public inbox for devel@edk2.groups.io
From: Bill Paul <wpaul@windriver.com>
To: <edk2-devel@lists.01.org>
Subject: Re: Setting Secure Boot Variables
Date: Mon, 7 Aug 2017 11:57:40 -0700
Message-ID: <201708071157.40881.wpaul@windriver.com>
In-Reply-To: <CACPodBzkmYf5tnsry8gzEmchdBsw-gw2zN0oGpKx4qC5ruNKcA@mail.gmail.com>

Of all the gin joints in all the towns in all the world, Zach Smith had to 
walk into mine at 09:38:33 on Monday 07 August 2017 and say:

> Is there any way I can pre-set the values for the PK, KEK, certificate,
> etc. for using Secure Boot?

Can you clarify what you mean a little?

I'm assuming you have a bunch of machines that come from the manufacturer with 
UEFI firmware, and you want to know how to load UEFI secure boot keys on them 
prior to deployment. Is that right, or did you have something else in mind?

You can typically load secure boot keys from a USB thumb drive, but the UI for 
doing this is not defined by the spec and as such it can vary from vendor to 
vendor.

The only way I can think of to create an automated loading scheme that will 
work on any platform is to write your own UEFI application. Setting secure 
boot keys is basically done using the SetVariable() API. I'm pretty sure there 
are some code examples out there that illustrate how this is done.

Unfortunately one complication is that in order to manually set the UEFI keys, 
the system must be set to custom mode, and that usually requires going into 
the setup menu (i.e. to establish "physical presence"). This means you have to 
boot each system up and press a button somewhere. In some cases it may require 
you to open the case and set a switch or jumper. It's possible the system may 
come from the vendor with keys already loaded, which means you'll have to put 
the system into custom mode in order to delete/replace them.

Once you're in custom mode, you can execute your custom app to reset the keys. 
You should load the db and dbx databases first, then the KEK, and then finally 
the PK. Once the PK is set, the system should transition to secure mode. From 
then on, changing the PK/KEK/db/dbx variables will require digitally signed 
updates or else you'll have to set the system back to custom mode again.

If you are the vendor of the machines, you could manually set up one system, 
make a copy of the flash image and then duplicate that on to all others.

-Bill
 
> I have found an array in SecurityPkg/Tcg/Tcg2Dxe/Tcg2Dxe.c that seems to
> use variable names which are defined in
> MdePkg/Include/Guid/GlobalVariable.h, but I haven't been able to locate any
> way to associate these names with key values. Is this possible? I am trying
> to automate the setup of Secure Boot and its keys.
> 
> Thanks,
> 
> Zach

-- 
=============================================================================
-Bill Paul            (510) 749-2329 | Senior Member of Technical Staff,
                 wpaul@windriver.com | Master of Unix-Fu - Wind River Systems
=============================================================================
   "I put a dollar in a change machine. Nothing changed." - George Carlin
=============================================================================
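
The enrollment order described in the message above, as an added example that is not part of the original post and is not EDK2 code: a simplified C model in which key variables accept unsigned writes only until PK is enrolled. `var_store`, `model_set_variable` and the `ST_*` constants are hypothetical stand-ins for illustration, not the UEFI API.

```c
/* Simplified model of a Secure Boot key store (added example, not EDK2 code).
 * Assumption: before PK is enrolled, key variables accept unsigned writes;
 * once PK is set, only signed updates are accepted. */
#include <stdio.h>
enum { VAR_DB, VAR_DBX, VAR_KEK, VAR_PK };
enum { ST_OK = 0, ST_SECURITY_VIOLATION = 1 };

typedef struct {
    unsigned present;  /* bit (1 << VAR_x) set once that variable is written */
    int pk_enrolled;   /* 0 = custom mode, 1 = secure mode */
} var_store;

/* Hypothetical stand-in for SetVariable(); is_signed means the payload
 * carries a valid signature from the current key hierarchy. */
int model_set_variable(var_store *s, int var, int is_signed)
{
    if (s->pk_enrolled && !is_signed)
        return ST_SECURITY_VIOLATION;  /* unsigned write rejected after PK */
    s->present |= 1u << var;
    if (var == VAR_PK)
        s->pk_enrolled = 1;            /* enrolling PK ends custom mode */
    return ST_OK;
}

/* Unsigned writes to an empty store, in order; returns the enrolled mask. */
unsigned enroll_unsigned(const int *order, int n)
{
    var_store s = { 0, 0 };
    for (int i = 0; i < n; i++)
        model_set_variable(&s, order[i], 0);
    return s.present;
}

unsigned enroll_recommended(void)   /* db, dbx, KEK, then PK */
{
    const int order[] = { VAR_DB, VAR_DBX, VAR_KEK, VAR_PK };
    return enroll_unsigned(order, 4);
}
unsigned enroll_pk_first(void)      /* PK first locks out the rest */
{
    const int order[] = { VAR_PK, VAR_KEK, VAR_DB, VAR_DBX };
    return enroll_unsigned(order, 4);
}

int main(void)
{
    printf("recommended 0x%x, PK first 0x%x\n", enroll_recommended(), enroll_pk_first());
    return 0;
}
```

In this model the recommended order enrolls all four variables, while writing PK first leaves KEK, db and dbx empty until signed updates are supplied.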

