sbctl
Show the current Secure Boot related EFI variables
It would be very useful to be able to show the current value of all the Secure Boot EFI variables, and export/import them as .pem/.hex files.
Currently I'm using efi-readvar as:
apt-get install -y efitools
efi-readvar
Which outputs something like:
Variable PK, length 862
PK: List 0, type X509
Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
Subject:
CN=DO NOT TRUST - AMI Test PK
Issuer:
CN=DO NOT TRUST - AMI Test PK
Variable KEK, length 1560
KEK: List 0, type X509
Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Variable db, length 3143
db: List 0, type X509
Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
db: List 1, type X509
Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Variable dbx, length 3724
dbx: List 0, type SHA256
Signature 0, size 48, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
Hash:80b4d96931bf0d02fd91a61e19d14f1da452e66db2408ca8604d411f92659f0a
... OMITTED FOR BREVITY ...
Variable MokList has no entries
It can also save them to files and convert to known file formats:
efi-readvar -v PK -o PK.esl # Platform Key (PK).
efi-readvar -v KEK -o KEK.esl # Key Exchange Key (KEK).
efi-readvar -v db -o db.esl # Signature Database (DB); aka Allow list database.
efi-readvar -v dbx -o dbx.esl # Forbidden Signature Database (DBX); aka Deny list database.
# convert them to an openssl compatible .der or .hash files.
sig-list-to-certs PK.esl PK
sig-list-to-certs KEK.esl KEK
sig-list-to-certs db.esl db
sig-list-to-certs dbx.esl dbx
# show them.
find . -type f -name '*.der' -print | sort | xargs -I% bash -c 'echo;set -x;openssl x509 -noout -text -inform der -in %'
find . -type f -name '*.hash' -print | sort | xargs -I% bash -c 'echo;set -x;xxd -c 72 -p %'
What do you think?
I think this is partially going to be solved with go-uefi. I have implemented a POC efivars analyzer:
https://github.com/Foxboron/go-uefi/blob/master/cmd/efianalyze/main.go
Indeed, I'm liking it!
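As an added example (not part of this thread, and not code from sbctl or go-uefi), here is a small Python parser for the EFI_SIGNATURE_LIST chain that efi-readvar writes out as .esl and that sig-list-to-certs splits into .der/.hash files, together with a reader for efivarfs that drops the 4-byte attributes prefix those files carry. The sample data is constructed for the demo; its X509 entry body is a placeholder, not a real certificate.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI spec, and the vendor GUIDs used in efivarfs file names.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
VENDOR = {"PK": "8be4df61-93ca-11d2-aa0d-00e098032b8c", "KEK": "8be4df61-93ca-11d2-aa0d-00e098032b8c",
          "db": "d719b2cb-3d3a-4596-a3bc-dad00e67656f", "dbx": "d719b2cb-3d3a-4596-a3bc-dad00e67656f"}

def read_efivar(name):
    """Read PK/KEK/db/dbx from efivarfs; the first 4 bytes are the variable attributes, not data."""
    with open(f"/sys/firmware/efi/efivars/{name}-{VENDOR[name]}", "rb") as f:
        return f.read()[4:]

def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structures (the .esl layout efi-readvar writes)."""
    entries, off = [], 0
    while off < len(data):
        # Header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
        if off + 28 > len(data): raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16: raise ValueError(f"corrupt list at {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the cert DER or the hash
            entries.append({"type": TYPE_NAMES.get(sig_type, str(sig_type)), "size": sig_size,
                            "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                            "data": data[pos + 16:pos + sig_size]})
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, payloads):
    """Inverse of the parser: pack equal-length payloads into one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

# Constructed sample (not a real dbx/db dump): two SHA256 entries, then one X509 entry whose
# body is a placeholder rather than a real certificate, so the parser can be exercised offline.
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
SAMPLE = (build_signature_list(EFI_CERT_SHA256_GUID, MS_OWNER, [b"\xab" * 32, b"\xcd" * 32])
          + build_signature_list(EFI_CERT_X509_GUID, MS_OWNER, [b"\x30\x82" + b"\x00" * 40]))

if __name__ == "__main__":
    for i, e in enumerate(parse_signature_lists(SAMPLE)):
        extra = e["data"].hex() if e["type"] == "SHA256" else f"{len(e['data'])} DER bytes"
        print(f"Signature {i}, type {e['type']}, size {e['size']}, owner {e['owner']}, {extra}")
```

On a real machine, `parse_signature_lists(read_efivar("dbx"))` gives the same type/size/owner triples that efi-readvar prints above, and each X509 entry's `data` is the DER blob sig-list-to-certs would write as a .der file.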