Tuesday, 6 December 2022

openssl self signed keys secureboot ovmf howto



# link: https://projectacrn.github.io/latest/tutorials/waag-secure-boot.html


# Generate PK Using OpenSSL:

openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 365 -out PK.crt


# Country Name (2 letter code) [AU]:CN

# State or Province Name (full name) [Some-State]:Shanghai

# Locality Name (eg, city) []:Shanghai

# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intel

# Organizational Unit Name (eg, section) []:Intel

# Common Name (e.g. server FQDN or YOUR name) []:

# Email Address []:


# You can also generate the self-signed certificate from an existing key, using the openssl req command, for example:


openssl req -key testpriv.key -new -x509 -days 365 -out PK.crt


# View the content of certificate using the openssl x509 command:


openssl x509 -text -noout -in PK.crt


# Convert certificate from PEM to DER using the openssl x509 command.

# Only a DER format encoded certificate is supported. After conversion, save PK.der for use:


openssl x509 -in PK.crt -outform der -out PK.der


# Download KEK and DB From Microsoft

# KEK (Key Exchange Key):

# Microsoft Corporation KEK CA 2011: allows updates to DB and DBX.

# DB (Allowed Signature database):

# Microsoft Windows Production CA 2011: This CA in the Signature Database (DB) allows Windows to boot.

# Microsoft Corporation UEFI CA 2011: Microsoft signer for third party UEFI binaries via DevCenter program.



# Use QEMU to Inject Secure Boot Keys Into OVMF

# We follow the openSUSE document "UEFI Secure boot using qemu-kvm" to import PK, KEK and DB into OVMF; Ubuntu 16.04 was used.

# Install KVM, QEMU

# Prepare the environment

# Create a OVMFKeys working directory:

mkdir OVMFKeys


# Copy the built OVMF binaries into OVMFKeys:


cp edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_CODE.fd OVMFKeys

cp edk2/Build/OvmfX64/DEBUG_GCC5/FV/OVMF_VARS.fd OVMFKeys

# Copy OVMF_CODE_QEMU.fd into OVMFKeys:


cp OVMF_CODE_QEMU.fd OVMFKeys


# Make a working directory for hda-contents:


cd OVMFKeys

mkdir hda-contents


# Copy PK, KEK and DB into hda-contents:


cp PK.der hda-contents

cp MicCorKEKCA2011_2011-06-24.crt hda-contents

cp MicWinProPCA2011_2011-10-19.crt hda-contents


# Use QEMU to inject secure boot keys

# Run qemu-system-x86_64 to launch virtual machine:


qemu-system-x86_64 -L . \

  -drive if=pflash,format=raw,readonly=on,file=OVMF_CODE_4M.fd \

  -drive if=pflash,format=raw,file=winpxe_tele_VARS.fd \

  -hda fat:floppy:rw:hda-contents \

  -net none



# After enrolling the keys, combine the variable store (now holding PK, KEK and DB) and the firmware code into one unified image; VARS comes first, then CODE, matching the layout of OVMF.fd:

cat /home/mip/Documents/OVMFKeys/winpxe_tele_VARS.fd /home/mip/Documents/OVMFKeys/OVMF_CODE_4M.fd > OVMF_custom_mip_secboot.fd


# ---------------------------------------------------------------


Obtaining the key

Generate Platform Key

The PK can be generated with openssl. Use the following commands to create your own self-signed PK. Note that PKpriv.key is the private key; keep it safe, because updates to the PK must be signed with it.


$ openssl req -newkey rsa:2048 -nodes -keyout PKpriv.key -x509 -days 365 -out PK.crt

$ openssl x509 -in PK.crt -outform der -out PK.der

Download KEK and DB

You need to download KEK and DB from Microsoft Database:


Microsoft Corporation KEK CA 2011

Microsoft Windows Production CA 2011

Insert UEFI keys

Make an img file in fat32 form containing the keys

$ dd if=/dev/zero of=keys.img bs=4M count=1

$ mkfs.vfat keys.img

# losetup /dev/loopX keys.img

# mount /dev/loopX /mnt

# cp PK.der /mnt/PK.der

# cp MicCorKEKCA2011_2011-06-24.crt /mnt/KEK.crt

# cp MicWinProPCA2011_2011-10-19.crt /mnt/DB.crt

# umount /dev/loopX

# losetup -d /dev/loopX
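As an added example (not part of the original post or the ACRN tutorial it links), the following POSIX shell script performs the PK generation and DER conversion shown in both sections non-interactively and then checks, before anything is enrolled, that PK.der parses as DER, carries the same fingerprint as PK.crt and matches PKpriv.key. A PK enrolled from a certificate whose private key you do not hold cannot be updated with a signed PK write and would have to be cleared from the firmware setup menu, so this is worth checking first. The subject string, the function names, the scratch directory and the optional root-free image step using mkfs.vfat -C and mcopy (dosfstools and mtools) are assumptions of this example; the filenames follow the post.

```shell
#!/bin/sh
# Added example, not code from the original post or the ACRN tutorial.
# Generates a self-signed Platform Key as the post does, then verifies that
# PK.der is the DER form of PK.crt and belongs to PKpriv.key before the
# certificate is copied into the key image.

# Constructed subject; any subject works for a self-signed PK.
PK_SUBJ="/C=CN/ST=Shanghai/L=Shanghai/O=Example/OU=Example/CN=Example PK"

# gen_pk DIR: create PKpriv.key, PK.crt (PEM) and PK.der (DER) in DIR.
gen_pk() {
    dir="$1"
    # -subj makes the request non-interactive; -nodes leaves the key unencrypted
    openssl req -newkey rsa:2048 -nodes -subj "$PK_SUBJ" \
        -keyout "$dir/PKpriv.key" -x509 -days 365 -out "$dir/PK.crt" 2>/dev/null || return 1
    # UEFI only accepts DER-encoded X.509, so convert the PEM certificate
    openssl x509 -in "$dir/PK.crt" -outform der -out "$dir/PK.der" || return 1
}

# verify_pk DIR: return 0 only if every consistency check passes.
verify_pk() {
    dir="$1"
    # 1. the file must parse as X.509 when read as DER (a PEM file is rejected here)
    openssl x509 -inform der -in "$dir/PK.der" -noout 2>/dev/null || return 1
    # 2. DER starts with the ASN.1 SEQUENCE tag 0x30, never with "-----BEGIN"
    first=$(head -c 1 "$dir/PK.der" | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || return 1
    # 3. PEM and DER must be the same certificate: identical SHA-256 fingerprints
    fp_pem=$(openssl x509 -in "$dir/PK.crt" -noout -fingerprint -sha256)
    fp_der=$(openssl x509 -inform der -in "$dir/PK.der" -noout -fingerprint -sha256)
    [ -n "$fp_pem" ] && [ "$fp_pem" = "$fp_der" ] || return 1
    # 4. the certificate's public key must be the one derived from PKpriv.key,
    #    otherwise PK updates signed with PKpriv.key will never validate
    pub_cert=$(openssl x509 -in "$dir/PK.crt" -noout -pubkey)
    pub_key=$(openssl pkey -in "$dir/PKpriv.key" -pubout)
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ] || return 1
    # 5. not already expired (a 365-day PK must be re-enrolled before it lapses)
    openssl x509 -in "$dir/PK.crt" -noout -checkend 0 >/dev/null || return 1
    return 0
}

# make_keys_img DIR: root-free alternative to the dd/losetup/mount steps;
# assumes dosfstools (mkfs.vfat) and mtools (mcopy) are installed.
make_keys_img() {
    dir="$1"
    rm -f "$dir/keys.img"
    mkfs.vfat -C "$dir/keys.img" 4096 >/dev/null || return 1   # 4096 KiB image file
    mcopy -i "$dir/keys.img" "$dir/PK.der" ::PK.der || return 1
    # KEK.crt and DB.crt (Microsoft's certificates) are copied the same way
}

# main: run the checks in a scratch directory (constructed, removed afterwards)
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    work=$(mktemp -d)
    gen_pk "$work" || return 1
    if verify_pk "$work"; then
        echo "PK.der is consistent with PK.crt and PKpriv.key"
    else
        echo "PK verification FAILED" >&2
        return 1
    fi
    if command -v mkfs.vfat >/dev/null 2>&1 && command -v mcopy >/dev/null 2>&1; then
        make_keys_img "$work" && echo "keys.img written in $work"
    fi
    rm -rf "$work"
}

[ "${1-}" = "run" ] && main
```

Run it as `sh pkcheck.sh run`; the image step is only attempted when mkfs.vfat and mcopy are present, and the generated PK.der is the file to copy into hda-contents or keys.img in place of the one produced by the interactive commands above.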

Insert the keys

Start a virtual machine with the img file attached as a storage device. Enter the UEFI configuration menu and go to the Secure Boot configuration (Device Manager / Secure Boot Configuration / Secure Boot Mode), then change "Standard Mode" to "Custom Mode". Once in "Custom Mode", "Custom Secure Boot Options" appears; enter it and choose PK Options / Enroll PK / Enroll PK Using File, then do the same for KEK and DB. Finally, Commit Changes and Exit.


After importing PK, KEK and DB, the secure boot state shows "Enabled".

