a custom self-built image is going to be used, it must be ensured that the combination of platform (HW TPM support) + grade + storage-safety, makes it possible to have FDE and Secure Boot support. The steps below must be followed:
- Check that your board has HW TPM support
- Generate a new model assertion file according to this instructions setting the appropriate grade and storage-safety options
4. Flashing the image
Once you have selected the image, the process of flashing and first configuration of the board does not differ from the standard flashing process. Intel NUC flashing process can be found here.
5. Wrapping up
Full Disk Encryption and Secure Boot are key features of Ubuntu Core. They don’t need to be specifically enabled on a configuration or on-boarding process, they are out-of-the-box features which will be applied if the combination of platform and image model assertion allows it.
In summary, security is no longer an option but a compulsory feature with Ubuntu Core when hardware TPM is available on the platform, making the process as simple as installing the image on the device.
Further reading
Stuck in terminal at Configuring Secure Boot
I am on Ubuntu 18. I was trying to install amd drivers. A Configuring Secure Boot screen appeared in terminal and I am stuck on it. Clicking ok does nothing, pressing enter does nothing.. what do I do?
3 Answers 3
I did Ctrl + ‘mousewheel down‘ ( Ctrl + PageDown for those without mice) and a screen for typing password appeared.
I then typed password pressed Enter ,
retyped password pressed Enter
and the installation continued.
whenever it happened, I used to close the terminal. Thought it was just my system that got stuck. You have my respect. D
Press Shift + PgDown , then you will have to type a password and confirm it. Done!
Arrows to the left or right are selecting the OK, than just click ENTER.
You must log in to answer this question.
Linked
Related
Hot Network Questions
Subscribe to RSS
To subscribe to this RSS feed, copy and paste this URL into your RSS reader.
Site design / logo © 2023 Stack Exchange Inc; user contributions licensed under CC BY-SA . rev 2023.7.14.43533
Ubuntu and the circle of friends logo are trade marks of Canonical Limited and are used under licence.
By clicking “Accept all cookies”, you agree Stack Exchange can store cookies on your device and disclose information in accordance with our Cookie Policy.