revert dbx enrollment
Needs to be iterated on, and should preferably not work the same way as the
existing key databases.

Reverts: 31c1228
Reverts: dae25b8

Signed-off-by: Morten Linderud <[email protected]>
Foxboron committed Nov 19, 2023
1 parent e601a32 commit ff53691
Showing 7 changed files with 12 additions and 111 deletions.
1 change: 0 additions & 1 deletion certs/builtin.go
Expand Up @@ -13,7 +13,6 @@ import (
var (
efiGlobalGuid = util.EFIGUID{0x8be4df61, 0x93ca, 0x11d2, [8]uint8{0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}}
defaultSignatureDatabaseNames = map[string]string{
"dbx": "dbxDefault",
"db": "dbDefault",
"KEK": "KEKDefault",
"PK": "PKDefault",
56 changes: 2 additions & 54 deletions cmd/sbctl/enroll-keys.go
Expand Up @@ -51,7 +51,7 @@ type EnrollKeysCmdOptions struct {
var (
systemEventlog = "/sys/kernel/security/tpm0/binary_bios_measurements"
enrollKeysCmdOptions = EnrollKeysCmdOptions{
Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db", "dbx"}},
Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db"}},
Export: stringset.StringSet{Allowed: []string{"esl", "auth"}},
}
enrollKeysCmd = &cobra.Command{
Expand Down Expand Up @@ -90,19 +90,12 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
return err
}

dbxPem, err := fs.ReadFile(filepath.Join(keydir, "dbx", "dbx.pem"))
if err != nil {
return err
}

// Create the signature databases
var sigdb, sigdbx, sigkek, sigpk *signature.SignatureDatabase
var sigdb, sigkek, sigpk *signature.SignatureDatabase

if !enrollKeysCmdOptions.Append {
sigdb = signature.NewSignatureDatabase()

sigdbx = signature.NewSignatureDatabase()

sigkek = signature.NewSignatureDatabase()

sigpk = signature.NewSignatureDatabase()
Expand All @@ -113,11 +106,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
return err
}

sigdbx, err = efi.Getdbx()
if err != nil {
return err
}

sigkek, err = efi.GetKEK()
if err != nil {
return err
Expand All @@ -133,10 +121,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
return err
}

if err = sigdbx.Append(signature.CERT_X509_GUID, guid, dbxPem); err != nil {
return err
}

if err = sigkek.Append(signature.CERT_X509_GUID, guid, KEKPem); err != nil {
return err
}
Expand Down Expand Up @@ -168,13 +152,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
}
sigdb.AppendDatabase(oemSigDb)

// dbx
oemSigDbx, err := certs.GetOEMCerts(oem, "dbx")
if err != nil {
return fmt.Errorf("could not enroll db keys: %w", err)
}
sigdbx.AppendDatabase(oemSigDbx)

// KEK
oemSigKEK, err := certs.GetOEMCerts(oem, "KEK")
if err != nil {
Expand All @@ -193,13 +170,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
}
sigdb.AppendDatabase(customSigDb)

// dbx
customSigDbx, err := certs.GetCustomCerts(keydir, "dbx")
if err != nil {
return fmt.Errorf("could not enroll custom dbx keys: %w", err)
}
sigdbx.AppendDatabase(customSigDbx)

// KEK
customSigKEK, err := certs.GetCustomCerts(keydir, "KEK")
if err != nil {
Expand All @@ -217,8 +187,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
switch cert {
case "db":
sigdb.AppendDatabase(builtinSigDb)
case "dbx":
sigdbx.AppendDatabase(builtinSigDb)
case "KEK":
sigkek.AppendDatabase(builtinSigDb)
case "PK":
Expand All @@ -236,11 +204,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
return err
}

sigdbx, err := sbctl.SignDatabase(sigdbx, KEKKey, KEKPem, "dbx")
if err != nil {
return err
}

sigkek, err := sbctl.SignDatabase(sigkek, PKKey, PKPem, "KEK")
if err != nil {
return err
Expand All @@ -252,9 +215,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
if err := fs.WriteFile("db.auth", sigdb, 0o644); err != nil {
return err
}
if err := fs.WriteFile("dbx.auth", sigdbx, 0o644); err != nil {
return err
}
if err := fs.WriteFile("KEK.auth", sigkek, 0o644); err != nil {
return err
}
Expand All @@ -266,9 +226,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
if err := fs.WriteFile("db.esl", sigdb.Bytes(), 0o644); err != nil {
return err
}
if err := fs.WriteFile("dbx.esl", sigdbx.Bytes(), 0o644); err != nil {
return err
}
if err := fs.WriteFile("KEK.esl", sigkek.Bytes(), 0o644); err != nil {
return err
}
Expand All @@ -285,10 +242,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
if err := sbctl.Enroll(sigdb, KEKKey, KEKPem, value); err != nil {
return err
}
case "dbx":
if err := sbctl.Enroll(sigdbx, KEKKey, KEKPem, value); err != nil {
return err
}
case "KEK":
if err := sbctl.Enroll(sigkek, PKKey, PKPem, value); err != nil {
return err
Expand All @@ -307,9 +260,6 @@ func KeySync(guid util.EFIGUID, keydir string, oems []string) error {
if err := sbctl.Enroll(sigdb, KEKKey, KEKPem, "db"); err != nil {
return err
}
if err := sbctl.Enroll(sigdbx, KEKKey, KEKPem, "dbx"); err != nil {
return err
}
if err := sbctl.Enroll(sigkek, PKKey, PKPem, "KEK"); err != nil {
return err
}
Expand Down Expand Up @@ -401,8 +351,6 @@ func customKey(hierarchy string, filePath string) error {
switch hierarchy {
case "db":
fallthrough
case "dbx":
fallthrough
case "KEK":
fallthrough
case "PK":
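Review bot: With every dbx path removed from KeySync, the non-Append branch now builds fresh PK, KEK and db databases and enrolls them while whatever dbx the firmware already holds is left untouched, and nothing in the code says so. Since an authenticated write to dbx has to be signed by a key chaining to the enrolled KEK, vendor-signed dbx revocation updates would presumably be rejected once the vendor KEK is replaced unless it is kept through `oems`; that consequence belongs in a doc comment on the function. Suggested: `// KeySync builds, signs and enrolls PK, KEK and db only; the firmware dbx is left as-is and is not managed by sbctl.` KeySync starts above the first hunk and ends below the last one.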
7 changes: 0 additions & 7 deletions cmd/sbctl/import-keys.go
Expand Up @@ -18,8 +18,6 @@ type ImportKeysCmdOptions struct {
Force bool
DbCert string
DbKey string
DbxCert string
DbxKey string
KEKCert string
KEKKey string
PKCert string
Expand Down Expand Up @@ -58,8 +56,6 @@ func ImportKeysFromDirectory(dir string) error {
"KEK/KEK.pem",
"db/db.key",
"db/db.pem",
"dbx/dbx.key",
"dbx/dbx.pem",
}
dir, err := filepath.Abs(dir)
if err != nil {
Expand Down Expand Up @@ -90,7 +86,6 @@ func RunImportKeys(cmd *cobra.Command, args []string) error {
Cert string
}{
{"db", importKeysCmdOptions.DbKey, importKeysCmdOptions.DbCert},
{"dbx", importKeysCmdOptions.DbxKey, importKeysCmdOptions.DbxCert},
{"KEK", importKeysCmdOptions.KEKKey, importKeysCmdOptions.KEKCert},
{"PK", importKeysCmdOptions.PKKey, importKeysCmdOptions.PKCert},
}
Expand Down Expand Up @@ -142,8 +137,6 @@ func importKeysCmdFlags(cmd *cobra.Command) {
f := cmd.Flags()
f.StringVarP(&importKeysCmdOptions.DbCert, "db-cert", "", "", "Database (db) certificate")
f.StringVarP(&importKeysCmdOptions.DbKey, "db-key", "", "", "Database (db) key")
f.StringVarP(&importKeysCmdOptions.DbxCert, "dbx-cert", "", "", "Forbidden Database (dbx) certificate")
f.StringVarP(&importKeysCmdOptions.DbxKey, "dbx-key", "", "", "Forbidden Database (dbx) key")
f.StringVarP(&importKeysCmdOptions.KEKCert, "kek-cert", "", "", "Key Exchange Key (KEK) certificate")
f.StringVarP(&importKeysCmdOptions.KEKKey, "kek-key", "", "", "Key Exchange Key (KEK) key")
f.StringVarP(&importKeysCmdOptions.PKCert, "pk-cert", "", "", "Platform Key (PK) certificate")
21 changes: 1 addition & 20 deletions cmd/sbctl/reset.go
Expand Up @@ -24,7 +24,7 @@ type resetCmdOptions struct {

var (
resetCmdOpts = resetCmdOptions{
Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db", "dbx"}},
Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db"}},
}
resetCmd = &cobra.Command{
Use: "reset",
Expand Down Expand Up @@ -53,10 +53,6 @@ func resetKeys() error {
if err := resetDB(paths...); err != nil {
return err
}
case "dbx":
if err := resetDBX(paths...); err != nil {
return err
}
case "KEK":
if err := resetKEK(paths...); err != nil {
return err
Expand Down Expand Up @@ -85,19 +81,6 @@ func resetDB(certPaths ...string) error {
return nil
}

func resetDBX(certPaths ...string) error {
KEKKey := filepath.Join(sbctl.KeysPath, "KEK", "KEK.key")
KEKPem := filepath.Join(sbctl.KeysPath, "KEK", "KEK.pem")

if err := resetDatabase(KEKKey, KEKPem, "dbx", certPaths...); err != nil {
return err
}

logging.Ok("Removed Fobidden Signature Database!")
logging.Println("Use `sbctl enroll-keys` to enroll the Forbidden Signature Database again.")
return nil
}

func resetKEK(certPaths ...string) error {
PKKey := filepath.Join(sbctl.KeysPath, "PK", "PK.key")
PKPem := filepath.Join(sbctl.KeysPath, "PK", "PK.pem")
Expand Down Expand Up @@ -146,8 +129,6 @@ func resetDatabase(signerKey, signerPem string, efivar string, certPaths ...stri
switch efivar {
case "db":
db, err = efi.Getdb()
case "dbx":
db, err = efi.Getdbx()
case "KEK":
db, err = efi.GetKEK()
case "PK":
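Review bot: `Partial` in resetCmdOpts no longer accepts `dbx` and `resetDBX` is gone, so a dbx entry that was enrolled by the reverted commits (31c1228, dae25b8) can no longer be cleared with `sbctl reset`; anyone who ran the intermediate version keeps sbctl's dbx certificate in their firmware with no tool-supported way to remove it. That is a defensible trade-off for a revert, but it should be stated somewhere a user will see it, e.g. a sentence under `reset` in the man page. resetKeys and resetDatabase both continue outside their hunks.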
20 changes: 1 addition & 19 deletions cmd/sbctl/rotate-keys.go
Expand Up @@ -26,7 +26,7 @@ type RotateKeysCmdOptions struct {

var (
rotateKeysCmdOptions = RotateKeysCmdOptions{
Partial: stringset.StringSet{Allowed: []string{hierarchy.PK.String(), hierarchy.KEK.String(), hierarchy.Db.String(), hierarchy.Dbx.String()}},
Partial: stringset.StringSet{Allowed: []string{hierarchy.PK.String(), hierarchy.KEK.String(), hierarchy.Db.String()}},
}
rotateKeysCmd = &cobra.Command{
Use: "rotate-keys",
Expand All @@ -44,7 +44,6 @@ type Keys struct {
PK *KeyCertPair
KEK *KeyCertPair
Db *KeyCertPair
Dbx *KeyCertPair
}

func ReadKeysFromDir(src string) (*Keys, error) {
Expand All @@ -66,10 +65,6 @@ func ReadKeysFromDir(src string) (*Keys, error) {
return &k, err
}

k.Dbx, err = ReadPair(src, hierarchy.Dbx)
if err != nil {
return &k, err
}
return &k, err
}

Expand Down Expand Up @@ -105,8 +100,6 @@ func rotateCerts(hiera hierarchy.Hierarchy, oldCert, newCert []byte, keyCertPair
sl, err = efi.GetKEK()
case hierarchy.Db:
sl, err = efi.Getdb()
case hierarchy.Dbx:
sl, err = efi.Getdbx()
}

if err != nil {
Expand Down Expand Up @@ -208,10 +201,6 @@ func rotateAllKeys(backupDir, newKeysDir string) error {
return fmt.Errorf("could not rotate db: %v", err)
}

if err := rotateCerts(hierarchy.Dbx, oldKeys.Dbx.Cert, newKeys.Dbx.Cert, newKeys.KEK); err != nil {
return fmt.Errorf("could not rotate db: %v", err)
}

logging.Ok("Enrolled new keys into UEFI!")

if err := SignAll(); err != nil {
Expand Down Expand Up @@ -267,13 +256,6 @@ func rotateKey(hiera string, keyPath, certPath string) error {

importKeyDst = sbctl.DBKey
importCertDst = sbctl.DBCert
case hierarchy.Dbx.String():
if err := rotateCerts(hierarchy.Dbx, oldKeys.Dbx.Cert, newCert, oldKeys.KEK); err != nil {
return fmt.Errorf("could not rotate dbx: %v", err)
}

importKeyDst = sbctl.DBXKey
importCertDst = sbctl.DBXCert
}

logging.Ok("Enrolled new key of hierarchy %s into UEFI!", hiera)
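Review bot: The switch in rotateCerts that picks the signature list (the hunk around `sl, err = efi.GetKEK()`) now covers PK, KEK and Db only and has no `default`; the hierarchy package is not part of this commit, so if `hierarchy.Dbx` still exists there, a caller passing it leaves `sl` nil with `err` nil and continues into whatever uses `sl` below. Adding `default: return fmt.Errorf("unsupported hierarchy: %s", hiera)` makes the unsupported case an explicit error instead of a nil dereference. The switch opens above the hunk and rotateCerts continues below it.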
8 changes: 4 additions & 4 deletions docs/sbctl.8.txt
Expand Up @@ -65,7 +65,7 @@ EFI signing commands

*-c*, *--custom*;;
Enroll custom KEK and db certificates from "/usr/share/secureboot/keys/custom/KEK/",
"/usr/share/secureboot/keys/custom/db/" and "/usr/share/secureboot/keys/custom/dbx/",
"/usr/share/secureboot/keys/custom/db/",
respectively.

*-f*, *--firmware-builtin*;;
Expand Down Expand Up @@ -99,7 +99,7 @@ EFI signing commands
*-p*, *--partial*;;
Enroll keys only for the hierarchy specified.

Valid values are: db, dbx, KEK, PK.
Valid values are: db, KEK, PK.

*--custom-bytes*;;
Enroll a custom bytefile provided by its path to the efivar specified by partial.
Expand Down Expand Up @@ -168,7 +168,7 @@ EFI signing commands
*-p*, *--partial*;;
Reset keys only for the hierarchy specified.

Valid values are: db, dbx, KEK, PK.
Valid values are: db, KEK, PK.

**rotate-keys**::
Rotate the secure boot keys and replace them with newly generated keys.
Expand All @@ -181,7 +181,7 @@ EFI signing commands
*-p*, *--partial*;;
Rotate keys only for the hierarchy specified.

Valid values are: db, dbx, KEK, PK.
Valid values are: db, KEK, PK.

*-k*, *--key-file*;;
Key file to be appended for the specified hierarchy.
10 changes: 4 additions & 6 deletions keys.go
Expand Up @@ -35,8 +35,6 @@ var (
KEKCert = filepath.Join(KeysPath, "KEK", "KEK.pem")
DBKey = filepath.Join(KeysPath, "db", "db.key")
DBCert = filepath.Join(KeysPath, "db", "db.pem")
DBXKey = filepath.Join(KeysPath, "dbx", "dbx.key")
DBXCert = filepath.Join(KeysPath, "dbx", "dbx.pem")
DBPath = filepath.Join(DatabasePath, "files.db")

GUIDPath = filepath.Join(DatabasePath, "GUID")
Expand Down Expand Up @@ -241,10 +239,10 @@ var SecureBootKeys = []struct {
Key: "db",
Description: "Database Key",
},
{
Key: "dbx",
Description: "Forbidden Database Key",
},
// {
// Key: "dbx",
// Description: "Forbidden Database Key",
// },
}

// Check if we have already intialized keys in the given output directory
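Review bot: The `SecureBootKeys` hunk keeps the dbx entry as commented-out code instead of deleting it, which leaves dead text that will drift and says nothing about why dbx is excluded. The commit message carries the reasoning, so a one-line comment in its place is clearer: `// dbx is deliberately not generated here: the forbidden-signature database should not be handled like the other key databases (see ff53691).` The SecureBootKeys declaration opens above the hunk.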
