
I am in the process of configuring Secure Boot with my own keys (PK, KEK and DB), and so far I have done the following:

  • Building Unified Kernel Image (UKI)
  • Making standalone GRUB binary
  • Generating own PK, KEK and DB keys; signed GRUB and UKI.

And I can boot into GRUB and Linux with Secure Boot enabled. But I also dual-boot Windows, and here is where the problem begins. So far I have tried signing the Microsoft KEK CA with my PK, but my laptop (Dell Precision 7740) refuses to append it to KEK because it's "not signed properly". Another issue is the Microsoft DB signing certificate: I am not sure how I am supposed to approach it. Is it already signed by the Microsoft KEK, or am I supposed to sign it with my own KEK?

Below I list commands I used to generate my certificates and what I have tried to do in order to import Microsoft's Certificates.

Generating Keys:

mkdir certs
cd certs
uuidgen --random > GUID.txt

openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=example PK/" -out PK.crt
openssl x509 -outform DER -in PK.crt -out PK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth

openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=example KEK/" -out KEK.crt
openssl x509 -outform DER -in KEK.crt -out KEK.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=example DB/" -out db.crt
openssl x509 -outform DER -in db.crt -out db.cer
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth

NOTE: I replaced my actual CN with "example" because I don't want to share its name.

What I have tried to do with Microsoft Certificates:

# Microsoft publishes these certificates DER-encoded; the PEM versions end up in the .crt files.
# I do this conversion because otherwise some of the commands below fail and the .auth file
# contains almost nothing, only around ~30 bytes of arbitrary data.
openssl x509 -inform DER -in microsoft_kek_ca_2011-06-24.bin -out microsoft_kek_ca_2011-06-24.crt
openssl x509 -outform DER -in microsoft_kek_ca_2011-06-24.crt -out microsoft_kek_ca_2011-06-24.cer
# cert-to-efi-sig-list reads a PEM certificate, so it gets the .crt file, not the DER .cer.
cert-to-efi-sig-list -g "$(< GUID.txt)" microsoft_kek_ca_2011-06-24.crt microsoft_kek_ca_2011-06-24.esl
# Here I actually sign it. I don't get any errors, and the .auth file is similar in size to the other .auth files, but my laptop still refuses to import it.
# Note: without -a, sign-efi-sig-list prepares a replacement write; the firmware would overwrite the whole KEK with this single entry rather than append to it.
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK microsoft_kek_ca_2011-06-24.esl microsoft_kek_ca_2011-06-24.auth

openssl x509 -inform DER -in microsoft_windows_pca_2011-10-19.bin -out microsoft_windows_pca_2011-10-19.crt
openssl x509 -outform DER -in microsoft_windows_pca_2011-10-19.crt -out microsoft_windows_pca_2011-10-19.cer
# Again the PEM .crt goes to cert-to-efi-sig-list.
cert-to-efi-sig-list -g "$(< GUID.txt)" microsoft_windows_pca_2011-10-19.crt microsoft_windows_pca_2011-10-19.esl
# Here I gave up. The issue is that I need a signed EFI signature list (.auth) in order to import it into my BIOS. But in order to create the signed list I would need the KEK keys, and obviously I don't own the keys to Microsoft's KEK, so I just tried signing it with my own KEK. Again, the BIOS refuses to import it.
# Note: the same -a caveat applies here; without it this write replaces the whole db instead of appending to it.
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db microsoft_windows_pca_2011-10-19.esl microsoft_windows_pca_2011-10-19.auth

NOTE: I downloaded Microsoft's KEK and DB from official documentation.

As a closing word, I want to say that I am not willing to use SHIM or MOK, because I need and want the control that having my own PK, KEK and DB keys gives. I consider SHIM/MOK to be half-baked workarounds: they don't really address the issue but rather give a dirty fix.

Thanks for help in advance!
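The .esl and .auth files handled by the commands in the question have a fixed binary layout from the UEFI specification (EFI_SIGNATURE_LIST for the list, EFI_VARIABLE_AUTHENTICATION_2 for the signed update), so the "almost empty" output mentioned above can be checked for directly instead of judging by file size. The inspector below is an added example and is not code from the question or from efitools. It rebuilds both layouts in pure Python (build_esl/build_auth) so the parsers can be exercised offline on constructed placeholder bytes, and its main function reads real .esl/.auth files to list every entry with its owner GUID and to flag entries whose SignatureData is not a DER certificate, which is what you get when cert-to-efi-sig-list is handed something other than a PEM certificate. It does not verify the PKCS#7 signature itself; the DEMO_* constants and the placeholder PKCS#7 blob are constructed and not real cryptographic objects. One point worth keeping in mind while reading the output: the firmware checks a db update against the keys in KEK (or PK), so a db update carrying Microsoft's certificate but signed by your own KEK key is the intended way to enroll it.

```python
#!/usr/bin/env python3
"""Inspect .esl / .auth files produced by cert-to-efi-sig-list and sign-efi-sig-list.

Usage on real files:  python3 esl_inspect.py KEK.auth microsoft_kek_ca_2011-06-24.esl
Run without arguments to exercise the parsers on the constructed demo bytes below.
"""
import struct
import sys
import uuid

# GUIDs and constants from the UEFI specification (GUIDs are stored little-endian on disk).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200
ESL_HEADER = 28             # SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize
AUTH2_HEADER = 16 + 8 + 16  # EFI_TIME + WIN_CERTIFICATE header + CertType GUID

# Constructed placeholders (NOT real cryptographic objects) so everything runs offline.
DEMO_OWNER = uuid.UUID("7fb7d4c5-1f38-4a5e-9cf8-b52fbb5ef0e1")   # stands in for GUID.txt
DEMO_CERT = bytes.fromhex("3003020100")                           # smallest DER SEQUENCE, stands in for a cert
DEMO_PKCS7 = bytes.fromhex("30080606 2a864886 f70d".replace(" ", ""))  # stub, never verified


def build_esl(owner: uuid.UUID, der_cert: bytes) -> bytes:
    """Same layout cert-to-efi-sig-list writes: one list, one X.509 entry, no signature header."""
    sig_size = 16 + len(der_cert)                       # EFI_SIGNATURE_DATA: SignatureOwner + SignatureData
    return (EFI_CERT_X509_GUID.bytes_le
            + struct.pack("<III", ESL_HEADER + sig_size, 0, sig_size)
            + owner.bytes_le + der_cert)


def build_auth(esl: bytes, pkcs7: bytes, when=(2024, 1, 1, 0, 0, 0)) -> bytes:
    """EFI_VARIABLE_AUTHENTICATION_2 = EFI_TIME || WIN_CERTIFICATE_UEFI_GUID(PKCS#7) || payload."""
    y, mo, d, h, mi, s = when
    efi_time = struct.pack("<HBBBBBxIhBx", y, mo, d, h, mi, s, 0, 0, 0)   # Nanosecond, TimeZone, Daylight zeroed
    win_cert = struct.pack("<IHH", 8 + 16 + len(pkcs7), WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl


def parse_esl(data: bytes):
    """Walk a (possibly concatenated) EFI_SIGNATURE_LIST blob; return [(type, owner, signature_data)]."""
    entries, off = [], 0
    while off < len(data):
        if off + ESL_HEADER > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < ESL_HEADER + hdr_size or end > len(data):
            raise ValueError(f"SignatureListSize {list_size} at offset {off} does not fit the file")
        pos = off + ESL_HEADER + hdr_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not divide the list body")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def parse_auth(data: bytes):
    """Split an .auth file into (timestamp tuple, PKCS#7 DER bytes, trailing ESL bytes)."""
    if len(data) < AUTH2_HEADER:
        raise ValueError("shorter than an EFI_VARIABLE_AUTHENTICATION_2 header")
    y, mo, d, h, mi, s = struct.unpack_from("<HBBBBB", data, 0)
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", data, 16)
    cert_guid = uuid.UUID(bytes_le=data[24:40])
    if cert_type != WIN_CERT_TYPE_EFI_GUID or cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("AuthInfo is not a PKCS#7 WIN_CERTIFICATE_UEFI_GUID")
    pkcs7_end = 16 + dw_length          # dwLength spans the WIN_CERTIFICATE header, the GUID and CertData
    if pkcs7_end > len(data):
        raise ValueError("dwLength runs past the end of the file")
    return (y, mo, d, h, mi, s), data[40:pkcs7_end], data[pkcs7_end:]


def check_x509_entries(entries):
    """Return human-readable problems; an empty list means the ESL carries real DER certificates."""
    problems = []
    if not entries:
        problems.append("no signature entries at all")
    for i, (sig_type, _owner, payload) in enumerate(entries):
        if sig_type != EFI_CERT_X509_GUID:
            problems.append(f"entry {i}: type {sig_type} is not EFI_CERT_X509_GUID")
        elif not payload or payload[0] != 0x30:
            # A DER certificate always starts with a SEQUENCE tag (0x30); PEM text or garbage does not.
            problems.append(f"entry {i}: SignatureData does not start with a DER SEQUENCE")
    return problems


def main(paths):
    blobs = [(p, open(p, "rb").read()) for p in paths] or \
            [("demo.auth", build_auth(build_esl(DEMO_OWNER, DEMO_CERT), DEMO_PKCS7))]
    for name, data in blobs:
        if name.endswith(".auth"):
            ts, pkcs7, data = parse_auth(data)
            print(f"{name}: timestamp {ts}, PKCS#7 signature {len(pkcs7)} bytes")
        entries = parse_esl(data)
        for sig_type, owner, payload in entries:
            print(f"  {sig_type} owner={owner} SignatureData={len(payload)} bytes")
        for problem in check_x509_entries(entries):
            print("  PROBLEM:", problem)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Point it at the .esl you built from the Microsoft certificate first: an entry whose SignatureData does not start with 0x30, or a list with no entries, means the list was built from the wrong input and no amount of signing will make the firmware accept the resulting .auth.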

1 Answer


Okay, so while I did not manage to sign Microsoft's KEK, I just force re-signed esp/EFI/Microsoft/Boot/bootmgr.efi and esp/EFI/Microsoft/Boot/bootmgfw.efi with my keys. And yes, after a Windows update I might need to re-sign them, but I have automatic updates disabled, and those files should not be updated too often.
