Secure boot - How to append custom certificate to db if BIOS has no such option?
I have an HP 245G7 notebook. The BIOS is very basic and there does not seem to be any option from within it to append my own custom certificate to the db database of Secure Boot.
If there is an option in this model, I would like to know.
I read somewhere that only HP business laptops have such an option. When I call HP support they say the HP 245G7 is a business laptop. Given that, and assuming that the BIOS does not have such an option, what are the alternatives to append my own certificate (.cer file) to the db database?
The certificate is created on Windows using the PowerShell command New-SelfSignedCertificate.
Solution 1:
All firmware technically makes this possible; it simply might not have an easy UI for it in the setup screen, requiring you to take the long way around by creating the ESLs yourself in Setup Mode, but that mode is required to be available on x86.
I'll try to expand on this later, but in general you would:
- Switch the Secure Boot feature to "Setup Mode". This might be done as a dedicated option, or by clearing the Platform Key (PK) through the firmware.
When the system is in Setup Mode you will be able to update db and KEK from within a running OS, without needing the secret key corresponding to the KEK or PK. For example, a Linux system or some tool running from the EFI Shell can be used to manage db.
I have my notes for a Dell system, where I had to do this as two separate steps: first switch the system to "Setup Mode" through firmware settings, then boot into Linux and manually remove the PK contents:
    # make the efivarfs file writable, then delete PK (signed with the current PK's private key)
    chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
    efi-updatevar -k PlatformKey.key -d 0 PK
- Get copies of the original db and KEK lists from the "dbDefault" and "KEKDefault" EFI variables, which are required in Secure Boot implementations.
Note: My old notes for Dell say this was not necessary because I had the specific option to activate "Setup Mode" and did not need to use the sledgehammer "Clear all keys" option, so the db and KEK retained their original values and I could just append to them.
However, if you do end up clearing all keys (which also results in Setup Mode due to empty PK), this remains a useful option.
- Create a custom signature list (.esl) from dbDefault plus your custom db certificate, and add it to the db variable. Similarly, add KEKDefault plus your custom KEK certificate into KEK.
What I found in my notes for creating this value is that cert-to-efi-sig-list and sign-efi-sig-list need to be used, with efi-updatevar then importing it.
However, it is also possible to append the certificates one by one to the existing 'db' or 'KEK' contents:
    # KEK appends are signed with the PK private key; -g sets the owner GUID of each entry
    chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
    efi-updatevar -k MyPlatformKey.key -g 77fa9abd-0359-4d32-bd60-28f4e78f784b -a -c KEK/MS_KEK_CA_2011.der KEK
    efi-updatevar -k MyPlatformKey.key -g $(uuidgen) -a -c MyKeyExchangeKey.crt KEK
    # db appends are signed with the KEK private key
    chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    efi-updatevar -k MyKeyExchangeKey.key -a -c db/MS_UEFI_CA.der db
    efi-updatevar -k MyKeyExchangeKey.key -a -c db/MS_Windows_PCA.der db
    efi-updatevar -k MyKeyExchangeKey.key -a -c MySigningKey.crt db
Finally, install either the original platform key or your custom one into PK, at which point the system will go out of Setup Mode into the normal User Mode.
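To make the signature-list step concrete, here is an added example (my own code, not from the answer above or from efitools) that builds an EFI_SIGNATURE_LIST the way cert-to-efi-sig-list does and parses the layout used by db, KEK, dbDefault and KEKDefault, so you can inspect what is already enrolled before appending to it. It does not implement the authenticated-variable signing that sign-efi-sig-list or efi-updatevar performs; the certificate bytes and hash values in the demo are constructed placeholders, and the only real identifiers are the UEFI signature-type GUIDs and the Microsoft owner GUID quoted in the answer.

```python
#!/usr/bin/env python3
"""Build and inspect UEFI EFI_SIGNATURE_LIST (ESL) blobs.

db, dbx, KEK, dbDefault and KEKDefault each hold a concatenation of
EFI_SIGNATURE_LIST structures. Added example; not code from the answer
above or from efitools, and no signing of the resulting variable data.
"""
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGNATURE_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# Owner GUID used for the Microsoft entries in the answer's efi-updatevar command.
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all UINT32, little-endian).
ESL_HEADER = struct.Struct("<16sIII")


def build_esl(sig_type, owner, entries):
    """Pack signature data entries into one EFI_SIGNATURE_LIST.

    Every entry in a list shares one SignatureSize, so an X509 list holds
    a single certificate while a hash list can hold many hashes.
    """
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries in a signature list must be the same size")
    signature_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA = owner GUID + data
    list_size = ESL_HEADER.size + signature_size * len(entries)
    # uuid.bytes_le yields the mixed-endian byte order EFI uses for GUIDs.
    body = b"".join(owner.bytes_le + e for e in entries)
    return ESL_HEADER.pack(sig_type.bytes_le, list_size, 0, signature_size) + body


def build_x509_esl(cert_der, owner):
    """Same output as `cert-to-efi-sig-list -g <owner> cert.der out.esl`."""
    return build_esl(EFI_CERT_X509_GUID, owner, [cert_der])


def parse_esl(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs and return one dict per entry.

    Size fields are validated before use so a truncated or corrupt dump
    raises instead of being misread.
    """
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, header_size, signature_size = ESL_HEADER.unpack_from(blob, offset)
        end = offset + list_size
        data_start = offset + ESL_HEADER.size + header_size
        if end > len(blob) or data_start > end or signature_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - data_start) % signature_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = data_start
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append({
                "type": SIGNATURE_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "data": blob[pos + 16:pos + signature_size],
            })
            pos += signature_size
        offset = end
    return entries


def strip_efivarfs_attributes(raw):
    """Files under /sys/firmware/efi/efivars begin with a 4-byte attribute
    word ahead of the variable contents; drop it before parsing."""
    return raw[4:]


def append_x509(existing_db, cert_der, owner):
    """Unsigned view of an append: db is ESLs back to back. The authenticated
    write (what efi-updatevar -a does with the KEK private key) is not done here."""
    return existing_db + build_x509_esl(cert_der, owner)


if __name__ == "__main__":
    # Constructed placeholder data: not a real certificate and not real hashes.
    fake_cert = b"\x30\x82\x00\x10" + b"\xab" * 16
    db = build_x509_esl(fake_cert, MS_OWNER_GUID)
    db += build_esl(EFI_CERT_SHA256_GUID, MS_OWNER_GUID, [b"\x11" * 32, b"\x22" * 32])
    db = append_x509(db, fake_cert, uuid.uuid4())
    for e in parse_esl(db):
        print(f"{e['type']:6} owner={e['owner']} {len(e['data'])} bytes")
```

On a live system you would feed parse_esl the output of strip_efivarfs_attributes applied to /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c; comparing that listing against db after the update is a quick check that nothing but your own certificate was added.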
Solution 2:
PowerShell can be used on Windows to manipulate the UEFI certificates, where the BIOS does not have the required user interface.
The following method was found in the HP manual Secure Boot Customization Guide. This requires PowerShell to be Run as Administrator.
The document contains extremely detailed descriptions of the PowerShell commands and about using the Windows signtool.exe for preparing the keys for installation.
The document itself is much too voluminous for inclusion in an answer. I only summarize below its chapter 2 for the required steps:
2 Setting up a customized Secure Boot environment
2.1 Backup existing Secure Boot configuration
2.2 Place your HP PC in Secure Boot setup mode
2.3 Obtain PK and KEK public keys
2.4 Self-signing certificates
2.4.1 Generate a new PK
2.4.2 Generate a new KEK
2.5 Install the new PK
2.5.1 PK: Create a valid SetVariable() package
2.5.2 Import PK using Windows tools
2.6 Install the new PK—signed KEK
2.6.1 KEK: Create a valid SetVariable() package
2.6.2 Import KEK Using Windows Tools
2.7 Install the New KEK—signed DB and DBX
2.8 Enable Secure Boot Once More
2.9 Add Additional Certificates to DB or DBX