Debian-based systems
- YubiKey: Ensure you have a YubiKey that supports PIV (Personal Identity Verification).
- OpenSSL: Install OpenSSL on your system.
- Ykman: Install the apt version of YubiKey Manager to manage your YubiKey (`apt install ykman`); the snap version (`snap install ykman`) can only write to `/tmp/snap-private-tmp/snap.ykman/tmp/`.
- You may need to restart pcscd: `sudo service pcscd start`.
- Ykcs11: Install ykcs11 library on your system.
- libengine-pkcs11-openssl: Install the pkcs11 libengine dynamic extension on your system.
- U-Boot: Build "mutably" with `CONFIG_HEXDUMP=y` and `CONFIG_CMD_NVEDIT_EFI=y` to make EFI variables editable.
- sbsign: Build with the slight patch described in osresearch/sbsigntools@5154c68.
- Debuggers:
  - Install gdb: `apt install gdb`
  - Install OpenSC on your system if you need to debug the module further; its `pkcs11-tool` binary can exercise the YubiKey module with `pkcs11-tool --module /usr/lib/aarch64-linux-gnu/libykcs11.so -t`.
You can generate a key pair directly on the YubiKey using the YubiKey PIV application. Here’s how to do it:
```sh
sudo su
pushd /etc/platform/keys/
# Generate an RSA-2048 key in PIV slot 9a; the PIN and a touch are required for every use of the key
ykman piv keys generate -a RSA2048 --touch-policy ALWAYS --pin-policy ALWAYS 9a public_key.pem
```
Next, you need to create a self-signed certificate using the private key stored on the YubiKey. You can do this with OpenSSL:
```sh
# Key id 1 in ykcs11 is the key in slot 9a; the private key never leaves the YubiKey
export PKCS11_MODULE_PATH=/usr/lib/aarch64-linux-gnu/libykcs11.so
openssl x509 -new -engine pkcs11 -keyform ENGINE -key 1 -out ca.pem -subj "/C=US/ST=CA/O=OMNITECK/CN=Root CA" -days 1826
```
You can import the self-signed certificate back to the YubiKey:
```sh
ykman piv certificates import -v 9a ca.pem
```
You can verify that the certificate is correctly stored on the YubiKey:
```sh
ykman piv info
```
```sh
# Platform Key (PK): self-signed, then wrapped as a time-based authenticated variable signed by itself
openssl req -x509 -sha256 -engine pkcs11 -keyform ENGINE -key 1 -subj /CN=OMNITECK_PK/ -out PK.crt -nodes -days 1826
cert-to-efi-sig-list -g cc1e39bc-7c39-11ef-b26d-9b41b973d7e9 PK.crt PK.esl
sign-efi-sig-list -c PK.crt -t "$(echo $(date +%Y-%m-%d) 00:00:00)" -o PK PK.esl PK.forsig
openssl smime -sign -binary -engine pkcs11 -keyform ENGINE -in PK.forsig -out PK.signed -signer PK.crt -inkey 1 -outform DER -md sha256
sign-efi-sig-list -i PK.signed -t "$(echo $(date +%Y-%m-%d) 00:00:00)" PK PK.esl PK.auth

# Key Exchange Key (KEK): signed by the PK
openssl req -x509 -sha256 -engine pkcs11 -keyform ENGINE -key 1 -subj /CN=OMNITECK_KEK/ -out KEK.crt -nodes -days 1826
cert-to-efi-sig-list -g cc1e39bc-7c39-11ef-b26d-9b41b973d7e9 KEK.crt KEK.esl
sign-efi-sig-list -c PK.crt -t "$(echo $(date +%Y-%m-%d) 00:00:00)" -o KEK KEK.esl KEK.forsig
openssl smime -sign -binary -engine pkcs11 -keyform ENGINE -in KEK.forsig -out KEK.signed -signer PK.crt -inkey 1 -outform DER -md sha256
sign-efi-sig-list -i KEK.signed -t "$(echo $(date +%Y-%m-%d) 00:00:00)" KEK KEK.esl KEK.auth

# Signature database (db): signed by the KEK
openssl req -x509 -sha256 -engine pkcs11 -keyform ENGINE -key 1 -subj /CN=OMNITECK_db/ -out db.crt -nodes -days 1826
cert-to-efi-sig-list -g cc1e39bc-7c39-11ef-b26d-9b41b973d7e9 db.crt db.esl
sign-efi-sig-list -c KEK.crt -t "$(echo $(date +%Y-%m-%d) 00:00:00)" -o db db.esl db.forsig
openssl smime -sign -binary -engine pkcs11 -keyform ENGINE -in db.forsig -out db.signed -signer KEK.crt -inkey 1 -outform DER -md sha256
sign-efi-sig-list -i db.signed -t "$(echo $(date +%Y-%m-%d) 00:00:00)" db db.esl db.auth
```
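The `.esl` and `.auth` files produced above are plain binary structures from the UEFI specification, and it is worth checking them before enrolling: a wrong owner GUID, a truncated list or a mismatched `dwLength` will be rejected by U-Boot with little explanation. The following is an added example, not part of the original page or of efitools: it rebuilds the `EFI_SIGNATURE_LIST` layout that `cert-to-efi-sig-list` writes and the `EFI_VARIABLE_AUTHENTICATION_2` header that `sign-efi-sig-list -i` prepends, and parses both. The GUIDs are the well-known UEFI constants plus the owner GUID used on this page; the DER certificate and PKCS#7 bytes in the test are constructed placeholders, and no cryptographic verification of the signature is attempted.

```python
"""Build and inspect EFI_SIGNATURE_LIST (.esl) and EFI_VARIABLE_AUTHENTICATION_2 (.auth)
files so PK/KEK/db payloads can be sanity-checked before enrollment.
Added example; assumes only the layouts from the UEFI specification."""
import struct
import uuid

# Well-known UEFI GUIDs (UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
# Owner GUID passed to cert-to-efi-sig-list -g on this page.
OWNER_GUID = uuid.UUID("cc1e39bc-7c39-11ef-b26d-9b41b973d7e9")

ESL_HEADER = struct.Struct("<16sIII")      # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
EFI_TIME = struct.Struct("<HBBBBBBIhBB")  # Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
WIN_CERT = struct.Struct("<IHH16s")       # dwLength, wRevision, wCertificateType, CertType GUID


def build_esl(der_cert: bytes, owner: uuid.UUID = OWNER_GUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, as cert-to-efi-sig-list does."""
    sig_size = 16 + len(der_cert)            # EFI_SIGNATURE_DATA = SignatureOwner GUID + SignatureData
    list_size = ESL_HEADER.size + sig_size   # one entry, no signature header
    return (ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
            + owner.bytes_le + der_cert)


def parse_esl(blob: bytes) -> list:
    """Parse a buffer holding one or more EFI_SIGNATURE_LISTs.

    Returns [(signature_type, owner, data)] and raises ValueError on any size
    inconsistency, which is the first thing to check before enrolling a file."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the buffer")
        body = list_size - ESL_HEADER.size - hdr_size
        if sig_size < 16 or body % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        pos = off + ESL_HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def esl_is_well_formed(blob: bytes) -> bool:
    """True when every list in the buffer is structurally consistent."""
    try:
        parse_esl(blob)
        return True
    except ValueError:
        return False


def build_auth(esl: bytes, pkcs7: bytes, ymd: tuple) -> bytes:
    """Prepend the EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME + WIN_CERTIFICATE_UEFI_GUID)
    that sign-efi-sig-list -i writes; pkcs7 is the detached DER signature from openssl smime."""
    year, month, day = ymd
    efi_time = EFI_TIME.pack(year, month, day, 0, 0, 0, 0, 0, 0, 0, 0)  # midnight, as on this page
    cert = WIN_CERT.pack(WIN_CERT.size + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID,
                         EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return efi_time + cert + pkcs7 + esl


def parse_auth(blob: bytes) -> dict:
    """Split a .auth file into its timestamp, PKCS#7 blob and the signed ESL payload."""
    t = EFI_TIME.unpack_from(blob, 0)
    dw_len, rev, ctype, cert_type = WIN_CERT.unpack_from(blob, EFI_TIME.size)
    if rev != 0x0200 or ctype != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID")
    if uuid.UUID(bytes_le=cert_type) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    pkcs7_start = EFI_TIME.size + WIN_CERT.size
    pkcs7_end = EFI_TIME.size + dw_len   # dwLength covers the WIN_CERTIFICATE header and CertData
    if pkcs7_end > len(blob):
        raise ValueError("dwLength exceeds file size")
    return {"timestamp": (t[0], t[1], t[2]),
            "pkcs7": blob[pkcs7_start:pkcs7_end],
            "entries": parse_esl(blob[pkcs7_end:])}


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:   # e.g. PK.auth KEK.auth db.auth
        with open(path, "rb") as f:
            info = parse_auth(f.read())
        print(path, "timestamp", info["timestamp"], "PKCS#7", len(info["pkcs7"]), "bytes")
        for sig_type, owner, data in info["entries"]:
            print("  type", sig_type, "owner", owner, len(data), "bytes")
```

Run it as `python3 esl_check.py PK.auth KEK.auth db.auth` from `/etc/platform/keys/`: each file should report exactly one `EFI_CERT_X509_GUID` entry owned by the GUID you passed to `-g`, and the entries of `db.auth` should match `parse_esl` run over `db.esl`.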
```sh
# Copy the signed variable payloads to the ESP and re-sign shim with the db key on the YubiKey
rm -f /boot/efi/*.auth && cp /etc/platform/keys/*.auth /boot/efi/ \
  && rm -f /boot/efi/EFI/ubuntu/shimaa64.efi.signed \
  && sbsign --engine pkcs11 --key 1 --cert db.crt /usr/lib/shim/shimaa64.efi --output /boot/efi/EFI/ubuntu/shimaa64.efi.signed \
  && popd
```
```sh
# Build U-Boot in mutable mode, then drop the existing EFI variable store and reboot
rm -f /boot/efi/ubootefi.var
reboot
```

At the U-Boot prompt:

```sh
# Stop autoboot and remove any existing entries from eficonfig
eficonfig
reset
# Load platform keys: each .auth is written as a non-volatile, boot-service, runtime,
# time-based authenticated variable (-at) from the loaded buffer
fatload mmc 0:1 $kernel_addr_r PK.auth
setenv -e -nv -bs -rt -at -i $kernel_addr_r:$filesize PK
fatload mmc 0:1 $kernel_addr_r KEK.auth
setenv -e -nv -bs -rt -at -i $kernel_addr_r:$filesize KEK
fatload mmc 0:1 $kernel_addr_r db.auth
setenv -e -nv -bs -rt -at -i $kernel_addr_r:$filesize db
run bootcmd
```