Morten Linderud
Ah, it's the checksum of the oprom itself! UEFI spec 2.8 errata A, February 2020. Page 1727, Table 227. "Authorization process flow", 2 A. But then I need to figure...
If we can get by with just reading the eventlog for oprom and stuffing the checksum into `db` it would make things a lot simpler. It would be interesting if...
Right, it measures the OpROM with Microsoft Authenticode. Hmm. I need to check if we can use the authenticode checksum in `db` + `dbx`. See 2.3.3.1, Measuring PE/COFF Image Files...
It's funny because I was discussing the same code on IRC just now :) I intend to try to mess a little bit with enrolling some authenticode checksums into my laptops...
However, I think this issue has strayed a bit from the original request of MOK/shim support. I'll make a new issue detailing potential approaches for dealing with the Microsoft CA...
@osresearch Trivia: How many different ways do you need to have for properly checksumming PE/COFF binaries under UEFI/Secure Boot? 2! It turns out that when embedding the PE/COFF checksum into...
I wonder if this makes the measurements in the TPM eventlog useless actually. If they are aligned we can't use them in the db variable.....
If you add signatures to the file then `sbsigntools` gives you the correct checksum, while `pesign` still fails. ``` # Add two signatures to the example file λ go-uefi master»...
I have gotten eventlogs from the Lenovo T14 and T14s :) They load 7 and 11 OpROMs during boot respectively. https://pub.linderud.dev/secureboot/eventlogs/
Seems like someone on reddit got this to work using the TPM eventlog. https://www.reddit.com/r/linuxquestions/comments/pi1daj/secure_boot_how_to_extract_nvidia_uefi_boot/hbq49ft/?context=3