uefisign and loader
David Cross
dcrosstech at gmail.com
Mon Oct 7 13:29:20 UTC 2019
On Mon, Oct 7, 2019 at 1:02 AM Warner Losh <imp at bsdimp.com> wrote:
>
>
> On Sun, Oct 6, 2019, 10:58 PM David Cross <dcrosstech at gmail.com> wrote:
>
>> I've been working on getting secureboot working under FreeBSD (today I
>> just finished off a REALLY rough tool that lets one tweak UEFI authenticated
>> variables under FreeBSD, with an eye to trying to get a patch to put this
>> into efivar). After setting the PK, the KEK, and the db, I was super excited
>> to finally secure-boot my machine, and discovered that I could not uefisign
>> loader. Attempting to sign loader returns a cryptic "section points
>> inside the headers" and then hangs in pipe-read (via siginfo). (This is
>> under 12.0 FWIW.)
>>
>> I am able to sign boot1; however, boot1.efi doesn't handle GELI keys, so it's
>> not really useful for me.
>>
>> Suggestions?
>>
>
> Use loader.efi directly instead?
>
>>
>>
I currently do use loader.efi directly; however, not being able to sign
loader.efi directly complicates things a bit (using hash-based signature
lists for the 'db' variable), and it seems we *should* be able to sign
loader. From some other posts on the internet it seems that at some point
we could.