YubiKey 5

Sign variables with YubiKey 5

Prerequisites

Generate Secure Boot keys on a YubiKey 5.

Install cert-to-efi-sig-list and sign-efi-sig-list (both ship with efitools).

sudo apt install efitools

Install Yubico’s PKCS#11 module and openssl’s PKCS#11 engine.

sudo apt install ykcs11 libengine-pkcs11-openssl
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so

Note that PKCS11_MODULE_PATH is required for sign-efi-sig-list to work. The path above is the Debian/Ubuntu location on x86_64; adjust it if your distribution or architecture installs libykcs11.so elsewhere.

PK signs itself

cert-to-efi-sig-list PK.crt PK.esl
sign-efi-sig-list -c PK.crt -k "pkcs11:id=%05" -e pkcs11 PK PK.esl PK.auth

Press ENTER at the engine passphrase prompt (it is empty). Provide your PIN when prompted, then touch your YubiKey.

PK signs KEK

cert-to-efi-sig-list KEK.crt KEK.esl
sign-efi-sig-list -c PK.crt -k "pkcs11:id=%05" -e pkcs11 KEK KEK.esl KEK.auth

Press ENTER at the engine passphrase prompt (it is empty). Provide your PIN when prompted, then touch your YubiKey.

KEK signs db

cert-to-efi-sig-list db.crt db.esl
sign-efi-sig-list -c KEK.crt -k "pkcs11:id=%06" -e pkcs11 db db.esl db.auth

Press ENTER at the engine passphrase prompt (it is empty). Provide your PIN when prompted, then touch your YubiKey.

Debrief

You used openssl’s PKCS#11 engine with Yubico’s PKCS#11 module to sign with your YubiKey. You determined the appropriate PKCS#11 object IDs (the id=%05 and id=%06 in the pkcs11: URIs above) when generating the keys.

Before signing, you formatted each input certificate as an EFI signature list with a single entry using cert-to-efi-sig-list. The signature produced by sign-efi-sig-list is bound to the current time and the respective EFI variable’s metadata using the authentication_v2 descriptor. Because the timestamp is part of what is signed, the firmware will reject an .auth file whose timestamp is not newer than the one already stored for that variable, so an old .auth cannot be replayed to roll a variable back.

Each variable’s EFI signature list and descriptor are included in the respective .auth files. For example, db.auth contains db.crt signed by KEK. Note that the Secure Boot key hierarchy requires PK to be self-signed, KEK to be signed by PK, and db (and dbx) to be signed by KEK. This is what you just achieved.
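Added example, not part of this page or of efitools: a small Python parser for the .auth layout described above. It builds a single-entry ESL the way cert-to-efi-sig-list does, splits an .auth blob into its EFI_TIME, PKCS#7 signature and ESL payload, and rebuilds the buffer whose signature the firmware verifies. The certificate and PKCS#7 bytes are constructed placeholders, not real DER.

```python
import struct
import uuid
# Constants from the UEFI specification; GUIDs sit on disk in EFI mixed-endian byte order
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")        # vendor GUID of PK and KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # vendor GUID of db and dbx
AUTH_ATTRS = 0x27  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS

def build_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, as cert-to-efi-sig-list does."""
    sig_size = 16 + len(cert_der)  # EFI_SIGNATURE_DATA = SignatureOwner GUID + SignatureData
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert_der

def parse_esl(payload: bytes):
    """Yield (SignatureType, SignatureOwner, SignatureData) for each entry in a chain of ESLs."""
    off = 0
    while off < len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos < end:
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            yield sig_type, owner, payload[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def build_auth(timestamp: bytes, pkcs7: bytes, payload: bytes) -> bytes:
    """Assemble an .auth blob in the layout sign-efi-sig-list writes: descriptor, then the ESL."""
    win_cert = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return timestamp + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload

def parse_auth(blob: bytes):
    """Split an .auth file into (EFI_TIME, PKCS#7 DER, ESL payload) after checking the descriptor type."""
    timestamp = blob[:16]  # EFI_TIME is 16 bytes
    length, _revision, cert_kind = struct.unpack_from("<IHH", blob, 16)
    if cert_kind != WIN_CERT_TYPE_EFI_GUID or uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not an EFI_VARIABLE_AUTHENTICATION_2 descriptor carrying PKCS#7")
    return timestamp, blob[40:16 + length], blob[16 + length:]  # dwLength spans the 24-byte header + PKCS#7

def signed_data(var_name: str, vendor: uuid.UUID, timestamp: bytes, payload: bytes) -> bytes:
    """Rebuild the buffer whose PKCS#7 signature the firmware checks on SetVariable()."""
    return var_name.encode("utf-16-le") + vendor.bytes_le + struct.pack("<I", AUTH_ATTRS) + timestamp + payload

FAKE_CERT = b"\x30\x02\x05\x00"  # constructed placeholder, not a real DER certificate
FAKE_PKCS7 = b"\x30\x80\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # constructed placeholder, not a real signature
FAKE_TIME = struct.pack("<HBBBBBBIhBB", 2024, 1, 2, 3, 4, 5, 0, 0, 0, 0, 0)  # 2024-01-02 03:04:05 UTC
SAMPLE_AUTH = build_auth(FAKE_TIME, FAKE_PKCS7, build_esl(FAKE_CERT, EFI_IMAGE_SECURITY_DATABASE))
```

To inspect a real db.auth, read it with open("db.auth", "rb").read() and pass it to parse_auth and parse_esl; feed the returned PKCS#7 bytes to openssl pkcs7 -inform DER to see the signing certificate.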