Preparing the FOG server with the prerequisites
sudo apt-get update
sudo apt-get upgrade -y
Reboot the FOG server and then install the required packages
sudo apt-get install -y openssl efitools gnu-efi git build-essential help2man libssl-dev
sudo perl -e'use CPAN; install "File::Slurp"'
Create the Secure Boot PKI infrastructure
Let's create the working directories.
mkdir -p /opt/fog/secureboot/efikeys
Now let's create the bash script that builds the PKI infrastructure.
vi /opt/fog/secureboot/mkkeys.sh
Insert the following text into that bash script.
#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Updated 26-Nov-2021 by George1421 for the FOG Project
# Licensed under the terms of the GPL v3
# Run this from /opt/fog/secureboot so that the efikeys/ paths resolve.
NAME=FOGProjectSB
# Self-signed RSA-2048 certificates for the Platform Key (PK), the Key Exchange Key (KEK)
# and the signature database (db), each valid for ten years.
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \
-out efikeys/PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \
-out efikeys/KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \
-out efikeys/DB.crt -days 3650 -nodes -sha256
# DER copies (*.cer) for firmware key managers that will not accept PEM.
openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER
openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER
openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER
# Owner GUID stored in every EFI signature list; saved so it can be reused later.
GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
echo $GUID > efikeys/myGUID.txt
# Wrap each certificate in an EFI_SIGNATURE_LIST (*.esl).
cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl
cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl
cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl
# An empty PK list: enrolling noPK.auth removes the PK and puts the firmware back in setup mode.
rm -f efikeys/noPK.esl
touch efikeys/noPK.esl
# Sign each list into an authenticated variable update (*.auth). PK and KEK updates are
# signed with the PK, the db update with the KEK, following the UEFI trust chain.
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth
# The private keys are readable by their owner only.
chmod 0600 efikeys/*.key
echo ""
echo ""
echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
echo "flash drive or to your EFI System Partition (ESP)."
echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
echo "but some UEFIs require the *.auth files."
echo ""
Make the script we just created executable, change into the secureboot directory and finally run the bash script.
chmod a+x /opt/fog/secureboot/mkkeys.sh
cd /opt/fog/secureboot/
./mkkeys.sh
I will tell you that when you run mkkeys.sh you may get run-time errors. You will need to research on your own what is missing and add that to your FOG server using the apt-get package tool. I developed this process on a Linux Mint server and then duplicated it on a Debian 10 FOG server. I think I have listed all of the packages above that are needed, but YMMV.
Create the Secure Boot signed enrollment boot loader
Let's get the efitools source so we can build the enrollment boot loaders.
git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
Change into the efitools directory and run make to build the templates.
cd /opt/fog/secureboot/efitools
make
I will tell you that when you run the make command you may get run-time errors. You will need to research on your own what is missing and add that to your FOG server's environment using the apt-get package tool. I developed this process on a Linux Mint server and then duplicated it on a Debian 10 FOG server. I think I have listed all of the packages above that are needed, but YMMV.
Now that we have the templates created we need to download the current Secure Boot key chains that are installed by the hardware manufacturer. My plan is to take the original certificate database, tack the FOG certificates onto the end and then upload the combined certificates back to the target hardware. So for completeness I'll show you how I downloaded the original certificates. To save you some time, I'll include these files in a zip file a bit later in this post.
For this bit, one of my dev FOG servers runs on real hardware. I used these commands under Debian to extract these generic certificates from the target computer's BIOS. The computer I extracted them from was a Dell Precision 3620, so these certificates and the certificate store are fairly new.
mkdir -p /opt/fog/secureboot/hwkeys
cd /opt/fog/secureboot/
sudo efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl
sudo efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl
sudo efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl
sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
sudo chmod 666 /opt/fog/secureboot/hwkeys/*
The following certificates (not really the correct word to use, but for my sanity I'll call them certificates) are the only ones we are interested in: hw_KEK.esl, hw_db.esl and hw_dbx.esl. As I said above, you don't need to do the above part because I'll provide these generic certificates. Note (15-Dec-23): the hw_dbx.esl file might not be created if the dbx database is empty. If this is the case you should ignore the commands that use that file. Thank you @jfernandz for the updated information.
Now let's bring everything together.
cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/
cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/
cd /opt/fog/secureboot/efitools
mv DB.esl DB-fog.esl
mv KEK.esl KEK-fog.esl
mv dbx.esl dbx-fog.esl
At this point we are going to take the hardware certificates we downloaded from the UEFI firmware and tack the FOG certificates onto the end.
cat hw_db.esl DB-fog.esl > DB.esl
cat hw_KEK.esl KEK-fog.esl > KEK.esl
cat hw_dbx.esl > dbx.esl
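The three cat commands above work because a .esl file is simply one or more EFI_SIGNATURE_LIST structures laid end to end, so concatenating two files yields a valid list of lists. Before an enrollment boot loader is built from the merged file it is worth confirming what actually went into it, and the dbx note above shows that one of the inputs may not exist. The Python script below is an added example, not code from the original post or from the FOG Project: it serialises and parses EFI_SIGNATURE_LIST blobs, validates each input before it is concatenated, skips a missing input such as hw_dbx.esl instead of aborting, and lists every signature in the result. The owner GUID and the certificate bytes it uses are constructed placeholders; the file names mirror the ones used in this post.

```python
#!/usr/bin/env python3
# Added example: inspect and merge EFI_SIGNATURE_LIST (.esl) files.
# Not part of the original post or the FOG Project; the owner GUID and the
# certificate bytes below are constructed placeholders.
import hashlib
import struct
import tempfile
import uuid
from pathlib import Path

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# SignatureListSize, SignatureHeaderSize, SignatureSize (little-endian u32 each)
_LIST_HEADER = struct.Struct("<III")
# Constructed owner GUID, standing in for the value mkkeys.sh writes to efikeys/myGUID.txt
SAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")


def build_esl(sig_type, owner, signatures):
    """Serialise one EFI_SIGNATURE_LIST; every signature in a list has the same size."""
    if len({len(s) for s in signatures}) != 1:
        raise ValueError("all signatures in one list must have the same length")
    sig_size = 16 + len(signatures[0])          # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = 16 + _LIST_HEADER.size + sig_size * len(signatures)
    out = bytearray(sig_type.bytes_le)
    out += _LIST_HEADER.pack(list_size, 0, sig_size)
    for sig in signatures:
        out += owner.bytes_le + sig
    return bytes(out)


def parse_esl(data):
    """Return [(sig_type, owner, payload)] for every signature in a (possibly concatenated) blob.

    Raises ValueError on a truncated or inconsistent list, so a corrupt input is caught
    before it is turned into a signed variable update."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 16 + _LIST_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = _LIST_HEADER.unpack_from(data, off + 16)
        body_start = off + 16 + _LIST_HEADER.size + hdr_size
        if list_size < 16 + _LIST_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = data[body_start:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def describe(entries):
    """One readable line per signature: type, owner GUID and a digest of the payload."""
    lines = []
    for sig_type, owner, payload in entries:
        kind = TYPE_NAMES.get(sig_type, str(sig_type))
        digest = payload.hex() if kind == "SHA256" else hashlib.sha256(payload).hexdigest()
        lines.append(f"{kind:6} owner={owner} digest={digest[:16]}... ({len(payload)} bytes)")
    return lines


def merge_esl(inputs, output):
    """The 'cat hw_db.esl DB-fog.esl > DB.esl' step with two extra checks: every input is
    parsed before anything is written, and a missing input (hw_dbx.esl when the firmware
    dbx was empty) is skipped instead of aborting. Returns the number of signatures written."""
    blob = bytearray()
    for path in inputs:
        if not Path(path).exists():
            continue
        data = Path(path).read_bytes()
        parse_esl(data)                          # raises before we write a corrupt result
        blob += data
    Path(output).write_bytes(bytes(blob))
    return len(parse_esl(bytes(blob)))


if __name__ == "__main__":
    fake_cert = b"\x30\x82" + bytes(300)        # constructed placeholder, not a real DER certificate
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "hw_db.esl").write_bytes(build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER_GUID, [fake_cert]))
        (d / "DB-fog.esl").write_bytes(build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER_GUID, [fake_cert]))
        n = merge_esl([d / "hw_db.esl", d / "DB-fog.esl"], d / "DB.esl")
        print(f"DB.esl holds {n} signature(s):")
        for line in describe(parse_esl((d / "DB.esl").read_bytes())):
            print("  " + line)
        # hw_dbx.esl was never created (empty firmware dbx), so dbx.esl comes out empty.
        print(f"dbx.esl holds {merge_esl([d / 'hw_dbx.esl'], d / 'dbx.esl')} signature(s)")
```

Running it against the real files (point merge_esl at /opt/fog/secureboot/efitools/hw_db.esl and DB-fog.esl) prints one line per certificate, so you can check that the merged DB.esl still contains the manufacturer's entries and ends with the single FOG DB certificate before LockDown is rebuilt from it.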
Let's rebuild the signed boot loaders with the updated certificates.
rm LockDown*efi LockDown.so LockDown.o
make
cp LockDown-signed.efi EnrollKeys.efi
/opt/fog/secureboot/efitools/EnrollKeys.efi is the boot loader we will use to automatically insert the updated Secure Boot keys into the UEFI firmware. So let's copy that file to /tftpboot.
cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot
The other two files from this process that we will need are the FOG certificate's public certificate and private key:
/opt/fog/secureboot/efikeys/DB.crt
/opt/fog/secureboot/efikeys/DB.key
In the next post we will go through and sign all of the boot files needed to secure boot into FOG.
Sample download with certificates
Here are the Microsoft certificates that I downloaded from my Dell desktop computer running Debian. If you want this file you will need to download it and change the extension from .txt to .zip to be able to extract the contents. These keys are not unique or serialized. Every computer that is Secure Boot capable has these default keys installed.
ms_hwcerts.zip.txt