Secure boot - How to append custom certificate to db if BIOS has no such option?

certificate uefi secure-boot

I have HP 245G7 notebook. The BIOS is very basic and there does not seem to be any option from within to append my own custom certificate to db database of secure boot.

If there is an option in this model, I would like to know.

I read somewhere that only HP business laptops have such an option. When I call HP support they say HP245G7 is a business laptop. Given that and assuming that BIOS does not have such option, what are alternatives to append my own certificate (.cer file) to the db database?

Certificate is created on Windows using powershell command New-SelfSignedCertificate

enter image description here


Solution 1:

All firmware technically make this possible, they simply might not have an easy UI for that in the setup screen, requiring you take the long way around through creating the ESLs yourself in Setup Mode, but that mode is required to be available on x86.

I'll try to expand on this later, but in general you would:

  1. Switch the Secure Boot feature to "Setup Mode". This might be done as a dedicated option, or by clearing the Platform Key (PK) through the firmware.

    When the system is in Setup Mode you will be able to update db and KEK from within a running OS, without needing the secret key corresponding to the KEK or PK. For example, a Linux system or some tool running from the EFI Shell can be used to manage db.

    I have my notes for a Dell system, where I had to do this as two separate steps: first switch the system to "Setup Mode" through firmware settings, then boot into Linux and manually remove the PK contents.

    chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
efi-updatevar -k PlatformKey.key -d 0 PK

  2. Get copies of the original db and KEK lists from the "dbDefault" and "KEKDefault" EFI variables, which are required in Secure Boot implementations.

    Note: My old notes for Dell say this was not necessary because I had the specific option to activate "Setup Mode" and did not need to use the sledgehammer "Clear all keys" option, so the db and KEK retained their original values and I could just append to them.

    However, if you do end up clearing all keys (which also results in Setup Mode due to empty PK), this remains a useful option.

  3. Create a custom signature list (.esl) from dbDefault plus your custom db certificate, and add it to the db variable. Similarly, add KEKDefault plus your custom KEK certificate into KEK.

    What I found in my notes for creating this value is that cert-to-efi-sig-list and sign-efi-sig-list need to be used, with efi-updatevar then importing ot.

    However, it is also possible to append the certificates one by one to the existing 'db' or 'KEK' contents:

    chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
efi-updatevar -k MyPlatformKey.key -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -a -c KEK/MS_KEK_CA_2011.der KEK
efi-updatevar -k MyPlatformKey.key -g $(uuidgen) -a -c MyKeyExchangeKey.crt KEK

chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
efi-updatevar -k MyKeyExchangeKey.key -a -c db/MS_UEFI_CA.der db
efi-updatevar -k MyKeyExchangeKey.key -a -c db/MS_Windows_PCA.der db
efi-updatevar -k MyKeyExchangeKey.key -a -c MySigningKey.crt db

    Finally, either the original platform key or your custom one into PK, at which point the system will go out of Setup Mode into the normal User Mode.

Solution 2:

PowerShell can be used on Windows to manipulate the UEFI certificates, where the BIOS does not have the required user interface.

The following method was found in the HP manual Secure Boot Customization Guide. This requires PowerShell to be Run as Administrator.

The document contains extremely detailed descriptions of the PowerShell commands and about using the Windows signtool.exe for preparing the keys for installation.

The document itself is much too voluminous for inclusion in an answer. I only summarize below its chapter 2 for the required steps:

2 Setting up a customized Secure Boot environment
2.1 Backup existing Secure Boot configuration
2.2 Place your HP PC in Secure Boot setup mode
2.3 Obtain PK and KEK public keys
2.4 Self-signing certificates
2.4.1 Generate a new PK
2.4.2 Generate a new KEK
2.5 Install the new PK
2.5.1 PK: Create a valid SetVariable() package
2.5.2 Import PK using Windows tools
2.6 Install the new PK—signed KEK
2.6.1 KEK: Create a valid SetVariable() package
2.6.2 Import KEK Using Windows Tools
2.7 Install the New KEK—signed DB and DBX
2.8 Enable Secure Boot Once More
2.9 Add Additional Certificates to DB or DBX

Related

PCIe 3.0 x8 in PCIe 4.0 x16 [duplicate]
Looks like cron spawns a shell which in turn spawns a script; how can I get rid of the intermediate shell?
Have .bat ask for further input
HP Printer driver installation
Ubuntu: After login let user work in a container
Linux wc command
Want to extract out only alpha using ffmpeg
What does the `shell:` prefix do in the Run dialog?
Linux permissions varies between parent directory and double dots
Can I boot from a saved state such that all the programs and windows are positioned the same and are running as they were when I saved the state?
How to delete only "recently closed tabs" in Chrome?
Does Dark Souls 2 have a level cap?