Skip to content

Instantly share code, notes, and snippets.

@rgl
Last active July 15, 2024 10:06
Show Gist options
  • Save rgl/fd1104c9d63843def5a111863df99898 to your computer and use it in GitHub Desktop.
Save rgl/fd1104c9d63843def5a111863df99898 to your computer and use it in GitHub Desktop.
Enroll certificates in UEFI OVMF Secure Boot

List the secure boot trust stores:

apt-get install -y efitools
efi-readvar

To take ownership of the system by following the next steps.

Create our own Platform Key (PK), Key Exchange Key (KEK), and Code Signing CAs:

mkdir my
cd my
for t in pk kek sign; do
  openssl req \
    -newkey rsa:2048 -nodes \
      -keyout my-$t-key.pem \
    -new -x509 -sha256 -days 3650 -subj "/CN=My Secure Boot $t CA $(date --utc +%Y-%m-%d)" \
      -out my-$t-crt.pem
  openssl x509 -inform pem -in my-$t-crt.pem -outform der -out my-$t-crt.der
  #openssl x509 -noout -text -in my-$t-crt.pem
done

Create the secure boot databases:

owner=$(uuidgen --namespace @dns --name ruilopes.com --sha1) # this maps to b106ba30-44aa-5858-86f5-e6985f9aa99f.
#owner=00000000-0000-0000-0000-000000000000
# PK:  can change the existing PK and update the KEK.
# KEK: can update the db and dbx databases and sign binaries.
for t in pk kek sign; do
  cert-to-efi-sig-list -g $owner my-$t-crt.pem my-$t.esl
done
#sign-efi-sig-list -g $owner -t "$(date --utc +%Y-%m-%d)" -k my-pk-key.pem -c my-pk-crt.pem PK my-pk.esl my-pk.auth
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem PK my-pk.esl my-pk.auth
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem PK /dev/null rm_my-pk.auth
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem KEK my-kek.esl my-kek.auth
sign-efi-sig-list -g $owner -k my-kek-key.pem -c my-kek-crt.pem db my-sign.esl my-sign.auth

Load the databases:

efi-updatevar -f my-pk.auth PK  # XXX fails with Failed to update PK: Invalid argument
efi-updatevar -f my-pk.auth KEK
efi-updatevar -f my-pk.auth db

efi-updatevar -f my-kek.auth KEK
efi-updatevar -f my-sign.auth db
efi-updatevar -f my-pk.auth PK # XXX fails with Failed to update PK: Invalid argument
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment