As promised, here is the Linux Foundation UEFI secure boot system. This was actually released to us by Microsoft on Wednesday 6 February, but with travel, conferences and meetings I didn’t really get time to validate it all until today. The files are here
- PreLoader.efi (md5sum 4f7a4f566781869d252a09dc84923a82)
- HashTool.efi (md5sum 45639d23aa5f2a394b03a65fc732acf2)
I’ve also put together a mini-USB image that is bootable (just dd it on to any USB key; the image is gpt partitioned, so use the whole disk device). It has an EFI shell where the kernel should be and uses gummiboot to load. You can find it here (md5sum 7971231d133e41dd667a184c255b599f).
To use the mini-USB image, you have to enroll the hashes for loader.efi (in the \EFI\BOOT directory; actually gummiboot) as well as shell.efi (in the top level directory). It also includes a copy of KeyTool.efi which you have to enrol the hash of to run as well.
What Happened to KeyTool.efi?
Originally this was going to be part of our signed release kit. However, during testing Microsoft discovered that because of a bug in one of the UEFI platforms, it could be used to remove the platform key programmatically, which would rather subvert the UEFI security system. Until we can resolve this (we’ve now got the particular vendor in the loop), they declined to sign KeyTool.efi although you can, of course, authorize it by hash in the MOK variables if you want to run it.
Let me know how this goes because I’m very interested to gather feedback about what works and what doesn’t work. In particular, there’s a worry that the security protocol override might not work on some platforms, so I particularly want to know if it doesn’t work for you.