Preparing the FOG server with the prerequisites

```bash
sudo apt-get update
sudo apt-get upgrade -y
```

Reboot the FOG server and then install the required packages.

```bash
sudo apt-get install -y openssl efitools gnu-efi git build-essential help2man libssl-dev
sudo perl -e 'use CPAN; install "File::Slurp"'
```
Create the Secure Boot PKI infrastructure
Let's create the working directories.

```bash
mkdir -p /opt/fog/secureboot/efikeys
```

Now let's create our bash file to create the PKI infrastructure.

```bash
vi /opt/fog/secureboot/mkkeys.sh
```
Insert the following text into that bash script.

```bash
#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Updated 26-Nov-2021 by George1421 for the FOG Project
# Licensed under the terms of the GPL v3
# Run from /opt/fog/secureboot: every path below is relative to that directory.
NAME=FOGProjectSB

# Self-signed Platform Key (PK), Key Exchange Key (KEK) and signature database (db) certificates.
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout efikeys/PK.key \
    -out efikeys/PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout efikeys/KEK.key \
    -out efikeys/KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout efikeys/DB.key \
    -out efikeys/DB.crt -days 3650 -nodes -sha256

# DER copies for firmware key managers that cannot import PEM.
openssl x509 -in efikeys/PK.crt -out efikeys/PK.cer -outform DER
openssl x509 -in efikeys/KEK.crt -out efikeys/KEK.cer -outform DER
openssl x509 -in efikeys/DB.crt -out efikeys/DB.cer -outform DER

# Owner GUID recorded in every signature list entry we create; keep it for later updates.
GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))')
echo "$GUID" > efikeys/myGUID.txt

# Wrap each certificate in an EFI signature list (.esl).
cert-to-efi-sig-list -g "$GUID" efikeys/PK.crt efikeys/PK.esl
cert-to-efi-sig-list -g "$GUID" efikeys/KEK.crt efikeys/KEK.esl
cert-to-efi-sig-list -g "$GUID" efikeys/DB.crt efikeys/DB.esl

# An empty PK list signed by the PK lets you clear the PK (return to setup mode) later.
rm -f efikeys/noPK.esl
touch efikeys/noPK.esl

# Sign the lists into authenticated variable updates: PK signs PK, noPK and KEK; KEK signs db.
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/PK.esl efikeys/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k efikeys/PK.key -c efikeys/PK.crt PK efikeys/noPK.esl efikeys/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k efikeys/PK.key -c efikeys/PK.crt KEK efikeys/KEK.esl efikeys/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k efikeys/KEK.key -c efikeys/KEK.crt db efikeys/DB.esl efikeys/DB.auth

# The private keys, PK.key above all, must stay readable only by their owner.
chmod 0600 efikeys/*.key

echo ""
echo ""
echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
echo "flash drive or to your EFI System Partition (ESP)."
echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
echo "but some UEFIs require the *.auth files."
echo ""
```
Make the script we just created executable.

```bash
chmod +x /opt/fog/secureboot/mkkeys.sh
```

Change into the secureboot directory (the script's paths are relative to it) and finally run the bash script.

```bash
cd /opt/fog/secureboot
./mkkeys.sh
```
I will tell you that when you run mkkeys.sh you may get runtime errors. You will need to research on your own what is missing and add that to your FOG server using the apt-get package tool. I developed this process on a Linux Mint server and then duplicated it on a Debian 10 FOG server. I think I have all of the packages above that are needed. But YMMV.
Create the Secure Boot signed enrollment boot loader
Let's get the efitools package so we can build the enrollment bootloaders.

```bash
cd /opt/fog/secureboot
git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
```

Change into the efitools directory and run make to build the templates.

```bash
cd /opt/fog/secureboot/efitools
make
```
I will tell you that when you run the make command you may get runtime errors. You will need to research on your own what is missing and add that to your FOG server's environment using the apt-get package tool. I developed this process on a Linux Mint server and then duplicated it on a Debian 10 FOG server. I think I have all of the packages above that are needed. But YMMV.

Now that we have the templates created, we need to download the current Secure Boot key chains that are created by the hardware manufacturer. My plan is to take the original certificate database, tack the FOG certificates onto the end and then upload the combined certificates back to the target hardware. So for completeness I'll show you how I downloaded the original certificates. To save you some time, I'll include these files in a zip file a bit later in this post.
For this bit, one of my dev FOG servers runs on real hardware. I used these commands under Debian to extract these generic certificates from the target computer's BIOS. The computer I extracted them from was a Dell Precision 3620, so these certificates and the certificate store are fairly new.

```bash
mkdir -p /opt/fog/secureboot/hwkeys
cd /opt/fog/secureboot/
sudo efi-readvar -v PK -o /opt/fog/secureboot/hwkeys/hw_PK.esl
sudo efi-readvar -v KEK -o /opt/fog/secureboot/hwkeys/hw_KEK.esl
sudo efi-readvar -v db -o /opt/fog/secureboot/hwkeys/hw_db.esl
sudo efi-readvar -v dbx -o /opt/fog/secureboot/hwkeys/hw_dbx.esl
# Later steps only read these files, so 644 would be enough; 666 also lets any local user overwrite them.
sudo chmod 666 /opt/fog/secureboot/hwkeys/*
```

The following certificates (not really the correct word to use, but for my sanity I'll call them certificates) are the only ones we are interested in: hw_KEK.esl, hw_db.esl and hw_dbx.esl. As I said above, you don't need to do the above part because I'll provide these generic certificates.
Now let's bring everything together.

```bash
cp /opt/fog/secureboot/efikeys/* /opt/fog/secureboot/efitools/
cp /opt/fog/secureboot/hwkeys/* /opt/fog/secureboot/efitools/
cd /opt/fog/secureboot/efitools
mv DB.esl DB-fog.esl
mv KEK.esl KEK-fog.esl
mv dbx.esl dbx-fog.esl   # mkkeys.sh creates no dbx.esl; if none exists this mv just reports an error and nothing is lost
```

At this point we are going to take the hardware certificates we downloaded from the UEFI firmware and tack the FOG certificates onto the end.

```bash
cat hw_db.esl DB-fog.esl > DB.esl
cat hw_KEK.esl KEK-fog.esl > KEK.esl
cat hw_dbx.esl > dbx.esl
```
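Before rebuilding, it is worth confirming that the concatenated DB.esl still parses as a chain of well-formed EFI_SIGNATURE_LIST structures and really contains the FOG certificate, since the firmware will reject (or worse, silently truncate) a malformed list. The following Python is an added example, not code from this post or from efitools: it parses an .esl file, lists each entry's type and owner GUID, and checks for a DER certificate such as efikeys/DB.cer. The sample lists, owner GUIDs and certificate bytes are constructed placeholders.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize

def build_esl(sig_type, owner, blobs):
    """Encode one EFI_SIGNATURE_LIST with a single owner GUID and equal-sized entries
    (the shape `cert-to-efi-sig-list -g GUID` produces for one certificate)."""
    body = b"".join(owner.bytes_le + blob for blob in blobs)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, 16 + len(blobs[0])) + body

def parse_esl(data):
    """Walk lists stored back to back (what `cat` produces) and return (type, owner GUID,
    sha256 of payload) per entry; a truncated or inconsistent list raises ValueError."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        if list_size < HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = data[off + HEADER.size + hdr_size:off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of signatures")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            digest = hashlib.sha256(body[i + 16:i + sig_size]).hexdigest()
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), str(owner), digest))
        off += list_size
    return entries

def contains_cert(data, der_cert):
    """True if some x509 entry is exactly der_cert (e.g. the bytes of efikeys/DB.cer)."""
    want = hashlib.sha256(der_cert).hexdigest()
    return any(t == "x509" and d == want for t, _, d in parse_esl(data))

# Constructed sample, not real firmware data: an OEM-style sha256 list followed by a FOG
# x509 list, joined exactly as `cat hw_db.esl DB-fog.esl > DB.esl` joins them.
OEM_OWNER = uuid.UUID("00000000-0000-4000-8000-00000000aaaa")  # placeholder owner GUID
FOG_OWNER = uuid.UUID("00000000-0000-4000-8000-00000000f0f0")  # stands in for myGUID.txt
FOG_DER = b"\x30\x82\x00\x10FOG-placeholder-cert"  # stands in for DB.cer, not a real certificate
MERGED_DB = (build_esl(EFI_CERT_SHA256_GUID, OEM_OWNER, [b"\x11" * 32, b"\x22" * 32])
             + build_esl(EFI_CERT_X509_GUID, FOG_OWNER, [FOG_DER]))
```

On the server, running `contains_cert(open("DB.esl", "rb").read(), open("DB.cer", "rb").read())` from /opt/fog/secureboot/efitools answers the question for the real merged file, and `parse_esl` on hw_db.esl shows which OEM entries you are carrying forward.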
Let's rebuild the signed boot loaders with the updated certificates.

```bash
rm LockDown*efi LockDown.so LockDown.o
make
cp LockDown-signed.efi EnrollKeys.efi
```

/opt/fog/secureboot/efitools/EnrollKeys.efi is the boot loader we will use to auto-insert the updated security keys into the UEFI firmware. So let's copy that file to /tftpboot.

```bash
cp /opt/fog/secureboot/efitools/EnrollKeys.efi /tftpboot
```

The other two key files from this process that we will need are the FOG certificate's private and public keys.
In the next post we will go through and sign all of the boot files needed to secure boot into FOG.