uefisign and loader
David Cross
dcrosstech at gmail.com
Thu Oct 10 18:29:51 UTC 2019
Ok, it appears uefisign is just outright broken; after not being able to
boot even boot1 signed, I brought the signed image over to windows and used
signtool verify and got the error message:
"SignTool Error: WinVerifyTrust returned error: 0x80096010
The digital signature of the object did not verify."
This is a different error than I get from SignTool for boot1.efi from an
untrusted cert (signed via SignTool) which reports:
"..A certificate chain processed, but terminated in a root certificate
which is not trusted..."
Anyone actually use uefisign successfully?
On Mon, Oct 7, 2019 at 9:29 AM David Cross <dcrosstech at gmail.com> wrote:
>
> On Mon, Oct 7, 2019 at 1:02 AM Warner Losh <imp at bsdimp.com> wrote:
>
>> On Sun, Oct 6, 2019, 10:58 PM David Cross <dcrosstech at gmail.com> wrote:
>>
>>> I've been working on getting secureboot working under freebsd (I today
>>> just finished off a REALLY rough tool that lets one tweak uefi authenticated
>>> variables under freebsd, with an eye to try to get a patch to put this
>>> into efivar). After setting the PK, the KEK, and the db, I was super excited
>>> to finally secure-boot my machine, and discovered that I could not uefisign
>>> loader. Attempting to sign loader returns a cryptic: "section points
>>> inside the headers" and then hangs in pipe-read (via siginfo). (this is
>>> under 12.0 FWIW).
>>>
>>> I am able to sign boot1, however boot1.efi doesn't handle GELI keys so
>>> it's not really useful for me.
>>>
>>> Suggestions?
>>>
>>
>> Use loader.efi directly instead?
>>
>
> I currently do use loader.efi directly, however not being able to sign
> loader.efi directly complicates things a bit (using hash based signature
> lists for the 'db' variable); and it seems we *should* be able to sign
> loader. From some other posts on the internet it seems that at some point
> we could.
>
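An added pre-flight check, written for this thread and not taken from uefisign or any FreeBSD source: the "section points inside the headers" message suggests the tool refuses a section whose PointerToRawData lies below SizeOfHeaders, the region Authenticode hashes as one unit before it hashes the sections, so the script below parses exactly those PE fields and reports any offending section before a binary is handed to a signing tool. The precise condition uefisign tests is an assumption here, and the sample image is constructed in-line rather than being a real loader.efi.

```python
import struct

def parse_pe_sections(data):
    """Return (SizeOfHeaders, [(name, PointerToRawData, SizeOfRawData), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # optional header
    # SizeOfHeaders sits at offset 60 of the optional header in PE32 and PE32+
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sections = []
    for i in range(nsections):
        sh = opt + opt_size + 40 * i          # section headers are 40 bytes each
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, sh + 16)
        sections.append((name, ptr_raw, size_raw))
    return size_of_headers, sections

def sections_inside_headers(data):
    """Names of sections whose raw data begins before SizeOfHeaders (assumed uefisign check)."""
    hdr_end, sections = parse_pe_sections(data)
    return [name for name, ptr, size in sections if size and ptr < hdr_end]

def build_sample_pe(ptr_raw, size_of_headers=0x200):
    """Constructed minimal PE32+ image with one .text section; not a real loader.efi."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, 0x100, ptr_raw, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return bytes(image.ljust(max(len(image), ptr_raw + 0x100), b"\0"))

if __name__ == "__main__":
    for ptr in (0x200, 0x100):   # a clean layout, then one overlapping the headers
        print(hex(ptr), sections_inside_headers(build_sample_pe(ptr)))
```

To check a real image, replace the constructed sample with `open("loader.efi", "rb").read()`; an empty list means no section starts inside the header region.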