YubiKey 5

Sign EFI applications with YubiKey 5

Preliminaries

Generate Secure Boot keys on a YubiKey 5.

Install sbsign.

sudo apt install sbsigntool

Install Yubico’s PKCS#11 module (ykcs11) and OpenSSL’s PKCS#11 engine.

sudo apt install ykcs11 libengine-pkcs11-openssl
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so

Note that PKCS11_MODULE_PATH must be exported for sbsign to work: the OpenSSL PKCS#11 engine reads it to locate the ykcs11 module.

Locate an EFI application to sign. This guide assumes the file is named stboot.uki.

Sign with db key

sbsign --engine pkcs11 --key "pkcs11:id=%07" --cert db.crt stboot.uki

When asked for the engine passphrase, press ENTER (leave it empty). Enter your PIN when prompted, then touch your YubiKey. The signed image is written to stboot.uki.signed.

Debrief

You used OpenSSL’s PKCS#11 engine with Yubico’s PKCS#11 module to sign with the db key on your YubiKey. You determined the appropriate PKCS#11 object ID when generating your key.

List the signatures embedded in the signed image:

sbverify --list stboot.uki.signed

Confirm that the embedded signature validates against db.crt:

sbverify --cert db.crt stboot.uki.signed
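The sign-then-verify flow above, wrapped as a fail-closed shell script. This is an added example, not part of this guide or of sbsigntool: yk_piv_key_uri builds the PKCS#11 key URI from a PIV slot name, assuming ykcs11's documented object numbering (slots 9a, 9c, 9d, 9e map to ids 1 to 4, retired slots 82 to 95 to ids 5 to 24), and sign_and_verify_uki keeps a signed image only if sbverify accepts it against db.crt.

```shell
# Added example, not from the guide or from sbsigntool: fail-closed sign-and-verify wrapper.
# yk_piv_key_uri assumes ykcs11's documented object numbering
# (slots 9a,9c,9d,9e -> ids 1..4; retired slots 82..95 -> ids 5..24).
yk_piv_key_uri() {
  local slot=$1 id
  case "$slot" in
    9a) id=1 ;;
    9c) id=2 ;;
    9d) id=3 ;;
    9e) id=4 ;;
    8[2-9]|9[0-5]) id=$((0x$slot - 0x82 + 5)) ;;
    *) echo "unknown PIV slot: $slot" >&2; return 1 ;;
  esac
  # PKCS#11 URI ids are percent-encoded bytes, e.g. id 7 -> pkcs11:id=%07
  printf 'pkcs11:id=%%%02x\n' "$id"
}

# Usage: sign_and_verify_uki <image.uki> <db.crt> <pkcs11-key-uri>
# Writes <image.uki>.signed and keeps it only if it verifies against the db certificate.
sign_and_verify_uki() {
  local in=$1 cert=$2 keyuri=$3 out=$1.signed
  # The OpenSSL pkcs11 engine locates libykcs11.so through this variable.
  if [ -z "${PKCS11_MODULE_PATH:-}" ] || [ ! -r "$PKCS11_MODULE_PATH" ]; then
    echo "PKCS11_MODULE_PATH is unset or does not point at a readable module" >&2
    return 1
  fi
  [ -r "$in" ] || { echo "cannot read input image: $in" >&2; return 1; }
  [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
  # PIN and touch prompts come from the engine, exactly as with the manual command.
  sbsign --engine pkcs11 --key "$keyuri" --cert "$cert" --output "$out" "$in" || return 1
  # Fail closed: discard the output if the signature does not verify against db.crt.
  if ! sbverify --cert "$cert" "$out"; then
    echo "signature on $out does not verify against $cert; removing it" >&2
    rm -f "$out"
    return 1
  fi
  sbverify --list "$out"
}

# Example invocation (YubiKey plugged in; slot 84 yields id=%07 under the assumed mapping):
#   export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
#   sign_and_verify_uki stboot.uki db.crt "$(yk_piv_key_uri 84)"
```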