diff options
Diffstat (limited to 'system/efitools/README.Secure_Boot')
-rw-r--r-- | system/efitools/README.Secure_Boot | 116 |
1 files changed, 116 insertions, 0 deletions
diff --git a/system/efitools/README.Secure_Boot b/system/efitools/README.Secure_Boot new file mode 100644 index 0000000000..41a45914c8 --- /dev/null +++ b/system/efitools/README.Secure_Boot @@ -0,0 +1,116 @@ +## README_Secure_Boot + +WARNING!!!! PLEASE MAKE SURE YOU KNOW EXACTLY WHAT YOU ARE DOING BEFORE PROCEEDING. + +SlackBuilds.org 2023 accepts no liability for any issues caused by +using this software. The software is provided as is and requires +a working knowledge, of setting up secure booting and keys. + + +How to use these files + +simply typing make will build you everything including sample certificates for +PK, KEK and db. + +The prerequisites are the standard development environment, +gnu-efi version 3.0q or later, help2man and sbsigntools. + +There will be one file called LockDown.efi. If run on your +efi platform in Setup Mode, this binary will *replace* all the +values in thePK, KEK and db +variables with the ones you just generated and place the platform +back into User Mode (booting securely). If you don't +want to replace allthe variables, take a dump of your current +variables, +see sig-list-to-cert(1), and add them +to the EFI signature list files before creating LockDown.efi + +Say you want to concatenate an existing platform-db.esl file, +do this: + +make DB.esl +cat platform.esl DB.esl > newDB.esl +mv newDB.esl DB.esl + +and then make LockDown.efi in the usual way. + +All of the EFI programs are also generated in signed form +(signed by both db and KEK). + + +Loader.efi +========== + +This EFI binary is created to boot an unsigned EFI file on the +platform. Since this explicitly breaks the security of the +platform, it will first check to see if the boot binary is +naturally executable and execute it if it is +(either it's properly signed or the platform isn't in Secure +Boot mode). + +If the binary gives an EFI_ACCESS_DENIED error meaning it +isn't properly signed, +Loader.efi will request present user authorisation before +proceeding to boot. + +The idea is that Loader.efi may serve as a chain for elilo.efi +or another boot loader on distributed linux live and install +CDs and even as +the boot loader for the distribution on the hard disk +assuming the user does not wish to take control of the platform +and replace the keys. + +To build a secure bootable CD, simply use Loader.efi as the usual +/efi/boot/bootX64.efi and place the usual loader in the same +directory as the file boot.efi. + +In order to add further convenience, if the user places +the platform in setup mode and re-runs the loader, +it will ask permission to add the signature the unsigned +boot loader, boot.efi, to the authorised signatures +database, meaningLoader.efi will now no longer +ask for present user authorisation every time the system is +started. + + +Creating, using and installing your own keys +============================================ + +To create PEM files with the certificate and the key for PK for +example, do + +openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout \ +PK.key -out PK.crt -days 3650 -nodes -sha256 + +Which will create a self signed X509 certificate for PK in PK.crt +(using unprotected key PK.key with the subject common name PK +(that's what the CN=PK is doing). + +You need to create at least three sets of certificates: one for PK, +one for KEK and one for db. + +Now you need to take all the efi binaries in +/usr/share/efitools/efi and sign them with your own db key +using, +sbsign --key db.key --cert db.crt --output \ +HelloWorld-signed.efi HelloWorld.efi + +To install your new keys on the platform, first create your +authorised update bundles: + +cert-to-sig-list PK.crt PK.esl +sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth + +And repeat for KEK and db. In setup mode, it only matters that +the PK update PK.auth is signed by the new platform key. +None of the other variables will have their signatures checked. + +Now on your platform update the variables, remembering to do PK +last because an update to PK usually puts the platform +into secure mode + +UpdateVars db db.auth +UpdateVars KEK KEK.auth +UpdateVars PK PK.auth + +And you should now be running in secure mode with your own keys. |