
WIP: Add support for loading certificates from dbDefault

Open DHowett opened this pull request 3 years ago • 1 comment

⚠️ I'm submitting this as a work-in-progress right now. Things I'd like to do before I mark it ready for review:

  • [ ] Display a list of firmware-backed vendor certificates in sbctl status
  • [ ] find the right place for GetBuiltinCertificates; Package certs isn't necessarily the right place
  • [ ] more?

This pull request teaches sbctl enroll-keys to include keys indicated by the firmware as being part of the default Secure Boot configuration.

Entries are read from dbDefault, and ones that have the same Owner GUID as another entry in the vendor set (such as microsoft) are skipped. This should give the user better control over whose certificates are enrolled.

I've tested this by stubbing out writing and saving the sig-list to a file:

# ./sbctl enroll-keys -i -f -m
Enrolling keys to EFI variables...
With vendor keys from microsoft...
With vendor certificates built into the firmware...✓
Enrolled keys to the EFI variables!

# sig-list-to-certs TEST.db.unsigned db
X509 Header sls=1320, header=0, sig=1276
file db-0.der: Guid 8e2b961d-6ca9-47fe-b1cb-d92f278d85f3
Written 1276 bytes
X509 Header sls=1600, header=0, sig=1556
file db-1.der: Guid 77fa9abd-0359-4d32-bd60-28f4e78f784b
Written 1556 bytes
X509 Header sls=1543, header=0, sig=1499
file db-2.der: Guid 77fa9abd-0359-4d32-bd60-28f4e78f784b
Written 1499 bytes
X509 Header sls=739, header=0, sig=695
file db-3.der: Guid 55555555-5555-5555-5555-555555555555
Written 695 bytes

In my case, the machine's OEM certificates are owned by GUID 55555555-5555-5555-5555-555555555555.

DHowett · May 09 '22 16:05
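The skip rule the description above sets out (read dbDefault, drop every entry whose owner GUID already owns an entry in the vendor set) as an added Go example. It is not sbctl's code, and the function names are mine rather than sbctl's API. It parses raw EFI_SIGNATURE_LIST data as stored in db and dbDefault, prints owner GUIDs in the mixed-endian text form sig-list-to-certs shows above, and applies the filter to a constructed dbDefault whose three entries are owned by the GUIDs from the transcript; the certificate bodies are placeholder strings, not real DER.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

type GUID [16]byte // EFI_GUID in on-disk byte order: the first three fields are little-endian
var EfiCertX509GUID = GUID{0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72} // EFI_CERT_X509_GUID: list entries are DER certificates

// String renders the GUID the way sig-list-to-certs prints it in the transcript above.
func (g GUID) String() string {
	return fmt.Sprintf("%08x-%04x-%04x-%x-%x", binary.LittleEndian.Uint32(g[:4]), binary.LittleEndian.Uint16(g[4:6]), binary.LittleEndian.Uint16(g[6:8]), g[8:10], g[10:])
}

// ParseGUID is the inverse of String.
func ParseGUID(s string) (GUID, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	if err != nil || len(raw) != 16 {
		return GUID{}, fmt.Errorf("bad GUID %q", s)
	}
	g := GUID{raw[3], raw[2], raw[1], raw[0], raw[5], raw[4], raw[7], raw[6]} // byte-swap the first three fields
	copy(g[8:], raw[8:])
	return g, nil
}

// Signature is one EFI_SIGNATURE_DATA entry plus its list's SignatureType; Data is the DER certificate for X.509 lists.
type Signature struct {
	Type, Owner GUID
	Data        []byte
}

// ParseSignatureLists walks concatenated EFI_SIGNATURE_LIST structures (the raw contents of db or dbDefault).
func ParseSignatureLists(buf []byte) ([]Signature, error) {
	var out []Signature
	for len(buf) > 0 {
		if len(buf) < 28 {
			return nil, fmt.Errorf("truncated EFI_SIGNATURE_LIST header")
		}
		typ := *(*GUID)(buf[:16])
		listSize := binary.LittleEndian.Uint32(buf[16:20])
		hdrSize := binary.LittleEndian.Uint32(buf[20:24])
		sigSize := binary.LittleEndian.Uint32(buf[24:28])
		// The sizes come from the variable itself: bound-check them before slicing so a malformed list fails, not panics.
		if listSize < 28 || uint64(listSize) > uint64(len(buf)) || sigSize < 16 ||
			hdrSize > listSize-28 || (listSize-28-hdrSize)%sigSize != 0 {
			return nil, fmt.Errorf("bad EFI_SIGNATURE_LIST sizes: list=%d hdr=%d sig=%d", listSize, hdrSize, sigSize)
		}
		for sigs := buf[28+hdrSize : listSize]; len(sigs) > 0; sigs = sigs[sigSize:] {
			out = append(out, Signature{typ, *(*GUID)(sigs[:16]), append([]byte(nil), sigs[16:sigSize]...)})
		}
		buf = buf[listSize:]
	}
	return out, nil
}

// NewOwnersOnly keeps the dbDefault entries whose owner GUID owns nothing in the vendor set: the PR's skip rule.
func NewOwnersOnly(dbDefault, vendor []Signature) (keep []Signature) {
	owned := map[GUID]bool{}
	for _, s := range vendor {
		owned[s.Owner] = true
	}
	for _, s := range dbDefault {
		if !owned[s.Owner] {
			keep = append(keep, s)
		}
	}
	return keep
}

// EncodeX509List wraps one DER blob in its own EFI_SIGNATURE_LIST, one list per certificate as in the transcript.
func EncodeX509List(owner GUID, der []byte) []byte {
	sigSize := uint32(16 + len(der))
	b := append([]byte{}, EfiCertX509GUID[:]...)
	for _, v := range []uint32{28 + sigSize, 0, sigSize} { // SignatureListSize, SignatureHeaderSize, SignatureSize
		b = binary.LittleEndian.AppendUint32(b, v)
	}
	return append(append(b, owner[:]...), der...)
}

// SelectedOwners builds a constructed dbDefault (three X.509 entries with placeholder bytes, not real certificates,
// owned by the GUIDs from the transcript) and a vendor set owned by the Microsoft GUID, and returns the owners kept.
func SelectedOwners() (picked []string, err error) {
	ms, _ := ParseGUID("77fa9abd-0359-4d32-bd60-28f4e78f784b") // owner of the Microsoft certificates sbctl bundles
	var dbDefault []byte
	for i, s := range []string{"8e2b961d-6ca9-47fe-b1cb-d92f278d85f3", ms.String(), "55555555-5555-5555-5555-555555555555"} {
		g, _ := ParseGUID(s) // literals above, so parsing cannot fail
		dbDefault = append(dbDefault, EncodeX509List(g, []byte(fmt.Sprintf("constructed-der-%d", i)))...)
	}
	entries, err := ParseSignatureLists(dbDefault)
	for _, s := range NewOwnersOnly(entries, []Signature{{EfiCertX509GUID, ms, []byte("constructed-microsoft-der")}}) {
		picked = append(picked, s.Owner.String())
	}
	return picked, err
}

func main() { fmt.Println(SelectedOwners()) }
```

The sizes in the transcript line up with the layout the parser expects: a 28-byte list header, a 16-byte SignatureOwner and then the DER certificate, so sls=1320 for db-0.der is 28 + 16 + 1276. Two caveats when relying on this filter: SignatureOwner is a plain field written by whoever created the entry and is not cryptographically tied to the certificate, so matching on it de-duplicates by claimed owner rather than verifying anything; and db/dbDefault may also carry non-X.509 lists (hash entries), which is why the example keeps SignatureType on each entry so a caller can restrict itself to EFI_CERT_X509_GUID before treating Data as a certificate.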

Generally I think this change and approach is fine. I need to figure out how this should interact with the general OpROM warning, but I can do that in a separate change.

I think we want a good way to display enrolled certificates in sbctl status so it's up to you if you want to take a stab at implementing something to show firmware enrolled certs or not. I'd be fine with merging this without that change.

The only thing missing is a manpage entry I believe.

Foxboron · May 16 '22 19:05

@DHowett

Yo,

I've taken a stab at implementing this with https://github.com/Foxboron/sbctl/pull/222. It uses your outline but extends the option to allow picking from dbDefault, KEKDefault and PKDefault.

I'll close this in favour of the other PR :) Feel free to give some feedback when you can.

Foxboron · Jun 16 '23 16:06

OH this is so great! Thanks for carrying this over the finish line, and I'm sorry I left it to languish. 😄

DHowett · Jun 17 '23 01:06