@irik77587
Last active July 26, 2024 04:21
How to enable Secure Boot with a self-signed (not Debian-signed) systemd-boot
Special thanks to https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/ for all the explanations
If you want to keep the Microsoft keys, back up db and dbx before entering Setup Mode (not shown here),
then append them to DB.esl the same way mok.esl and debian-uefi-ca.esl are appended below. Steps for dbx are not shown here.
Enter Setup Mode from the UEFI firmware setup (run fwsetup from the GRUB 2 command line, or press Esc at boot)
Download the Debian UEFI CA root certificate
Collect mok.pub (and mok.key) from /var/lib/dkms/
/* add zswap to the cmdline for systemd-boot since I have an SSD */
/* kernel-install uses this file as the complete kernel command line, so root= and any other needed options must be in it too */
echo "zswap.enabled=1" > /usr/lib/kernel/cmdline
/* Everything in /boot must be on a FAT32 partition for systemd-boot to boot the kernel */
install systemd-boot
/* The ESP should be mounted on /boot, or /boot should be a FAT32-formatted XBOOTLDR partition, for systemd-boot */
bootctl remove
/* Later, once we have the ASCII PEM cert, mok.pem and mok.key are used to sign systemd-boot */
sbsign --key mok.key --cert mok.pem /usr/lib/systemd/boot/efi/systemd-bootx64.efi
/* If you are wondering how I made mok.key: I didn't. */
/* I simply repurposed the mok.key and mok.pub from dkms, generated when I installed the Nvidia proprietary driver */
/* I found the mok pair in /var/lib/dkms/ */
bootctl install
sbsign writes systemd-bootx64.efi.signed next to the original by default, and bootctl install automatically copies the signed EFI binary into the ESP when it finds one.
DER is a compact binary format. Firmware wants certificates in this format and mokutil imports this format, but signing software prefers the ASCII PEM format, so the files need converting. Don't run openssl verify on mok.pub: it is self-signed, so verification against the system trust store will fail. Instead, to check that the certificate is usable, print it to STDOUT in human-readable form.
/* mok.pub and the Debian CA file are DER, so tell openssl the input format (OpenSSL 3 also autodetects it) */
openssl x509 -inform DER -in mok.pub -noout -text
openssl x509 -inform DER -in debian-uefi-ca.der -noout -text
/* convert to the software-friendly PEM format */
openssl x509 -inform DER -in mok.pub -out mok.pem -outform PEM
openssl x509 -inform DER -in debian-uefi-ca.der -out debian-uefi-ca.pem -outform PEM
/* Convert cert to efiSignList */
cert-to-efi-sig-list debian-uefi-ca.pem debian-uefi-ca.esl
cert-to-efi-sig-list mok.pem mok.esl
Install the sbsigntools, efitools and gnu-efi packages (sbsign and sbverify come from sbsigntools; cert-to-efi-sig-list, sign-efi-sig-list and efi-updatevar from efitools)
The instructions below are based on /usr/share/efitools/README
/* The first self-signed certificate. PK (platform key) has the highest authority */
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
/* Create a request file (CSR), not an x509 cert file. These two are different things. -days only applies with -x509, so it is left out here */
openssl req -new -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.csr -nodes -sha256 -addext basicConstraints=CA:TRUE
/* The CA root (PK) creates the x509 cert for you by signing your request */
/* -copy_extensions copy (OpenSSL 3.0+) carries basicConstraints from the CSR into the cert; without it the extension is not carried over */
openssl x509 -CA PK.crt -CAkey PK.key -req -in KEK.csr -out KEK.crt -days 3650 -set_serial 02 -copy_extensions copy
/* Note that the x509 command is the second step: req makes the request, x509 issues the cert */
/* Doing the same for the db variable. Each cert issued by the same CA needs its own serial number, so this one gets 03 */
openssl req -new -newkey rsa:2048 -subj "/CN=DB/" -keyout DB.key -out DB.csr -nodes -sha256 -addext basicConstraints=CA:TRUE
openssl x509 -CA PK.crt -CAkey PK.key -req -in DB.csr -out DB.crt -days 3650 -set_serial 03 -copy_extensions copy
/* Creating a CA root (the method used to generate KEK.crt and DB.crt) was my personal preference */
/* The efitools instructions only mention the self-signed method I used to generate PK.key and PK.crt */
/* convert cert into efiSignList */
cert-to-efi-sig-list PK.crt PK.esl
/* Same idea as signing with openssl, except the output is an authenticated-variable payload (.auth) that the firmware accepts for that variable */
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
cert-to-efi-sig-list KEK.crt KEK.esl
sign-efi-sig-list -k KEK.key -c KEK.crt KEK KEK.esl KEK.auth
cert-to-efi-sig-list DB.crt DB.esl
/* An .esl is a sequence of self-delimiting signature lists, so appending the extra certs is a plain concatenation (order: mok, Debian CA, DB) */
cat append_db/mok.esl append_db/debian-uefi-ca.esl DB.esl > _DB.esl
mv _DB.esl DB.esl
sign-efi-sig-list -k DB.key -c DB.crt DB DB.esl DB.auth
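The cert-to-efi-sig-list step and the cat step above both rely on the EFI_SIGNATURE_LIST layout: a 16-byte signature-type GUID, three little-endian u32 sizes, then one or more EFI_SIGNATURE_DATA entries (owner GUID plus the DER certificate). The Python below is an added example, not part of the gist or of efitools. It builds an .esl from DER bytes the way cert-to-efi-sig-list does, then walks a concatenated blob and checks that every entry is an X.509 DER cert before you hand it to sign-efi-sig-list and efi-updatevar (a PEM file fed in by mistake is the failure it catches). The owner GUID and the two stand-in "certificates" are constructed for the example.

```python
# Added example (not from the gist or efitools): build and walk EFI_SIGNATURE_LIST
# blobs (.esl) in pure Python. An .esl is a sequence of self-delimiting lists,
# which is why `cat a.esl b.esl > DB.esl` yields a valid multi-entry list.
import struct
import uuid

# GUID from the UEFI spec that marks an entry as an X.509 DER certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Constructed owner GUID for this example; the firmware does not validate it.
EXAMPLE_OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_LIST_HDR = struct.Struct("<16sIII")


def cert_to_esl(der_cert: bytes, owner: uuid.UUID = EXAMPLE_OWNER_GUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST holding a single EFI_SIGNATURE_DATA."""
    if not der_cert or der_cert[0] != 0x30:
        # A DER X.509 cert starts with an ASN.1 SEQUENCE tag; PEM starts with '-----BEGIN'.
        raise ValueError("expected a DER certificate (did you pass PEM?)")
    sig_size = 16 + len(der_cert)            # SignatureOwner GUID + SignatureData
    list_size = _LIST_HDR.size + sig_size    # one signature, no per-list signature header
    header = _LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + der_cert


def parse_esl(blob: bytes) -> list:
    """Walk a (possibly concatenated) .esl blob and return one dict per signature entry."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + _LIST_HDR.size + hdr_size : off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not tile the list at offset {off}")
        for i in range(0, len(body), sig_size):
            entries.append({
                "type": uuid.UUID(bytes_le=sig_type),        # GUIDs are stored mixed-endian
                "owner": uuid.UUID(bytes_le=body[i:i + 16]),
                "data": body[i + 16:i + sig_size],
                "list_offset": off,
            })
        off += list_size
    return entries


def check_x509_esl(blob: bytes) -> int:
    """Sanity-check a PK/KEK/db .esl before signing: every entry must be an X.509 DER cert.
    Returns the number of entries found."""
    entries = parse_esl(blob)
    for e in entries:
        if e["type"] != EFI_CERT_X509_GUID:
            raise ValueError(f"non-X509 entry of type {e['type']} at list offset {e['list_offset']}")
        if e["data"][:1] != b"\x30":
            raise ValueError(f"entry at list offset {e['list_offset']} is not DER (PEM text?)")
    return len(entries)


# Constructed stand-ins for DER certificates: a real cert is a DER SEQUENCE as well,
# and only the leading tag/length bytes matter to the checks above.
FAKE_CERT_A = b"\x30\x82\x00\x10" + b"A" * 16
FAKE_CERT_B = b"\x30\x82\x00\x08" + b"B" * 8

if __name__ == "__main__":
    # Equivalent of: cat a.esl b.esl > DB.esl
    db = cert_to_esl(FAKE_CERT_A) + cert_to_esl(FAKE_CERT_B)
    print(f"{check_x509_esl(db)} X.509 entries")
    for e in parse_esl(db):
        print(f"list at {e['list_offset']:4d}  owner {e['owner']}  cert {len(e['data'])} bytes")
```

To inspect the real file from the steps above, read DB.esl as bytes and pass it to check_x509_esl; the count it returns should equal the number of certificates you concatenated (three in this gist: mok, the Debian CA and DB).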
/* For safety these efivars are marked immutable. Make them mutable before loading the signatures (needs root) */
sudo chattr -i /sys/firmware/efi/efivars/{PK,KEK,db,dbx}*
/* Writing PK normally takes the firmware out of Setup Mode; efitools' README therefore enrolls PK last. If the KEK/db writes fail after PK, use the order db, KEK, PK */
sudo efi-updatevar -f PK.auth PK
/* The next two work only in Setup Mode. In User Mode, a KEK update must be signed by the PK holder and a db update by a KEK holder */
sudo efi-updatevar -f KEK.auth KEK
sudo efi-updatevar -f DB.auth db
sudo chattr +i /sys/firmware/efi/efivars/{PK,KEK,db,dbx}*
Then reboot to see Secure Boot in effect. After the reboot, bootctl status reports the Secure Boot state, and sbverify --cert mok.pem on the installed systemd-bootx64.efi confirms it carries your signature.
irik77587 commented Jul 26, 2024

Sorry for the poor readability. I just wrote this as I worked through each of the steps.

@irik77587 (Author):

A better guide for SecureBoot
