uefi-keys/: Initial commit.

installation/dependencies.sh

@@ -18,3 +18,6 @@ apt -y install dracut-core dracut dracut-network
 wget https://download.opensuse.org/repositories/home:/fg.nxd/Debian_11/amd64/dep--mca-static_1-1_amd64.deb
 apt -y install ./dep--mca-static_1-1_amd64.deb
 apt -y install ./fluent-bit_1-1_amd64.deb
+
+# signing initramfs
+apt -y install sbsigntool efitools

installation/signing_uefi_application.txt

-# To perform the following instructions, some packages are needed.
-# They are all installed with apt at the begining of install.sh.
-
-## Create the keys:
-# run the script mkkeys.sh (better in a dedicated directory)
-mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh
-
-## Signing a UEFI application:
-# before running the following line (from install.sh)
-dracut --force  -c ./dracut.module/dracut.conf --confdir dracut_tmp
-# put the following from the signing key in /etc/uefi-key/
-# db.cer	db.crt	db.key
-
-## Add keys to the firmware:
-# run
-efi-readvar
-# if PK, KEK or db is not empty then
-# reboot and, in the BIOS, disable Secure Boot (SB) and remove every keys
-# then if we assume the keys have the name mkkeys.sh gives them:
-# Add the Platform Key (the authority key for the machine).
-efi-updatevar -f PK.auth PK
-# Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes)
-efi-updatevar -a -c KEK.crt -k PK.key KEK
-# Replace the current whitelist certificate
-efi-updatevar -f -c DB.crt -k KEK.key db
-# (replace -f with -a to append another whitelist certificate instead of replacing the old one)
-
-### Troubleshooting
-# Some general informations:
-# 1) As a general matter, with Secure Boot (SB) disabled and no key, every key should addable.
-# 2) A Platform Key is needed for Secure Boot (SB) to be enabled.
-# 3) To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key).
-
-## Common errors:
-
-# error: "Failed to update <var>: Operation not permitted"
-# when trying to delete or replace a key, may be resolved by making it mutable:
-lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
-# "----i--------------" before the key means it is set as immutable
-# to make it mutable
-chattr -i /sys/firmware/efi/efivars/<key>
-# (example:)
-chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-# recommanded: make everything immutable after your operation
-# to do so, perform the same command with +i instead of -i (same example:)
-chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-
-# error: "Cannot write to db, wrong filesystem permissions"
-# may be resolved providing the upper level private key
-# (note that it can happen even with root mode, as keys are stored on a separate filesystem)
-

uefi-keys/DB.crt

+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIUCXcXOU0UPEBomolNyuOYcJfJoRkwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTU3RvcmVkIG9uIGdpdGxhYiBEQjAeFw0yMjA0MDQwOTEz
+NDlaFw0zMjA0MDEwOTEzNDlaMB4xHDAaBgNVBAMME1N0b3JlZCBvbiBnaXRsYWIg
+REIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHiUc+MyP+TQDM4s8c
+SP1p/luYT1pgfS0H8SBQxy0bhjjCu3YTv38FdXR1pxLVLuwJfK0TYzrsL0DAUjNV
+FO45AaC0zbH7eMy4UA6prSEcaqcPgqcyD3Nfg4B/DpwCkdEQVwwT75aR4raG2+QD
+/JRe+n/4tY9PhzxsAexOazISEfMigvjWUg3lDWZyo21orObV6YWMYeX5xN+SregU
+TwE5W7LANhFTzInnaQJ9lmA7q2d+D3FQ/HM6vNmb1a/TlMlnzbGaWOEbWOaIGpku
+ZpTHM+piwm5K5oA7X0rO8Mf5c1X/zuGwLCDj44kFaQlTSV5UMdU5CclvMDK96qcS
+ypMrAgMBAAGjUzBRMB0GA1UdDgQWBBTIHsJW7yF4GMQNU4vxilfX56PMSDAfBgNV
+HSMEGDAWgBTIHsJW7yF4GMQNU4vxilfX56PMSDAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQAOPzJCyld6PMbuosnwVS0tbv+up157rgGtUB7e4r1O
+b8DKxVSMXA5q7ydj0SP6VWExr192n9omxGYolyBHq1OpxT09khjXor1ebyzBWUoD
+HDrJfHn+VZECTwKlpyR7US1cab1SACstaQomwa2AfAQ6JgBr25Lo8hCcBKKkr/gt
+sLWcQEemPjnRrcD/Wn40lpaqMvJUtasmBRIIPc43LQz4ksSvBnEdq/fHZtfgQtgT
+BDLk9voHxr7sO4X/UqzrReaCnDdbu2HZpgQa/Qv+2b2h2ytyUd2rR5GdqSOYU2Y7
+Y045LGgafuyJDvKH2yaAMtaqQhISFReuUaJ41KxTAk4z
+-----END CERTIFICATE-----

uefi-keys/KEK.crt

+-----BEGIN CERTIFICATE-----
+MIIDHzCCAgegAwIBAgIUfWXW12ByFkz/so3aswilrWI7vo0wDQYJKoZIhvcNAQEL
+BQAwHzEdMBsGA1UEAwwUU3RvcmVkIG9uIGdpdGxhYiBLRUswHhcNMjIwNDA0MDkx
+MzQ5WhcNMzIwNDAxMDkxMzQ5WjAfMR0wGwYDVQQDDBRTdG9yZWQgb24gZ2l0bGFi
+IEtFSzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJrlyqU+2K0QFlSK
+FhU4ptUchrKLZ6LnHQoREE7mRyH4VR7pBeBmOHW9I2b9DKJJEA6KswWqOhKPWInk
+XaZSvvBssy3Y1Kv30oeiBMQed3r9SfLmTJRblnNvJ+YIz1ZwwdMenrg5kMA2PaFY
+gy22yNzY0oT2SgB592ge+ftnueBD79nbEyXfR5jynZSup6glt+C49uKYukdw35Qa
+cbYnq0vvsJKmR0hxrDbAdjh/9tCqa1v4EqihHJ4r9sQ9LhGxSN4CjlfzOgufZ9Zg
+2nWt8Ig3jeBynPz9GxdHD0rH4DzQ9JZSmR9gJoF1hcUASAB3SqJLXQskF7hf/eXL
+AjCSig0CAwEAAaNTMFEwHQYDVR0OBBYEFGZEDP/JE0zKLEnrgmhfLcCnt2YcMB8G
+A1UdIwQYMBaAFGZEDP/JE0zKLEnrgmhfLcCnt2YcMA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAAUbf/Fl1rcgz2DCrlEuO8tnbhvLzc4peJxu8DIv
+m9zLgTlhceQI2lMLEYk4sJzzmzQ5ZQmRRnGUmR0SmKAPziPhRa6efRivDGVVyTqi
+Tlu6rO1ZN1mQz/uctZeTkV4TGhiVu2GrE5qE611kZLECBzQffLOJcraYhTwDi0jm
+nSvkRCRTV2SGxsD45eYcCnRYpl5pTHhLa2QbS6nTf5OFSfItSntxCSZ773zg0gWk
+nUNyAjuZOcg5223XL+njUKVWyR3Z9P3aR1D1psTrHd5e6eun/DLrAZQhZ0jQphtJ
+6YAOrwDhGhMKTFTPhegR3H99Ie8R2dIcTa752GVd54IQ44g=
+-----END CERTIFICATE-----

uefi-keys/PK.crt

+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIULMOpRSFPuIZf3kENV26CKG/n4IYwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTU3RvcmVkIG9uIGdpdGxhYiBQSzAeFw0yMjA0MDQwOTEz
+NDlaFw0zMjA0MDEwOTEzNDlaMB4xHDAaBgNVBAMME1N0b3JlZCBvbiBnaXRsYWIg
+UEswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3IX8Gfz8R93RT3hQJ
+G5SDahwoZuCSO0TsSY8akTZCe4AoRm8DlaSwb60QHiO5Be7A6zFYzbWxYVGPDqHH
+li9ICP75GtnbgjMEbGQvzAOWH7FNpUSNMiiIFdzFSdrFZBgoS4IGRgR2/D0kl+Dg
+Z+j4bU0tw6S6MlJprMxx613OxndrXZqgy/OgA/SnutpdiRjU+AziWGcnMYKCRuQS
+e3mfqTS8lMFvS2DFHmZwddPTimIVCEzVzhMUJe5bm/SuYS3z9VWnPMeDRIyIQCmN
+of9+YIzW1m8tb7P5mpS+3NPzJ65pG5FeEgOxr+U1shcMuV0swdN+h057Z1F+4jFc
+3XzPAgMBAAGjUzBRMB0GA1UdDgQWBBSwOm6VV8AbJdyhBfga4KUduU+kcTAfBgNV
+HSMEGDAWgBSwOm6VV8AbJdyhBfga4KUduU+kcTAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQBRI2flodyHjTi8JBT1911XBrZqvt+pO6IYePvjRBmy
+bmPtK73GntULkNe7OGYFswAy5tQrQjPfsSGh454dAl+xJHVtScHFD6W4atz/65DZ
+mtjhn4POnzVBlPMEL7CY0UGl/ocn/uLolbxFJ9AIHpYg5NPA6HeMt8x9+fUbHmNS
+lzXqNJOi4f9O35tRAmORABHHHXIocdLxpFNH5SmZ++rbbueLVl4llGUS++taniKn
+URIPcYmCHnP8RLyvm73djct86h0qeBFbRrVHTgu6+mGdzqMizqsXRgK9tWcj5Sh5
+GvzkzwPo7TVsMPWZYd/jB4UM1GJyCv/0Eqgs+P5DkvIa
+-----END CERTIFICATE-----

uefi-keys/README.md

+# UEFI keys enrollment
+
+To perform the following instructions, some packages are needed. They are installed by `dependencies.sh` of this directory. By default, the command listed below require to be logged as root. It will be pointed out otherwise.
+
+## Create the keys
+WARNING: A set of keys is already created here. So the following instruction is probably NOT what you want to do. This section is simply for documentation and you should proceed to the next section.
+
+Run the script `mkkeys.sh` (no root access needed):
+```bash
+mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh
+```
+
+## Sign a UEFI application
+You have nothing special to do in this section. This is performed by dracut right after creating the (unsigned) image. Dracut is called in `installation/install.sh` with parameters according to `dracut.conf` and the command line. Tip: `dracut.conf` if generated by `installation/install.sh` from `dracut.conf.in`.
+
+## Add keys to the firmware
+Run `efi-readvar` (no root access needed).
+If the field `PK`, `KEK` or `db` is not empty, then reboot. Enter the BIOS, disable Secure Boot (SB) and remove every keys.
+
+If it is empty or after the previous stage, add the keys to UEFI as follow. We assume the keys have the name `mkkeys.sh` gave them:
+* Add the Platform Key (the authority key for the machine):
+    `efi-updatevar -f PK.auth PK`
+
+* Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes):
+`efi-updatevar -a -c KEK.crt -k PK.key KEK`
+    
+* Replace the current whitelist certificate:
+`efi-updatevar -f -c DB.crt -k KEK.key db`
+(replace -f with -a to append another whitelist certificate instead of replacing the old one)
+
+
+### Troubleshooting
+Some general informations:
+* As a general matter, with Secure Boot (SB) disabled and no key, every key should be addable.
+* A Platform Key is needed for Secure Boot (SB) to be enabled.
+* To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key).
+
+##### Common errors
+
+* Error: `Failed to update <var>: Operation not permitted`
+It happens when trying to delete or replace a key. It may be resolved by making it mutable:
+```bash
+lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
+```
+"----i--------------" before the key means it is set as immutable. To make it mutable:
+```bash
+chattr -i /sys/firmware/efi/efivars/<key>
+```
+Example:
+```bash
+chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+```
+Recommanded: make everything immutable after your operation. To do so, perform the same command with `+i` instead of `-i`. Same example:
+```bash
+chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+```
+
+* Error: `Cannot write to db, wrong filesystem permissions`
+It may be resolved by providing the upper level private key (after the `-k` option of `efi-updatevar`). Note that it can happen even in root mode, as the keys are stored on a separate filesystem.

uefi-keys/depenencies.sh

+# generate efi certificates
+apt -y install sbsigntool efitool python3

uefi-keys/myGUID.txt

+89da4706-b3f7-11ec-92f8-00224ddacaa7

uefi-keys/old.README.md

+
+To perform the following instructions, some packages are needed.
+They are installed by `dependencies.sh` of this directory.
+
+## Create the keys
+
+WARNING: This is probably NOT what you want to do.
+
+Run the script `mkkeys.sh`:
+```bash
+    mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh
+```
+
+## Signing a UEFI application
+
+You have nothing special to do. This is performed by dracut (called in `installation/install.sh`) according to `dracut.conf` (generated by `installation/install.sh` from `dracut.conf.in`).
+
+## Add keys to the firmware:
+Run `efi-readvar`
+
+### if PK, KEK or db is not empty
+1. Reboot and, in the BIOS, disable Secure Boot (SB) and remove every keys.
+2. Then if we assume the keys have the name mkkeys.sh gives them:
+    * Add the Platform Key (the authority key for the machine).
+```bash
+efi-updatevar -f PK.auth PK
+```
+    * Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes)
+```bash
+efi-updatevar -a -c KEK.crt -k PK.key KEK
+```
+    * Replace the current whitelist certificate
+````bash
+efi-updatevar -f -c DB.crt -k KEK.key db
+````
+(replace -f with -a to append another whitelist certificate instead of replacing the old one)
+
+### Troubleshooting
+Some general informations:
+1. As a general matter, with Secure Boot (SB) disabled and no key, every key should be addable.
+2. A Platform Key is needed for Secure Boot (SB) to be enabled.
+3. To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper level key).
+
+#### Common errors
+
+* Error: `Failed to update <var>: Operation not permitted`
+It happens when trying to delete or replace a key. It may be resolved by making it mutable:
+```bash
+lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
+```
+"----i--------------" before the key means it is set as immutable. To make it mutable:
+```bash
+chattr -i /sys/firmware/efi/efivars/<key>
+```
+Example:
+```bash
+chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+```
+Recommanded: make everything immutable after your operation. To do so, perform the same command with `+i` instead of `-i`. Same example:
+```bash
+chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
+```
+
+* Error: `Cannot write to db, wrong filesystem permissions`
+It may be resolved by providing the upper level private key (after the `-k` option of `efi-updatevar`). Note that it can happen even in root mode, as the keys are stored on a separate filesystem.