
Enrolling / exporting / importing signatures. #13

Open
ericonr opened this issue Jun 29, 2020 · 1 comment

Comments

@ericonr
Contributor

ericonr commented Jun 29, 2020

In this section of the README, we could link to some article / wiki page / something for instructions on how to put the device in Setup Mode, or just explain it ourselves. According to https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance , it should require only resetting all current Secure Boot configuration on the device.

```
$ sbctl status
==> WARNING: Setup Mode: Enabled
==> WARNING: Secure Boot: Disabled

$ sbctl create-keys
==> Creating secure boot keys...
  -> Using UUID d6e9af79-c6b5-4b43-b893-dbb7e6570142...
==> Signing /usr/share/secureboot/keys/PK/PK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/KEK/KEK.der.esl with /usr/share/secureboot/keys/PK/PK.key...
==> Signing /usr/share/secureboot/keys/db/db.der.esl with /usr/share/secureboot/keys/KEK/KEK.key...

$ sbctl enroll-keys
==> Syncing /usr/share/secureboot/keys to EFI variables...
==> Synced keys!
```

However, in my case, since I was already in the UEFI menu, I imported the keys manually, from the .auth files. Perhaps it could make sense to have a command to export keys (and then, only the necessary .auth/.esl/.cer files) into a folder for use with either the device's UEFI firmware or KeyTool.

Finally, what do you think of moving keys across devices? Should it be a supported thing, or should users just manually copy the /usr/share/secureboot folder?
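As an added illustration for this thread (not sbctl's code, and not written by either commenter): the `sbctl status` check above reads the `SetupMode` and `SecureBoot` EFI variables, and the `.esl` files an export command would hand to the firmware or KeyTool are `EFI_SIGNATURE_LIST` structures. The Python below decodes those two variables the way efivarfs exposes them, and builds and parses signature lists so a user can see exactly which owner GUID and which certificate or hash entries a `.esl` carries before enrolling it. The GUID constants come from the UEFI specification; the owner GUID and certificate bytes are constructed placeholders.

```python
"""Inspect Secure Boot state and EFI Signature Lists (.esl) before enrolling them.

Added example for this issue thread; it is not sbctl's code. The efivars layout
and the EFI_SIGNATURE_LIST structure follow the UEFI specification; the owner
GUID and certificate bytes below are constructed placeholders.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs defined by the UEFI specification.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

EFIVARS = Path("/sys/firmware/efi/efivars")
ESL_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER_LEN = 16 + ESL_HEADER.size  # SignatureType GUID + the three u32 fields

# Constructed sample data (placeholders, not real keys).
DEMO_OWNER = uuid.UUID("11111111-2222-4333-8444-555555555555")
DEMO_CERT = b"\x30\x82\x01\x00" + bytes(256)  # stand-in for a DER certificate


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs prefixes each variable with a 4-byte little-endian attribute word."""
    if len(raw) < 4:
        raise ValueError("efivar payload too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def boot_state(setup_mode_raw: bytes, secure_boot_raw: bytes) -> dict:
    """Decode the one-byte SetupMode and SecureBoot variables (what `sbctl status` reports)."""
    _, sm = parse_efivar(setup_mode_raw)
    _, sb = parse_efivar(secure_boot_raw)
    if not sm or not sb:
        raise ValueError("empty SetupMode/SecureBoot variable")
    return {"setup_mode": sm[0] == 1, "secure_boot": sb[0] == 1}


def read_boot_state() -> dict:
    """Read the live variables on a UEFI Linux host with efivarfs mounted."""
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
    return boot_state(sm, sb)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; each entry is SignatureOwner GUID + SignatureData."""
    if not entries:
        raise ValueError("a signature list needs at least one entry")
    sig_size = 16 + len(entries[0])
    if any(16 + len(e) != sig_size for e in entries):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    header = sig_type.bytes_le + ESL_HEADER.pack(ESL_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def parse_esl(blob: bytes) -> list[dict]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs, validating sizes, and return each entry."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off + 16)
        end = off + list_size
        if sig_size <= 16 or end > len(blob) or list_size < ESL_HEADER_LEN + hdr_size:
            raise ValueError("inconsistent signature list sizes")
        pos = off + ESL_HEADER_LEN + hdr_size
        if (end - pos) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        while pos < end:
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                "data": blob[pos + 16:pos + sig_size],
            })
            pos += sig_size
        off = end
    return entries


def summarize(blob: bytes) -> list[str]:
    """One line per entry: type, owner GUID and a SHA-256 fingerprint of the payload."""
    return [f"{e['type']} owner={e['owner']} sha256={hashlib.sha256(e['data']).hexdigest()[:16]}"
            for e in parse_esl(blob)]


def demo_lists() -> bytes:
    """A db-style blob: one x509 list followed by one list of two SHA-256 hashes (constructed)."""
    hashes = [hashlib.sha256(b"binary-a").digest(), hashlib.sha256(b"binary-b").digest()]
    return (build_esl(EFI_CERT_X509_GUID, DEMO_OWNER, [DEMO_CERT])
            + build_esl(EFI_CERT_SHA256_GUID, DEMO_OWNER, hashes))


if __name__ == "__main__":
    for line in summarize(demo_lists()):
        print(line)
    try:
        print(read_boot_state())
    except OSError:
        print("efivarfs not available on this host")
```

Run it on a UEFI Linux machine and `read_boot_state()` returns the same two flags `sbctl status` prints; point `summarize()` at a real `db.der.esl` from `/usr/share/secureboot/keys` to list what would be enrolled. The size checks in `parse_esl()` matter: firmware rejects malformed lists, so validating them before an export avoids a confusing failure at the UEFI menu.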

@Foxboron
Owner

It should be possible to enroll a signed empty file, signed by PK and get us into setup mode. I have tried writing code for this with goefi but haven't been able to reproduce this functionality inside qemu with tianocore.

Some export functionality makes sense, as the actual files would probably disappear, and created on-demand, when we move from sbsigntools to goefi.

> Finally, what do you think of moving keys across devices? Should it be a supported thing, or should users just manually copy the /usr/share/secureboot folder?

Not sure. If we want better secured keys, say we add yubikey support, I wonder if it's better to have sbctl.conf and allow people to point at keystores at will. Then sbctl can just do its due diligence and ensure we know we have the enrolled keys in the keystore.
