List the secure boot trust stores:
apt-get install -y efitools
efi-readvarTo take ownership of the system by following the next steps.
Create our own Platform Key (PK), Key Exchange Key (KEK), and Code Signing CAs:
mkdir my
cd my
for t in pk kek sign; do
openssl req \
-newkey rsa:2048 -nodes \
-keyout my-$t-key.pem \
-new -x509 -sha256 -days 3650 -subj "/CN=My Secure Boot $t CA $(date --utc +%Y-%m-%d)" \
-out my-$t-crt.pem
openssl x509 -inform pem -in my-$t-crt.pem -outform der -out my-$t-crt.der
#openssl x509 -noout -text -in my-$t-crt.pem
doneCreate the secure boot databases:
owner=$(uuidgen --namespace @dns --name ruilopes.com --sha1) # this maps to b106ba30-44aa-5858-86f5-e6985f9aa99f.
#owner=00000000-0000-0000-0000-000000000000
# PK: can change the existing PK and update the KEK.
# KEK: can update the db and dbx databases and sign binaries.
for t in pk kek sign; do
cert-to-efi-sig-list -g $owner my-$t-crt.pem my-$t.esl
done
#sign-efi-sig-list -g $owner -t "$(date --utc +%Y-%m-%d)" -k my-pk-key.pem -c my-pk-crt.pem PK my-pk.esl my-pk.auth
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem PK my-pk.esl my-pk.auth
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem PK /dev/null rm_my-pk.auth
sign-efi-sig-list -g $owner -k my-pk-key.pem -c my-pk-crt.pem KEK my-kek.esl my-kek.auth
sign-efi-sig-list -g $owner -k my-kek-key.pem -c my-kek-crt.pem db my-sign.esl my-sign.authLoad the databases:
efi-updatevar -f my-pk.auth PK # XXX fails with Failed to update PK: Invalid argument
efi-updatevar -f my-pk.auth KEK
efi-updatevar -f my-pk.auth db
efi-updatevar -f my-kek.auth KEK
efi-updatevar -f my-sign.auth db
efi-updatevar -f my-pk.auth PK # XXX fails with Failed to update PK: Invalid argument
Can I enroll certificates even if I don't have keys? I can invoke setup mode from BIOS settings.