<ulink url="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/secure_boot_chain_in_uefi/uefi_secure_boot">
EDK2 documentation</ulink>.</para>
- <para>A complete set of UEFI variable includes <filename>db.esl</filename>, <filename>KEK.esl</filename>
- and <filename>PK.esl</filename>. Note that these files need to be authenticated UEFI variables. See
+ <para>A complete set of UEFI variable includes <filename>db.auth</filename>, <filename>KEK.auth</filename>
+ and <filename>PK.auth</filename>. Note that these files need to be authenticated UEFI variables. See
below for an example of how to generate them from regular X.509 keys.</para>
<programlisting>uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
- cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.tmp"
+ cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
done
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.tmp PK.esl
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.tmp KEK.esl
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.tmp db.esl
+for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
+ curl "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
+ sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
+done
+
+# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
+cat MicWinProPCA2011_2011-10-19.esl >> db.esl
+
+# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
+# and third-party boot loaders (including shim). This is highly recommended on real
+# hardware as not including this may soft-brick your device (see next paragraph).
+cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
+
+# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
+# Microsoft keys is used as the official UEFI revocation database is signed with this
+# key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
+cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
+
+sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
+sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
+sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the
similar, to extend the native firmware support.</para>
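Review bot: the three Microsoft certificates fetched in the `for key in MicWinProPCA2011_2011-10-19.crt ...` loop are appended to db and KEK without any check on what curl actually returned, and everything in db is trusted to boot; the example should compare each downloaded file's fingerprint with the value Microsoft publishes (for instance `openssl x509 -inform DER -in "${key}" -noout -fingerprint -sha256`) before running `sbsiglist`, or at least tell the reader to do so. The snippet also now depends on two tool sets, efitools (`cert-to-efi-sig-list`, `sign-efi-sig-list`) and sbsigntools (`sbsiglist`); running `cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b` on a PEM copy of each certificate would keep a single dependency. Smaller points: the comment above the UEFI CA line has an unclosed parenthesis ("(for firmware drivers / option ROMs and third-party boot loaders (including shim)."), the loop variable `key` holds certificate file names rather than keys, and "A complete set of UEFI variable includes" in the first paragraph should read "variables".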
<para>Enrollment of Secure Boot variables can be performed manually or automatically if files are available
- under <filename>/keys/<replaceable>NAME</replaceable>/{db,KEK,PK}.esl</filename>, <replaceable>NAME</replaceable>
+ under <filename>/keys/<replaceable>NAME</replaceable>/{db,KEK,PK}.auth</filename>, <replaceable>NAME</replaceable>
being the display name for the set of variables in the menu. If one of the sets is named <filename>auto</filename>
then it might be enrolled automatically depending on whether <literal>secure-boot-enroll</literal> is set
to force or not.</para>
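Review bot: `force` in "set to force or not" is an option value and should be marked up as `<literal>force</literal>`, matching `<literal>secure-boot-enroll</literal>` in the same sentence; and "might be enrolled automatically depending on whether ... is set to force or not" leaves the non-force behaviour unstated, so say what happens in that case. It would also help to state here that the `.auth` files under `/keys/NAME/` must be signed in the chain shown in the listing (PK.auth and KEK.auth with the PK key, db.auth with the KEK key), since the firmware checks those signatures once it is no longer in setup mode.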
char *buffer;
size_t size;
} sb_vars[] = {
- { u"db", u"db.esl", EFI_IMAGE_SECURITY_DATABASE_VARIABLE, NULL, 0 },
- { u"KEK", u"KEK.esl", EFI_GLOBAL_VARIABLE, NULL, 0 },
- { u"PK", u"PK.esl", EFI_GLOBAL_VARIABLE, NULL, 0 },
+ { u"db", u"db.auth", EFI_IMAGE_SECURITY_DATABASE_VARIABLE, NULL, 0 },
+ { u"KEK", u"KEK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
+ { u"PK", u"PK.auth", EFI_GLOBAL_VARIABLE, NULL, 0 },
};
/* Make sure all keys files exist before we start enrolling them by loading them from the disk first. */
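Review bot: the order of the `sb_vars` entries (db, KEK, PK) is significant and deserves a comment on the array: PK has to be written last because enrolling it takes the firmware out of setup mode, after which KEK and db writes are only accepted with valid signatures, so a later edit must not reorder the entries. Minor: "all keys files exist" in the comment below should read "all key files exist", and since the entries now name signed `.auth` payloads rather than raw `.esl` lists, the field comment could say that these are authenticated variable blobs.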