system76 / edk2

EDK II
http://www.tianocore.org/edk2/

"Delete System76 and Microsoft keys (Use your own)" doesn't actually delete them #40

Open gentoo-root opened 1 year ago

gentoo-root commented 1 year ago

After choosing "Delete System76 and Microsoft keys (Use your own)" in the firmware setup menu, both System76 and Microsoft keys can still be seen with sbkeysync from Linux.

The code hints that only PK is deleted and the computer is immediately rebooted, but the keys of System76 and Microsoft are not actually deleted:

https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfig.vfr#L108
https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c#L4521-L4523
https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c#L4842-L4858

I would expect all these steps to be performed to actually delete vendor keys:

https://github.com/system76/edk2/blob/42a443d5cdf07b55afd92ae1d8e9949c1deed310/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigImpl.c#L4181-L4210

crawfxrd commented 1 year ago

Yes, only the PK is deleted. The KEKs are still there.

State after clean flash, before enabling Secure Boot:

$ sbkeysync --verbose --dry-run
Filesystem keystore:
firmware keys:
  PK:
  KEK:
  db:
  dbx:
filesystem keys:
  PK:
  KEK:
  db:
  dbx:
New keys in filesystem:

State after restoring default keys:

(NOTE: Restoring default keys does not enroll the DBX; this doesn't seem to happen unless you enable Secure Boot. DBX should probably always be enrolled.)

$ sbkeysync --verbose --dry-run
Filesystem keystore:
firmware keys:
  PK:
    /C=US/ST=Colorado/L=Denver/O=System76/CN=System76 Secure Boot Platform Key
  KEK:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation KEK CA 2011
    /C=US/ST=Colorado/L=Denver/O=System76/CN=System76 Secure Boot Key Exchange Key
  db:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
    /C=US/ST=Colorado/L=Denver/O=System76/CN=System76 Secure Boot Database Key
  dbx:
filesystem keys:
  PK:
  KEK:
  db:
  dbx:
New keys in filesystem:

State after deleting default keys:

$ sbkeysync --verbose --dry-run
Filesystem keystore:
firmware keys:
  PK:
  KEK:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation KEK CA 2011
    /C=US/ST=Colorado/L=Denver/O=System76/CN=System76 Secure Boot Key Exchange Key
  db:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
    /C=US/ST=Colorado/L=Denver/O=System76/CN=System76 Secure Boot Database Key
  dbx:
    <snip>
filesystem keys:
  PK:
  KEK:
  db:
  dbx:
New keys in filesystem:
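A check a user can run from Linux to confirm what the firmware's "delete keys" action actually left behind, as an added example that is not part of this issue or of the edk2 code: it parses the EFI_SIGNATURE_LIST blobs of PK, KEK and db as exposed by efivarfs and counts the entries still present. The variable and signature-type GUIDs are the standard UEFI ones; `build_x509_list` and the blobs it produces are constructed test data, not real certificates.

```python
"""Count signature entries remaining in PK/KEK/db (added example, not edk2 code)."""
import struct
import uuid
from pathlib import Path

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"         # PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_SIGNATURE_LIST_HDR = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)

def parse_signature_lists(data):
    """Yield (SignatureType, entry count) for each EFI_SIGNATURE_LIST in a variable's data."""
    off = 0
    while off < len(data):
        if len(data) - off < EFI_SIGNATURE_LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if sig_size == 0 or list_size < EFI_SIGNATURE_LIST_HDR + hdr_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = list_size - EFI_SIGNATURE_LIST_HDR - hdr_size
        if body % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        yield sig_type, body // sig_size
        off += list_size

def count_entries(var_data):
    """Total number of EFI_SIGNATURE_DATA entries across all lists (0 for an absent/empty variable)."""
    return sum(n for _, n in parse_signature_lists(var_data))

def remaining_keys(variables):
    """variables: {'PK': bytes, 'KEK': bytes, 'db': bytes} -> entry count per variable."""
    return {name: count_entries(data) for name, data in variables.items()}

def build_x509_list(certs):
    """Constructed helper: wrap equal-length DER blobs (fake here) in one X.509 EFI_SIGNATURE_LIST."""
    owner = uuid.UUID(int=0).bytes_le            # SignatureOwner GUID, 16 bytes, placeholder
    sig_size = 16 + len(certs[0])                # EFI_SIGNATURE_DATA = owner GUID + SignatureData
    sigs = b"".join(owner + c for c in certs)
    header = struct.pack("<III", EFI_SIGNATURE_LIST_HDR + len(sigs), 0, sig_size)
    return EFI_CERT_X509_GUID.bytes_le + header + sigs

def read_efivar(name, guid):
    """Read a variable from efivarfs; the first 4 bytes are the attributes, not data."""
    path = Path("/sys/firmware/efi/efivars") / f"{name}-{guid}"
    return path.read_bytes()[4:] if path.exists() else b""   # a deleted PK has no file at all

if __name__ == "__main__":
    live = {"PK": read_efivar("PK", EFI_GLOBAL_VARIABLE_GUID),
            "KEK": read_efivar("KEK", EFI_GLOBAL_VARIABLE_GUID),
            "db": read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID)}
    for var, n in remaining_keys(live).items():
        print(f"{var}: {n} entr{'y' if n == 1 else 'ies'} still enrolled")
```

On a machine in the "after deleting default keys" state shown above, the script reports 0 entries for PK but 2 for KEK and 3 for db, which is the check that exposes the behaviour this issue describes.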