system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-09-06 08:46:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

man: Add new Microsoft CAs to example

Browse source 
Also, let's use the links from the Microsoft documentation as they are
guaranteed to be stable.

Fixes: #29102
This commit is contained in:
Jan Janssen 2023-09-06 16:02:02 +02:00 committed by Luca Boccassi
parent ef65c0f6cc
commit 400229eaae
1 changed files with 28 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
man/loader.conf.xml
View file

@ -308,33 +308,43 @@
<programlisting>uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.der"
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.pem"
openssl x509 -outform DER -in "${key}.pem" -out "${key}.der"
sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
done
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
curl "https://www.microsoft.com/pkiops/certs/${key}" --output "${key}"
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%crt}esl" "${key}"
# See also: <ulink url="https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance">Windows Secure Boot Key Creation and Management Guidance</ulink>
curl --location \
"https://go.microsoft.com/fwlink/p/?linkid=321192" -o ms-db-2011.der \
"https://go.microsoft.com/fwlink/p/?linkid=321185" -o ms-kek-2011.der \
"https://go.microsoft.com/fwlink/p/?linkid=321194" -o ms-uefi-db-2011.der \
"https://go.microsoft.com/fwlink/p/?linkid=2239775" -o ms-kek-2023.base64 \
"https://go.microsoft.com/fwlink/p/?linkid=2239776" -o ms-db-2023.base64 \
"https://go.microsoft.com/fwlink/p/?linkid=2239872" -o ms-uefi-db-2023.base64
for key in ms-*.base64; do
base64 -d "${key}" >"${key%base64}der"
done
for key in ms-*.der; do
sbsiglist --owner 77fa9abd-0359-4d32-bd60-28f4e78f784b --type x509 --output "${key%der}esl" "${key}"
done
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
cat MicWinProPCA2011_2011-10-19.esl >>db.esl
# Optionally add Microsoft Windows certificates (needed to boot into Windows).
cat ms-db-*.esl >>db.esl
# Optionally add Microsoft Corporation UEFI CA 2011 for firmware drivers / option ROMs
# and third-party boot loaders (including shim). This is highly recommended on real
# hardware as not including this may soft-brick your device (see next paragraph).
cat MicCorUEFCA2011_2011-06-27.esl >>db.esl
# Optionally add Microsoft UEFI certificates for firmware drivers / option ROMs and third-party
# boot loaders (including shim). This is highly recommended on real hardware as not including this
# may soft-brick your device (see next paragraph).
cat ms-uefi-*.esl >>db.esl
# Optionally add Microsoft Corporation KEK CA 2011. Recommended if either of the
# Microsoft keys is used as the official UEFI revocation database is signed with this
# key. The revocation database can be updated with <citerefentry project='man-pages'><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat MicCorKEKCA2011_2011-06-24.esl >>KEK.esl
# Optionally add Microsoft KEK certificates. Recommended if either of the Microsoft keys is used as
# the official UEFI revocation database is signed with this key. The revocation database can be
# updated with <citerefentry project='man-pages'><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat ms-kek-*.esl >>KEK.esl
attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output PK.auth PK PK.esl
sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl
sbvarsign --attr ${attr} --key KEK.key --cert KEK.crt --output db.auth db db.esl
sbvarsign --attr "${attr}" --key PK.key --cert PK.pem --output PK.auth PK PK.esl
sbvarsign --attr "${attr}" --key PK.key --cert PK.pem --output KEK.auth KEK KEK.esl
sbvarsign --attr "${attr}" --key KEK.key --cert KEK.pem --output db.auth db db.esl
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the