Date: Mon, 4 Nov 2019 17:02:18 -0600
From: Clay Daniels <clay.daniels.jr@gmail.com>
To: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Read firmware boot keys & save to files
Message-ID: <CAGLDxTVxWNPtLYyppx=%2BMTOaETFMdVGwbEg6H61nBVTFc9MH2Q@mail.gmail.com>

FreeBSD has several nice programs dealing with boot keys & certs, including:

OpenSSL/LibreSSL
GnuPG/gpg
efivar

I keep trying to get any of these to read the contents of the firmware boot keys and save them to files. I'm talking about four files, PK, KEK, DB, DBX and maybe a fifth, the MOK (Machine Owners Key). My newer 2019 machine's BIOS does a good job of saving them; my older 2014 machine does not even list them except to call them "HP Keys".

Some Linux distros have a nice little tool named efi-readvar, which is part of a larger package named efitools by James Bottomley, that does a nice job of both reading and saving them to files. Microsoft's PowerShell has a Get-SecureBootUEFI command that saves to a file, but I never tried to read them there, as it was mostly for a backup.

The reason for my question is that before one starts to mess with your BIOS keys, you probably want to back them up on a thumb drive. And I'm interested in doing it totally (well mostly) with FreeBSD.

Clay