## page was renamed from SecurityTeam/SecureBoot/KeyCompatibility = SecureBoot in Ubuntu (key compatibility) = ||<>|| Canonical has access to the Microsoft signing PKCS#7 file (PCA 2010) (`cdboot.pkcs`). For maximum compatibility with firmware implementing the UEFI 2.3.1 specification, Canonical should use the same format for its keys, namely PKCS#7 files, RSA2048 keys, SHA256 signatures and the CA and signing certificates/keys should also be setup similarly to Microsoft's. = Analysis = To view the PKCS#7 file from Microsoft (`cdboot.pkcs`), convert to x509 PEM format:{{{ $ openssl pkcs7 -print_certs -inform DER -in ./cdboot.pkcs -out cdboot.pem }}} At this point 'cdboot.pem' has both the signing and the CA certificates in it. While a command like `gcr-viewer` can handle this fine, you'll want to split those out into different files to use with `openssl x509`. Eg (assumes the singing certificate is manually split out into `cdboot_signing.pem` and `cdboot_ca.pem`):{{{ $ openssl x509 -in ./cdboot_signing.pem -serial -noout serial=6108B9A4000000000010 $ openssl x509 -in ./cdboot_signing.pem -sha1 -fingerprint -noout SHA1 Fingerprint=CC:90:08:D2:D4:E8:0E:B9:24:E3:AD:29:CB:08:60:0F:58:57:0C:DC $ openssl x509 -in ./cdboot_signing.pem -subject -noout subject= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Certificate: Data: Version: 3 (0x2) Serial Number: 61:08:b9:a4:00:00:00:00:00:10 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows PCA 2010 Validity Not Before: Mar 14 21:45:50 2011 GMT Not After : Jun 14 21:55:50 2012 GMT Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:d0:3c:0e:f7:c7:47:61:0d:d7:43:1e:1e:24:fe: a5:65:eb:82:39:a8:e0:65:a3:bd:07:a0:63:39:b3: 8f:14:82:27:5e:62:3a:1f:b4:66:43:8c:66:40:31: 28:88:09:c6:f9:13:4e:a8:e3:23:19:eb:d5:fc:3a: 64:a0:98:80:14:86:fa:ae:6b:7b:38:b2:0b:6d:65: 60:c4:ac:71:69:89:ef:06:56:66:ae:df:44:85:0b: f0:03:8e:f4:30:59:f1:76:a5:ae:93:44:85:59:2c: 64:a7:bf:db:0d:c3:b7:92:1a:99:fc:1b:f5:d9:11: a4:44:53:ad:4a:20:85:11:e2:56:ef:c4:bf:9e:05: 15:16:a6:96:59:c5:df:01:81:76:70:c5:c2:81:eb: 24:aa:d2:40:1a:ce:60:81:8a:89:17:5b:6f:e8:b5: ec:a1:1c:4b:6e:e8:24:9b:e0:1b:c1:22:c3:dd:7f: 81:0a:a0:00:11:0b:d0:37:df:6f:b7:47:a5:e0:73: 4b:8c:eb:b7:38:cc:bb:68:3d:ce:20:5f:65:ec:a8: a1:3e:77:84:06:55:1a:e5:ff:0d:36:03:24:c4:17: ec:13:b3:74:c4:e8:55:7b:09:68:6a:06:da:8f:94: 49:39:d9:e3:39:f3:d2:6c:04:24:24:77:e2:0a:00: 16:25 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Extended Key Usage: Code Signing, 1.3.6.1.4.1.311.10.3.6 X509v3 Subject Key Identifier: BA:80:E8:9B:57:CC:A9:F7:2C:9E:37:75:83:C1:4C:F4:0F:3F:8F:B4 X509v3 Authority Key Identifier: keyid:D1:4F:A9:8A:07:08:CE:F4:24:18:98:E5:00:FF:F3:D6:79:1D:37:BC X509v3 CRL Distribution Points: Full Name: URI:http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/certs/MicWinPCA_2010-07-06.crt X509v3 Basic Constraints: critical CA:FALSE X509v3 Subject Alternative Name: DNS:MOPR Signature Algorithm: sha256WithRSAEncryption 34:35:6e:51:66:54:f4:63:3a:6d:8a:53:24:3b:c1:26:14:84: 2f:84:b8:49:e7:fd:b5:15:4e:54:2d:41:06:5c:8b:8b:cb:07: a9:1c:4f:48:f1:ef:ce:73:72:32:09:5b:58:6c:9f:18:a9:0a: 36:be:e8:e5:e8:f0:ad:c8:be:0b:7f:97:ea:d6:bb:b8:5f:df: 61:fc:1e:e5:35:9f:5a:b8:7a:29:eb:fe:39:4e:26:28:d4:0a: 0f:04:27:d7:26:f4:47:22:ea:c5:35:cf:92:bc:d2:b0:24:9e: d8:84:e8:9a:01:c7:07:cb:ed:c0:91:d3:e1:45:d9:0d:72:d4: 86:d1:4f:82:20:4f:44:dd:42:52:a9:6f:7b:04:c4:e4:16:e9: 26:5d:4f:4f:ae:16:74:20:98:ae:6c:17:f9:78:16:00:0e:29: 32:6a:1d:90:10:d0:64:3f:14:2e:e5:51:69:3d:7b:f9:3b:d3: 67:7c:90:63:27:12:70:2c:af:8c:0b:98:73:16:73:95:35:3f: df:44:17:23:e3:98:ed:d3:83:d1:2e:0a:5f:86:08:fd:67:73: 3d:2f:6f:7c:5f:7f:93:eb:45:a7:57:ab:89:91:29:4a:2c:28: b5:46:5b:96:dd:b2:54:a9:f9:fc:25:b5:63:04:d1:bf:de:6c: 06:42:c2:47 }}} and `cdboot_ca.pem`:{{{ $ openssl x509 -in ./cdboot_ca.pem -serial -noout serial=610C6A19000000000004 $ openssl x509 -in ./cdboot_ca.pem -sha1 -fingerprint -noout SHA1 Fingerprint=C0:13:86:A9:07:49:64:04:F2:76:C3:C1:85:3A:BF:4A:52:74:AF:88 $ openssl x509 -in ./cdboot_ca.pem -subject -noout subject= /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows PCA 2010 openssl x509 -in ./cdboot_ca.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 61:0c:6a:19:00:00:00:00:00:04 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010 Validity Not Before: Jul 6 20:40:23 2010 GMT Not After : Jul 6 20:50:23 2025 GMT Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows PCA 2010 Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c0:79:bb:3a:b1:f0:0f:84:b8:ad:64:2a:75:16: 73:d0:bb:07:f6:3e:0d:9d:14:e4:b1:9f:c1:c8:94: b0:38:7c:1f:d0:33:55:f5:ba:23:66:f5:2e:28:48: 53:c7:16:83:ba:f5:51:ac:7e:ac:e0:26:7f:0f:74: fc:59:95:dc:c9:c6:a2:f7:52:70:5a:2c:1d:94:ab: 19:bf:af:95:7d:af:66:a1:6f:9b:62:6e:6d:4b:bc: 2f:35:6c:de:a4:6a:63:5a:5f:fb:f3:0d:4d:61:cc: 0a:7e:31:eb:6c:0a:d0:4d:97:0f:fd:7f:38:46:e6: 8a:c7:73:69:76:55:69:96:4c:e4:d8:f0:34:eb:ba: b1:1f:ce:29:7e:c4:4f:9d:13:15:ab:13:1b:72:58: 62:56:6c:8a:81:a3:64:77:98:46:65:29:9d:83:14: a5:4c:08:a0:83:d7:23:1f:f3:5f:df:6f:2c:cf:da: 16:d8:0e:72:04:28:d8:6b:3e:f8:13:b1:7c:a2:17: 79:4f:7e:dc:3a:e4:9d:70:27:6b:bf:db:fc:1e:c7: 07:d8:c0:be:0b:93:1e:28:e0:73:6d:d2:54:e9:28: 4c:bf:6b:5d:9f:ff:5d:33:12:37:95:25:61:34:6a: 42:cb:7c:9d:3a:bb:88:59:e1:a3:42:6d:3a:50:5b: 48:d1 Exponent: 65537 (0x10001) X509v3 extensions: 1.3.6.1.4.1.311.21.1: ... X509v3 Subject Key Identifier: D1:4F:A9:8A:07:08:CE:F4:24:18:98:E5:00:FF:F3:D6:79:1D:37:BC 1.3.6.1.4.1.311.20.2: . .S.u.b.C.A X509v3 Key Usage: Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Authority Key Identifier: keyid:D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4 X509v3 CRL Distribution Points: Full Name: URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.311.46.3 CPS: http://www.microsoft.com/PKI/docs/CPS/default.htm User Notice: Explicit Text: Signature Algorithm: sha256WithRSAEncryption 2e:41:a6:86:b5:06:6f:f0:80:85:fa:3b:ca:17:e9:c9:fa:e4: 39:c2:94:70:c3:64:94:c3:d8:56:a6:90:8e:fe:e4:9a:f4:6d: f5:6f:8e:53:8d:5a:a8:f3:ae:db:46:6c:be:7f:1d:54:56:1b: 3c:1d:71:c4:51:15:54:7e:bf:ee:a5:95:42:33:fd:0d:90:24: 24:e3:f9:dc:96:ca:fc:b8:ac:bf:f4:c2:39:56:b8:bb:ed:73: b3:17:dd:7e:86:50:23:8b:56:24:ca:bb:a6:1d:9a:87:2f:27: 85:e7:a1:b6:0a:9c:0d:1b:8c:f3:00:62:41:ba:48:74:87:82: fd:50:c9:f4:87:29:c3:03:aa:2b:df:1a:29:79:e8:12:24:9a: 86:ed:d0:2e:d3:40:81:f5:07:5f:33:06:54:5d:40:b5:f7:b1: 62:fd:4d:48:f7:6e:41:47:52:1c:bb:1b:c2:57:3a:a8:99:56: 93:d4:c6:de:26:a8:60:75:86:bb:ec:62:a6:f0:1d:04:45:df: 3e:a7:84:d1:5b:44:23:63:25:36:77:6f:ae:5b:dc:22:d5:14: 23:6a:41:7f:d0:42:a6:db:ef:25:7b:04:e3:d2:96:37:62:06: af:f8:1b:0f:8e:b3:39:9a:bb:89:f5:35:06:e5:a4:5b:c3:8c: 9e:37:5f:53:d1:a3:37:fd:a4:4f:e8:1b:0e:6b:76:e4:b8:8f: b0:c2:ea:fd:75:f7:2c:41:b7:9c:a3:e1:1e:05:fe:97:92:cb: 7f:59:03:6d:a8:4e:8d:4e:80:17:d4:d5:72:f6:56:e4:48:9f: a3:23:ba:06:a0:c0:8e:d1:88:4f:93:20:f2:70:5f:d8:6b:72: a3:20:49:fc:77:0c:5d:c5:c7:e1:02:0f:38:42:10:0e:db:02: ae:9a:37:1d:50:80:29:1e:a4:a7:d9:c6:9a:25:55:fd:40:ca: ad:64:10:e8:31:f9:12:54:79:1a:f2:0e:d8:d6:ab:1e:33:fe: 02:e7:26:6d:61:49:8f:f1:25:c2:8b:74:99:df:f9:93:1a:90: 1c:ee:dd:94:33:0e:42:50:db:7f:50:f8:9f:62:82:ec:a6:82: 16:7c:66:bc:ec:99:b0:c1:58:5d:a8:b0:9a:61:14:91:d1:99: 2f:49:e4:3e:81:99:d6:e6:ef:ca:e3:fd:3e:ee:ec:09:86:03: 07:0d:1b:0d:7c:eb:f4:5a:c9:95:cf:87:12:0a:5d:ec:c5:02: 92:cd:05:99:72:ca:7d:f1:2a:10:18:38:e4:31:a3:28:b4:e6: 4c:c5:52:a3:9c:6a:c7:7d:c0:71:09:04:0d:70:de:02:3f:87: ee:56:a1:ec:eb:b5:4c:85 }}} '''NOTE''': this is the CA that Microsoft explicitly said should *not* be included in KEK and db (see System.Fundamentals.Firmware.UEFISecureBoot, point 2 on page 113-114 of the Windows 8 logo requirements). The 'Subject Alternative Name' is optional and not required (it is also not listed in the Windows 8 logo requirements or the UEFI 2.3.1 specification). 'Authority Information Access' gives information relating to the CA (not required by Windows 8 logo requirements or the UEFI 2.3.1 specification). The certificate revocation list (CRL) can be used to point people to a list of our revoked certificates (not required by Windows 8 logo requirements or the UEFI 2.3.1 specification). Since UEFI firmware will presumably not be making calls over the internet to fetch the CRL, this can be considered optional. If needed, we could also provide a public URL for our CRL for each certificate by using (see 'man x509v3_config'):{{{ crlDistributionPoints=URI:http://www.canonical.com/.../example.crl }}} 1.3.6.1.4.1.311.21.1 is the Microsoft !CertSrv Infrastructurer (szOID_CERTSRV_CA_VERSION, see http://support.microsoft.com/kb/287547). This seems Microsoft-specific and is not related to anything in the UEFI 2.3.1 specification. 1.3.6.1.4.1.311.20.2 is the Microsoft Enrollment Infrastructure (szOID_ENROLL_CERTTYPE_EXTENSION, see http://support.microsoft.com/kb/287547). This seems Microsoft-specific and is not relat ed to anything in the UEFI 2.3.1 specification. Certificate Policies can be used to point people to Canonical's certificate policies. If desired, could use something like this to the '[ v3_ca ]' section (see 'man x509v3_config'):{{{ certificatePolicies=ia5org,@polsect [polsect] # Specify an actual Canonical oid here. Commenting this out results in 'Policy: # itu-t' which refers to http://www.itu.int/net/ITU-T/info/Default.aspx #policyIdentifier = 1.3.5.8 CPS.1=http://www.canonical.com/.../cps.html userNotice.1=@notice [notice] explicitText= }}} == Microsoft Chain of Trust == Microsoft's trust chain (for `cdboot.pem`) is as follows: * CN=Microsoft Windows (sha1: CC 90 08 D2 D4 E8 0E B9 24 E3 AD 29 CB 08 60 0F 58 57 0C DC) is issued/signed by: * CN=Microsoft Windows PCA 2010 (sha1: C0 13 86 A9 07 49 64 04 F2 76 C3 C1 85 3A BF 4A 52 74 AF 88) is issued/signed by: * CN=Microsoft Root Certificate Authority 2010 (sha1: 3B 1E FD 3A 66 EA 28 B1 66 97 39 47 03 A7 2C A3 40 A0 5B D5, obtained from the URI given in the CA Issuers of the CN=Microsoft Windows PCA 2010 certificate) is self-signed (the root of trust) It is believed that the intermediary CA will be in KEK and db based on the Windows 8 logo requirements (see discussion in canonical-uefi@lists.canonical.com) == Master certificate == The Microsoft signing PKCS#7 file we had access to (PCA 2010) also had the following in their master key: * 1.3.6.1.4.1.311.21.1 (see above) * 1.3.6.1.4.1.311.20.2 (see above) * X509v3 CRL Distribution Points (see above) * Full Name: URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl * Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt * Certificate Policies (see above). Microsoft's CPS entry is actually a dead link, but might point to http://www.microsoft.com/pki/rms/cps/: {{{ Policy: 1.3.6.1.4.1.311.46.3 CPS: http://www.microsoft.com/PKI/docs/CPS/default.htm User Notice: Explicit Text: }}} While optional, it might be desirable to provide a public URL to our master certificate (ie, the issuer of this certificate, which since it is self-signed, is the pem file for this certificate. NOTE: may want to use DER encoding to match Microsoft) by using (see 'man x509v3_config'):{{{ authorityInfoAccess = caIssuers;URI:http://www.canonical.com/.../master-public.pem }}} == Signing certificate == The Microsoft signing PKCS#7 file we had access to (PCA 2010) also had the following in their signing key: * X509v3 Subject Alternative Name: DNS:MOPR * X509v3 CRL Distribution Points * Full Name: URI:http://crl.microsoft.com/pki/crl/products/MicWinPCA_2010-07-06.crl * Authority Information Access: CA Issuers - URI:http://www.microsoft.com/pki/certs/MicWinPCA_2010-07-06.crt And did not have the following: * Netscape Comment: OpenSSL Generated Certificate While optional, it might be desirable to provide a public URL to our master certificate (ie, the issuer of this certificate. NOTE: may want to use DER encoding to match Microsoft) by using (see 'man x509v3_config'):{{{ authorityInfoAccess = caIssuers;URI:http://www.canonical.com/.../master-public.pem }}}