mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
man: Add instructions for Microsoft secure boot keys
Adding Microsoft keys by default is recommended because firmware drivers might be signed by it. This also changes the file ending from .esl to .auth as that is used by sign-efi-sig-list manpage and other sources.
This commit is contained in:
parent
f234a56db5
commit
adb9485acb
@ -244,20 +244,38 @@
|
|||||||
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
|
<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
|
||||||
EDK2 documentation</ulink>.</para>
|
EDK2 documentation</ulink>.</para>
|
||||||
|
|
||||||
<para>A complete set of UEFI variable includes <filename>db.esl</filename>, <filename>KEK.esl</filename>
|
<para>A complete set of UEFI variable includes <filename>db.auth</filename>, <filename>KEK.auth</filename>
|
||||||
and <filename>PK.esl</filename>. Note that these files need to be authenticated UEFI variables. See
|
and <filename>PK.auth</filename>. Note that these files need to be authenticated UEFI variables. See
|
||||||
below for an example of how to generate them from regular X.509 keys.</para>
|
below for an example of how to generate them from regular X.509 keys.</para>
|
||||||
|
|
||||||
<programlisting>uuid=$(systemd-id128 new --uuid)
|
<programlisting>uuid=$(systemd-id128 new --uuid)
|
||||||
for key in PK KEK db; do
|
for key in PK KEK db; do
|
||||||
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
|
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
|
||||||
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
|
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
|
||||||
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.tmp"
|
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
|
||||||
done
|
done
|
||||||
|
|
||||||
sign-efi-sig-list -c PK.crt -k PK.key PK PK.tmp PK.esl
|
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
|
||||||
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.tmp KEK.esl
|
curl "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
|
||||||
sign-efi-sig-list -c KEK.crt -k KEK.key db db.tmp db.esl
|
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
|
||||||
|
cat MicWinProPCA2011_2011-10-19.esl >> db.esl
|
||||||
|
|
||||||
|
# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
|
||||||
|
# and third-party boot loaders (including shim). This is highly recommended on real
|
||||||
|
# hardware as not including this may soft-brick your device (see next paragraph).
|
||||||
|
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
|
||||||
|
|
||||||
|
# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
|
||||||
|
# Microsoft keys is used as the official UEFI revocation database is signed with this
|
||||||
|
# key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
|
||||||
|
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
|
||||||
|
|
||||||
|
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
|
||||||
|
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
|
||||||
|
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>This feature is considered dangerous because even if all the required files are signed with the
|
<para>This feature is considered dangerous because even if all the required files are signed with the
|
||||||
|
@ -319,7 +319,7 @@
|
|||||||
similar, to extend the native firmware support.</para>
|
similar, to extend the native firmware support.</para>
|
||||||
|
|
||||||
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
|
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
|
||||||
under <filename>/keys/<replaceable>NAME</replaceable>/{db,KEK,PK}.esl</filename>, <replaceable>NAME</replaceable>
|
under <filename>/keys/<replaceable>NAME</replaceable>/{db,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
|
||||||
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
|
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
|
||||||
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
|
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
|
||||||
to force or not.</para>
|
to force or not.</para>
|
||||||
|
@ -81,9 +81,9 @@ EFI_STATUS secure_boot_enroll_at(EFI_FILE *root_dir, const char16_t *path) {
|
|||||||
char *buffer;
|
char *buffer;
|
||||||
size_t size;
|
size_t size;
|
||||||
} sb_vars[] = {
|
} sb_vars[] = {
|
||||||
{ u"db", u"db.esl", EFI_IMAGE_SECURITY_DATABASE_VARIABLE, NULL, 0 },
|
{ u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_VARIABLE, NULL, 0 },
|
||||||
{ u"KEK", u"KEK.esl", EFI_GLOBAL_VARIABLE, NULL, 0 },
|
{ u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
|
||||||
{ u"PK", u"PK.esl", EFI_GLOBAL_VARIABLE, NULL, 0 },
|
{ u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Make sure all keys files exist before we start enrolling them by loading them from the disk first. */
|
/* Make sure all keys files exist before we start enrolling them by loading them from the disk first. */
|
||||||
|
Loading…
Reference in New Issue
Block a user