How to sign your own UEFI binaries for Secure Boot

You have two options. You may use the "tried and true" methods using Ubuntu directly with sbsign and kmodsign, or use the "real" method used by Microsoft to sign binaries, with a Windows-only app.

For more details on signing binaries, see ImageSigning.

sbsign and kmodsign

sbsign allows you to sign your own custom binaries (ie. the files that would be loaded directly by firmware, be it a bootloader or a kernel).

To sign a binary using sbsign; you will need both the private and public part of a certificate in PEM format (see KeyGeneration), and some idea of a name for the output file. The source file will not be modified.

sbsign --cert path/to/cert.crt --key path/to/cert.key --output path/to/outputfile  efi_binary

To validate a signature, you will still need the public part of the signing certificate, in PEM form:

sbverify --cert path/to/cert.crt efi_binary

kmodsign is used exclusively to sign kernel modules. It also requires the signing certificates to be in a different format than sbsigntool; for kmodsign, the certificates need to be in DER format. Conveniently, if you need to use DKMS modules, an appropriate certificate may already exist in /var/lib/shim-signed/mok.

To sign a custom module, in this example with the generated MOK already available on a system:

kmodsign sha512 \
    /var/lib/shim-signed/mok/MOK.priv \
    /var/lib/shim-signed/mok/MOK.der \

Using Microsoft's signtool.exe

Warning /!\ This obviously requires access to a system running Windows.

Download signtool.exe from Microsoft, install it somewhere to disk (it is a single binary), and run it. Refer to signtool /? for help.

UEFI/SecureBoot/Signing (last edited 2017-12-05 00:40:25 by cyphermox)