uefisign and loader

David Cross dcrosstech at gmail.com
Mon Oct 7 04:58:34 UTC 2019


I've been working on getting Secure Boot working under FreeBSD (just today I
finished off a REALLY rough tool that lets one tweak UEFI authenticated
variables under FreeBSD, with an eye to trying to get a patch to put this into
efivar).  After setting the PK, the KEK, and the db, I was super excited to
finally secure-boot my machine, and discovered that I could not uefisign
loader.  Attempting to sign loader returns a cryptic "section points
inside the headers" and then hangs in pipe-read (via siginfo). (This is
under 12.0, FWIW.)

I am able to sign boot1; however, boot1.efi doesn't handle GELI keys, so it's
not really useful for me.

Suggestions?

