Soft key

Sign variables with soft keys #

Prerequisites #

Generate soft Secure Boot keys. The steps below expect the key pairs and certificates from that step: PK.crt/PK.priv, KEK.crt/KEK.priv and db.crt.

Install cert-to-efi-sig-list and sign-efi-sig-list (both ship in the efitools package).

sudo apt install efitools

PK signs itself #

cert-to-efi-sig-list PK.crt PK.esl
sign-efi-sig-list -c PK.crt -k PK.priv PK PK.esl PK.auth

PK signs KEK #

cert-to-efi-sig-list KEK.crt KEK.esl
sign-efi-sig-list -c PK.crt -k PK.priv KEK KEK.esl KEK.auth

KEK signs db #

cert-to-efi-sig-list db.crt db.esl
sign-efi-sig-list -c KEK.crt -k KEK.priv db db.esl db.auth

Debrief #

Before signing, you wrapped each certificate in an EFI signature list (EFI_SIGNATURE_LIST) holding a single X.509 entry using cert-to-efi-sig-list. sign-efi-sig-list then produced a time-based authenticated variable update: a PKCS#7 signature over the variable's name, its vendor GUID, its attributes, the current timestamp and the new contents, packaged in an EFI_VARIABLE_AUTHENTICATION_2 descriptor placed in front of the signature list. Because the name and the timestamp are part of the signed data, a signed db update cannot be replayed into KEK, and an older update cannot be replayed over a newer one. The variable name you pass (PK, KEK, db) is case-sensitive and also selects the vendor GUID that is signed, so it must match the variable you intend to write.

Each .auth file therefore contains the descriptor followed by that variable's EFI signature list. For example, db.auth holds db.crt as a signature list, signed with KEK.priv so that firmware which already trusts KEK.crt accepts it. The Secure Boot key hierarchy requires PK to be self signed, KEK to be signed by PK, and db (and dbx) to be signed by KEK. This is what you just achieved. Keep PK.priv and KEK.priv offline: anyone holding them can authorize arbitrary db entries on every machine enrolled with these keys.
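To make the debrief concrete, here is an added example (not part of the original page and not efitools' own code) that builds the same EFI_SIGNATURE_LIST framing cert-to-efi-sig-list writes, assembles and parses the EFI_VARIABLE_AUTHENTICATION_2 descriptor found at the start of every .auth file, and computes the exact bytes the PKCS#7 signature covers. It uses only the Python standard library; the DER certificate, the PKCS#7 blob and the owner GUID are constructed placeholders, so no real signature is produced or verified.

```python
"""Added example: EFI_SIGNATURE_LIST / EFI_VARIABLE_AUTHENTICATION_2 framing.
The X.509 DER and PKCS7 blobs below are constructed placeholders, so this
exercises the on-disk layout and the signed-data rule, not the cryptography."""
import struct
import uuid

# GUIDs from the UEFI specification; on-disk form is mixed-endian, hence bytes_le.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# Attributes used for a time-based authenticated write: NV | BS | RT | TIME_BASED_AUTH
EFI_VAR_ATTRS = 0x01 | 0x02 | 0x04 | 0x20  # 0x27
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200

def variable_guid(name):
    """PK and KEK live under EFI_GLOBAL_VARIABLE; db/dbx/dbt under the image security DB GUID."""
    return EFI_GLOBAL_VARIABLE_GUID if name in ("PK", "KEK") else EFI_IMAGE_SECURITY_DATABASE_GUID

def cert_to_esl(der_cert, owner):
    """One EFI_SIGNATURE_LIST holding one X.509 entry, as cert-to-efi-sig-list writes it.
    Layout: SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4) SignatureSize(4)
            followed by one EFI_SIGNATURE_DATA = SignatureOwner(16) + DER certificate."""
    sig_size = 16 + len(der_cert)
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + der_cert

def parse_esl(blob):
    """Walk every list in an ESL blob; yield (SignatureType, SignatureOwner, SignatureData)."""
    off = 0
    while off < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        entries = blob[off + 28 + hdr_size:off + list_size]
        for i in range(0, len(entries), sig_size):
            entry = entries[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def efi_time(year, month, day, hour=0, minute=0, second=0):
    """EFI_TIME (16 bytes): nanoseconds, timezone and daylight are zero for these updates."""
    return struct.pack("<HBBBBBBIhBB", year, month, day, hour, minute, second, 0, 0, 0, 0, 0)

def signed_bytes(var_name, timestamp, payload):
    """Data the PKCS7 signature in an .auth file covers:
    VariableName (UCS-2, no terminator) || VendorGuid || Attributes || TimeStamp || NewContent.
    Binding name, GUID and timestamp is what stops db.auth being replayed into PK,
    or an old update being replayed after a newer one."""
    return (var_name.encode("utf-16-le") + variable_guid(var_name).bytes_le
            + struct.pack("<I", EFI_VAR_ATTRS) + timestamp + payload)

def build_auth(timestamp, pkcs7, payload):
    """EFI_VARIABLE_AUTHENTICATION_2: TimeStamp || WIN_CERTIFICATE_UEFI_GUID || variable content."""
    dw_length = 8 + 16 + len(pkcs7)  # WIN_CERTIFICATE header + CertType GUID + CertData
    win_cert = struct.pack("<IHH", dw_length, WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload

def parse_auth(blob):
    """Split an .auth file into (timestamp, PKCS7 DER, variable content); reject bad headers."""
    timestamp = blob[:16]
    dw_length, revision, cert_type = struct.unpack_from("<IHH", blob, 16)
    if revision != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID header")
    if uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("AuthInfo is not PKCS7")
    pkcs7 = blob[40:16 + dw_length]
    return timestamp, pkcs7, blob[16 + dw_length:]

# Constructed placeholders (not real DER/PKCS7), enough to exercise the framing.
FAKE_DB_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_PKCS7 = b"\x30\x82\x00\x10" + b"\xAA" * 16
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical SignatureOwner

def demo():
    """Round-trip a db-style update through the builders and parsers."""
    esl = cert_to_esl(FAKE_DB_CERT, OWNER)
    ts = efi_time(2024, 1, 2, 3, 4, 5)
    auth = build_auth(ts, FAKE_PKCS7, esl)
    got_ts, got_pkcs7, got_esl = parse_auth(auth)
    entries = list(parse_esl(got_esl))
    return {
        "esl_len": len(esl),
        "entries": len(entries),
        "roundtrip": got_ts == ts and got_pkcs7 == FAKE_PKCS7 and got_esl == esl,
        "cert_recovered": entries[0][2] == FAKE_DB_CERT and entries[0][0] == EFI_CERT_X509_GUID,
        # the same ESL signed "for db" and "for KEK" hashes to different bytes
        "name_bound": signed_bytes("db", ts, esl) != signed_bytes("KEK", ts, esl),
    }

if __name__ == "__main__":
    print(demo())
```

To inspect a real file, read db.auth into parse_auth: the first 16 bytes are the timestamp sign-efi-sig-list embedded, the PKCS#7 blob can be handed to openssl pkcs7 -inform DER -print_certs to see the KEK certificate, and the remaining bytes are exactly db.esl.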