out /boot/efi/EFI/Grub/grubx64_signed.efi

As shown above, be careful to NOT sign in place with osslsigncode.

osslsigncode sign -cert db.crt -key db.key \

exe files, so you're not required to use sbsign specifically – you can use alternative tools such as osslsigncode or even the Windows signtool.exe. Note that Secure Boot uses exactly the same "Authenticode" format for signing.

Possible cause: Older versions of sbsign did not correctly recalculate the PE/COFF header checksum, which causes some firmwares to reject the resulting file.

and finally:
# sbverify -cert db.crt /boot/efi/EFI/Grub/grubx64.efi

and:
# sbverify -list /boot/efi/EFI/Grub/grubx64.efi

then:
# sbsign -key db.key -cert db.crt \

Signing the image(s) looks like this:
# sbverify -list /boot/efi/EFI/Grub/grubx64.efi

So based on this behavior, the current configuration (efi-readvars output above) which Secure Boots Windows successfully, and other things that I've noticed but cannot recall, I think that my Secure Boot variables should be set properly.

All of my trial and error was the motivation for my previous question about removing attached signatures, because I didn't want to keep stacking signatures on images every time I created new keys or (re)signed an image.

I have tried this several different ways. If I disable Secure Boot, Windows Boot Manager is again available. Interestingly enough, Windows Boot Manager will be absent from the boot menu, yet my "invalid" choices (KeyTool, Grub) are still present. For instance, if I don't install Microsoft's keys, I can't boot Windows with Secure Boot enabled. I've also done some other testing and verification. I have verified that this configuration persists, and that this successfully boots Windows with Secure Boot enabled.
Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root

Here's an example of the Secure Boot variables after (what I believe is) a successful installation:
# efi-readvar

The result is always the same, failure to boot an image signed with my keys. As well as the different tools to install the keys, such as KeyTool, efi-updatevar, and my BIOS's key management interface. I've made several attempts at this, using the various commands and arguments from the mentioned sites.

The result is a red, curses-style box with the text:

In short, my problem is that after installing my keys, images that I sign fail to boot. The first two apply to my situation better, because I wish to keep the Microsoft signatures installed, but Rod Smith's site is a wealth of information.

This system is a Dell XPS 8700 (circa 2015) with an American Megatrends firmware/BIOS, plus a few standard hardware upgrades.

AMI-specific features like NCBs, ROM_AREA structure and other things like that can't be implemented by me because of the NDA I have.

I've been trying to configure UEFI Secure Boot to use my own keys for a dual boot (Windows 10 + Linux) system.

If someone wants to write an unpacker for such crappy files - I will be glad to use it.
The program is meant to work with BIOS images, not some vendor-specific BIOS update files, which is why some of those update files either can't be opened at all or return errors on reconstruction.

It's on my high priority features list, so I hope it will be corrected soon. Some images may not work after modification because of no FIT table support implemented yet.

Some images have a non-standard calculation of the base address of TE images, so the program can rebase them incorrectly after modifications.

Don't rush it, because the reconstruction process can also generate some useful messages, which will be lost if you open the reconstructed file immediately. If anything goes wrong during the reconstruction, an error will pop up; otherwise the program will ask whether you want to open the reconstructed file. After you've finished the modifications, you need to initiate image reconstruction using the Save image file command from the File menu.