Date:      Thu, 10 Oct 2019 19:53:54 -0700
From:      Doug Ambrisko <ambrisko@ambrisko.com>
To:        David Cross <dcrosstech@gmail.com>
Cc:        FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject:   Re: uefisign and loader
Message-ID:  <20191011025354.GA59270@ambrisko.com>
In-Reply-To: <CAM9edePsJuv-Vouc7RuBNpzEDUY2LE-q8Gs_xpyWrzZvSwxF5g@mail.gmail.com>
References:  <CAM9edeOTrNev=izkp2R3C5A0geHRe51m71BPn1OrXSn_QWFaGQ@mail.gmail.com> <CANCZdfqdbKgRqF7AhsfjNwQdzbwA7uSuQoWzWvHQrwkJ2p4AXg@mail.gmail.com> <CAM9edeP+bvKzOuuGMXLvgczzkaDCCuDJdH7C+nRanXp=3w6Fdg@mail.gmail.com> <CAM9edePsJuv-Vouc7RuBNpzEDUY2LE-q8Gs_xpyWrzZvSwxF5g@mail.gmail.com>

On Thu, Oct 10, 2019 at 02:29:37PM -0400, David Cross wrote:
| Ok, it appears uefisign is just outright broken; after not being able to
| boot even boot1 signed, I brought the signed image over to windows and used
| signtool verify and got the error message:
| "SignTool Error: WinVerifyTrust returned error: 0x80096010
|     The digital signature of the object did not verify."
| 
| 
| This is a different error than I get from SignTool for boot1.efi from an
| untrusted cert (signed via SignTool) which reports:
| "..A certificate chain processed, but terminated in a root certificate
| which is not trusted..."
| 
| Anyone actually use uefisign successfully?

I've been using sbsign with patches to use an external OpenSSL
engine since our keys are stored in a corporate signing server.
This worked well since at work we have different groups running
Linux as well so having common signing tools made things easier.
Each group has their own UEFI keys.

I had authenticated updates working in FreeBSD
	https://reviews.freebsd.org/D8278

Warner had some feedback.  I think I incorporated it but forget.
It's been a while.  My former group has been shipping FreeBSD
in UEFI secure boot mode with their own custom keys for several
years.

Doug A.
 
| On Mon, Oct 7, 2019 at 9:29 AM David Cross <dcrosstech@gmail.com> wrote:
| 
| >
| >
| > On Mon, Oct 7, 2019 at 1:02 AM Warner Losh <imp@bsdimp.com> wrote:
| >
| >>
| >>
| >> On Sun, Oct 6, 2019, 10:58 PM David Cross <dcrosstech@gmail.com> wrote:
| >>
| >>> I've been working on getting secureboot working under FreeBSD (I today
| >>> just finished off a REALLY rough tool that lets one tweak UEFI
| >>> authenticated variables under FreeBSD, with an eye to try to get a patch
| >>> to put this into efivar).  After setting the PK, the KEK, and the db, I
| >>> was super excited to finally secure-boot my machine, and discovered that
| >>> I could not uefisign loader.  Attempting to sign loader returns a cryptic:
| >>> "section points inside the headers" and then hangs in pipe-read (via
| >>> siginfo). (this is under 12.0 FWIW).
| >>>
| >>> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so
| >>> it's not really useful for me.
| >>>
| >>> Suggestions?
| >>>
| >>
| >> Use loader.efi directly instead?
| >>
| >>>
| >>>
| > I currently do use loader.efi directly, however not being able to sign
| > loader.efi directly complicates things a bit (using hash based signature
| > lists for the 'db' variable); and it seems we *should* be able to sign
| > loader.  From some other posts on the internet it seems that at some point
| > we could.
| >
| _______________________________________________
| freebsd-hackers@freebsd.org mailing list
| https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
| To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
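As an added illustration (not part of the thread, and not uefisign's or sbsign's code), the Python below computes the Authenticode-style digest of a PE image, skipping the CheckSum field, the certificate-table directory entry and the certificate table itself, which is the digest WinVerifyTrust compares before reporting 0x80096010 (TRUST_E_BAD_DIGEST, "did not verify"). It also applies a layout check of the kind the "section points inside the headers" message suggests; that check, and the minimal PE32+ image built by build_pe(), are assumptions for the example rather than uefisign's actual logic.

```python
import hashlib
import struct

def parse_pe(pe: bytes) -> dict:
    """Fields the Authenticode digest depends on (PE32 and PE32+)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew
    assert pe[pe_off:pe_off + 4] == b"PE\0\0", "not a PE image"
    nsect, opt_size = (struct.unpack_from("<H", pe, pe_off + o)[0] for o in (6, 20))
    opt = pe_off + 24
    dirs = 112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96  # PE32+ / PE32
    certdir = opt + dirs + 4 * 8  # data directory entry 4: certificate table
    sects = [struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16) for i in range(nsect)]
    return {"checksum": opt + 64, "certdir": certdir,
            "hdr_size": struct.unpack_from("<I", pe, opt + 60)[0],
            "cert_size": struct.unpack_from("<I", pe, certdir + 4)[0],
            "sections": sorted((ptr, size) for size, ptr in sects)}  # by PointerToRawData

def layout_error(pe: bytes):
    """Message if a section's raw data starts inside the headers (assumed check), else None."""
    info = parse_pe(pe)
    if any(size and ptr < info["hdr_size"] for ptr, size in info["sections"]):
        return "section points inside the headers"
    return None

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 of the image minus CheckSum, the cert directory entry and the cert table."""
    err = layout_error(pe)
    if err:
        raise ValueError(err)
    i, h = parse_pe(pe), hashlib.sha256()
    h.update(pe[:i["checksum"]])                       # headers up to CheckSum
    h.update(pe[i["checksum"] + 4:i["certdir"]])       # ... skipping the 4-byte CheckSum
    h.update(pe[i["certdir"] + 8:i["hdr_size"]])       # ... skipping the 8-byte directory entry
    hashed = i["hdr_size"]
    for ptr, size in i["sections"]:                    # section data in file order
        h.update(pe[ptr:ptr + size]); hashed += size
    extra = len(pe) - hashed - i["cert_size"]          # trailing data, cert table excluded
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()

def build_pe(raw_ptr=0x200, checksum=0, payload=b"\x90" * 0x200) -> bytes:
    """Constructed minimal PE32+ with one section; headers padded to SizeOfHeaders=0x200."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<II", opt, 60, 0x200, checksum)                  # SizeOfHeaders, CheckSum
    sect = b".text\0\0\0" + struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr) + bytes(16)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + bytes(0x200 - len(hdr)) + payload
```

Changing CheckSum leaves the digest untouched while any change to section bytes alters it, which is the property a signing tool must preserve; a tool hashing the wrong byte ranges produces a signature over a digest the firmware and SignTool never compute.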



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20191011025354.GA59270>