KeyGeneration

SecureBoot in Ubuntu (Canonical key generation)

Introduction

Canonical has access to the Microsoft signing PKCS#7 file (PCA 2010) (cdboot.pkcs) and its characteristics are being mimicked during key generation.

Initial setup

  1. Install the necessary packages (example assumes 1.0.1-2ubuntu2 on Ubuntu 12.04):

    $ sudo apt-get install openssl
  2. Create the Certificate Authority directory and defaults:

    $ mkdir -m 0700 private              # location of private keys
    $ mkdir SecureBootCA
    $ mkdir SecureBootCA/newcerts SecureBootCA/crl
    $ touch SecureBootCA/index.txt
    $ echo "01" > SecureBootCA/serial
    $ echo "01" > SecureBootCA/crlnumber
  3. Create the ./SecureBootCA/openssl.cnf to have (adjust crlDistributionPoints accordingly if 'http://www.canonical.com/secure-boot-master-ca.crl' is not the URL we want to use for the CRL (and adjust this page)):

    #
    # OpenSSL configuration file for supporting Secure Boot for Canonical Ltd.
    # Please see /usr/lib/ssl/openssl.cnf, 'man x509v3_config', 'man ca' and
    # 'man req' for details.
    #
    
    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME                    = .
    RANDFILE                = $ENV::HOME/.rnd
    
    # Extra OBJECT IDENTIFIER info:
    oid_section             = new_oids
    
    [ new_oids ]
    # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    
    
    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section
    
    ####################################################################
    [ CA_default ]
    
    dir             = ./SecureBootCA        # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several ctificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.
    
    certificate     = $dir/cacert.pem       # The CA certificate
    serial          = $dir/serial           # The current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem # The private key
    RANDFILE        = $dir/private/.rand    # private random number file
    
    x509_extensions = usr_cert              # The extentions to add to the cert
    
    # Comment out the following two lines for the "traditional"
    # (and highly broken) format.
    name_opt        = ca_default            # Subject Name options
    cert_opt        = ca_default            # Certificate field options
    
    # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
    # so this is commented out by default to leave a V1 CRL.
    # crlnumber must also be commented out to leave a V1 CRL.
    # crl_extensions        = crl_ext
    
    default_days    = 10956                 # how long to certify for (30 years)
    default_crl_days= 90                    # how long before next CRL
    default_md      = default               # use public key default MD
    preserve        = no                    # keep passed DN ordering
    
    # A few difference way of specifying how similar the request should look
    # For type CA, the listed attributes must be the same, and the optional
    # and supplied fields are just that :-)
    policy          = policy_match
    
    # For the CA policy
    [ policy_match ]
    countryName             = match
    stateOrProvinceName     = match
    organizationName        = match
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    # For the 'anything' policy
    # At this point in time, you must list all acceptable 'object'
    # types.
    [ policy_anything ]
    countryName             = optional
    stateOrProvinceName     = optional
    localityName            = optional
    organizationName        = optional
    organizationalUnitName  = optional
    commonName              = supplied
    emailAddress            = optional
    
    ####################################################################
    
    
    [ req ]
    default_bits            = 2048
    default_keyfile         = privkey.pem
    distinguished_name      = req_distinguished_name
    attributes              = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert
    
    # This sets a mask for permitted string types. There are several options.
    # default: PrintableString, T61String, BMPString.
    # pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
    # utf8only: only UTF8Strings (PKIX recommendation after 2004).
    # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
    # MASK:XXXX a literal mask value.
    # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
    string_mask = utf8only
    
    # req_extensions = v3_req # The extensions to add to a certificate request
    
    
    [ req_distinguished_name ]
    countryName                     = Country Name (2 letter code)
    countryName_default             = GB
    countryName_min                 = 2
    countryName_max                 = 2
    
    stateOrProvinceName             = State or Province Name (full name)
    stateOrProvinceName_default     = Isle of Man
    
    localityName                    = Locality Name (eg, city)
    localityName_default            = Douglas
    
    0.organizationName              = Organization Name (eg, company)
    0.organizationName_default      = Canonical Ltd.
    
    organizationalUnitName          = Organizational Unit Name (eg, section)
    #organizationalUnitName_default  = Secure Boot
    
    commonName                      = Common Name (e.g. server FQDN or YOUR name)
    commonName_max                  = 64
    
    emailAddress                    = Email Address
    emailAddress_max                = 64
    
    # SET-ex3                       = SET extension number 3
    
    
    [ req_attributes ]
    challengePassword               = A challenge password
    challengePassword_min           = 4
    challengePassword_max           = 20
    
    unstructuredName                = An optional company name
    
    
    [ usr_cert ]
    # These extensions are added when 'ca' signs a request.
    
    # This goes against PKIX guidelines but some CAs do it and some software
    # requires this to avoid interpreting an end user certificate as a CA.
    
    basicConstraints=critical,CA:FALSE
    
    extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
    
    # This will be displayed in Netscape's comment listbox.
    nsComment                       = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    [ v3_req ]
    
    # Extensions to add to a certificate request
    
    basicConstraints = critical,CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    
    [ v3_ca ]
    
    # Extensions for a typical CA
    
    
    # PKIX recommendation.
    
    subjectKeyIdentifier=hash
    
    authorityKeyIdentifier=keyid:always,issuer
    
    basicConstraints = critical,CA:true
    
    keyUsage = digitalSignature, cRLSign, keyCertSign
    
    # Include email address in subject alt name: another PKIX recommendation
    # subjectAltName=email:copy
    # Copy issuer details
    # issuerAltName=issuer:copy
    
    # DER hex encoding of an extension: beware experts only!
    # obj=DER:02:03
    # Where 'obj' is a standard or added object
    # You can even override a supported extension:
    # basicConstraints= critical, DER:30:03:01:01:FF
    
    crlDistributionPoints=URI:http://www.canonical.com/secure-boot-master-ca.crl
    
    [ crl_ext ]
    
    # CRL extensions.
    # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
    
    # issuerAltName=issuer:copy
    authorityKeyIdentifier=keyid:always
    
    
    [ proxy_cert_ext ]
    # These extensions should be added when creating a proxy certificate
    
    basicConstraints=critical,CA:FALSE
    
    # This will be displayed in Netscape's comment listbox.
    nsComment                       = "OpenSSL Generated Certificate"
    
    # PKIX recommendations harmless if included in all certificates.
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    # This stuff is for subjectAltName and issuerAltname.
    # Import the email address.
    # subjectAltName=email:copy
    # An alternative to produce certificates that aren't
    # deprecated according to PKIX.
    # subjectAltName=email:move
    
    # Copy subject details
    # issuerAltName=issuer:copy
    
    #nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
    #nsBaseUrl
    #nsRevocationUrl
    #nsRenewalUrl
    #nsCaPolicyUrl
    #nsSslServerName
    
    # This really needs to be in place for it to be a proxy certificate.
    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

Master certificate/key

Private

The master private key should not be encrypted, since we are dividing the key into 7 shards (specify '-aes256' to require the key be aes256 encrypted (requires password)).

  1. Create the private key:

    $ openssl genrsa -out ./private/master-private.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................+++
    ...................+++
    e is 65537 (0x10001)
  2. Check the private key:

    $ openssl rsa -in ./private/master-private.key -check -noout
    RSA key ok
  3. [optional] Create a hash of the key:

    $ openssl sha256 -out ./private/master-private.key.sha256 ./private/master-private.key

Public

Default values for certificates come from the 'req_distinguished_name' of SecureBootCA/openssl.conf. All fields except 'Common Name (CN)' (and email, which can be left blank) should match in all certificates in the certificate chain.

  1. Create self-signed master certificate good for 30 years (openssl does not permit creating a certificate without an expiration date. This is set to the arbitrarily high 30 years as this should outlive the reasonable lifetime of a system with secure boot without updating its db with an updated certificate from Canonical):

    $ openssl req -x509 -config ./SecureBootCA/openssl.cnf -days 10956 -sha256 -new -key ./private/master-private.key -out master-public.pem
    Country Name (2 letter code) [GB]:<use default>
    State or Province Name (full name) [Isle of Man]:<use default>
    Locality Name (eg, city) [Douglas]:<use default>
    Organization Name (eg, company) [Canonical Ltd.]:<use default>
    Organizational Unit Name (eg, section) []:<leave blank>
    Common Name (e.g. server FQDN or YOUR name) []:Canonical Ltd. Master Certificate Authority
    Email Address []:<leave blank>
  2. Verify the certificate output for correctness (output is for example purposes):

    $ openssl x509 -in master-public.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 18395472014686033076 (0xff49d8557f0014b4)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
            Validity
                Not Before: Mar 28 20:03:15 2012 GMT
                Not After : Mar 27 20:03:15 2042 GMT
            Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:cb:c6:46:eb:7d:20:02:be:17:08:27:b6:50:a7:
                        2e:44:46:1e:ab:e5:53:38:b1:3f:ff:0c:7e:6d:2f:
                        ad:71:f3:cc:14:05:7d:e2:c0:79:5d:07:e2:b3:21:
                        18:2b:52:ab:07:30:3a:9a:29:26:9a:51:5d:04:0c:
                        68:b5:cb:92:e6:57:ac:a3:fe:20:b7:3b:e9:f3:37:
                        03:73:90:c0:0b:a6:2e:0d:cf:66:8a:ed:16:5d:9e:
                        7b:76:ba:53:00:4d:b0:da:af:23:f4:5f:97:ba:65:
                        0b:2c:0f:ff:ae:6b:42:18:4b:05:51:51:1c:ab:e1:
                        73:40:f7:6c:15:47:86:91:35:06:47:6f:49:dc:25:
                        af:6c:96:df:33:bb:49:7a:c5:3e:97:0b:6d:6e:bf:
                        95:2f:12:25:aa:86:26:ae:44:26:b5:dc:ce:e1:6b:
                        5d:b6:28:a4:23:d2:b5:55:ce:d7:b7:94:8d:80:76:
                        88:86:11:7f:90:42:c9:1b:c2:00:5a:27:47:1b:92:
                        95:ec:17:ac:1f:d0:d0:e8:0b:b7:8f:f8:dd:0d:3c:
                        79:08:9c:88:18:95:fb:ef:cc:f9:6c:87:31:e3:3f:
                        76:51:cc:2f:9f:7e:93:9d:3f:f4:6b:6a:ca:01:7c:
                        09:29:fb:c5:15:98:b5:b7:5e:76:bc:df:e2:42:23:
                        4e:11
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F
                X509v3 Authority Key Identifier: 
                    keyid:7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F
    
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: 
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 CRL Distribution Points: 
    
                    Full Name:
                      URI:http://www.canonical.com/secure-boot-master-ca.crl
    
        Signature Algorithm: sha256WithRSAEncryption
             b1:7f:36:33:d1:2a:d5:76:cb:9a:ac:b9:9f:8b:0f:8f:8b:1c:
             1e:8a:81:e4:75:f5:8b:88:c0:17:62:0d:31:33:9e:d1:2a:28:
             ff:91:f2:5e:40:61:61:5b:f9:c2:d7:36:75:26:df:9c:c5:67:
             11:29:5d:5c:3b:aa:07:e4:e1:75:be:cd:04:04:b0:f7:0d:ed:
             4d:7c:e2:b7:67:05:31:88:0d:69:a4:84:63:dd:10:62:57:6e:
             ca:27:54:e9:c9:c7:b3:18:21:8f:71:7d:69:dd:4d:d2:36:e5:
             14:fb:f8:7d:c6:3b:44:2f:c6:06:76:8d:81:8a:93:39:b2:49:
             91:9f:d8:e1:1c:0e:f8:f4:d2:b0:4a:b5:a7:e6:b0:3a:38:30:
             57:94:58:ee:15:f9:8e:1d:20:85:02:12:a0:ac:c5:a2:ab:2b:
             21:45:c4:27:83:60:c8:83:e0:b7:b5:92:c8:f9:8f:db:03:7a:
             77:f6:5b:76:03:86:f6:24:53:6a:5c:8e:09:dd:d8:f5:b6:8f:
             7f:07:2c:d7:b0:f2:d8:61:07:0e:74:28:f7:57:ed:00:ec:3f:
             05:31:ea:e5:6d:ad:a4:1a:48:a0:92:c7:d0:7d:51:e8:56:25:
             9d:28:b5:6f:ac:9c:64:97:ae:a8:a6:30:8d:f9:4a:fa:e2:40:
             f9:63:66:63
  3. Verify the master certificate is signed with its private key:

    $ openssl verify ./master-public.pem
    ./master-public.pem: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
    error 18 at 0 depth lookup:self signed certificate
    OK
  4. Export the master public key:

    $ openssl x509 -pubkey -in ./master-public.pem -noout > ./master-public.pubkey
  5. Verify the master public key (modulus should match the modulus from master-public.pem):

    $ openssl rsa -pubin -in ./master-public.pubkey -text -noout
    Public-Key: (2048 bit)
    Modulus:
        00:cb:c6:46:eb:7d:20:02:be:17:08:27:b6:50:a7:
        2e:44:46:1e:ab:e5:53:38:b1:3f:ff:0c:7e:6d:2f:
        ad:71:f3:cc:14:05:7d:e2:c0:79:5d:07:e2:b3:21:
        18:2b:52:ab:07:30:3a:9a:29:26:9a:51:5d:04:0c:
        68:b5:cb:92:e6:57:ac:a3:fe:20:b7:3b:e9:f3:37:
        03:73:90:c0:0b:a6:2e:0d:cf:66:8a:ed:16:5d:9e:
        7b:76:ba:53:00:4d:b0:da:af:23:f4:5f:97:ba:65:
        0b:2c:0f:ff:ae:6b:42:18:4b:05:51:51:1c:ab:e1:
        73:40:f7:6c:15:47:86:91:35:06:47:6f:49:dc:25:
        af:6c:96:df:33:bb:49:7a:c5:3e:97:0b:6d:6e:bf:
        95:2f:12:25:aa:86:26:ae:44:26:b5:dc:ce:e1:6b:
        5d:b6:28:a4:23:d2:b5:55:ce:d7:b7:94:8d:80:76:
        88:86:11:7f:90:42:c9:1b:c2:00:5a:27:47:1b:92:
        95:ec:17:ac:1f:d0:d0:e8:0b:b7:8f:f8:dd:0d:3c:
        79:08:9c:88:18:95:fb:ef:cc:f9:6c:87:31:e3:3f:
        76:51:cc:2f:9f:7e:93:9d:3f:f4:6b:6a:ca:01:7c:
        09:29:fb:c5:15:98:b5:b7:5e:76:bc:df:e2:42:23:
        4e:11
    Exponent: 65537 (0x10001)

CRL

  1. Generate the (currently empty) CRL list for this CA:

    $ openssl ca -md sha256 -cert ./master-public.pem -keyfile ./private/master-private.key -config ./SecureBootCA/openssl.cnf -gencrl -out ./SecureBootCA/crl/secure-boot-master-ca.crl.pem
    Using configuration from ./SecureBootCA/openssl.cnf
  2. Verify the CRL:

    $ openssl crl -text -in ./SecureBootCA/crl/secure-boot-master-ca.crl.pem
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority 2012
            Last Update: Mar 28 22:21:05 2012 GMT
            Next Update: Jun 26 22:21:05 2012 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    1
    No Revoked Certificates.
        Signature Algorithm: sha256WithRSAEncryption
             48:fb:de:6a:27:70:0b:83:88:79:d4:90:18:04:99:12:e5:b9:
             59:20:32:2b:37:8e:a5:e2:dc:27:90:0d:2c:40:47:3a:5e:2c:
             c6:63:d1:de:e1:61:0a:6b:9c:d3:1d:02:90:ee:63:ec:73:4c:
             36:a9:e6:19:8b:3d:24:25:4a:0b:d2:07:83:3c:78:d0:8d:33:
             78:92:33:2d:da:6d:38:73:88:52:16:ea:d9:13:dc:62:02:cd:
             0f:fa:13:03:da:93:4d:c2:a7:23:f0:2a:e5:6e:e6:2d:35:c8:
             42:0f:e7:50:ee:08:2a:d5:33:e6:ed:e4:fd:f6:c6:76:4e:07:
             53:51:4a:f2:5d:bb:a2:a5:28:41:2f:75:ef:7f:ad:c9:78:37:
             e4:2f:3a:47:22:f2:3a:0a:c5:6e:c2:10:d6:86:7c:28:ae:23:
             f3:ed:84:ba:be:dc:1d:58:3d:c2:a0:e9:7f:48:d8:75:3f:4b:
             00:05:02:a9:a5:7c:23:50:ec:03:44:ad:22:fd:ef:e9:22:53:
             6f:a8:a7:f8:fb:bc:5b:7e:67:73:bf:fb:96:32:63:8c:25:a9:
             56:5c:52:3f:95:a6:1c:fa:fb:d8:0b:59:2d:e6:83:17:db:84:
             29:16:1b:6b:6c:7c:0e:c4:32:75:85:b7:57:b0:fb:e7:86:af:
             3e:4c:b8:dd
    -----BEGIN X509 CRL-----
    MIIB4zCBzAIBATANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCR0IxFDASBgNV
    BAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQKDA5DYW5v
    bmljYWwgTHRkLjE5MDcGA1UEAwwwQ2Fub25pY2FsIEx0ZC4gTWFzdGVyIENlcnRp
    ZmljYXRlIEF1dGhvcml0eSAyMDEyFw0xMjAzMjgyMjIxMDVaFw0xMjA2MjYyMjIx
    MDVaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEASPveaidwC4OI
    edSQGASZEuW5WSAyKzeOpeLcJ5ANLEBHOl4sxmPR3uFhCmuc0x0CkO5j7HNMNqnm
    GYs9JCVKC9IHgzx40I0zeJIzLdptOHOIUhbq2RPcYgLND/oTA9qTTcKnI/Aq5W7m
    LTXIQg/nUO4IKtUz5u3k/fbGdk4HU1FK8l27oqUoQS9173+tyXg35C86RyLyOgrF
    bsIQ1oZ8KK4j8+2Eur7cHVg9wqDpf0jYdT9LAAUCqaV8I1DsA0StIv3v6SJTb6in
    +Pu8W35nc7/7ljJjjCWpVlxSP5WmHPr72AtZLeaDF9uEKRYba2x8DsQydYW3V7D7
    54avPky43Q==
    -----END X509 CRL-----
  3. Convert to DER format:

    $ openssl crl -in ./SecureBootCA/crl/secure-boot-master-ca.crl.pem -outform DER -out ./SecureBootCA/crl/secure-boot-master-ca.crl
  4. Verify the DER-encoded CRL:

    $ openssl crl -text -inform DER -in ./SecureBootCA/crl/secure-boot-master-ca.crl 
    Certificate Revocation List (CRL):
            Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority 2012
            Last Update: Mar 28 22:21:05 2012 GMT
            Next Update: Jun 26 22:21:05 2012 GMT
            CRL extensions:
                X509v3 CRL Number: 
                    1
    No Revoked Certificates.
        Signature Algorithm: sha256WithRSAEncryption
             48:fb:de:6a:27:70:0b:83:88:79:d4:90:18:04:99:12:e5:b9:
             59:20:32:2b:37:8e:a5:e2:dc:27:90:0d:2c:40:47:3a:5e:2c:
             c6:63:d1:de:e1:61:0a:6b:9c:d3:1d:02:90:ee:63:ec:73:4c:
             36:a9:e6:19:8b:3d:24:25:4a:0b:d2:07:83:3c:78:d0:8d:33:
             78:92:33:2d:da:6d:38:73:88:52:16:ea:d9:13:dc:62:02:cd:
             0f:fa:13:03:da:93:4d:c2:a7:23:f0:2a:e5:6e:e6:2d:35:c8:
             42:0f:e7:50:ee:08:2a:d5:33:e6:ed:e4:fd:f6:c6:76:4e:07:
             53:51:4a:f2:5d:bb:a2:a5:28:41:2f:75:ef:7f:ad:c9:78:37:
             e4:2f:3a:47:22:f2:3a:0a:c5:6e:c2:10:d6:86:7c:28:ae:23:
             f3:ed:84:ba:be:dc:1d:58:3d:c2:a0:e9:7f:48:d8:75:3f:4b:
             00:05:02:a9:a5:7c:23:50:ec:03:44:ad:22:fd:ef:e9:22:53:
             6f:a8:a7:f8:fb:bc:5b:7e:67:73:bf:fb:96:32:63:8c:25:a9:
             56:5c:52:3f:95:a6:1c:fa:fb:d8:0b:59:2d:e6:83:17:db:84:
             29:16:1b:6b:6c:7c:0e:c4:32:75:85:b7:57:b0:fb:e7:86:af:
             3e:4c:b8:dd
    -----BEGIN X509 CRL-----
    MIIB4zCBzAIBATANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCR0IxFDASBgNV
    BAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQKDA5DYW5v
    bmljYWwgTHRkLjE5MDcGA1UEAwwwQ2Fub25pY2FsIEx0ZC4gTWFzdGVyIENlcnRp
    ZmljYXRlIEF1dGhvcml0eSAyMDEyFw0xMjAzMjgyMjIxMDVaFw0xMjA2MjYyMjIx
    MDVaoA4wDDAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEASPveaidwC4OI
    edSQGASZEuW5WSAyKzeOpeLcJ5ANLEBHOl4sxmPR3uFhCmuc0x0CkO5j7HNMNqnm
    GYs9JCVKC9IHgzx40I0zeJIzLdptOHOIUhbq2RPcYgLND/oTA9qTTcKnI/Aq5W7m
    LTXIQg/nUO4IKtUz5u3k/fbGdk4HU1FK8l27oqUoQS9173+tyXg35C86RyLyOgrF
    bsIQ1oZ8KK4j8+2Eur7cHVg9wqDpf0jYdT9LAAUCqaV8I1DsA0StIv3v6SJTb6in
    +Pu8W35nc7/7ljJjjCWpVlxSP5WmHPr72AtZLeaDF9uEKRYba2x8DsQydYW3V7D7
    54avPky43Q==
    -----END X509 CRL-----
  5. This file should now be installed in the URI specified in crlDistributionPoints.

Signing certificate/key

The procedure documents the process for generating the Ubuntu secure boot signing key. This certificate/key pair is used by Launchpad to sign secure boot images (eg, the bootloader).

Private

The signing private key should not be encrypted (no password):

  1. Create the private key:

    $ openssl genrsa -out ./private/archive-subkey-private.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...............................+++
    .................................+++
    e is 65537 (0x10001)
  2. Check the private key:

    $ openssl rsa -in ./private/archive-subkey-private.key -check -noout
    RSA key ok
  3. [optional] Create a hash of the private key:

    $ openssl sha256 -out ./private/archive-subkey-private.key.sha256 ./private/archive-subkey-private.key

Public

Default values for certificates come from the 'req_distinguished_name' of SecureBootCA/openssl.conf. All fields except 'Common Name (CN)' (and email, which can be left blank) should match in all certificates in the certificate chain.

  1. Generate a certificate signing request (CSR) for our signing key to be signed by our master private key:

    $ openssl req -sha256 -new -config ./SecureBootCA/openssl.cnf -key ./private/archive-subkey-private.key -out ./archive-subkey-public.csr
    Country Name (2 letter code) [GB]:<use default>
    State or Province Name (full name) [Isle of Man]:<use default>
    Locality Name (eg, city) [Douglas]:<use default>
    Organization Name (eg, company) [Canonical Ltd.]:<use default>
    Organizational Unit Name (eg, section) []:Secure Boot
    Common Name (e.g. server FQDN or YOUR name) []:Canonical Ltd. Secure Boot Signing
    Email Address []:<leave blank>
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:<optional password>
    An optional company name []:<leave blank>
  2. Verify CSR for our signing key for correctness (output is for example purposes):

    $ openssl req -in archive-subkey-public.csr -text -noout -verify
    verify OK
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:ad:68:a8:94:88:09:1c:c7:03:b3:8a:0d:89:27:
                        54:1d:16:2f:83:7b:fa:7b:70:74:df:6c:1f:af:18:
                        71:53:2f:6f:46:0c:ab:ad:f1:75:1b:0f:e5:bc:5a:
                        99:44:6c:80:45:26:4a:05:bd:01:8e:91:65:4c:37:
                        eb:38:69:b0:91:67:8f:0e:3f:b8:dc:da:a7:ea:a7:
                        86:cc:87:98:d8:10:07:64:01:1d:da:dc:ef:97:a0:
                        37:34:8d:69:0d:6d:d5:da:f7:3f:e2:e3:e2:6c:23:
                        ae:97:43:3b:11:9a:c0:3a:2f:26:8b:8b:1a:92:5a:
                        78:bb:0c:df:cc:19:d0:ad:f0:2e:31:d7:7f:d7:94:
                        36:9b:77:26:06:33:43:5e:cf:e8:d9:54:31:5f:08:
                        dc:40:d5:c1:ba:04:51:de:d7:f6:a9:58:20:da:cc:
                        f5:9f:4f:ef:bf:73:52:77:42:ca:ca:5f:d8:16:89:
                        2c:f5:e5:34:10:69:f6:44:3e:45:f2:92:78:8f:7c:
                        23:a7:ab:24:a0:ef:1b:7d:51:d0:d2:6b:d2:8e:65:
                        08:e6:b5:9a:bb:2c:7a:cf:09:3f:6a:a8:e6:58:b1:
                        33:0a:ce:49:36:84:93:28:40:05:e2:e1:0b:27:c4:
                        19:49:17:e5:c9:e1:6f:fa:1a:1a:ca:8d:af:f5:3e:
                        a8:c9
                    Exponent: 65537 (0x10001)
            Attributes:
                challengePassword        :unable to print attribute
        Signature Algorithm: sha256WithRSAEncryption
             08:e2:29:d1:d7:a3:ca:a5:c9:55:84:b9:e6:a5:d8:02:3f:7f:
             2b:d0:31:93:31:17:83:41:eb:ab:96:4a:9d:dc:6a:41:cb:ab:
             b4:06:26:89:f8:ff:18:4a:ae:ac:11:f1:ec:97:15:03:a8:b1:
             9a:10:9d:96:64:f2:d9:e7:e4:8f:fc:4d:6d:e9:08:77:8a:20:
             ec:24:17:64:dc:bd:43:3c:15:e3:b6:2c:24:70:4c:68:c4:29:
             85:9f:a8:a9:07:48:b9:45:71:4d:d1:3a:43:9e:f0:3a:e2:8c:
             dc:be:12:45:3b:2c:92:ef:c5:cb:6a:b6:4a:7d:d7:6f:ef:03:
             31:7e:a6:1e:8c:0f:77:da:5a:3b:b7:dd:86:30:9b:92:50:fb:
             92:cb:41:d4:be:5e:62:28:ab:fe:76:18:c1:e8:53:a3:5f:66:
             93:a1:18:0b:50:a8:f8:3e:48:c7:9a:aa:ff:11:12:06:01:a6:
             d9:a2:b2:74:ce:3f:4e:07:af:3d:80:99:43:51:2e:7e:d2:b2:
             aa:36:52:08:7a:8e:df:06:3a:50:c5:eb:b8:bf:64:d5:b4:9f:
             2f:17:7c:32:af:95:a1:5f:35:bb:80:84:d7:6a:bf:6c:ab:25:
             cb:63:b1:47:17:14:c9:e8:66:2f:3d:23:d9:f1:b3:8f:5b:11:
             db:cc:0b:3c
  3. Sign the CSR for our signing key with the master private key and create the certificate (if you specified a master password, you will be prompted for it):

    $ openssl ca -md sha256 -cert ./master-public.pem -keyfile ./private/master-private.key -config ./SecureBootCA/openssl.cnf -out ./archive-subkey-public.crt -in ./archive-subkey-public.csr
    Using configuration from ./SecureBootCA/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
    ...
    Certificate is to be certified until Mar 27 20:13:14 2042 GMT (10956 days)
    Sign the certificate? [y/n]: y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  4. Verify certificate for correctness (output is for example purposes):

    $ openssl x509 -in archive-subkey-public.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
            Validity
                Not Before: Mar 28 20:13:14 2012 GMT
                Not After : Mar 27 20:13:14 2042 GMT
            Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:ad:68:a8:94:88:09:1c:c7:03:b3:8a:0d:89:27:
                        54:1d:16:2f:83:7b:fa:7b:70:74:df:6c:1f:af:18:
                        71:53:2f:6f:46:0c:ab:ad:f1:75:1b:0f:e5:bc:5a:
                        99:44:6c:80:45:26:4a:05:bd:01:8e:91:65:4c:37:
                        eb:38:69:b0:91:67:8f:0e:3f:b8:dc:da:a7:ea:a7:
                        86:cc:87:98:d8:10:07:64:01:1d:da:dc:ef:97:a0:
                        37:34:8d:69:0d:6d:d5:da:f7:3f:e2:e3:e2:6c:23:
                        ae:97:43:3b:11:9a:c0:3a:2f:26:8b:8b:1a:92:5a:
                        78:bb:0c:df:cc:19:d0:ad:f0:2e:31:d7:7f:d7:94:
                        36:9b:77:26:06:33:43:5e:cf:e8:d9:54:31:5f:08:
                        dc:40:d5:c1:ba:04:51:de:d7:f6:a9:58:20:da:cc:
                        f5:9f:4f:ef:bf:73:52:77:42:ca:ca:5f:d8:16:89:
                        2c:f5:e5:34:10:69:f6:44:3e:45:f2:92:78:8f:7c:
                        23:a7:ab:24:a0:ef:1b:7d:51:d0:d2:6b:d2:8e:65:
                        08:e6:b5:9a:bb:2c:7a:cf:09:3f:6a:a8:e6:58:b1:
                        33:0a:ce:49:36:84:93:28:40:05:e2:e1:0b:27:c4:
                        19:49:17:e5:c9:e1:6f:fa:1a:1a:ca:8d:af:f5:3e:
                        a8:c9
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage: 
                    Code Signing, 1.3.6.1.4.1.311.10.3.6
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    94:59:E5:48:B9:EC:D6:29:10:C3:89:FE:21:E2:B0:78:BA:EB:07:C5
                X509v3 Authority Key Identifier: 
                    keyid:7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F
    
        Signature Algorithm: sha256WithRSAEncryption
             84:6b:b6:45:61:eb:6a:9d:56:e0:00:1e:e8:4a:bd:b7:b2:e5:
             72:08:19:1b:fb:8e:1c:cd:80:99:dd:d1:ec:0a:1f:c3:f8:57:
             03:35:36:67:f4:f8:b3:a3:c3:28:23:24:af:24:13:4c:de:3e:
             a9:e8:22:cd:12:92:c6:6c:24:dd:f7:a9:56:67:4b:7b:dd:f8:
             ce:c7:36:8f:bc:7a:c9:b1:cb:5e:ea:4a:75:d7:a0:6f:0a:78:
             76:f7:00:cf:c6:2a:50:51:d7:20:52:20:5c:8f:b0:ad:66:a7:
             00:32:ce:81:01:74:bd:5b:1a:1b:f7:15:fb:e2:16:e6:9b:b4:
             07:a3:e5:66:8c:2f:e7:7d:48:6d:44:9e:b2:4d:00:bb:93:ad:
             b6:1f:5b:f2:92:8a:6a:2f:5a:63:5a:f0:3c:3c:fd:5f:ff:57:
             3c:4a:d9:7a:5e:d3:ed:34:b3:43:87:fc:46:32:38:63:aa:74:
             1c:86:73:91:b1:d5:6b:28:cd:a7:37:83:9d:2c:02:cc:31:60:
             6b:d1:db:5d:c1:af:ad:75:37:69:99:fc:3a:ec:6c:ba:e7:31:
             00:92:c2:e1:45:4a:4d:b3:e9:d9:9c:6b:cd:07:2f:fb:eb:ab:
             07:a9:c7:23:45:9f:52:af:18:23:7d:ed:bb:eb:09:c4:19:a7:
             15:33:4d:dd
  5. Verify the certificate chain (that the signing certificate is signed by the master):

    $ openssl verify -CAfile ./master-public.pem ./archive-subkey-public.crt
    ./archive-subkey-public.crt: OK
  6. The following will need to be used by the signing tool, so store them somewhere safe:
    • ./archive-subkey-public.crt
    • ./private/archive-subkey-private.key
    This should also be saved (but separately from the above) for submission to other CAs. It is not needed by the signing tool:
    • archive-subkey-public.csr

Prepare certificates for OEMs (KEK and db)

OpenSSL by default creates certificates in PEM format. For maximum interoperability with OEMs we want to create an DER encoded PKCS#7 certificate. This certificate should include only the master certificate.

  1. Commercial engineering has stated that OEMs want a DER encoded x509 certificate. To create this, do:

    $ openssl x509 -inform PEM -in master-public.pem -outform DER -out master-public.der
  2. Then verify with:

    $ openssl x509 -in ./master-public.der -inform DER -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 18395472014686033076 (0xff49d8557f0014b4)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
            Validity
                Not Before: Mar 28 20:03:15 2012 GMT
                Not After : Mar 27 20:03:15 2042 GMT
            Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:cb:c6:46:eb:7d:20:02:be:17:08:27:b6:50:a7:
                        2e:44:46:1e:ab:e5:53:38:b1:3f:ff:0c:7e:6d:2f:
                        ad:71:f3:cc:14:05:7d:e2:c0:79:5d:07:e2:b3:21:
                        18:2b:52:ab:07:30:3a:9a:29:26:9a:51:5d:04:0c:
                        68:b5:cb:92:e6:57:ac:a3:fe:20:b7:3b:e9:f3:37:
                        03:73:90:c0:0b:a6:2e:0d:cf:66:8a:ed:16:5d:9e:
                        7b:76:ba:53:00:4d:b0:da:af:23:f4:5f:97:ba:65:
                        0b:2c:0f:ff:ae:6b:42:18:4b:05:51:51:1c:ab:e1:
                        73:40:f7:6c:15:47:86:91:35:06:47:6f:49:dc:25:
                        af:6c:96:df:33:bb:49:7a:c5:3e:97:0b:6d:6e:bf:
                        95:2f:12:25:aa:86:26:ae:44:26:b5:dc:ce:e1:6b:
                        5d:b6:28:a4:23:d2:b5:55:ce:d7:b7:94:8d:80:76:
                        88:86:11:7f:90:42:c9:1b:c2:00:5a:27:47:1b:92:
                        95:ec:17:ac:1f:d0:d0:e8:0b:b7:8f:f8:dd:0d:3c:
                        79:08:9c:88:18:95:fb:ef:cc:f9:6c:87:31:e3:3f:
                        76:51:cc:2f:9f:7e:93:9d:3f:f4:6b:6a:ca:01:7c:
                        09:29:fb:c5:15:98:b5:b7:5e:76:bc:df:e2:42:23:
                        4e:11
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F
                X509v3 Authority Key Identifier: 
                    keyid:7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F
    
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: 
                    Digital Signature, Certificate Sign, CRL Sign
                X509v3 CRL Distribution Points: 
    
                    Full Name:
                      URI:http://www.canonical.com/secure-boot-master-ca.crl
    
        Signature Algorithm: sha256WithRSAEncryption
             b1:7f:36:33:d1:2a:d5:76:cb:9a:ac:b9:9f:8b:0f:8f:8b:1c:
             1e:8a:81:e4:75:f5:8b:88:c0:17:62:0d:31:33:9e:d1:2a:28:
             ff:91:f2:5e:40:61:61:5b:f9:c2:d7:36:75:26:df:9c:c5:67:
             11:29:5d:5c:3b:aa:07:e4:e1:75:be:cd:04:04:b0:f7:0d:ed:
             4d:7c:e2:b7:67:05:31:88:0d:69:a4:84:63:dd:10:62:57:6e:
             ca:27:54:e9:c9:c7:b3:18:21:8f:71:7d:69:dd:4d:d2:36:e5:
             14:fb:f8:7d:c6:3b:44:2f:c6:06:76:8d:81:8a:93:39:b2:49:
             91:9f:d8:e1:1c:0e:f8:f4:d2:b0:4a:b5:a7:e6:b0:3a:38:30:
             57:94:58:ee:15:f9:8e:1d:20:85:02:12:a0:ac:c5:a2:ab:2b:
             21:45:c4:27:83:60:c8:83:e0:b7:b5:92:c8:f9:8f:db:03:7a:
             77:f6:5b:76:03:86:f6:24:53:6a:5c:8e:09:dd:d8:f5:b6:8f:
             7f:07:2c:d7:b0:f2:d8:61:07:0e:74:28:f7:57:ed:00:ec:3f:
             05:31:ea:e5:6d:ad:a4:1a:48:a0:92:c7:d0:7d:51:e8:56:25:
             9d:28:b5:6f:ac:9c:64:97:ae:a8:a6:30:8d:f9:4a:fa:e2:40:
             f9:63:66:63

At this point, several files exist for the Master public component:

  • Default for OEMs: master-public.der (DER-encoded x509 certificate)

  • master-public.pem (x509 PEM-encoded certificate)
  • master-public.pubkey (the RSA2048 public key)

If a DER-formatted PKCS#7 certificate is needed, run:

$ openssl crl2pkcs7 -nocrl -certfile ./master-public.pem -outform DER -out master-public.pkcs7
$ openssl pkcs7 -in ./master-public.pkcs7 -inform DER -text -print_certs -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 18395472014686033076 (0xff49d8557f0014b4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Mar 28 20:03:15 2012 GMT
            Not After : Mar 27 20:03:15 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:c6:46:eb:7d:20:02:be:17:08:27:b6:50:a7:
                    2e:44:46:1e:ab:e5:53:38:b1:3f:ff:0c:7e:6d:2f:
                    ad:71:f3:cc:14:05:7d:e2:c0:79:5d:07:e2:b3:21:
                    18:2b:52:ab:07:30:3a:9a:29:26:9a:51:5d:04:0c:
                    68:b5:cb:92:e6:57:ac:a3:fe:20:b7:3b:e9:f3:37:
                    03:73:90:c0:0b:a6:2e:0d:cf:66:8a:ed:16:5d:9e:
                    7b:76:ba:53:00:4d:b0:da:af:23:f4:5f:97:ba:65:
                    0b:2c:0f:ff:ae:6b:42:18:4b:05:51:51:1c:ab:e1:
                    73:40:f7:6c:15:47:86:91:35:06:47:6f:49:dc:25:
                    af:6c:96:df:33:bb:49:7a:c5:3e:97:0b:6d:6e:bf:
                    95:2f:12:25:aa:86:26:ae:44:26:b5:dc:ce:e1:6b:
                    5d:b6:28:a4:23:d2:b5:55:ce:d7:b7:94:8d:80:76:
                    88:86:11:7f:90:42:c9:1b:c2:00:5a:27:47:1b:92:
                    95:ec:17:ac:1f:d0:d0:e8:0b:b7:8f:f8:dd:0d:3c:
                    79:08:9c:88:18:95:fb:ef:cc:f9:6c:87:31:e3:3f:
                    76:51:cc:2f:9f:7e:93:9d:3f:f4:6b:6a:ca:01:7c:
                    09:29:fb:c5:15:98:b5:b7:5e:76:bc:df:e2:42:23:
                    4e:11
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F
            X509v3 Authority Key Identifier: 
                keyid:7A:47:09:1F:3B:23:3F:AD:CD:58:EA:49:78:3D:90:E2:30:44:7E:3F

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www.canonical.com/secure-boot-master-ca.crl

    Signature Algorithm: sha256WithRSAEncryption
         b1:7f:36:33:d1:2a:d5:76:cb:9a:ac:b9:9f:8b:0f:8f:8b:1c:
         1e:8a:81:e4:75:f5:8b:88:c0:17:62:0d:31:33:9e:d1:2a:28:
         ff:91:f2:5e:40:61:61:5b:f9:c2:d7:36:75:26:df:9c:c5:67:
         11:29:5d:5c:3b:aa:07:e4:e1:75:be:cd:04:04:b0:f7:0d:ed:
         4d:7c:e2:b7:67:05:31:88:0d:69:a4:84:63:dd:10:62:57:6e:
         ca:27:54:e9:c9:c7:b3:18:21:8f:71:7d:69:dd:4d:d2:36:e5:
         14:fb:f8:7d:c6:3b:44:2f:c6:06:76:8d:81:8a:93:39:b2:49:
         91:9f:d8:e1:1c:0e:f8:f4:d2:b0:4a:b5:a7:e6:b0:3a:38:30:
         57:94:58:ee:15:f9:8e:1d:20:85:02:12:a0:ac:c5:a2:ab:2b:
         21:45:c4:27:83:60:c8:83:e0:b7:b5:92:c8:f9:8f:db:03:7a:
         77:f6:5b:76:03:86:f6:24:53:6a:5c:8e:09:dd:d8:f5:b6:8f:
         7f:07:2c:d7:b0:f2:d8:61:07:0e:74:28:f7:57:ed:00:ec:3f:
         05:31:ea:e5:6d:ad:a4:1a:48:a0:92:c7:d0:7d:51:e8:56:25:
         9d:28:b5:6f:ac:9c:64:97:ae:a8:a6:30:8d:f9:4a:fa:e2:40:
         f9:63:66:63

Backup the CA configuration

The 'SecureBootCA/' directory and master public certificates should be backed up to be used again in disaster recovery or when creating OEM-specific keys. Eg:

$ cp -av master* SecureBootCA/
'master-public.der' -> 'SecureBootCA/master-public.der'
'master-public.pem' -> 'SecureBootCA/master-public.pem'
'master-public.pkcs7' -> 'SecureBootCA/master-public.pkcs7'
'master-public.pubkey' -> 'SecureBootCA/master-public.pubkey'
$ tar -zcvf ~/SecureBootCA.tar.gz ./SecureBootCA/
./SecureBootCA/
./SecureBootCA/index.txt.old
./SecureBootCA/serial
./SecureBootCA/crl/
./SecureBootCA/crl/secure-boot-master-ca.crl.pem
./SecureBootCA/crl/secure-boot-master-ca.crl
./SecureBootCA/newcerts/
./SecureBootCA/newcerts/01.pem
./SecureBootCA/crlnumber
./SecureBootCA/openssl.cnf
./SecureBootCA/crlnumber.old
./SecureBootCA/index.txt
./SecureBootCA/index.txt.attr
./SecureBootCA/serial.old
./SecureBootCA/master-public.der
./SecureBootCA/master-public.pem
./SecureBootCA/master-public.pkcs7
./SecureBootCA/master-public.pubkey

This backup should be given to anyone who is authorized to generate new keys.

WinQual certificate

The WinQual program uses a different method. Please see SecurityTeam/SecureBoot/WinQual for details.

GUID

Canonical also needs to generate a unique GUID for the entry in db (EFI_CERT_X509_GUID). This can be generated with the uuidgen command. Commercial engineering generated this one:

e40ac46d-e82e-4c9c-a314-0fc7b2008710

This is the RFC4122 representation of the GUID, which includes the bytes exactly in the order that they appear above. Specifically, a byte array for this GUID is defined as:

const unsigned char canonical_guid_bytes[] = {
        0xe4, 0x0a, 0xc4, 0x6d, 0xe8, 0x2e, 0x4c, 0x9c,
        0xa3, 0x14, 0x0f, 0xc7, 0xb2, 0x00, 0x87, 0x10,
};

Or, if you're using libuuid:

UUID_DEFINE(canonical_guid, \
        0xe4, 0x0a, 0xc4, 0x6d, 0xe8, 0x2e, 0x4c, 0x9c, \
        0xa3, 0x14, 0x0f, 0xc7, 0xb2, 0x00, 0x87, 0x10);

However, if you're using the UEFI constructs for defining GUIDs, you need to specify some fields in little-endian form. This is how you'd represent the Canonical GUID in the syntax used by the UEFI specification:

#define CANONICAL_GUID \
        {0x6dc40ae4, 0x2ee8, 0x9c4c, \
        {0xa3,0x14,0x0f,0xc7,0xb2,0x00,0x87,0x10}}

The kernel's EFI_GUID macro follows this behaviour. To use the Canonical GUID in kernel code:

#define CANONICAL_GUID    \
     EFI_GUID(0x6dc40ae4, 0x2ee8, 0x9c4c, \
        0xa3, 0x14, 0x0f, 0xc7, 0xb2, 0x00, 0x87, 0x10)

So far, there's been no need to define UEFI GUIDs on a big-endian system. In those cases, we'll need to byte-swap the (already-byte-swapped) values that appear in the specification.

Producing the EFI Signature List

If you want to produce a Platform Key (PK) that is importable into the system trust store, you need to signed signed key lists.

Install efitools to get cert-to-efi-sig-list and sign-efi-sig-list. Use the UUID above to generate the key list for the Certificate Authority:

cert-to-efi-sign-list -g e40ac46d-e82e-4c9c-a314-0fc7b2008710 master-public.pem master-public.esl
sign-efi-sig-list -k private/master-private.key -c master-public.pem PK master-public.esl master-public.auth

To allow the key to be removed later, you also need to generate an empty signed update:

rm -f remove-master-public.esl
touch remove-master-public.esl
sign-efi-sig-list -k private/master-private.key -c master-public.pem PK remove-master-public.esl remove-master-public.auth

You should now be able to install them using KeyTool. If you need to work with a vendor to include this key, please see the next point.

Image signing procedure

Please see:

UEFI/SecureBoot/KeyManagement/KeyGeneration (last edited 2020-03-03 21:24:06 by cjwatson)