As of commit a2185c6 sign-efi-sig-list: functional version for time based updates
has the capability to construct runtime updates to the secure variables. So far I’ve managed to add extra keys to db; replace KEK and take the platform into setup mode.
The repository now contains an efi program Update.efi which can be run in User Mode (must be signed with a key in db or KEK) and supply authenticated updates to the keys. So far, I’ve only implemented time based updates for X509 keys.
In order to construct and update, you must first convert from a PEM format X509 certificate to an EFI Signature List. To do that execute
cert-to-efi-sig-list mycert.crt mycert.esl
The result will be a binary signature list in mycert.esl. Now you take this binary signature list and append the authentication header that authorises the platform to accept the key into the signature database variable db
sign-efi-sig-list -a db KEK.crt KEK.key mycert.esl db.update
And this will create a KEK signed append based update to the db variable. To apply the update, in the UEFI environment run
UpdateVars -a db db.update
And the signature will be appended.
Note that there is a trick to this. Since the current qemu platform is locked down at boot time, the timestamp associated with the variables is the time the system was booted. In order to prevent replay problems, the timestamp generated by sign-efi-sig-list is the current time plus one year. This would be unacceptable for production, but it solves the huge annoyance where you have to boot the platform, then create the update and then convey it into the platform to keep the timestamps correct.
If you wished to replace the contents of db instead of merely appending to it, remove the -a flag from both commands.
Taking the Platform into Setup Mode again
This is achieved by clearing the platform key. To do this, create an empty signature list
And use this as the basis for a non append based update of PK:
sign-efi-sig-list PK PK.crt PK.key null.esl PK.update
Note: updates to PK must be signed with the current platform key. Now apply this update to the running system
UpdateVars PK PK.update
And voila, the Platform Key will be cleared and the system reset into setup mode again.