Closed rrueger closed 2 years ago
It stores plain-text keys and certificates on your filesystem. The point about "TPM support" is to have keys be stored and made on the TPM so they can never really be extracted beyond the machine you are using.
sbsign supports the TPM and SmartCards by using the PKCS11 interface. sbctl doesn't support any of this currently.
Okay. Cool
Presumably, the secret keys are stored in the root filesystem (at /usr/share/secureboot, which is expected to be encrypted at rest with LUKS etc.) and the public keys are stored in the efi storage (in "efi variables" in the NVRAM?) so that the booting firmware can verify that the .efi files are correctly signed?
Yep, that is correct :)
The EFI_SIGNATURE_LIST at /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f contains either valid x509 certificates or a list of sha256 checksums to validate images.
Thank you!
I can't find EFI_SIGNATURE_LIST in /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f though. cat-ing the file or grep-ping for EFI_SIGNATURE_LIST results in gibberish.
$ efivar -l | grep dad00e67656f
d719b2cb-3d3a-4596-a3bc-dad00e67656f-db
Then
$ efivar
GUID: d719b2cb-3d3a-4596-a3bc-dad00e67656f
Name: "db"
Attributes:
Non-Volatile
Boot Service Access
Runtime Service Access
Time-Based Authenticated Write Access
Value:
00000000 a1 59 c0 a5 e4 94 a7 4a 87 b5 ab 15 5c 2b f0 72 |.Y.....J....\+.r|
00000010 28 05 00 00 00 00 00 00 0c 05 00 00 31 87 93 b4 |(...........1...|
but doesn't show EFI_SIGNATURE_LIST (the literal).
Is the d719b2cb-3d3a-4596-a3bc-dad00e67656f string a randomly generated UUID for setting the sbctl efivars? I see it is hardcoded in the source.
EFI_SIGNATURE_LIST is a binary data structure defined in the UEFI specification.
The GUID is pre-defined from the UEFI specification and a "vendor GUID" which is reserved for these variables.
https://uefi.org/sites/default/files/resources/UEFI_Spec_2_8_C_Jan_2021.pdf
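Since EFI_SIGNATURE_LIST is a binary layout rather than a literal string, the following Python is an added example (not sbctl's code, and not from the thread) that decodes it: a db/dbx variable is a concatenation of lists, each starting with a SignatureType GUID, SignatureListSize, SignatureHeaderSize and SignatureSize, followed by EFI_SIGNATURE_DATA entries (a SignatureOwner GUID plus a DER certificate or a SHA-256 digest). The files under /sys/firmware/efi/efivars/ additionally begin with a 4-byte attribute word, which is why cat and grep on them show nothing readable. The first 32 bytes of the efivar dump quoted earlier in the thread are reused as one input (the leading bytes a1 59 c0 a5 ... are EFI_CERT_X509_GUID in little-endian form; 0x528 and 0x50c are the list and signature sizes). The full sample db, its owner GUID and the certificate blob are constructed placeholders, not real Secure Boot data.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGTYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType GUID + three little-endian UINT32s
# (SignatureListSize, SignatureHeaderSize, SignatureSize).
HEADER_SIZE = 16 + 12

# Variable attribute bits, named as efivar prints them.
ATTRIBUTE_NAMES = {
    0x01: "Non-Volatile",
    0x02: "Boot Service Access",
    0x04: "Runtime Service Access",
    0x20: "Time-Based Authenticated Write Access",
}


def parse_list_header(data, offset=0):
    """Return (signature_type, list_size, header_size, signature_size)."""
    if len(data) - offset < HEADER_SIZE:
        raise ValueError("truncated EFI_SIGNATURE_LIST header")
    sig_type = uuid.UUID(bytes_le=bytes(data[offset:offset + 16]))
    list_size, hdr_size, sig_size = struct.unpack_from("<III", data, offset + 16)
    return sig_type, list_size, hdr_size, sig_size


def parse_signature_lists(data):
    """Parse concatenated EFI_SIGNATURE_LIST structures (the body of db/dbx).

    Every size field is validated before use, so a malformed or truncated
    variable raises instead of being mis-parsed."""
    entries = []
    offset = 0
    while offset < len(data):
        sig_type, list_size, hdr_size, sig_size = parse_list_header(data, offset)
        if list_size < HEADER_SIZE + hdr_size or offset + list_size > len(data):
            raise ValueError("SignatureListSize out of range at offset %d" % offset)
        if sig_size <= 16:
            raise ValueError("SignatureSize too small at offset %d" % offset)
        body_start = offset + HEADER_SIZE + hdr_size
        body_end = offset + list_size
        if (body_end - body_start) % sig_size != 0:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            entries.append({
                "type": SIGTYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": uuid.UUID(bytes_le=bytes(data[pos:pos + 16])),
                "data": bytes(data[pos + 16:pos + sig_size]),
            })
        offset += list_size
    return entries


def parse_efivarfs_file(raw):
    """Split an efivarfs file (4-byte attribute word + data) into
    (attribute names, signature entries)."""
    attrs = struct.unpack_from("<I", raw, 0)[0]
    names = [name for bit, name in ATTRIBUTE_NAMES.items() if attrs & bit]
    return names, parse_signature_lists(raw[4:])


def build_signature_list(sig_type, owner, signatures):
    """Encode one EFI_SIGNATURE_LIST; used here only to build sample data."""
    sig_size = 16 + len(signatures[0])
    if any(len(s) + 16 != sig_size for s in signatures):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    header = sig_type.bytes_le + struct.pack("<III", HEADER_SIZE + len(body), 0, sig_size)
    return header + body


# Constructed sample db: two SHA-256 image hashes plus a placeholder certificate,
# prefixed with the attribute word seen in the thread's efivar output
# (NV | BS | RT | time-based authenticated write = 0x27). Not a real db.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder
SAMPLE_HASHES = [hashlib.sha256(b"constructed image A").digest(),
                 hashlib.sha256(b"constructed image B").digest()]
SAMPLE_CERT = b"<placeholder DER certificate, not a real X.509 blob>"
SAMPLE_EFIVARFS_DB = (
    struct.pack("<I", 0x27)
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES)
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
)


def sample_db_is_allowed(image_bytes):
    """Match a digest against the sample db's sha256 entries. Simplified:
    real firmware hashes the PE image in Authenticode form, not the raw file."""
    _, entries = parse_efivarfs_file(SAMPLE_EFIVARFS_DB)
    digest = hashlib.sha256(image_bytes).digest()
    return any(e["type"] == "sha256" and e["data"] == digest for e in entries)


if __name__ == "__main__":
    attrs, entries = parse_efivarfs_file(SAMPLE_EFIVARFS_DB)
    print("attributes:", ", ".join(attrs))
    for e in entries:
        print(e["type"], e["owner"], e["data"][:8].hex(), "...")
```

To decode the real variable, read /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f in binary mode and pass the bytes to parse_efivarfs_file; the x509 entries' data fields are plain DER certificates that openssl x509 -inform DER can print.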
Okay, thank you. Thank you for being so informative!
The roadmap to 1.0 states as one of its goals "TPM support", which seems to imply that sbctl doesn't utilise the TPM at the moment. How does this work? What is enroll-keys doing in that case? Do other tools like sbsign, preLoader or shim use the TPM? I seem to be missing the keywords to search online to get meaningful results.
Notably, Rod Smith's articles (which appear to be the standard reference) on Bootloaders also don't appear to mention TPMs anywhere.
Thanks for clarifying!