List UEFI Secure Boot Certificate Contents

In this post, I dive deep into UEFI Authenticated Variables to show you how UEFI Secure Boot is implemented. I also provide the source code for a simple UEFI utility which outputs information about the X.509 certificates in the Secure Boot keys.

Decode Microsoft Secure Boot KEK Certificate

In this post I show you how to decode a DER encoded binary X509 certificate and use it to show you the contents of the Microsoft X509 certificate used as the UEFI Secure boot KEK for Windows 8 platforms.

Lenovo T430, T530 Now Support UEFI Secure Boot

In this post, I discuss the new Secure Boot options made available on the Lenovo T430, T430i, T530, and T530i laptops as a result of the 2.05 firmware update.

Makefile to Create UEFI SecureBoot Keys

If you are unfamilar with signing executables for UEFI SecureBoot see How to Sign UEFI Drivers & Applications from the TianoCore EDK2 website. Here is a simple Makefile which can be used to create the necessary keys: # # Make all keys for UEFI SecureBoot # TOPDIR := $(shell pwd)/ .SUFFIXES: .crt all: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key PK.crt KEK.crt DB.crt: openssl req -new -x509 -newkey rsa:2048 -subj “/CN=$*/” -keyout $*.key -out $@ -days 3650 -nodes .KEEP: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key %.cer: %.crt openssl x509 -in $< -out $@ -outform DER %-subkey.csr: openssl req -new -newkey rsa:2048

Linux UEFI Secure Boot

While Matthew Garrett has been gathering a lot of attention with his blog posts about UEFI Secure Boot, another Red Hat employee, Peter Jones, has been doing excellent work down in the trenches developing a utility (pesign) for securing signing of UEFI binaries on Linux platforms and a setup tool for enrolling your public key(s) in UEFI firmware. Is Secure Boot breakable? Yes, of course, but it is not that easy to do. The technology underlying Secure Boot is battle tested and proven. Here is how it basically works. Assuming you have generated a 2048-bit RSA key, the signing process