Support for signing EFI executable with certificate chain #19
Comments
I've been reworking the signing code recently, so the linked code is soon obsolete: https://github.com/Foxboron/go-uefi/blob/master/authenticode/authenticode.go#L128 If you give a complete example of how you would like this to work, I can try and work something out. But I would need help to validate the behaviour.
Hi @Foxboron, thanks for the quick response. So basically, we want to generate an EFI executable, providing the private key of a certificate for signing it, and the certificate that needs to be embedded into the executable is not a self-signed one, so it means we need to provide the whole certificate chain (in my case just the CA and the certificate). So what we want is that the method for signing EFI executables (I see you even have already

Regarding testing, I do have bare-metal hardware where I'm testing, running a Secure Boot system by generating my own ISOs, so I should be able to test it.
Are you expecting
Not needed. So here is a useful schema of what we want to achieve (not UEFI): https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets/documents/secure-boot-image-authentication_11.30.16.pdf (page 7). We want to sign the UEFI executables with a certificate chain, where only the root CA is embedded into the signature DB. So this would mean, for validation, that the other certificates of the chain must be embedded in the binary, so that UEFI can iterate over the chain to reach the root CA.
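The trust model described in the comment above (only the root CA enrolled in the trust store, intermediates carried by the signed image, leaf validated by walking the chain) can be demonstrated with the Go standard library alone. The following is an added example, not code from go-uefi or from this thread: it generates a constructed root, intermediate and leaf in memory, then verifies the leaf once with the intermediate supplied (as an image's embedded certificates would be) and once without it, which is the case that fails when only the leaf is embedded. The certificate names and the CodeSigning EKU on the leaf are assumptions for the example; real Secure Boot firmware validates an Authenticode PKCS#7 signature rather than calling x509.Verify, but the chain-building logic is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds a constructed three-tier PKI: the root CA (the only
// certificate that would be enrolled in the Secure Boot db), an
// intermediate CA, and the leaf certificate used to sign images.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for subjectKey signed by parent/parentKey.
// When parent is nil the certificate is self-signed (the root).
func issue(tmpl, parent *x509.Certificate, subjectKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain constructs root -> intermediate -> leaf with constructed names.
func BuildChain() Chain {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(caTmpl(1, "Example Root CA"), nil, rootKey, rootKey)
	inter := issue(caTmpl(2, "Example Intermediate CA"), root, interKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Example UKI Signing Key"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := issue(leafTmpl, inter, leafKey, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyLeaf mimics the firmware-side check: the trust store contains only
// the root, and the intermediates are whatever the signed image carried.
// It returns nil when a path from the leaf to the root can be built.
func VerifyLeaf(c Chain, embedded []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	inters := x509.NewCertPool()
	for _, ic := range embedded {
		inters.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	c := BuildChain()
	fmt.Println("with intermediate embedded:", VerifyLeaf(c, []*x509.Certificate{c.Intermediate}))
	fmt.Println("without intermediate:", VerifyLeaf(c, nil))
}
```

The second call fails with an unknown-authority error because the verifier holds only the root and has no way to link the leaf to it; that is exactly why a signing routine that embeds only the leaf certificate cannot satisfy a db that contains just the root CA.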
Unless there is an example of a properly signed binary I can compare against, or another form of example, I can't promise I'll look at it within any reasonable timeframe.
Hi @Foxboron, I just learned that
Ah, yes. That makes things a lot easier. Should probably have checked that myself :)
Hello,

We are using the go-uefi library to generate UEFI executables in order to achieve Secure Boot on our systems. However, the UKI certificate we want to provide for creating the signature is a certificate bundle/chain, and as it is now, SignEFIExecutable only supports passing a single certificate object:

Is there a way we could provide a certificate chain?