Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
M
metadata-collect-agent
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nexedi
metadata-collect-agent
Commits
3ef89618
Commit
3ef89618
authored
Aug 02, 2021
by
Ophélie Gagnard
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add explanations about signing an UEFI application and setting the keys in the firmware.
parent
5953773b
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
51 additions
and
0 deletions
+51
-0
signing_uefi_application.txt
signing_uefi_application.txt
+51
-0
No files found.
signing_uefi_application.txt
0 → 100644
View file @
3ef89618
# To perform the following instructions, some packages are needed.
# They are all installed with apt at the beginning of install.sh.
## Create keys:
# run the script mkkeys.sh (better in a dedicated directory)
mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh && ./mkkeys.sh
## Signing UEFI application:
# before running the following line (from install.sh)
dracut --force -c ./dracut.module/dracut.conf --confdir dracut_tmp
# put the following from the signing key in /etc/uefi-key/
# db.cer db.crt db.key
## Add keys to the firmware:
# run
efi-readvar
# if PK, KEK or db is not empty then
# reboot and, in the BIOS, disable Secure Boot (SB) and remove every keys
# then if we assume the keys have the name mkkeys.sh gives them:
# Add the Platform Key (the authority key for the machine).
efi-updatevar -f PK.auth PK
# Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes)
efi-updatevar -a -c KEK.crt -k PK.key KEK
# Replace the current whitelist certificate
efi-updatevar -f -c DB.crt -k KEK.key db
# (replace -f with -a to append another whitelist certificate instead of replacing the old one)
### Troubleshooting
# Some general informations:
# 1) As a general matter, with Secure Boot (SB) disabled and no key, every key should addable.
# 2) A Platform Key is needed for Secure Boot (SB) to be enabled.
# 3) To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key).
## Common errors:
# error: "Failed to update <var>: Operation not permitted"
# when trying to delete or replace a key, may be resolved by making it mutable:
lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
# "----i--------------" before the key means it is set as immutable
# to make it mutable
chattr -i /sys/firmware/efi/efivars/<key>
# (example:)
chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
# recommanded: make everything immutable after your operation
# to do so, perform the same command with +i instead of -i (same example:)
chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
# error: "Cannot write to db, wrong filesystem permissions"
# may be resolved providing the upper level private key
# (note that it can happen even with root mode, as keys are stored on a separate filesystem)
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment