uefisign and loader

Warner Losh imp at bsdimp.com
Mon Oct 7 05:02:57 UTC 2019


On Sun, Oct 6, 2019, 10:58 PM David Cross <dcrosstech at gmail.com> wrote:

> I've been working on getting Secure Boot working under FreeBSD (I today just
> finished off a REALLY rough tool that lets one tweak UEFI authenticated
> variables under FreeBSD, with an eye to try to get a patch to put this into
> efivar).  After setting the PK, the KEK, and the db, I was super excited to
> finally secure-boot my machine, and discovered that I could not uefisign
> loader.  Attempting to sign loader returns a cryptic: "section points
> inside the headers" and then hangs in pipe-read (via siginfo). (This is
> under 12.0 FWIW.)
>
> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so it's
> not really useful for me.
>
> Suggestions?
>

Use loader.efi directly instead?

Warner
