From 0a1d5a899e9089bfb45a139dea3d4a3b46788c44 Mon Sep 17 00:00:00 2001 From: Thien Tran Date: Tue, 13 Jun 2023 02:57:28 -0700 Subject: [PATCH] Typo Fixes Signed-off-by: Thien Tran --- content/posts/linux/Desktop Linux Hardening.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 1cf926a..1c1cd24 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -458,7 +458,7 @@ First, you need to boot into your firmware interface and enter Secure Boot setup On certain hardware, this will not work. Instead, you will need to export the public key to your EFI partition and manually import it through your firmware interface: ``` -openssl x509 -in /usr/share/secureboot/keys/db/db.pem -outform DER -out /boot/efi/EFI/fedora/DB.cer +openssl x509 -in /usr/share/secureboot/keys/db/db.pem -outform DER -out /boot/efi/EFI/fedora/DB.der ``` ### Unified Kernel Image @@ -467,7 +467,7 @@ On most desktop Linux systems, it is possible to create a [unified kernel image] For Fedora Workstation, you can follow [Håvard Moen's guide](https://haavard.name/2022/06/22/full-uefi-secure-boot-on-fedora-using-signed-initrd-and-systemd-boot/) which covers sbctl installation, unified kernel image generation with [dracut](https://wiki.archlinux.org/title/Dracut), and automatic signing with systemd‑boot. -On Arch, the process is very similar, though sbctl is already included in the official repositories and you will need to switch from [mkinitpcio](https://wiki.archlinux.org/title/Mkinitcpio) to dracut. Arch with linux‑hardened works well with sbctl, but some level of tedious pacman hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader is updated. +On Arch, the process is very similar, though sbctl is already included in the official repositories and you will need to switch from [mkinitcpio](https://wiki.archlinux.org/title/Mkinitcpio) to dracut. Arch with linux‑hardened works well with sbctl, but some level of tedious pacman hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader is updated. In my opinion, this is the most straightforward setup, with a lot of potential such as [systemd's future UKI plans including support for early‑boot attestation](https://0pointer.de/blog/brave-new-trusted-boot-world.html). With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with [ZSys](https://github.com/ubuntu/zsys). More testing is needed to see if they can be made to work.