Configuring UEFI variables
Boards that embed the UEFI keys in the U-Boot binary (see Secure boot limitations) won't allow you to change the EFI security related variables (PK, KEK, db and dbx).
That category of boards comes with a predefined set of keys. For more details look at Building with your own certificates.
Enabling Secure Boot
Secure Boot is enabled and disabled automatically based on the existence of a Platform Key (PK). Enrolling one enables UEFI Secure Boot, after which all EFI binaries must be signed.
For more details look at [UEFI] (§ 32.3.1 Enrolling The Platform Key)
Create certificates and keys
Copy and run the script below. The .auth files you need can be found in the efi_keys/ directory and the private keys and certificates in priv_keys/.
Note
This script is provided as a sample. Always back up your SSL certificates directory!
#!/bin/bash
# sudo apt install efitools openssl uuid-runtime
set -e
CN='mytestCA'
OUT_DIR=priv_keys/
OUT_EFI_DIR=efi_keys/
mkdir -p "$OUT_DIR"
mkdir -p "$OUT_EFI_DIR"

# One owner GUID is generated per key set and stored so it can be reused.
if [ ! -e "$OUT_DIR/GUID.txt" ]; then
    GUID=$(uuidgen)
    echo "$GUID" > "$OUT_DIR/GUID.txt"
else
    echo "Please remove '$OUT_DIR/GUID.txt' to regenerate certs"
    echo "This will overwrite your private keys!"
    exit 1
fi

for cert in PK KEK db dbx; do
    # SSL certs: self-signed, 10 years, key left unencrypted (-nodes)
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$CN $cert/" -keyout \
        "$OUT_DIR/$cert.key" -out "$OUT_DIR/$cert.crt" -days 3650 -nodes -sha256
    # EFI signature list certs
    # .esl certs can be concatenated if we want to support multiple signers
    cert-to-efi-sig-list -g "$GUID" "$OUT_DIR/$cert.crt" "$OUT_EFI_DIR/$cert.esl"
done

# Empty PK to reset secure boot: a PK-signed update with no payload deletes the PK
rm -f "$OUT_EFI_DIR/noPK.esl"
touch "$OUT_EFI_DIR/noPK.esl"
sign-efi-sig-list -c "$OUT_DIR/PK.crt" -k "$OUT_DIR/PK.key" PK "$OUT_EFI_DIR/noPK.esl" "$OUT_EFI_DIR/noPK.auth"
# PK and KEK updates are signed with the PK; db and dbx updates are signed with the KEK
sign-efi-sig-list -c "$OUT_DIR/PK.crt" -k "$OUT_DIR/PK.key" PK "$OUT_EFI_DIR/PK.esl" "$OUT_EFI_DIR/PK.auth"
sign-efi-sig-list -c "$OUT_DIR/PK.crt" -k "$OUT_DIR/PK.key" KEK "$OUT_EFI_DIR/KEK.esl" "$OUT_EFI_DIR/KEK.auth"
sign-efi-sig-list -c "$OUT_DIR/KEK.crt" -k "$OUT_DIR/KEK.key" db "$OUT_EFI_DIR/db.esl" "$OUT_EFI_DIR/db.auth"
sign-efi-sig-list -c "$OUT_DIR/KEK.crt" -k "$OUT_DIR/KEK.key" dbx "$OUT_EFI_DIR/dbx.esl" "$OUT_EFI_DIR/dbx.auth"
chmod 0600 "$OUT_DIR"/*.key
Enable Secure Boot
The commands below assume the .auth files are stored on the first partition of a USB stick.
load usb 0:1 90000000 PK.auth && setenv -e -nv -bs -rt -at -i 90000000:$filesize PK
load usb 0:1 90000000 KEK.auth && setenv -e -nv -bs -rt -at -i 90000000:$filesize KEK
load usb 0:1 90000000 db.auth && setenv -e -nv -bs -rt -at -i 90000000:$filesize db
load usb 0:1 90000000 dbx.auth && setenv -e -nv -bs -rt -at -i 90000000:$filesize dbx
Disable Secure Boot
The commands below assume the .auth files are stored on the first partition of a USB stick.
load usb 0:1 90000000 noPK.auth && setenv -e -nv -bs -rt -at -i 90000000:$filesize PK
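To check what the firmware will actually receive from the script's output, it helps to look inside the two file formats involved: the .esl files produced by cert-to-efi-sig-list (one or more EFI_SIGNATURE_LIST structures, which is why they can be concatenated) and the .auth files produced by sign-efi-sig-list (an EFI_VARIABLE_AUTHENTICATION_2 header, i.e. an EFI_TIME timestamp plus a WIN_CERTIFICATE_UEFI_GUID carrying the PKCS7 signature, followed by the payload that becomes the variable's value). The following is an added example, not part of the U-Boot documentation or of efitools. The structure layouts and GUIDs come from the UEFI specification; the owner GUID, certificate bytes, hashes and PKCS7 bytes are constructed placeholders, not real key material, and the noPK case shows the empty payload that deletes the PK.

```python
"""Inspect .esl (EFI_SIGNATURE_LIST) and .auth (EFI_VARIABLE_AUTHENTICATION_2) blobs.
Added example built from the UEFI specification's structure layouts; all sample
payloads below are constructed and are not real certificates, hashes or signatures."""
import struct
import uuid

# GUIDs and constants defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_ESL_HDR = struct.Struct("<16sIII")
# EFI_TIME (16 bytes) + WIN_CERTIFICATE (dwLength, wRevision, wCertificateType) + CertType GUID
_AUTH_HDR = struct.Struct("<16sIHH16s")


def build_esl(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST; every SignatureData in a list has the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("every signature in a list must have the same size")
    sig_size = 16 + sizes.pop()           # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + p for p in payloads)   # EFI GUIDs are mixed-endian
    return _ESL_HDR.pack(sig_type.bytes_le, _ESL_HDR.size + len(body), 0, sig_size) + body


def parse_esl(blob):
    """Parse zero or more concatenated EFI_SIGNATURE_LISTs, validating every size field."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} overruns the data")
        data_len = list_size - _ESL_HDR.size - hdr_size
        if sig_size <= 16 or data_len % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile the list at offset {off}")
        pos = off + _ESL_HDR.size + hdr_size
        entries = []
        for _ in range(data_len // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        lists.append((uuid.UUID(bytes_le=type_raw), entries))
        off += list_size
    return lists


def split_auth(blob):
    """Split an EFI_VARIABLE_AUTHENTICATION_2 blob into (efi_time, pkcs7, payload).
    The payload is what the variable will hold; for noPK.auth it is empty."""
    if len(blob) < _AUTH_HDR.size:
        raise ValueError("blob shorter than the authentication header")
    efi_time, dw_length, revision, cert_type, guid_raw = _AUTH_HDR.unpack_from(blob)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=guid_raw) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("unexpected CertType (expected PKCS7)")
    # dwLength covers the 24-byte WIN_CERTIFICATE_UEFI_GUID header plus the PKCS7 blob.
    if dw_length < 24 or 16 + dw_length > len(blob):
        raise ValueError(f"dwLength {dw_length} overruns the data")
    return efi_time, blob[_AUTH_HDR.size:16 + dw_length], blob[16 + dw_length:]


def build_auth(efi_time, pkcs7, payload):
    """Assemble an authentication blob from already-produced parts (constructed data here)."""
    hdr = _AUTH_HDR.pack(efi_time, 24 + len(pkcs7), WIN_CERT_REVISION,
                         WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return hdr + pkcs7 + payload


def demo():
    """Round-trip constructed db-style and noPK-style blobs and report what a parser sees."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed, stands in for GUID.txt
    fake_cert = b"\x30\x82" + b"\xaa" * 30                        # constructed, not real DER
    fake_hash = bytes(range(32))                                  # constructed, not a real digest
    db_esl = (build_esl(EFI_CERT_X509_GUID, owner, [fake_cert])
              + build_esl(EFI_CERT_SHA256_GUID, owner, [fake_hash, fake_hash[::-1]]))
    ts = struct.pack("<HBBBBBBIhBB", 2024, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0)  # constructed EFI_TIME
    fake_pkcs7 = b"\x30\x80" + b"\x00" * 14                             # constructed placeholder
    _, _, db_payload = split_auth(build_auth(ts, fake_pkcs7, db_esl))
    _, _, nopk_payload = split_auth(build_auth(ts, fake_pkcs7, b""))
    return {
        "db_lists": [(t, len(e)) for t, e in parse_esl(db_payload)],
        "nopk_lists": parse_esl(nopk_payload),   # empty: this update deletes the PK
    }


if __name__ == "__main__":
    print(demo())
```

The size checks in parse_esl and split_auth are the ones worth keeping in any tool that inspects enrollment files: a SignatureSize that does not tile the list, or a dwLength that overruns the file, means the blob is truncated or corrupt and firmware will reject the setenv -e ... -at write. Note that this only parses the containers; validating the PKCS7 signature itself is the firmware's job at enrollment time.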