openSUSE:UEFI Image File Sign Tools
There are two tools for signing UEFI image files: pesign and sbsigntools. This page is a short HOWTO covering both.
Create Your Own Certificate
Before signing any UEFI image file, you need a certificate for signing. For testing, if you don't want to fiddle with openssl commands, I recommend using the make-certs script shipped with pesign.
# ./make-certs UserName firstname.lastname@example.org all codesign 18.104.22.168.4.1.322.214.171.124
The script creates several files, but only the following files are needed: ca.crt, UserName.crt, UserName.key, and UserName.p12.
Pesign is developed by Peter Jones and maintained in his GitHub repo. The packages for openSUSE 12.1, openSUSE 12.2, and SLE-11-SP2 are available in obs://home:gary_lin:UEFI. The package creates a new user and group, 'pesign', if they don't exist. (Update: pesign is in openSUSE 12.3 and is going to be in SLE-11-SP3 and any later version.)
Import Certificates into the NSS database
Since pesign uses NSS to manage the certificates, you have to import your certificates into the NSS database. The default NSS database path is /etc/pki/pesign, but you can also specify a database. Before manipulating the NSS database, make sure mozilla-nss-tools is installed on your system. Create the database if you don't have it.
$ mkdir certdb
$ certutil -N -d certdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
You can list the certificates in the database with this command:
$ certutil -L -d certdb
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
If your certificate is not listed, import your certificates as follows.
- Import the CA certificate:
$ certutil -A -n 'my CA' -d certdb -t CT,CT,CT -i ca.crt
- Import your private key:
$ pk12util -d certdb -i UserName.p12
The NSS database may ask for a database password to protect the private key. Remember this password, since it will be needed later.
- Import your certificate:
$ certutil -d certdb -A -i UserName.crt -n "UserName" -t u
- Check the database:
$ certutil -L -d certdb
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
my CA                                        CT,C,C
UserName                                     u,u,u
Sign UEFI images
After importing your own certificate, you can start to sign the UEFI image files. There are two ways to do it: 'pesign' or 'pesign-client'.
To sign sample.efi and save as sample-signed.efi:
$ pesign -n certdb -c "UserName" -s -i sample.efi -o sample-signed.efi
A password prompt then appears:
Enter passphrase for private key:
Since your private key was imported into the NSS database, you have to enter the database password instead of the password of your private key.
To show the signature in sample-signed.efi:
$ pesign -n certdb -S -i sample-signed.efi
The output will be similar to this:
---------------------------------------------
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is SomeOrg
No signer email address.
Signing time: Tue Jul 03, 2012
There were certs or crls included.
---------------------------------------------
Besides the pesign command, there is a pesign daemon that provides access to the centralized key database (/etc/pki/pesign).
To start the daemon in openSUSE 12.x:
# systemctl start pesign.service
# rcpesign start
Once the daemon is started, pesign-client can get the keys through the daemon.
First, enter the password to unlock the database.
$ pesign-client -u
Then, sign the image.
$ pesign-client -c "UserName" -s -i sample.efi -o sample-signed.efi
Sbsigntools is developed by Jeremy Kerr. According to the README in sbsigntools, the program is maintained in git://kernel.ubuntu.com/jk/sbsigntool. The package for openSUSE 12.1 is available in obs://home:jejb1:UEFI
Sign the UEFI image file
To sign the UEFI image file with sbsigntools, just use the following command:
$ sbsign --key UserName.key --cert UserName.crt --output sample-signed.efi sample.efi
Verify the signed file
To verify the signature with the CA certificate:
$ sbverify --cert ca.crt sample-signed.efi
Signature verification OK
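Signing with either tool appends an Authenticode signature to the image and records its location in the PE header's certificate table (data directory entry 4). The following added example, which is not part of pesign or sbsigntools, walks that table to tell a signed image from an unsigned one; the function names and the constructed sample header are assumptions made for the demo, and it checks structure only, not cryptographic validity (sbverify does that).

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData

def list_signatures(pe: bytes):
    """Return [(revision, cert_type, payload_len), ...] from the PE certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)   # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe_off + 24                      # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
    (ndirs,) = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= 4:
        return []                          # header has no certificate table slot
    # Entry 4 is special: its first field is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if off == 0 or size == 0:
        return []                          # unsigned image
    if off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    found, end = [], off + size
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        found.append((rev, ctype, length - 8))
        off += (length + 7) & ~7           # entries are 8-byte aligned
    return found

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a bootable image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                   # 112 header bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    img = bytearray(dos + coff + opt)
    if signed:
        blob = b"\x30\x82" + b"\0" * 10    # placeholder bytes, not real PKCS#7
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 2) + blob
        entry += b"\0" * (-len(entry) % 8)
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 32, len(img), len(entry))
        img += entry
    return bytes(img)
```

To check a real file, pass its bytes, for example list_signatures(open("sample-signed.efi", "rb").read()); an empty list means the image carries no signature.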