From owner-freebsd-questions@freebsd.org Mon Nov 4 23:02:24 2019
From: Clay Daniels
Date: Mon, 4 Nov 2019 17:02:18 -0600
Subject: Read firmware boot keys & save to files
To: freebsd-questions@freebsd.org

FreeBSD has several nice programs dealing with boot keys & certs, including:

OpenSSL/LibreSSL
GnuPG/gpg
efivar

I keep trying to get any of these to read the contents of the firmware boot keys and save them to files. I'm talking about four files, PK, KEK, DB, DBX and maybe a fifth, the MOK (Machine Owners Key). My newer 2019 machine's BIOS does a good job of saving them; my older 2014 machine does not even list them except to call them "HP Keys".

Some Linux distros have a nice little tool named efi-readvar, which is part of a larger package named efitools by James Bottomley, that does a nice job of both reading and saving them to files. Microsoft's PowerShell has a Get-SecureBootUEFI command that saves to a file, but I never tried to read them there, as it was mostly for a backup.

The reason for my question is that before one starts to mess with your BIOS keys, you probably want to back them up on a thumb drive. And I'm interested in doing it totally (well, mostly) with FreeBSD.

Clay
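One way to do the backup the mail asks for with FreeBSD's own efivar(8), written here as an added example rather than code from the original mail. It assumes root access with the efirt kernel module loaded, and that efivar(8) accepts -l (list), -p (print), -b (binary), -N (no name) and -n (variable name); the variable names are the standard "GUID-name" form, and MokList is left out because it is owned by shim, not the firmware.

```shell
#!/bin/sh
# Added example (not from the original mail): back up the UEFI Secure Boot
# key databases with FreeBSD's efivar(8) and write a sha256 manifest beside them.
# Assumes root, the efirt kernel module, and efivar(8) flags -l -p -b -N -n.

# Map a short key name to the full "GUID-name" form efivar(8) uses.
# PK and KEK live under EFI_GLOBAL_VARIABLE; db and dbx under
# EFI_IMAGE_SECURITY_DATABASE. (MokList belongs to shim, so it is not here.)
sb_var_name() {
    case "$1" in
        PK|KEK) echo "8be4df61-93ca-11d2-aa0d-00e098032b8c-$1" ;;
        db|dbx) echo "d719b2cb-3d3a-4596-a3bc-dad00e67656f-$1" ;;
        *) echo "sb_var_name: unknown variable '$1'" >&2; return 1 ;;
    esac
}

# True when the firmware exposes the variable at all; a machine that does not
# list its keys fails here instead of silently producing an empty file.
sb_var_present() {
    efivar -l | grep -qix "$(sb_var_name "$1")"
}

# Dump one variable as raw bytes (an EFI_SIGNATURE_LIST chain) into $2/$1.bin.
sb_dump_var() {
    name=$(sb_var_name "$1") || return 1
    out="$2/$1.bin"
    if ! sb_var_present "$1"; then
        echo "skip: $name is not exposed by this firmware" >&2
        return 1
    fi
    efivar -N -p -b -n "$name" > "$out" || return 1
    # A zero-byte dump means the read failed; do not keep it as a backup.
    [ -s "$out" ] || { echo "error: $out is empty" >&2; rm -f "$out"; return 1; }
    echo "$out"
}

# Back up all four databases and record their hashes, so the copy on the thumb
# drive can be re-hashed and compared before any key is changed.
backup_secureboot_vars() {
    dir="$1"
    mkdir -p "$dir" || return 1
    rc=0
    for v in PK KEK db dbx; do
        sb_dump_var "$v" "$dir" || rc=1
    done
    ( cd "$dir" && sha256 -r *.bin > SHA256.manifest )
    return $rc
}

# Usage: SB_BACKUP_DIR=/mnt/usb/sb-backup sh secureboot-backup.sh
if [ -n "${SB_BACKUP_DIR:-}" ]; then
    backup_secureboot_vars "$SB_BACKUP_DIR"
fi
```

The script returns non-zero if any of the four variables could not be read, which is the case the mail describes for the older machine that only shows "HP Keys".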