Commit 3ef89618 authored by Ophélie Gagnard's avatar Ophélie Gagnard

Add explanations about signing an UEFI application and setting the keys in the firmware.

parent 5953773b
# To perform the following instructions, some packages are needed.
# They are all installed with apt at the beginning of install.sh.
## Create keys:
# run the script mkkeys.sh (better in a dedicated directory)
mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh && ./mkkeys.sh
## Signing UEFI application:
# before running the following line (from install.sh)
dracut --force -c ./dracut.module/dracut.conf --confdir dracut_tmp
# put the following from the signing key in /etc/uefi-key/
# db.cer db.crt db.key
## Add keys to the firmware:
# run
efi-readvar
# if PK, KEK or db is not empty then
# reboot and, in the BIOS, disable Secure Boot (SB) and remove every keys
# then if we assume the keys have the name mkkeys.sh gives them:
# Add the Platform Key (the authority key for the machine).
efi-updatevar -f PK.auth PK
# Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes)
efi-updatevar -a -c KEK.crt -k PK.key KEK
# Replace the current whitelist certificate
efi-updatevar -f -c DB.crt -k KEK.key db
# (replace -f with -a to append another whitelist certificate instead of replacing the old one)
### Troubleshooting
# Some general informations:
# 1) As a general matter, with Secure Boot (SB) disabled and no key, every key should addable.
# 2) A Platform Key is needed for Secure Boot (SB) to be enabled.
# 3) To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key).
## Common errors:
# error: "Failed to update <var>: Operation not permitted"
# when trying to delete or replace a key, may be resolved by making it mutable:
lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
# "----i--------------" before the key means it is set as immutable
# to make it mutable
chattr -i /sys/firmware/efi/efivars/<key>
# (example:)
chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
# recommanded: make everything immutable after your operation
# to do so, perform the same command with +i instead of -i (same example:)
chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
# error: "Cannot write to db, wrong filesystem permissions"
# may be resolved providing the upper level private key
# (note that it can happen even with root mode, as keys are stored on a separate filesystem)
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment