Date:	Sat, 21 Jul 2012 13:28:42 +0100
From:	James Bottomley <James.Bottomley@...senPartnership.com>
To:	linux-efi@...r.kernel.org
Cc:	linux-kernel <linux-kernel@...r.kernel.org>
Subject: efitools rpm up on opensuse build service: contains useful tools
 for taking control of UEFI secure boot platforms

All the tools are in the git repository

http://git.kernel.org/?p=linux/kernel/git/jejb/efitools.git;a=summary

But for ease of consumption, this is now packaged and build by the
opensuse build server as installable rpm files.

http://download.opensuse.org/repositories/home:/jejb1:/UEFI/openSUSE_12.1/

If you install the efitools-0.1.rpm package, it will automatically
provision you with Platform Key, Key Exchange Key and db key.  The
README file in /usr/share/efitools/ explains what’s going on, but you
can also do a quick lockdown of your UEFI plaform (or simply boot out
the old keys) if you copy all the efi files in /usr/share/efitools/efi/
and the *.auth files from /usr/share/efitools/keys/ into a partition
accessible to the efi boot loader.  Then in Setup Mode (must be Setup
Mode to alter the keys) do

UpdateVars db db.auth
UpdateVars KEK KEK.auth
UpdateVars PK PK.auth

After the PK update, the platform should once again be in user mode.
Verify by trying to run the HelloWorld efi binary (should fail) and it’s
signed counterpart HelloWorld-signed (should print Hello World!).

I've also summarised the current state, plus a useful collection of odd
information on my blog:

http://blog.hansenpartnership.com/

James


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists