What is SecureBoot and how can I enable it?

In Standard Boot process, when turning on the computer the first step executed is POST-Power On Self-Test, then BIOS is initialized. At this stage hardware is initialized and its firmware is loaded to the memory.
Subsequently the bootloader is called. The problem is that firmware, bootloader and other components loaded until then are not verified.

In Secure Boot process, after passing the POST test, UEFI firmware is loaded.
UEFI firmware is responsible, during the boot process, for verifying components (UEFI drivers, EFI Shell applications, boot manager, UEFI bootloaders etc.) before they are loaded.

INDEX


Glossary

PK-Platform Key, establishes a trust relationship between the platform owner and the platform firmware.
KEK-Key Exchange Key, establishes a trust relationship between the operating system and the platform firmware.
db-Authorized Signature Database, contains public keys and certificates that represent trusted firmware components and operating system loaders.
dbx-Forbidden Signature Database, contains hashes of malicious and vulnerable components as well as compromised keys and certificates and blocks execution of those malicious components.
GUID-Globally Unique Identifier, a 128-bit number used to identify information in computer systems.
DER-Distinguished Encoding Rules, format containing the X.509 certificate in binary form.
PFX-Personal Information Exchange, signs digitally applications.
PVK-Private Key File, signs digitally applications (similar to PFX format).
ESL-EFI Signature List, certificates’ format KeyTool and/or firmware.
AUTH certificates format with authentication header (i.e. a signed certificate update file) for KeyTool and/or firmware.


What about Linux?

How can I generate my own keys?

In order to generate your own keys, you should install OpenSSLefitools and sbsigntool, if not present:

sudo apt-get install openssl

Make sure that the Secure Boot is disabled:

mokutil --sb-state

Create a GUID for owner identification:

uuidgen --random > GUID.txt

Create a Platform Key with OpenSSL

Open a new terminal and execute the following commands:

openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 365 -subj "/CN=My Platform Key/" -out PK.crt openssl x509 -outform DER -in PK.crt -out PK.cer cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
  • openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 365 -subj "/CN=My Platform Key/" -out PK.crt generates a self-signed certificate. In this particular case the certificate will be valid for 365 days, but typing a proper number under the heading -days, a different period of validity will enter into force. Under the heading -subj "/CN= … /" you can insert the name you prefer. This name will appear in the Certificate Legend section in your BIOS;

  • openssl x509 -outform DER -in PK.crt -out PK.cer changes the PEM format certificate PK.crt into the DER format certificate for firmware PK.cer. This format is the one you should update on your BIOS;

  • cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl changes the PEM format certificate PK.crt into a certificate in EFI Signature List PK.esl;

  • sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth produces an output file with an authentication header for direct update to a secure variable PK.auth. Please note that PK.auth is signed by the private key in PEM format PK.key and the related signing certificate PK.crt.

Create a Key Exchange Key with OpenSSL

Open a new terminal and execute the following commands:

openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 365 -subj "/CN=My Key Exchange Key/" -out KEK.crt openssl x509 -outform DER -in KEK.crt -out KEK.cer cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth

Create an Authorized Signatures Database with OpenSSL

Open a new terminal and execute the following commands:

openssl req -newkey rsa:2048 -nodes -keyout db.key -new -x509 -sha256 -days 365 -subj "/CN=My Signature Database Key/" -out db.crt openssl x509 -outform DER -in db.crt -out db.cer cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth

As mentioned above, the steps to generate the KEK and the db are really close to the ones described for the PK. However, it is necessary to underline that the output file KEK.auth is signed by PK.key, while the output file db.auth is signed by KEK.key.

How can I sign bootloaders?

We strongly recomend copying your bootx64.efi and renaming it bootx64_default.efi, for instance. If something goes wrong during the Secure Boot start up process, you will be able to restore your EFI Shell deleting the old signed bootx64.efi and renaming bootx64_default.efi as bootx64.efi.

Open a new terminal from the folder containing your own keys.

Now it is necessary to open a terminal as super user.

To sign your EFI Shell execute the following commands:

sbsign --key db.key --cert db.crt --output /media/seco/EFISHELL/EFI/Boot/bootx64.efi /media/seco/EFISHELL/EFI/Boot/bootx64.efi sbverify --cert db.crt /media/seco/EFISHELL/EFI/boot/bootx64.efi

The command sbverify allows to control which certificate is related to your XXX.efi.
Likewise, to sign your grubx64.efi execute the following commands:

We strongly recommend you copying your grubx64.efi and renaming it as grubx64_default.efi, for instance. Open a new terminal as super user and type the right directory cd /boot/efi/EFI/ubuntu/. Here execute cp grubx64.efi grubx64_default.efi and then mv grubx64_default.efi home/seco/Desktop/SBLinux.

sbsign --key db.key --cert db.crt --output /boot/efi/EFI/ubuntu/grubx64.efi /boot/efi/EFI/ubuntu/grubx64.efi

How can I update my keys?

There are two possible ways to update the keys you just generated in your BIOS (so to enable Secure Boot):

  1. Enter your BIOS and follow the instructions contained in How can I update my keys on BIOS?

  2. Open a new terminal as super user and execute the following commands:

mokutil --password mokutil --enable-validation

The password you insert here will be needed also in the next steps.

mokutil --import /home/seco/Desktop/SBLinux/PK.cer mokutil --import /home/seco/Desktop/SBLinux/KEK.cer mokutil --import /home/seco/Desktop/SBLinux/db.cer

Rebooting your system, enter your BIOS; under the Security menu, select the Secure Boot option and enable it (Restore Factory Keys is enough)

The MOK Management screen will be displayed before Linux. Now you can confirm the keys you want to enroll through Enroll MOK, as shown in the pictures below.

Continue the boot. Your system will start autonomously.

Now you can verify that Secure Boot is on through:

mokutil --sb-state

How can I sign drivers and update BIOS?

The following example will show you how to update your BIOS.

The Secure Boot must be off. Just once you will have signed and included your module in the appropriate list, the Secure Boot will be enabled as shown in How can I update my keys?.

Create a new folder named Bios_Updater, containing bios_updater_x64.sh (or bios_updater_x32.sh), afulnx_64 (or afulnx_32) and the BIOS you want to update mynewbios.bin. To sign your driver or application, first of all make sure to have all the authorisations. To verify it, open a new terminal and type the following command ls -l *. If a similar message appears

at the moment afulnx_64 will not run because you have to set all executable flag through:

chmod +x *

Alternatively, if it is necessary to set executable flag just for a specific element, type chmod +x element_name as super user.

(gcc), build-essentialmake and libelf-dev must be installed.

Build AFU driver executing the following command:

./afulnx_64 /MAKEDRV

The driver will be generated in the current directory with the name amifldrv_mod.o.
Open a new terminal as super user from the folder containing your generated keys. Sign your amifldrv_mod.o executing the following commands:

usr/src/kernels/$(uname -r)/scripts/sign-file sha256 db.key db.cer /home/seco/Desktop/Bios_updater/amifldrv_mod.o

By typing uname -r you will get to know your Kernel version and include it directly.

The format .cer is the only admitted to sign your module.

Now enable Secure Boot following the instructions in How can I update my keys? or How can I update my keys on BIOS? and reboot the system. Install the signed driver using insmod and verify that font amifldrv_od.o has been loaded through lsmod.

Open a new terminal as super user and execute the following command:

./bios_updater_x64.sh mynewbios.bin

Enter your BIOS and verify if it has been updated.


What about Windows?


How can I generate my own keys?

In order to generate your own keys, you should install Windows SDK, if not present. Windows SDK contains, in particular, makecert.exesigntool.exepvk2pfx.exe and certmgr.exe that will be usefull for our purposes. Using Windows 10, these applications are in the directory C:\Program Files (x86)\Windows Kits\10\bin\....

Please, install Windows 8 SDK from https://developer.microsoft.com/it-it/windows/downloads/sdk-archive . This version has all the applications above mentioned.

Create a new folder containing these applications.
Make sure that the Secure Boot is disabled (your status is Setup mode). Open your Start menu, type System Information and launch it.

Create a Platform Key with makecert

Open a new command prompt as adiministrator from the Secure Boot folder and execute the following command:

makecert.exe -n "CN=My Platform Key" -r -sv PK.pvk PK.cer -a sha256

where:

  • -n "CN=Your Name" gives the name Your name to your certificate;

  • -r generates a self-signed certificate;

  • -sv specifies the PVK file related to the private key;

  • -a specifies the algorithm used (by defult is sha1).

Automatically, new windows will be displayed and you will have to type a password. Subsequently your PK.pvk and PK.cer will be created.

If you want to specify the period of validity of your certificate execute the following command:

  • makecert.exe -n "CN=My Platform Key" -r -sv PK.pvk PK.cer -a sha256 -b 01/01/2020 -e 12/31/2022

where:

  • -b MM/DD/YY describes the beginning of the certificate;

  • -e MM/DD/YY describes the end of the certificate.

Create a Key Exchange Key with makecert

makecert.exe -n "CN=My Key Exchange Key" -iv PK.pvk -ic PK.cer -sv KEK.pvk KEK.cer -a sha256

where:

  • -iv downloads the issuer's PVK private key file;

  • -ic specifies the certificate.

Create an Authorized Signatures Database with makecert

makecert.exe -n "CN=My Signature Database Key" -iv KEK.pvk -ic KEK.cer -sv db.pvk db.cer -a sha256

Transform your db.pvk in PFX format executing the following commands:

pvk2pfx.exe -pvk db.pvk -pi your_password -spc db.cer -pfx db.pfx -f

your_password is the password mentioned above.

Opening your XXX.cer, similar windows will be displayed.

In order to validate these certificates, we use the Certificate Manager Tool certmgr.exe that manages certificates, certificate trust lists(CTLs), and certificate revocation lists (CRLs).
Execute the following commands:

certmgr.exe /add /c PK.cer /s my certmgr.exe /c /add /c PK.cer /s root

Automatically, new windows will be displayed and you will have to accept.

How can I sign bootloaders?

We strongly recomend you copying your bootx64.efi and renaming it as bootx64_default.efi, for instance. If something goes wrong during the Secure Boot start up process, you will be able to restore your EFI Shell deleting the old signed bootx64.efi and renaming bootx64_default.efi as bootx64.efi.

Open a new command prompt as administrator from the folder containing your own keys. To sign your EFI Shell execute the following commands:

signtool.exe sign /ac db.cer /f db.pfx /p your_password /fd SHA256 D:\EFI\Boot\bootx64.efi

How can I update my keys?

Enter your BIOS. From the Security menu select the Secure Boot option.
In the Secure Boot sub-menu select the option Custom under Secure Boot Customization. Then select Key Management. Select Restore DB Defaults. At this stage, under Authorized Signatures two keys will be displayed (selecting Details you will be able to see them): Microsoft Corporation UEFI CA 2011 and Microsoft Windows Production PCA 2011.

The one you need to let Windows start is Microsoft Windows Production PCA 2011. Select Delete option, press No (otherwise you will delete both the keys) and choice Microsoft Corporation UEFI CA 2011. To update the keys just generated in your BIOS (so to enable Secure Boot), enter your BIOS and follow the instructions contained in How can I update my keys on BIOS?

To add the db.cer you have created, you have to select Append, otherwise your db.cer will replace Microsoft Windows Production PCA 2011.

Now you can verify that Secure Boot is on: open a new Windows PowerShell as administrator and execute the following command:

Confirm-SecureBootUEFI

How can I update BIOS?

If you use Windows it is not necessary to sign drivers. However, we will show you how to update your BIOS. Create a new folder named Bios_Updater containing bios_updater_x64.bat (or bios_updater_x32.bat),  AFUWINx64.EXE (or AFUWINx32.EXE) and the BIOS you want to update mynewbios.bin.

Open a new cmd and update your BIOS through the following command:

bios_updater.bat mynewbios.bin

Enter your BIOS and verify if it has been updated.


How can I update my keys on BIOS?

The certificates PK.cer, KEK.cer and db.cer are ready to be included in your BIOS. Add them in your USB keys and reboot the system.
Now enter your BIOS. From the Security menu, select the Secure Boot option.

In the Secure Boot sub-menu select the option Custom under Secure Boot Customization. Then select Key Management.

Add your Platform Key following these instructions:

  • Select Platform Key (PK) and click Update;

  • When a message appears, press No;

  • Select the USB key containing your keys;

  • Select the folder where your keys are;

  • Select the option PK.cer;

  • Select Public Key Certificate;

  • When a message appears, select Yes;

PK has been successfully added.

In the same way, add your KEK.cer and db.cer.

If you want to include just a key, you have to select Update. Otherwise, if you want to add more keys in a section, you have to select Append.

Once you will have added your certificates, your status will change from Setup Mode to User Mode.

Now save the configuration and reboot the system.


Notes

  • To make sure to have exclusive access to your signed BIOS, you have to set your own password. Enter your BIOS. From the Security menu select the Setup Administrator Password option and type your password.

  • dbx with latest revocation certificate list is required to be present in all Windows 10 ready out-of-box systems. Default dbx variable contains latest version of Microsoft revocation package with SHA256 Certifcates with the hashes that have already been revoked.
    So, set default dbx. From Secure Boot sub-menu select Restore Factory Keys, automatically Forbidden Signatures will be updated.

  • OpenSSL exists also for Windows and it can be downloaded here. However, the steps to follow to create your keys with OpenSSL are quite different from the ones presented for Linux in How can I generate my own keys?.

  • If Secure Boot is on with default keys, new Linux distributions are automatically signed with them during their installation (in particular the shimx64.efi file is signed). So both Windows and Linux will start correctly.

  • In How can I generate my own keys? we have created the XXX.auth. It can be updated to your BIOS in place of the XXX.cer, as alreday described in How can I update my keys on BIOS?
    But if you are updating your XXX. auth keys from BIOS you have just to configure them as Authenticated Variable in place of Public Key Certificate.