morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

man: Add instructions for Microsoft secure boot keys

Browse Source 
Adding Microsoft keys by default is recommended because firmware drivers
might be signed by it.

This also changes the file ending from .esl to .auth as that is used by
sign-efi-sig-list manpage and other sources.
This commit is contained in:
Jan Janssen
2022-08-03 11:27:38 +02:00
parent f234a56db5
commit adb9485acb
3 changed files with 28 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
man/loader.conf.xml
View File

@@ -244,20 +244,38 @@
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
EDK2 documentation</ulink>.</para>
<para>A complete set of UEFI variable includes <filename>db.esl</filename>, <filename>KEK.esl</filename>
and <filename>PK.esl</filename>. Note that these files need to be authenticated UEFI variables. See
<para>A complete set of UEFI variable includes <filename>db.auth</filename>, <filename>KEK.auth</filename>
and <filename>PK.auth</filename>. Note that these files need to be authenticated UEFI variables. See
below for an example of how to generate them from regular X.509 keys.</para>
<programlisting>uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.tmp"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
done
sign-efi-sig-list -c PK.crt -k PK.key PK PK.tmp PK.esl
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.tmp KEK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.tmp db.esl
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
curl "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
done
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
cat MicWinProPCA2011_2011-10-19.esl >> db.esl
# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
# and third-party boot loaders (including shim). This is highly recommended on real
# hardware as not including this may soft-brick your device (see next paragraph).
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
# Microsoft keys is used as the official UEFI revocation database is signed with this
# key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the