No Description

Ioannis Koutras 968b000ccc More 3 years ago
doc 89e9139856 cert-to-efi-hash-list: add man page 5 years ago
include 5563561f3e security_policy: factor out the current MoK hash policies 4 years ago
lib 25c98b2cd2 security_policy: fully convert to override,allow and deny functions 4 years ago
.gitignore 613cf530f0 flash-var: new routine for manipulating variables in flash images 5 years ago
COPYING f5d338c875 COPYING: complete lib/ transition to LGPL 7 years ago
HashTool.c b98d381bf3 arm build fixes 4 years ago
HelloWorld.c c2d01b88be HelloWorld: Add return to shut obs up 7 years ago
KeyTool.c b98d381bf3 arm build fixes 4 years ago
Loader.c b98d381bf3 arm build fixes 4 years ago
LockDown.c b98d381bf3 arm build fixes 4 years ago
Make.rules 968b000ccc More 3 years ago
Makefile 4910595692 ShimReplace: add new shim loader simply to install protocol 4 years ago
PreLoader.c 791e4639ee PreLoader: use updated security policy install function 4 years ago
README da0cdc4fab README: update with better explanations 8 years ago
ReadVars.c 7c813413f5 ReadVars, UpdateVars: add support for dbt 5 years ago
SetNull.c 4b7176ef8f SetNull: simple program to prevent *NULL from being 0 7 years ago
ShimReplace.c b50b862abd shim_protocol: convert to using the pkcs7verify allow and deny function 4 years ago
UpdateVars.c b98d381bf3 arm build fixes 4 years ago
cert-to-efi-hash-list.c 9697101d8b Fix ARM32 build 4 years ago
cert-to-efi-sig-list.c 9697101d8b Fix ARM32 build 4 years ago
efi-keytool.c 14530e59d7 efi-keytool, efi-readvar: begin constructing linux versions of efi tools 7 years ago
efi-readvar.c bb287cfce8 efi-readvar: add MokList as possible variable to read from 7 years ago
efi-updatevar.c 29af7cf326 Fix month offset problem 5 years ago
flash-var.c 613cf530f0 flash-var: new routine for manipulating variables in flash images 5 years ago
hash-to-efi-sig-list.c 9697101d8b Fix ARM32 build 4 years ago 7bac4ef3c3 script to create a bootable USB image with the files 7 years ago
ms-kek.crt 5555eebe84 Add MS KEK update bundle 5 years ago
ms-uefi.crt 40b8dbb8ae Build an update bundle for the Microsoft db key 5 years ago
sig-list-to-certs.c a27a9f9ae4 sig-list-to-certs: add -e option to break out all esl payloads 4 years ago
sign-efi-sig-list.c 9697101d8b Fix ARM32 build 4 years ago 272314ecc8 Makefile/Make.rules: don't rely on vim-core 7 years ago


How to use these files

simply typing make will build you everything including sample certificates for
PK, KEK and db.

The prerequisites are the standard development environment, gnu-efi version
3.0q or later, help2man and sbsigntools.

There will be one file called LockDown.efi. If run on your efi platform in
Setup Mode, this binary will *replace* all the values in the PK, KEK and db
variables with the ones you just generated and place the platform back into
User Mode (booting securely). If you don't want to replace all the variables,
take a dump of your current variables, see sig-list-to-cert(1), and add them
to the EFI signature list files before creating LockDown.efi

Say you want to concatenate an existing platform-db.esl file, do this:

make DB.esl
cat platform.esl DB.esl > newDB.esl
mv newDB.esl DB.esl

and then make LockDown.efi in the usual way.

All of the EFI programs are also generated in signed form (signed by both db
and KEK).


This EFI binary is created to boot an unsigned EFI file on the platform. Since
this explicitly breaks the security of the platform, it will first check to
see if the boot binary is naturally executable and execute it if it is (either
it's properly signed or the platform isn't in Secure Boot mode). If the
binary gives an EFI_ACCESS_DENIED error meaning it isn't properly signed,
Loader.efi will request present user authorisation before proceeding to boot.

The idea is that Loader.efi may serve as a chain for elilo.efi or another boot
loader on distributed linux live and install CDs and even as the boot loader
for the distribution on the hard disk assuming the user does not wish to take
control of the platform and replace the keys.

To build a secure bootable CD, simply use Loader.efi as the usual
/efi/boot/bootX64.efi and place the usual loader in the same directory as the
file boot.efi.

In order to add further convenience, if the user places the platform in setup
mode and re-runs the loader, it will ask permission to add the signature the
unsigned boot loader, boot.efi, to the authorised signatures database, meaning
Loader.efi will now no longer ask for present user authorisation every time
the system is started.

Creating, using and installing your own keys

To create PEM files with the certificate and the key for PK for example, do

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256

Which will create a self signed X509 certificate for PK in PK.crt (using
unprotected key PK.key with the subject common name PK (that's what the CN=PK
is doing).

You need to create at least three sets of certificates: one for PK, one for
KEK and one for db.

Now you need to take all the efi binaries in /usr/share/efitools/efi and sign
them with your own db key using

sbsign --key db.key --cert db.crt --output HelloWorld-signed.efi HelloWorld.efi

To install your new keys on the platform, first create your authorised update

cert-to-sig-list PK.crt PK.esl
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

And repeat for KEK and db. In setup mode, it only matters that the PK update
PK.auth is signed by the new platform key. None of the other variables will
have their signatures checked.

Now on your platform update the variables, remembering to do PK last because
an update to PK usually puts the platform into secure mode

UpdateVars db db.auth
UpdateVars KEK KEK.auth
UpdateVars PK PK.auth

And you should now be running in secure mode with your own keys.