Add option to add Microsoft/vendor certs to the signature database #40

Closed
NetSysFire opened this issue Nov 19, 2020 · 4 comments

Comments

@NetSysFire

Unfortunately, I found out that some(?) firmwares try to validate option ROMs with the custom keys the user imported, which will not succeed and might even result in a semi-bricked motherboard when no iGPU/APU is present. Adding Microsoft's or the vendor's certs to the signature database seems to be the only way to use secure boot with such a setup.

See also:

@fabiscafe

This. Right now my options are

  • disable secure boot completely
  • avoiding sbctl and going the complicated route with one other app
  • using sbctl but needing to have CSM active, because the graphics firmware is Microsoft signed and will of course fail with only my own keys in place.

@Foxboron
Owner

Foxboron commented Aug 6, 2021

There are a few solutions I want to implement:

  • Embed Microsoft CA we can append
  • Scan for the default vendor certificates in db and append.
  • Parse the TPM2 eventlog for checksums of OpROM binaries we should append.

This has mostly been improving the APIs for dealing with signature lists and databases in go-uefi.

@Foxboron
Owner

Foxboron commented Nov 6, 2021

I have implemented support in the master branch for enrolling Microsoft signing certs. This needs to be explicitly done, but it's a nice start. This also sports a reset option so you can re-enroll keys with secure boot enabled.

This is partially based on work by @zaolin :)<3

λ sbctl master» sudo ./sbctl enroll-keys
‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivarfs
λ sbctl master» sudo chattr -i /sys/firmware/efi/efivars/{db,KEK}*

λ sbctl master» sudo ./sbctl enroll-keys
Enrolling keys to EFI variables...✓
Enrolled keys to the EFI variables!

λ sbctl master» sudo ./sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	a7b893cc-949d-408c-b5cc-6e7d0370fdb6
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled

λ sbctl master» sudo ./sbctl reset
✓ Removed Platform Key!
Use `sbctl enroll-keys` to enroll the Platform Key again.

λ sbctl master» sudo ./sbctl enroll-keys --microsoft
Enrolling keys to EFI variables...
With vendor keys from Microsoft...✓
Enrolled keys to the EFI variables!

λ sbctl master» sudo ./sbctl status
Installed:	✓ sbctl is installed
Owner GUID:	a7b893cc-949d-408c-b5cc-6e7d0370fdb6
Setup Mode:	✓ Disabled
Secure Boot:	✗ Disabled
Vendor Keys:	 microsoft
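Both of Foxboron's comments above turn on the same data structure: the db and KEK variables are concatenated EFI_SIGNATURE_LISTs, and "scan for the default vendor certificates" means walking those lists and looking for X.509 entries owned by a vendor. The following is an added example, not sbctl or go-uefi code, that parses that layout and checks for a given SignatureOwner. The signature-type GUIDs are the ones from the UEFI specification; the vendor owner GUID, the DER blob and the sample db bytes are constructed for the example, and read_efivar assumes the 4-byte attribute prefix that efivarfs puts in front of each variable.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST.SignatureType values from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS_ATTR_LEN = 4   # efivarfs prefixes each variable with a 4-byte attribute word
SIGLIST_HDR_LEN = 28   # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)

def parse_siglists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs; return [(sig_type, owner, sig_data), ...]."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        # Reject lists whose sizes do not fit the buffer before trusting them.
        if list_size < SIGLIST_HDR_LEN + hdr_size or sig_size < 16 or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + SIGLIST_HDR_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):   # each EFI_SIGNATURE_DATA: owner GUID + data
            owner = uuid.UUID(bytes_le=bytes(body[i:i + 16]))
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries

def build_siglist(sig_type, owner, blobs):
    """Build one EFI_SIGNATURE_LIST (SignatureHeaderSize 0); all blobs must be equal length."""
    sig_size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + blob for blob in blobs)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR_LEN + len(body), 0, sig_size) + body

def has_x509_owned_by(entries, owner):
    """True if an X.509 certificate with SignatureOwner == owner is enrolled."""
    return any(t == EFI_CERT_X509_GUID and o == owner for t, o, _ in entries)

def read_efivar(path):
    """Parse a db/KEK variable straight from efivarfs (assumes the 4-byte attribute prefix)."""
    with open(path, "rb") as f:
        return parse_siglists(f.read()[EFIVARS_ATTR_LEN:])

# Constructed sample db: one vendor X.509 entry plus two SHA-256 OpROM hashes owned by the user.
SAMPLE_OWNER = uuid.UUID("a7b893cc-949d-408c-b5cc-6e7d0370fdb6")  # owner GUID shown in the issue
VENDOR_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")  # constructed placeholder
FAKE_CERT = b"\x30\x82" + b"\x00" * 30                           # placeholder, not a real DER cert
SAMPLE_DB = (build_siglist(EFI_CERT_X509_GUID, VENDOR_OWNER, [FAKE_CERT])
             + build_siglist(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32]))
```

Running parse_siglists over SAMPLE_DB yields three entries, and has_x509_owned_by reports the vendor certificate as present while no X.509 entry is attributed to the user's owner GUID.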

@Foxboron
Owner

Implemented with 4713d98
