

List UEFI Secure Boot Certificate Contents

Now that consumer versions of Windows 8 have been released and UEFI Secure Boot-enabled systems are becoming more common, how can a user (or a developer) see which keys have been installed on their system to control what applications it can boot? This post explains how to list the contents of those keys from the UEFI Shell command line. Why UEFI Secure Boot? The answer is simple – because there are an increasing number of real-world exploits where fraudulently modified early boot code has introduced vulnerabilities into an operating system. It has led to calls for

Decode Microsoft Secure Boot KEK Certificate

Version 2.3.1 of the UEFI specification introduced Secure Boot. There have also been numerous blog posts about Secure Boot over the past year, so I am not going to go into how it works here. Read chapter 27 of the specification if you need to know the gory details. Suffice it to say that Microsoft has mandated the use of Secure Boot for non-server versions of Windows 8 and the Linux community has to deal with that decision. In another post I showed readers of my blog how to read authenticated variable(s) from NVRAM and save the contents of the variable

Lenovo T430, T530 Now Support UEFI Secure Boot

A recent firmware update (version 2.05, dated 9/12/2012) for the Lenovo T430 (and T430i) provided support for UEFI (Unified Extensible Firmware Interface) Secure Boot. The previous firmware version for the Lenovo T430 was 1.20 dated 8/7/2012. A similar firmware update is available for the Lenovo T530 and T530i. This support was added in order to enable the soon-to-be-released Windows 8 to run on these laptops. As you all probably know by now, devices conforming to the Windows Certification Program (previously known as the Windows Logo Program), and running a client version of Windows 8, must ship with Secure Boot enabled

Makefile to Create UEFI SecureBoot Keys

If you are unfamiliar with signing executables for UEFI SecureBoot see How to Sign UEFI Drivers & Applications from the TianoCore EDK2 website. Here is a simple Makefile which can be used to create the necessary keys (the PK.key, KEK.key and DB.key files are written as a side effect of the rule that creates the matching .crt, and the .SUFFIXES entry is what lets $* expand to the bare key name in that rule):

    #
    # Make all keys for UEFI SecureBoot
    #
    TOPDIR := $(shell pwd)/

    .SUFFIXES: .crt

    all: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key

    # Self-signed certificate plus private key for each of PK, KEK and DB;
    # $* is the target name without its .crt suffix.
    PK.crt KEK.crt DB.crt:
    	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes

    .KEEP: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key

    # DER-encoded copy of a certificate, as needed for enrollment in firmware
    %.cer: %.crt
    	openssl x509 -in $< -out $@ -outform DER

    %-subkey.csr:
    	openssl req -new -newkey rsa:2048

Linux UEFI Secure Boot

While Matthew Garrett has been gathering a lot of attention with his blog posts about UEFI Secure Boot, another Red Hat employee, Peter Jones, has been doing excellent work down in the trenches developing a utility (pesign) for securely signing UEFI binaries on Linux platforms and a setup tool for enrolling your public key(s) in UEFI firmware. Is Secure Boot breakable? Yes, of course, but it is not that easy to do. The technology underlying Secure Boot is battle tested and proven. Here is how it basically works. Assuming you have generated a 2048-bit RSA key, the signing process