uefisign and loader


uefisign and loader

David Cross
I've been working on getting secureboot working under freebsd (I today just
finished off a REALLY rough tool that lets one tweak uefi authenticated
variables under freebsd, with an eye to try to get a patch to put this into
efivar).  After setting the PK, the KEK, and the db, I was super excited to
finally secure-boot my machine, and discovered that I could not uefisign
loader.  Attempting to sign loader returns a cryptic: "section points
inside the headers" and then hangs in pipe-read (via siginfo). (this is
under 12.0 FWIW).

I am able to sign boot1, however boot1.efi doesn't handle GELI keys so it's
not really useful for me.

Suggestions?
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

Re: uefisign and loader

Warner Losh
On Sun, Oct 6, 2019, 10:58 PM David Cross <[hidden email]> wrote:

> I've been working on getting secureboot working under freebsd (I today just
> finished off a REALLY rough tool that lets one tweak uefi authenticated
> variables under freebsd, with an eye to try to get a patch to put this into
> efivar).  After setting the PK, the KEK, and the db, I was super excited to
> finally secure-boot my machine, and discovered that I could not uefisign
> loader.  Attempting to sign loader returns a cryptic: "section points
> inside the headers" and then hangs in pipe-read (via siginfo). (this is
> under 12.0 FWIW).
>
> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so it's
> not really useful for me.
>
> Suggestions?
>

Use loader.efi directly instead?

Warner


Re: uefisign and loader

David Cross
On Mon, Oct 7, 2019 at 1:02 AM Warner Losh <[hidden email]> wrote:

> Use loader.efi directly instead?
>
I currently do use loader.efi directly, however not being able to sign
loader.efi directly complicates things a bit (using hash based signature
lists for the 'db' variable); and it seems we *should* be able to sign
loader.  From some other posts on the internet it seems that at some point
we could.
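The hash-based db entries mentioned above hold the Authenticode digest of the PE image, and the signer's refusal concerns the section table of that same image. The following is an added Python example, not code from the thread, from uefisign or from sbsign: it computes the Authenticode SHA-256 of a PE32+ image (the value an EFI_CERT_SHA256 db entry carries) and lists sections whose raw data begins before SizeOfHeaders, which is an assumed simplification of the condition the "section points inside the headers" message names. The sample image is constructed inline and is not a real loader.efi.

```python
import hashlib
import struct

def pe_layout(data):
    """Offsets of the fields Authenticode skips, SizeOfHeaders and the section table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    cert_dir = opt + (112 if magic == 0x20B else 96) + 4 * 8   # data directory entry 4
    sections = []
    for i in range(nsect):
        name, size, off = struct.unpack_from("<8s8xII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), off, size))
    return {"checksum": opt + 64, "cert_dir": cert_dir, "sections": sections,
            "cert_size": struct.unpack_from("<I", data, cert_dir + 4)[0],
            "sizeof_headers": struct.unpack_from("<I", data, opt + 60)[0]}

def sections_inside_headers(data):
    """Sections whose raw data starts before SizeOfHeaders (assumed simplification
    of the layout behind the "section points inside the headers" refusal)."""
    lay = pe_layout(data)
    return [n for n, off, size in lay["sections"] if size and off < lay["sizeof_headers"]]

def authenticode_sha256(data):
    """Image digest as the Authenticode PE spec defines it (what a db hash entry
    holds): CheckSum, the certificate-table directory entry and the table are skipped."""
    lay = pe_layout(data)
    h = hashlib.sha256()
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["cert_dir"]])
    h.update(data[lay["cert_dir"] + 8:lay["sizeof_headers"]])
    hashed = lay["sizeof_headers"]
    for _, off, size in sorted(lay["sections"], key=lambda s: s[1]):
        h.update(data[off:off + size])
        hashed += size
    h.update(data[hashed:len(data) - lay["cert_size"]])   # trailing data, if any
    return h.hexdigest()

def build_sample_pe(text_off=0x200):
    """Constructed minimal PE32+ (not a real loader.efi): headers padded to 0x200,
    one 0x200-byte .text section at text_off, no certificate table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(60, b"\0") + struct.pack("<II", 0x200, 0xDEAD)
    sect = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, text_off).ljust(40, b"\0")
    hdr = (dos + coff + opt.ljust(240, b"\0") + sect).ljust(0x200, b"\0")
    return hdr + bytes(range(256)) * 2

SAMPLE = build_sample_pe()                   # well-formed: hashable and signable
BROKEN = build_sample_pe(text_off=0x100)     # .text raw data overlaps the headers
```

Rewriting the CheckSum field or the certificate directory entry leaves the digest unchanged, while touching a byte of .text changes it, which is exactly why a db hash entry keeps matching after the image is signed.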

Re: uefisign and loader

David Cross
Ok, it appears uefisign is just outright broken; after not being able to
boot even boot1 signed, I brought the signed image over to windows and used
signtool verify and got the error message:
"SignTool Error: WinVerifyTrust returned error: 0x80096010
    The digital signature of the object did not verify."


This is a different error than I get from SignTool on boot1.efi from an
untrusted cert (signed via SignTool) which reports:
"..A certificate chain processed, but terminated in a root certificate
which is not trusted..."


Anyone actually use uefisign successfully?


Re: uefisign and loader

Doug Ambrisko
On Thu, Oct 10, 2019 at 02:29:37PM -0400, David Cross wrote:
| Ok, it appears uefisign is just outright broken; after not being able to
| boot even boot1 signed, I brought the signed image over to windows and used
| signtool verify and got the error message:
| "SignTool Error: WinVerifyTrust returned error: 0x80096010
|     The digital signature of the object did not verify."
|
|
| This is a different error than I get from SignTool on boot1.efi from an
| untrusted cert (signed via SignTool) which reports:
| "..A certificate chain processed, but terminated in a root certificate
| which is not trusted..."
|
| Anyone actually use uefisign successfully?

I've been using sbsign with patches to use an external OpenSSL
engine since our keys are stored in a corporate signing server.
This worked well since at work we have different groups running
Linux as well so having common signing tools made things easier.
Each group has their own UEFI keys.

I had authenticated updates working in FreeBSD
        https://reviews.freebsd.org/D8278

Warner had some feedback.  I think I incorporated it but forget.
It's been a while.  My former group has been shipping FreeBSD
in UEFI secure boot mode with their own custom keys for several
years.

Doug A.