Opened 8 years ago

Last modified 5 years ago

#13024 assigned task

EFI - Signed loader binary

Reported by: kallisti5 Owned by: nobody
Priority: normal Milestone: Unscheduled
Component: System/Boot Loader/EFI Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

This stuff tears at my soul.

If UEFI secure boot ever becomes "force enabled" on a large amount of hardware we'll have to go through this process to sign our EFI loader. While I don't think a large number of machines out there require secure boot... this documents the process to get an EFI loader signed by Microsoft.

Here are the steps by someone who got a shim for grub signed:

I don't believe that it's possible without Windows for the final upload - it really needs Silverlight. Running IE under Wine may be sufficient, but I couldn't be bothered. Anyway.
Go to sysdev.microsoft.com and log in with a Live account.
- Follow the link to the Verisign (now Symantec) page for creating a new company account. Ignore the use of the word company - you can do this as an individual.
- Follow the instructions and purchase an individual key for code signing. You'll be emailed a form to attach a copy of your notarised ID to, so get that filled in and signed and send them back a copy by email.
- Export the key from your browser as a .p12 file.
- Go back to sysdev.microsoft.com and download the zip file containing winsign.exe. Use pesign or sbsign and the key you exported to sign this file, and then upload it to sysdev.microsoft.com to enable your account.
- Sign the legal agreements - this just involves you typing your name into a box.
- Put the file you want to get signed into a cab file. lcab will do this,
- Sign the cab file with your Verisign key. osslsigncode will do this.
- Upload the file to sysdev.microsoft.com. The uploader is Silverlight for no obviously good reason.
- Wait for the upload to be processed. I think this happens a couple of times a week, so be prepared to wait a few days (I had to)
- You'll get an email when signing is complete. Download the cab file and use cabextract to retrieve your signed binary.
- Total cost is $99 plus however much it costs to get something notarised where you are.

More information about signing and key management is here: https://github.com/marineam/efitools

An alternate (More "free") strategy would be to use KeyTool.efi to inject our own "Haiku keys" into the UEFI bios of a Haiku machine... but that seem a little drastic. I wonder if we'll ever get a KeyTool.efi signed by Microsoft.

I hate secure boot... hopefully a more open ecosystem catches on (maybe a standard "open source" community key?)

Change History (2)

comment:1 by axeld, 8 years ago

Owner: changed from axeld to nobody
Status: newassigned

comment:2 by pulkomandy, 5 years ago

Component: System/Boot LoaderSystem/Boot Loader/EFI
Note: See TracTickets for help on using tickets.