rhboot / shim

UEFI shim loader

Support loading additional certificates #446

Closed esnowberg closed 2 years ago

esnowberg commented 2 years ago

Please see the following as an RFC pull request for loading additional certificates from a signed EFI binary.

This work was originally done by @mjg59, I have ported parts of his code to 15.5 and refactored other pieces. https://github.com/rhboot/shim/pull/204

All testing was done using certmule (https://github.com/rhboot/certmule).

esnowberg commented 2 years ago

@mjg59, since Signed-off-by tags are now required, could I include yours for the second patch?

mjg59 commented 2 years ago

Yes, please feel free to add:

Signed-off-by: Matthew Garrett <mgarrett@aurora.tech>

esnowberg commented 2 years ago

Thanks @mjg59

esnowberg commented 2 years ago

Steps to test this change:

Clone certmule

$ git clone https://github.com/rhboot/certmule.git
$ cd certmule

Generate a Public and Private X.509 Key Pair

$ cat << EOF > key_gen.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = Generic Key
emailAddress = john.doe@oracle.com
[ myexts ]
basicConstraints=critical,CA:TRUE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

$ openssl req -new -nodes -utf8 -sha512 -days 36500 -config key_gen.config -batch -x509 \
    -outform DER -out signing_key.x509 -keyout signing_key.priv

$ openssl x509 -in signing_key.x509 -inform der -out signing_key.pem -outform pem

$ cert-to-efi-sig-list signing_key.pem db.esl

Build certmule with the db.esl

$ make all

Create a MOK key to sign the shim_certificate

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=certmule key/"

$ openssl x509 -in MOK.crt -out MOK.cer -outform DER

$ openssl pkcs12 -export -out MOK.p12 -inkey MOK.key -in MOK.crt

$ pk12util -i MOK.p12 -d /etc/pki/pesign

Enroll the Public Key on the Target System

$ mokutil --import MOK.cer

Reboot and enroll the new MOK key through MokManager. Now sign the shim certificate with the key just enrolled in MOK:

$ pesign -i certmule.efi -o ./shim_certificate.efi -c "certmule key" -s

Move the shim certificate into the ESP next to your shim.

$ cp shim_certificate.efi /boot/efi/EFI/redhat

Now reboot and the contents of the shim certificate will be loaded into the MokList.
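As an added example (not part of this PR or of certmule), the following Python parser checks the structure of the EFI_SIGNATURE_LIST in the db.esl built above, so the certificate that certmule hands to shim for the MokList can be inspected before the signed binary goes into the ESP. `build_esl` is a constructed helper for testing the parser, not a certmule tool, and the DER check is limited to the leading SEQUENCE tag.

```python
import struct
import uuid

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, GUID in UEFI mixed-endian form).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_HDR = struct.Struct("<16sIII")


def parse_esl(blob: bytes) -> list:
    """Walk every EFI_SIGNATURE_LIST in blob and return one dict per signature entry.

    Raises ValueError on any structural inconsistency instead of guessing, since a
    malformed list is exactly what should not reach the MokList.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} exceeds data")
        body = list_size - _HDR.size - hdr_size
        if sig_size <= 16 or body % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile a {body}-byte list body")
        guid = uuid.UUID(bytes_le=sig_type)
        pos = off + _HDR.size + hdr_size
        for _ in range(body // sig_size):
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the data.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            if guid == EFI_CERT_X509_GUID and data[:1] != b"\x30":
                raise ValueError("X509 entry does not start with a DER SEQUENCE")
            entries.append({"type": guid, "owner": owner, "data": data})
            pos += sig_size
        off += list_size
    return entries


def build_esl(cert_der: bytes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Constructed helper: single-entry X509 list in the layout cert-to-efi-sig-list emits."""
    sig_size = 16 + len(cert_der)
    header = _HDR.pack(EFI_CERT_X509_GUID.bytes_le, _HDR.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


if __name__ == "__main__":
    import sys
    for e in parse_esl(open(sys.argv[1], "rb").read()):
        kind = "X509" if e["type"] == EFI_CERT_X509_GUID else str(e["type"])
        print(f"{kind} owner={e['owner']} {len(e['data'])} bytes")
```

Run it as `python3 esl_check.py db.esl`; the certificate bytes it returns can be fed to `openssl x509 -inform der` to confirm the subject matches the key generated above.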

esnowberg commented 2 years ago

Thanks for your review @frozencemetery, I'll take care of the style changes above and send out a new pull request.