In this post, I dive deep into UEFI Authenticated Variables to show you how UEFI Secure Boot is implemented. I also provide the source code for a simple UEFI utility which outputs information about the X.509 certificates in the Secure Boot keys.
In this post I show you how to decode a DER-encoded binary X.509 certificate and use it to show you the contents of the Microsoft X.509 certificate used as the UEFI Secure Boot KEK for Windows 8 platforms.

In this post, I discuss the new Secure Boot options made available on the Lenovo T430, T430i, T530, and T530i laptops as a result of the 2.05 firmware update.

If you are unfamiliar with signing executables for UEFI Secure Boot, see How to Sign UEFI Drivers & Applications from the TianoCore EDK2 website. Here is a simple Makefile which can be used to create the necessary keys:

    #
    # Make all keys for UEFI SecureBoot
    #
    TOPDIR := $(shell pwd)/

    # Register .crt as a suffix so that $* expands to the key name (PK, KEK, DB)
    # in the explicit rule below
    .SUFFIXES: .crt

    all: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key

    # Generate a self-signed certificate and its 2048-bit RSA private key;
    # the CN is the key name and the certificate is valid for ten years
    PK.crt KEK.crt DB.crt:
    	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes

    .KEEP: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key

    # Convert a PEM certificate to the DER form expected by UEFI firmware
    %.cer: %.crt
    	openssl x509 -in $< -out $@ -outform DER

    %-subkey.csr:
    	openssl req -new -newkey rsa:2048

While Matthew Garrett has been gathering a lot of attention with his blog posts about UEFI Secure Boot, another Red Hat employee, Peter Jones, has been doing excellent work down in the trenches developing a utility (pesign) for secure signing of UEFI binaries on Linux platforms and a setup tool for enrolling your public key(s) in UEFI firmware.

Is Secure Boot breakable? Yes, of course, but it is not that easy to do. The technology underlying Secure Boot is battle tested and proven. Here is how it basically works. Assuming you have generated a 2048-bit RSA key, the signing process
Copyright © 2007-2023 Finnbarr P. Murphy. All Rights Reserved