    secure boot - dbx.esl no such file to move

FOG Problems
robertkwild @george1421 (last edited by robertkwild):

      @george1421

      sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
      

I did run this command and then moved it to this dir, as you can see from my previous post where I ran the ls command.

I did run the make command in the efitools dir, but as you can see it’s not here: I’ve done an ls command and it’s not listed.

I can’t mv dbx.esl as it’s not there to move.

I can, however, cp hw_dbx.esl and rename the copy to dbx.esl so that I do have a dbx.esl file. Do I have to do this?

      Thanks
      Rob

george1421 (Moderator) @robertkwild:

        @robertkwild said in secure boot - dbx.esl no such file to move:

        I can’t mv dbx.esl as it’s not there to move

So if, after you compile efitools, the dbx.esl doesn’t exist, that is OK, since you will be replacing it with the exported hw_dbx.esl key. So it's all good.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

robertkwild @george1421:
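The files this thread revolves around (hw_db.esl, hw_dbx.esl, noPK.esl, the dbx.esl that efitools may or may not produce) all share the EFI_SIGNATURE_LIST format. The parser below is an added example, not code from the thread or from efitools; it shows why an empty or missing dbx.esl is harmless: an ESL file with no lists parses to zero entries, which is exactly what the touch'ed noPK.esl is, and what a dbx with nothing revoked looks like. The signature-type GUIDs are the UEFI-specification values; the owner GUID, the two SHA-256 hashes in the sample and the efitools directory layout used by summarize_dir are constructed assumptions.

```python
"""Parse UEFI EFI_SIGNATURE_LIST (.esl) files such as hw_db.esl and hw_dbx.esl.

Added example, not from the thread. ESL layout (UEFI spec):
  EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
  SignatureHeaderSize, SignatureSize; then SignatureHeader; then
  entries of SignatureSize bytes: SignatureOwner GUID + SignatureData.
A file may hold several lists back to back; an empty file holds none.
"""
import os
import struct
import uuid

# Signature-type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
LIST_HEADER = struct.Struct("<16sIII")


def parse_esl(data: bytes):
    """Return [(type_name, owner_guid, signature_bytes), ...] for every entry
    in every list in `data`. Raises ValueError on a truncated or bogus list."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < LIST_HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, off)
        if list_size < LIST_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)  # EFI GUIDs are mixed-endian
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        body = data[off + LIST_HEADER.size + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((name, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, sigs) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding `sigs` (all the same length)."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


def classify(data):
    """'missing' (no file), 'empty' (zero entries, like noPK.esl) or 'N entries'."""
    if data is None:
        return "missing"
    entries = parse_esl(data)
    return "empty" if not entries else f"{len(entries)} entries"


def summarize_dir(directory, names=("PK", "KEK", "DB", "dbx", "noPK")):
    """Report each expected .esl in an efitools build dir (assumed layout)."""
    report = {}
    for name in names:
        path = os.path.join(directory, name + ".esl")
        data = None
        if os.path.exists(path):
            with open(path, "rb") as f:
                data = f.read()
        report[name] = classify(data)
    return report


# Constructed sample: a dbx-style list revoking two SHA-256 image hashes
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DBX = build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                       [bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    for kind, owner, sig in parse_esl(SAMPLE_DBX):
        print(kind, owner, sig.hex())
    print(classify(b""), classify(None))
    print(summarize_dir("/opt/fog/secureboot/efitools"))
```

Run it against the efitools build directory to see at a glance which lists are populated from the hardware export and which are empty; a "missing" dbx.esl before the second make and a populated one after copying hw_dbx.esl in is the expected progression.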

@george1421 thank you George very much.

I'm doing this on another laptop with Secure Boot on, and then I'll transfer the files to my FOG server that way.

Is the below file the only file I need from the laptop, or do I need these two files as well?

          /opt/fog/secureboot/efitools/EnrollKeys.efi

          /opt/fog/secureboot/efikeys/DB.crt
          /opt/fog/secureboot/efikeys/DB.key

Thanks,
Rob

george1421 (Moderator) @robertkwild:

@robertkwild If you are going to let EnrollKeys.efi update your PC, then that is the only thing you need for PXE booting.

            You need to sign ipxe.efi and bzImage using the other keys. But that all stays on the FOG server.

robertkwild @george1421:

              @george1421 thanks

Also, I'm using “snp.efi” as the boot file name; is that a problem?

george1421 (Moderator) @robertkwild:

                @robertkwild said in secure boot - dbx.esl no such file to move:

                boot file name “snp.efi”

                Not a problem as long as you sign that file too. Any efi file you want to boot needs to be signed with the matching certificate in firmware.

robertkwild @george1421:
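A quick way to catch the mistake george1421 is warning about (chain-loading an .efi that was never run through sbsign) before the firmware does is to check whether each boot file in /tftpboot even carries an Authenticode signature block. The script below is an added example, not FOG or efitools code. It reads the PE data directory entry 4 (the CERTIFICATE table) and the WIN_CERTIFICATE header that sbsign appends; it only detects presence of a signature and does not verify it cryptographically, so it complements, not replaces, sbverify --cert DB.crt on the same files. The file names come from the boot-file list in this thread; the /tftpboot path and the minimal PE32+ image built by make_test_image are constructed assumptions.

```python
"""Pre-flight check: does each boot file in /tftpboot carry an Authenticode
signature block? Added example, not FOG code. Detects presence only; use
sbverify --cert DB.crt <file> for actual signature verification.
"""
import os
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def signature_status(pe: bytes) -> str:
    """'signed', 'unsigned', or a short diagnostic for a PE image in memory."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return "not a PE file (no MZ header)"
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not a PE file (no PE signature)"
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:                # what 64-bit EFI binaries use
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        return f"unknown optional header magic 0x{magic:x}"
    entry_off = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry_off + 8 > len(pe):
        return "truncated optional header"
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return "unsigned"
    # For the security directory the first field is a file offset, not an RVA
    cert_off, cert_size = struct.unpack_from("<II", pe, entry_off)
    if cert_off == 0 or cert_size == 0:
        return "unsigned"
    if cert_size < 8 or cert_off + cert_size > len(pe):
        return "corrupt security directory"
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > cert_size:
        return f"unexpected certificate entry (type 0x{cert_type:x})"
    return "signed"


def scan_dir(directory, names=("ipxe.efi", "snp.efi", "snponly.efi", "intel.efi", "realtek.efi")):
    """Map each boot file name to its status; missing files are reported too."""
    report = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            report[name] = "missing"
            continue
        with open(path, "rb") as f:
            report[name] = signature_status(f.read())
    return report


def make_test_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (not a real EFI binary) for demonstration."""
    opt = bytearray(240)                               # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    cert = b""
    if signed:
        blob = b"\x30\x82" + b"\x00" * 14              # stands in for the PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert_off = 0x40 + 4 + 20 + len(opt)            # appended right after the headers
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    print(signature_status(make_test_image(True)), signature_status(make_test_image(False)))
    print(scan_dir("/tftpboot"))
```

Anything reported as "unsigned" here will be refused by a firmware that only trusts your DB certificate, regardless of which of the iPXE variants you chose as the boot file name.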

@george1421 so you're saying

                  mv /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
                  sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
                  

I could replace all instances of “ipxe.efi” with any one of these

                  intel.efi
                  ipxe.efi
                  realtek.efi
                  snp.efi
                  snponly.efi

Thanks,
Rob

robertkwild:

@george1421 I get this error

[image: c646b690-7e86-4ca9-b827-ae02242564b2-image.png]

george1421 (Moderator) @robertkwild:

@robertkwild What does your parameter block look like for this menu item?

It should be similar to this if the error was generated when applying the EnrollKeys.efi program.

chain tftp://${fog-ip}/EnrollKeys.efi
echo Rebooting the system in 5 seconds
sleep 5
reboot

robertkwild @george1421 (last edited by robertkwild):

@george1421 thanks George, I'll check my params for the enroll key entry.

Just out of interest: as I’m making the EnrollKeys.efi using another laptop which has a more recent UEFI and Secure Boot keys, I know I need to export it to my FOG server, but what about DB.crt and DB.key? Do I need to export these as well to the FOG server, or can I use the ones already on there on the FOG server?

This is because I have followed this howto on both systems, so I have 2 sets of crt and key files, one on the FOG server and one on the laptop.

                        /opt/fog/secureboot/efitools/EnrollKeys.efi
                        /opt/fog/secureboot/efikeys/DB.crt
                        /opt/fog/secureboot/efikeys/DB.key

robertkwild (last edited by robertkwild):

@george1421 I made it all into one script, even the mkkeys.sh

#!/bin/bash
# Combined FOG Secure Boot setup: generate mkkeys.sh and run it, build efitools,
# export the hardware key databases, build EnrollKeys.efi and sign the boot files.

apt-get update
apt-get upgrade -y

apt-get install -y openssl efitools gnu-efi git build-essential help2man libssl-dev
perl -e'use CPAN; install "File::Slurp"'

mkdir -p /opt/fog/secureboot/efikeys

# The heredoc delimiter is quoted so that $NAME, $GUID and $(date ...) are written
# into mkkeys.sh literally and expanded when mkkeys.sh runs, not when this script
# writes the file (unquoted, the outer shell would expand them here to empty values).
cat << 'EOF' > /opt/fog/secureboot/mkkeys.sh
#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Updated 26-Nov-2021 by George1421 for the FOG Project
# Licensed under the terms of the GPL v3

NAME=FOGProjectSB

# Self-signed PK, KEK and DB certificates (10-year validity, unencrypted keys)
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \
        -out efikeys/PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \
        -out efikeys/KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \
        -out efikeys/DB.crt -days 3650 -nodes -sha256
# DER copies (.cer) for firmware key managers that cannot read PEM
openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER
openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER
openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER

# Owner GUID recorded in every signature list entry
GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))')
echo $GUID > efikeys/myGUID.txt

# Wrap each certificate in an EFI signature list; noPK.esl is an empty list
# that, once signed, can be used to clear the PK and leave setup mode
cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl
cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl
cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl
rm -f efikeys/noPK.esl
touch efikeys/noPK.esl

# Sign the lists into .auth variable updates: PK signs PK, noPK and KEK; KEK signs db
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth

# Private keys readable by the owner only
chmod 0600 efikeys/*.key

echo ""
echo ""
echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
echo "flash drive or to your EFI System Partition (ESP)."
echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
echo "but some UEFIs require the *.auth files."
echo ""
EOF

chmod a+x /opt/fog/secureboot/mkkeys.sh
cd /opt/fog/secureboot/
./mkkeys.sh

# Build efitools from source (clones into /opt/fog/secureboot/efitools)
git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git

cd /opt/fog/secureboot/efitools
make

# Export the key databases of the machine this script runs on
mkdir -p /opt/fog/secureboot/hwkeys
cd /opt/fog/secureboot/

efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl
efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl
efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl
efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
chmod 666 /opt/fog/secureboot/hwkeys/*

# Rebuild LockDown.efi with the hardware db/KEK/dbx lists alongside our own
# keys, then keep the signed result as EnrollKeys.efi
cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/
cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/
cd /opt/fog/secureboot/efitools

cat hw_db.esl > DB.esl
cat hw_KEK.esl > KEK.esl
cat hw_dbx.esl > dbx.esl

rm LockDown*efi LockDown.so LockDown.o
make

cp LockDown-signed.efi EnrollKeys.efi

mkdir -p /tftpboot

cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot

# Sign every binary the firmware will load with the DB key, keeping the
# unsigned originals alongside under a -unsigned name
mv /var/www/html/fog/service/ipxe/bzImage /var/www/html/fog/service/ipxe/bzImage-unsigned
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/bzImage /var/www/html/fog/service/ipxe/bzImage-unsigned

mv /var/www/html/fog/service/ipxe/bzImage32 /var/www/html/fog/service/ipxe/bzImage32-unsigned
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/bzImage32 /var/www/html/fog/service/ipxe/bzImage32-unsigned

mv /var/www/html/fog/service/ipxe/refind.efi /var/www/html/fog/service/ipxe/refind-unsigned.efi
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /var/www/html/fog/service/ipxe/refind.efi /var/www/html/fog/service/ipxe/refind-unsigned.efi

mv /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi

mv /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/snponly.efi /tftpboot/snponly-unsigned.efi

mv /tftpboot/snp.efi /tftpboot/snp-unsigned.efi
sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/snp.efi /tftpboot/snp-unsigned.efi
                          
                          
                          Copyright © 2012-2024 FOG Project