sign-efi-sig-list -a -i KEK.signed -t ‘May 13 00:00:00 UTC 2013′ KEK KEK.auth

and the -a and -t flags have to match exactly what you passed in to create KEK.forsig

If you don’t need a detached signature, it’s easier just to do it all in one go:

sign-efi-sig-list -a -c PK.crt -k PK.key KEK KEK.esl KEK.auth

You also have to be careful about the -a flag. You have to make sure that you use KeyTool update (or UpdateVars -a) because the update flag is part of the signature (if you use KeyTool replace, or UpdateVars without the -a, you have to leave the -a off the sign-efi-sig-list input).

sign-efi-sig-list -a -t ‘May 13 00:00:00 UTC 2013′ -o KEK KEK.esl KEK.forsig

would I be right in thinking that the correct way to sign the list is to do it like this:

openssl smime -sign -binary -in KEK.forsig -out KEK.signed -signer PK.crt -inkey PK.key -outform DER -md sha256

The bit I am querying is the bit at the end where I sign the KEK with the PK. I presume this is the right way to do it – so that when I run keytool it will recognise that the signature list entry has been signed by the PK?

Thanks

If at least we Europeans don’t f*cking clamp down on this… I can’t personally even see secureboot be enabled by default, ahead of disabled… in Europe.. if so, humans are game over .. nothing but meat as all US greed is about, no ethics, no morals, no values, no integrity… nothing. I was more extreme and saying ban all US products already in 99-2000 but I am always 10-15 years ahead in time to others. neo-nazism here we come ^^

What did you mean by “These files can later be used to restore the contents if something goes wrong in the updates (and because some platforms put you into setup mode by erasing the contents of all the secure variables), so save them in a safe place.”

Thanks,
Barry

If you installed the efitools package, it should have generated a signed platform key update file called PK.auth for you

Thanks,
Barry