secure boot - dbx.esl no such file to move

FOG Problems
george1421 (Moderator), in reply to @robertkwild, Jan 19, 2022, 7:55 PM

    @robertkwild said in secure boot - dbx.esl no such file to move:

    I can’t mv dbx.esl as it’s not there to move

    So if, after you compile efitools, dbx.esl doesn't exist, that is OK, since you will be replacing it with the exported hw_dbx.esl key. So it's all good.

    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

robertkwild, in reply to @george1421, Jan 20, 2022, 1:31 PM

      @george1421 thank you George very much

      I'm doing this on another laptop with Secure Boot on and then I'll transfer the files to my FOG server that way

      Is the below file the only file I need from the laptop, or do I need these two files as well?

      /opt/fog/secureboot/efitools/EnrollKeys.efi

      /opt/fog/secureboot/efikeys/DB.crt
      /opt/fog/secureboot/efikeys/DB.key

      thanks,
      rob

george1421 (Moderator), in reply to @robertkwild, Jan 20, 2022, 2:35 PM

        @robertkwild If you are going to let EnrollKeys.efi update your PC, then that is the only thing you need for PXE booting.

        You need to sign ipxe.efi and bzImage using the other keys. But that all stays on the FOG server.

robertkwild, in reply to @george1421, Jan 22, 2022, 2:35 PM

          @george1421 thanks

          Also, I'm using “snp.efi” as the boot file name; is that a problem?

george1421 (Moderator), in reply to @robertkwild, Jan 22, 2022, 4:11 PM

            @robertkwild said in secure boot - dbx.esl no such file to move:

            boot file name “snp.efi”

            Not a problem as long as you sign that file too. Any efi file you want to boot needs to be signed with the matching certificate in firmware.

robertkwild, in reply to @george1421, Jan 22, 2022, 7:17 PM

              @george1421 so you're saying

              mv /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
              sbsign --key /opt/fog/secureboot/efikeys/DB.key --cert /opt/fog/secureboot/efikeys/DB.crt --output /tftpboot/ipxe.efi /tftpboot/ipxe-unsigned.efi
              

              I could replace all instances of “ipxe.efi” with any one of these:

              intel.efi
              ipxe.efi
              realtek.efi
              snp.efi
              snponly.efi

              thanks,
              rob

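The point in this exchange (every .efi a client can be pointed at, not just ipxe.efi, has to carry a signature that the firmware can check against db) can be inventoried quickly without running sbverify over each file. The following is an added example written for this thread, not FOG or iPXE code: it walks the PE/COFF headers to the Authenticode Certificate Table (data directory entry 4) and lists the WIN_CERTIFICATE entries it holds, so an image that was never signed is reported as such. The stub images and the file names in SAMPLE_TFTPBOOT are constructed for the example and are not real binaries.

```python
"""Report which EFI PE binaries carry an Authenticode certificate table.

Added example for this thread, not FOG or iPXE code. Secure Boot firmware
only loads a PE image whose Certificate Table holds a signature that chains
to a db certificate; an image whose table is empty is rejected before any
certificate comparison happens. The PE images below are constructed
minimal stubs (headers only), not real boot files.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def certificate_table(pe):
    """Return (file_offset, size) of the Certificate Table, or None if it is empty."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                  # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                       # PE32+ (x86_64 / aarch64 UEFI)
        nrva_off, dirs = opt + 108, opt + 112
    elif magic == 0x10B:                     # PE32 (ia32 UEFI)
        nrva_off, dirs = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if struct.unpack_from("<I", pe, nrva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if size == 0:
        return None
    if off + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return off, size  # for this directory entry the first field is a file offset


def win_certificates(pe):
    """List (revision, type, payload_length) for each WIN_CERTIFICATE in the table."""
    table = certificate_table(pe)
    if table is None:
        return []
    off, size = table
    end, out = off + size, []
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        out.append((revision, ctype, length - 8))
        off += (length + 7) & ~7             # entries are 8-byte aligned
    return out


def is_signed(pe):
    """True if at least one PKCS#7 SignedData entry is present."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in win_certificates(pe))


def unsigned_boot_files(files):
    """Given {name: bytes}, return the names Secure Boot would reject outright."""
    return sorted(name for name, data in files.items() if not is_signed(data))


def make_stub_pe(signature_blob=None):
    """Constructed minimal PE32+ image, optionally with a certificate table appended."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    body = b""
    if signature_blob is not None:
        cert = struct.pack("<IHH", 8 + len(signature_blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature_blob
        cert += b"\0" * (-len(cert) % 8)
        table_off = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         table_off, len(cert))
        body = cert
    return dos + b"PE\0\0" + coff + bytes(opt) + body


# Constructed sample inventory standing in for /tftpboot: two signed, one not.
SAMPLE_TFTPBOOT = {
    "ipxe.efi": make_stub_pe(b"placeholder PKCS#7 SignedData for ipxe.efi"),
    "snponly.efi": make_stub_pe(b"placeholder PKCS#7 SignedData for snponly.efi"),
    "snp.efi": make_stub_pe(),
}

if __name__ == "__main__":
    for name, data in SAMPLE_TFTPBOOT.items():
        print(name, win_certificates(data))
    print("unsigned:", unsigned_boot_files(SAMPLE_TFTPBOOT))
```

An empty table means the firmware refuses the file before it ever looks at db; a populated one still needs `sbverify --cert DB.crt FILE` to confirm the signature chains to the FOG DB certificate that EnrollKeys.efi installed, since this check only proves a signature is attached, not which key made it.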
robertkwild, Jan 22, 2022, 8:45 PM

                @george1421 I get this error

                [screenshot of the error message]

george1421 (Moderator), in reply to @robertkwild, Jan 22, 2022, 9:25 PM

                  @robertkwild What does your parameter block look like for this menu item?

                  It should be similar to this if the error was generated when applying the EnrollKeys.efi program.

                  chain tftp://${fog-ip}/EnrollKeys.efi
                  echo Rebooting the system in 8 seconds
                  sleep 8
                  reboot
                  

robertkwild, in reply to @george1421, Jan 25, 2022, 8:36 PM (last edited Jan 25, 2022, 3:19 PM)

                    @george1421 thanks George, I'll check my params for the enroll key entry.

                    Just out of interest, as I'm making the EnrollKeys.efi using another laptop which has a more recent UEFI and Secure Boot keys, I know I need to export it to my FOG server, but what about DB.crt and DB.key? Do I need to export these as well to the FOG server, or can I use the ones already there on the FOG server?

                    This is because I have followed this howto on both systems, so I have 2 sets of crt and key files one on the fog server and one on the laptop

                    /opt/fog/secureboot/efitools/EnrollKeys.efi
                    /opt/fog/secureboot/efikeys/DB.crt
                    /opt/fog/secureboot/efikeys/DB.key

robertkwild, Jan 26, 2022, 6:40 PM (last edited Jan 26, 2022, 12:45 PM)

                      @george1421 I made it all into one script, even the mkkeys.sh

                      #!/bin/bash
                      # One-shot build of the FOG Secure Boot pieces on a Debian/Ubuntu machine
                      # booted in UEFI mode, run as root:
                      #   1. generate the FOG PK / KEK / DB key pairs (mkkeys.sh),
                      #   2. export this machine's firmware key databases (PK, KEK, db, dbx),
                      #   3. build EnrollKeys.efi from efitools with the FOG and firmware lists merged,
                      #   4. sign the FOG boot files with the FOG DB key and verify each signature.
                      set -euo pipefail
                      
                      SBROOT=/opt/fog/secureboot
                      IPXEDIR=/var/www/html/fog/service/ipxe
                      
                      apt-get update
                      apt-get upgrade -y
                      
                      # sbsigntool provides sbsign/sbverify; libfile-slurp-perl is the File::Slurp
                      # module the efitools build needs (the distro package avoids an interactive
                      # CPAN setup).
                      apt-get install -y openssl efitools sbsigntool gnu-efi git build-essential \
                          help2man libssl-dev libfile-slurp-perl
                      
                      mkdir -p "$SBROOT/efikeys"
                      
                      # The delimiter is quoted so that $NAME, $GUID, the backticks and $(date ...)
                      # are written into mkkeys.sh literally; with a bare EOF they are expanded
                      # (to empty strings) while this script writes the file.
                      cat << 'EOF' > "$SBROOT/mkkeys.sh"
                      #!/bin/bash
                      # Copyright (c) 2015 by Roderick W. Smith
                      # Updated 26-Nov-2021 by George1421 for the FOG Project
                      # Licensed under the terms of the GPL v3
                      # Run from the directory that contains efikeys/.
                      
                      NAME=FOGProjectSB
                      
                      # Self-signed PK, KEK and DB certificates; DB.key is what signs the boot files.
                      openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \
                              -out efikeys/PK.crt -days 3650 -nodes -sha256
                      openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \
                              -out efikeys/KEK.crt -days 3650 -nodes -sha256
                      openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \
                              -out efikeys/DB.crt -days 3650 -nodes -sha256
                      openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER
                      openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER
                      openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER
                      
                      # Owner GUID recorded in every signature list entry created here.
                      GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
                      echo $GUID > efikeys/myGUID.txt
                      
                      cert-to-efi-sig-list -g $GUID efikeys/PK.crt efikeys/PK.esl
                      cert-to-efi-sig-list -g $GUID efikeys/KEK.crt efikeys/KEK.esl
                      cert-to-efi-sig-list -g $GUID efikeys/DB.crt efikeys/DB.esl
                      # An empty PK list, signed with the PK, is what clears the PK again later.
                      rm -f efikeys/noPK.esl
                      touch efikeys/noPK.esl
                      
                      # Each .auth is the list plus a timestamp, signed by the key one level up
                      # (PK signs PK and KEK, KEK signs db).
                      sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                                        -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth
                      sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                                        -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth
                      sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                                        -k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth
                      sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                                        -k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth
                      
                      chmod 0600 efikeys/*.key
                      
                      echo ""
                      echo ""
                      echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
                      echo "flash drive or to your EFI System Partition (ESP)."
                      echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
                      echo "but some UEFIs require the *.auth files."
                      echo ""
                      EOF
                      
                      chmod a+x "$SBROOT/mkkeys.sh"
                      cd "$SBROOT"
                      ./mkkeys.sh
                      
                      # https rather than git:// so the source comes over an authenticated channel.
                      git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
                      
                      cd "$SBROOT/efitools"
                      make
                      
                      # Export the key databases of the firmware this machine booted from.
                      mkdir -p "$SBROOT/hwkeys"
                      cd "$SBROOT"
                      for var in PK KEK db; do
                          efi-readvar -v "$var" -o "$SBROOT/hwkeys/hw_$var.esl"
                      done
                      # Firmware without a dbx exports nothing; an empty list is fine for the build.
                      efi-readvar -v dbx -o "$SBROOT/hwkeys/hw_dbx.esl" || echo "no dbx in firmware, using an empty list"
                      touch "$SBROOT/hwkeys/hw_dbx.esl"
                      # Exported lists are public data: readable by all, writable only by root.
                      chmod 0644 "$SBROOT/hwkeys"/*
                      
                      cp "$SBROOT/efikeys/"* "$SBROOT/efitools/"
                      cp "$SBROOT/hwkeys/"* "$SBROOT/efitools/"
                      cd "$SBROOT/efitools"
                      
                      # Append rather than overwrite: the lists EnrollKeys.efi writes must hold the
                      # FOG certificates (otherwise nothing signed with DB.key will boot) as well as
                      # the firmware's existing entries. An .esl file is a plain sequence of
                      # EFI_SIGNATURE_LISTs, so concatenation is a valid merge. dbx is taken from
                      # the firmware as-is.
                      cat hw_db.esl  >> DB.esl
                      cat hw_KEK.esl >> KEK.esl
                      cat hw_dbx.esl >  dbx.esl
                      
                      # Drop the generated objects so make rebuilds LockDown.efi from the merged lists.
                      rm -f LockDown*.efi LockDown.so LockDown.o PK.h KEK.h DB.h
                      make
                      
                      cp LockDown-signed.efi EnrollKeys.efi
                      
                      mkdir -p /tftpboot
                      
                      cp "$SBROOT/efitools/EnrollKeys.efi" /tftpboot
                      
                      # Sign one boot file with the FOG DB key, keep the unsigned original next to
                      # it, and verify the signature against DB.crt before clients get the file.
                      # Safe to re-run: an existing -unsigned copy is reused instead of moved again.
                      sign_file() {
                          local signed=$1 unsigned=$2
                          if [ ! -f "$unsigned" ]; then
                              mv "$signed" "$unsigned"
                          fi
                          sbsign --key "$SBROOT/efikeys/DB.key" --cert "$SBROOT/efikeys/DB.crt" \
                                 --output "$signed" "$unsigned"
                          sbverify --cert "$SBROOT/efikeys/DB.crt" "$signed"
                      }
                      
                      sign_file "$IPXEDIR/bzImage"    "$IPXEDIR/bzImage-unsigned"
                      sign_file "$IPXEDIR/bzImage32"  "$IPXEDIR/bzImage32-unsigned"
                      sign_file "$IPXEDIR/refind.efi" "$IPXEDIR/refind-unsigned.efi"
                      
                      # Every EFI binary a client can be pointed at must be signed, not just ipxe.efi.
                      for f in ipxe snponly snp; do
                          sign_file "/tftpboot/$f.efi" "/tftpboot/$f-unsigned.efi"
                      done
                      
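The cat lines in the script above concatenate .esl files, and the thread opened on whether dbx.esl exists at all. The following is an added example written for this thread, not efitools or FOG code: a small builder and parser for the EFI_SIGNATURE_LIST format that efi-readvar exports and cert-to-efi-sig-list produces. It shows what a merged DB.esl contains, that a list which was replaced with the firmware export (rather than appended to) no longer carries the FOG DB certificate, and that an empty dbx list parses cleanly. The certificate bytes, hashes and owner GUIDs are constructed placeholders, not real X.509 data.

```python
"""Inspect and merge UEFI EFI_SIGNATURE_LIST (.esl) blobs.

Added example for this thread, not code from FOG, efitools or the posters.
It models the files efi-readvar exports (hw_db.esl, hw_dbx.esl, ...) and
cert-to-efi-sig-list writes (DB.esl). The certificate bytes and owner GUIDs
below are constructed placeholders, not real X.509 DER.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian, 28 bytes).
_HEADER = struct.Struct("<16sIII")


def build_esl(sig_type, owner, entries):
    """Serialize one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    size = len(entries[0])
    if any(len(e) != size for e in entries):
        raise ValueError("entries of one list must be the same size")
    sig_size = 16 + size                      # SignatureOwner GUID + SignatureData
    list_size = _HEADER.size + sig_size * len(entries)
    out = _HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for data in entries:
        out += owner.bytes_le + data          # EFI_SIGNATURE_DATA
    return out


def parse_esl(blob):
    """Return [(sig_type, owner, data), ...] for every entry in an .esl blob.

    An .esl file is a sequence of lists, so the output of 'cat a.esl b.esl'
    parses as the union of both, and an empty file (noPK.esl, or hw_dbx.esl on
    firmware without a dbx) yields no entries rather than an error.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HEADER.size:
            raise ValueError("truncated signature list header")
        type_raw, list_size, hdr_size, sig_size = _HEADER.unpack_from(blob, off)
        body = list_size - _HEADER.size - hdr_size
        if list_size < _HEADER.size or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent signature list sizes")
        if off + list_size > len(blob):
            raise ValueError("signature list runs past end of data")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + _HEADER.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def contains_cert(blob, der):
    """True if the X.509 entry 'der' is present in any list of the blob."""
    return any(t == EFI_CERT_X509_GUID and d == der for t, _, d in parse_esl(blob))


def summarize(blob):
    """Count entries per signature type, e.g. {'x509': 3, 'sha256': 12}."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    counts = {}
    for t, _, _ in parse_esl(blob):
        key = names.get(t, str(t))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample data: stand-ins for the FOG DB certificate, two
# certificates exported from the firmware's db, and three dbx hashes.
FOG_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
HW_OWNER = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")
FOG_DB_CERT = b"FOGProjectSB DB placeholder cert".ljust(64, b"\0")
HW_CERTS = [(b"firmware db cert %d" % i).ljust(64, b"\0") for i in (1, 2)]

FOG_DB_ESL = build_esl(EFI_CERT_X509_GUID, FOG_OWNER, [FOG_DB_CERT])
HW_DB_ESL = build_esl(EFI_CERT_X509_GUID, HW_OWNER, HW_CERTS)
HW_DBX_ESL = build_esl(EFI_CERT_SHA256_GUID, HW_OWNER,
                       [hashlib.sha256(b"revoked image %d" % i).digest() for i in range(3)])

# What 'cat hw_db.esl >> DB.esl' produces versus 'cat hw_db.esl > DB.esl'.
MERGED_DB = FOG_DB_ESL + HW_DB_ESL
REPLACED_DB = HW_DB_ESL

if __name__ == "__main__":
    print("merged  :", summarize(MERGED_DB), "FOG cert present:", contains_cert(MERGED_DB, FOG_DB_CERT))
    print("replaced:", summarize(REPLACED_DB), "FOG cert present:", contains_cert(REPLACED_DB, FOG_DB_CERT))
    print("dbx     :", summarize(HW_DBX_ESL), "empty dbx entries:", parse_esl(b""))
```

Running `contains_cert` over the DB.esl that actually went into the efitools build, with DB.crt converted to DER (`openssl x509 -in DB.crt -outform DER`), is the check that the certificate sbsign signs with is the one EnrollKeys.efi will enrol; if it is missing, the signed ipxe.efi fails with the same Secure Boot violation as an unsigned one.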
                      Copyright © 2012-2024 FOG Project