Hi all,
I'm switching from sample keys to user SIGNING_MODEL and according to meta-signing-key/README.md the vital definitions include:

SIGNING_MODEL := "user"
    Prohibit using the sample keys for signing the images.

UEFI_SB_KEYS_DIR := "<path>"
    Point to the location of user keys used for UEFI secure boot.

MOK_SB_KEYS_DIR := "<path>"
    Point to the location of user keys used for MOK secure boot. Note that
    MOK secure boot is on top of UEFI secure boot so creating the user keys
    for MOK secure boot only will still introduce the security risk in your
    product.

IMA_KEYS_DIR := "<path>"
    Point to the location of user keys used for IMA appraisal.

USER_KEY_SHOW_VERBOSE = "1"
    Optional. Used to enable the verbose output for debugging purpose.

As I'm not using the ima DISTRO_FEATURES yet, I'm also not setting IMA_KEYS_DIR, only UEFI_SB_KEYS_DIR and MOK_SB_KEYS_DIR. Now the issue I have run into is that I'm failing to enroll dbx during Automatic Certificate Provision; in addition, there is an unknown error during loading of LockDown.efi. So my question is: what am I missing? Do I need BOOT_KEYS_DIR as well? And what is it being used for?
I'm asking because I haven't found any description of it in the documentation. I've seen in the code of user-key-store.bbclass that LockDown.efi is signed by uks_boot_sign, which just calls boot_sign... I thought that BOOT_KEYS_DIR is just for the GRUB password, isn't it?

OK, I have found it, but it was well hidden. LockDown.efi provides all the UEFI SB materials and it is signed by this GPG key. Everything is now clear to me.