Updating PK, KEK, db and dbx in user mode

As of commit a2185c6 sign-efi-sig-list: functional version for time based updates


has the capability to construct runtime updates to the secure variables.  So far I’ve managed to add extra keys to db; replace KEK and take the platform into setup mode.

The Basics

The repository now contains an efi program Update.efi which can be run in User Mode (must be signed with a key in db or KEK) and supply authenticated updates to the keys.  So far, I’ve only implemented time based updates for X509 keys.

In order to construct and update, you must first convert from a PEM format X509 certificate to an EFI Signature List.  To do that execute

cert-to-efi-sig-list mycert.crt mycert.esl

The result will be a binary signature list in mycert.esl.  Now you take this binary signature list and append the authentication header that authorises the platform to accept the key into the signature database variable db

sign-efi-sig-list -a db KEK.crt KEK.key mycert.esl db.update

And this will create a KEK signed append based update to the db variable.  To apply the update, in the UEFI environment run

UpdateVars -a db db.update

And the signature will be appended.

Note that there is a trick to this.  Since the current qemu platform is locked down at boot time, the timestamp associated with the variables is the time the system was booted.  In order to prevent replay problems, the timestamp generated by sign-efi-sig-list is the current time plus one year.  This would be unacceptable for production, but it solves the huge annoyance where you have to boot the platform, then create the update and then convey it into the platform to keep the timestamps correct.

If you wished to replace the contents of db instead of  merely appending to it, remove the -a flag from both commands.

Taking the Platform into Setup Mode again

This is achieved by clearing the platform key.  To do this, create an empty signature list

> null.esl

And use this as the basis for a non append based update of PK:

sign-efi-sig-list PK PK.crt PK.key null.esl PK.update

Note: updates to PK must be signed with the current platform key.  Now apply this update to the running system

UpdateVars PK PK.update

And voila, the Platform Key will be cleared and the system reset into setup mode again.

One thought on “Updating PK, KEK, db and dbx in user mode

  1. Ian Dewar

    I have a ‘ Microsoft Corporation UEFI CA 2011 ‘ key in ‘ Authorized Signatures ‘ in the bios of a Lenovo Thinkcentre M720s desktop PC.
    Would it be this which is preventing the successful Windows 10 1803 v3.0 PC build imaging?
    I keep getting a task sequence error ‘ Set up BIOS ‘
    The owner GUID is 77fa9abd-0359-4d32-bd60-28f4e78f784b and is a duplicate of the ‘ Microsoft Windows Production PCA 2011 ‘


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.