ninja.stop

Reputation: 430

UEFI secure boot issues with hello efi

I have created one efi and signed it with pesign using the docs:

UEFI secure boot:

https://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO

https://en.opensuse.org/openSUSE:UEFI_Secure_boot_using_qemu-kvm

https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools

https://wiki.ubuntu.com/SecurityTeam/SecureBoot

http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/

And booted with:

sudo qemu-system-x86_64 -L . -pflash /usr/share/qemu/OVMF.fd -hda fat:uefi_disk

uefi_disk contains the signed efi file.

But to secure boot I need to have:

DB
DBX
KEK
PK

so that I can enroll them in OVMF secure boot. But the tutorials never explain how to generate these. Please suggest.

Upvotes: 0

Views: 376

Answers (1)

ruchir khatri

Reputation: 5

In addition to generating keys for secure boot, one needs to take care of signing the keys. The procedure for generating keys, signing them and storing them in the key store is defined in detail here: https://www.rodsbooks.com/efi-bootloaders/secureboot.html

Security keys can be categorised in 2 ways, private and public, and secure boot follows a chain of root of trust for key addition: PK => KEK => DB. Any change in DB needs to be signed using the KEK private key, a change in KEK needs to be signed by the PK private key, and a change in PK requires the key to be signed by the previous PK public key's private key.

  • Generate a PK pair and sign the PK public key with its private key. The PK is a self-signed key.
  • Generate a KEK pair and sign the KEK public key using the PK private key.
  • Generate a DB key pair and sign the DB public key using the KEK private key.
  • Generate a DBX key pair and sign the DBX key pair using the KEK private key.

Note: for replacing the previous PK from the BIOS, you will require an empty key signed by the platform owner. Most BIOSes allow changing keys without verifying, but ideally it should not be allowed. The whole purpose of secure boot is that things can be traced to the root of trust and verified.

Apart from generating a completely new set of keys, you can also use the Machine Owner's Key (MOK) for registering a new key with secure boot.

  • Generate a key pair.
  • Sign your utility using the private key (using sbsign).
  • Add the public key to the MOK utility (using mokutility).
  • This is also described in the link mentioned above.

Upvotes: -1
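The PK/KEK/DB/DBX variables the question asks about hold EFI_SIGNATURE_LIST structures, which is the format cert-to-efi-sig-list produces from a DER certificate before sign-efi-sig-list wraps it for enrollment. The example below is added here and is not code from the answer or from any of the linked tools: it builds one X.509 signature list, parses a concatenation of them back with size checks, and records the answer's signing-chain rule. The certificate bytes and owner GUID are constructed placeholders; in real use the DER comes from openssl.

```python
import struct
import uuid

# Signature-type GUID for X.509 certificates, from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Which variable's private key must sign an update to each variable (PK => KEK => db/dbx).
SIGNING_AUTHORITY = {"PK": "PK", "KEK": "PK", "db": "KEK", "dbx": "KEK"}

# Constructed sample values: not a real certificate, not a real owner GUID.
SAMPLE_CERT_DER = b"constructed-not-a-real-der-certificate"
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")

ESL_HEADER_LEN = 16 + 4 + 4 + 4   # SignatureType GUID + ListSize, HeaderSize, SignatureSize
ESD_OWNER_LEN = 16                # SignatureOwner GUID at the front of EFI_SIGNATURE_DATA


def build_x509_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST (what cert-to-efi-sig-list emits)."""
    sig_size = ESD_OWNER_LEN + len(cert_der)      # one EFI_SIGNATURE_DATA entry
    list_size = ESL_HEADER_LEN + sig_size         # SignatureHeaderSize is 0 for X.509 lists
    # EFI_GUID is stored in mixed/little-endian layout, which uuid.bytes_le reproduces.
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs (the db/KEK/PK payload) and return
    (signature_type, owner, data) tuples, rejecting inconsistent size fields."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - ESL_HEADER_LEN - hdr_size
        if body < 0 or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with buffer or header")
        if sig_size <= ESD_OWNER_LEN or body % sig_size != 0:
            raise ValueError("SignatureSize does not tile the list body")
        pos = off + ESL_HEADER_LEN + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + ESD_OWNER_LEN])
            entries.append((sig_type, owner, blob[pos + ESD_OWNER_LEN:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries
```

Dumping a firmware's db with efi-readvar and feeding the raw payload to parse_esl shows the same certificate entries the tool lists.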
