There are two sign tools for the UEFI image file: pesign and sbsigntools. Here is the simple HOWTO of the usage of the two tools.

Create Your Own Certificate

Before signing any UEFI image file, you need a certificate for signing. For test, if you don't want to fiddle with openssl commands, I recommend use the script in pesign.

# ./make-certs UserName nobody@example.org all codesign 1.3.6.1.4.1.311.10.3.1

The script creates several files, but only the following files are needed: ca.crt, UserName.crt, UserName.key, and UserName.p12.

pesign

Pesign is developed by Peter Jones and maintained in his github repo. The packages for openSUSE 12.1, openSUSE 12.2, and SLE-11-SP2 are available in obs://home:gary_lin:UEFI. The package will create new user and group, 'pesign', if it doesn't exist. (Update: pesign is in openSUSE 12.3 and going to be in SLE-11-SP3 and any later version.)

Import Certificates into the NSS database

Since pesign uses NSS to manage the certificates, you have to import your certificates into the NSS database. The default NSS database path is /etc/pki/pesign, but you can also specify a database. Before manipulating the NSS database, make sure mozilla-nss-tools is installed in your system. Create the database if you don't have it.

$ mkdir certdb $ certutil -N -d certdb Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: Re-enter password:

You can list the certificates in the database with this command:

$ certutil -L -d certdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI

If your certificate were not listed, then you could start to import your certificates.

Import the CA certificate:

$ certutil -A -n 'my CA' -d certdb -t CT,CT,CT -i ca.crt

Import your private key:

$ pk12util -d certdb -i UserName.p12

The NSS database may request a password for the database to keep the private key. Please remember the database password deeply since it will be used later.

Import your certificate:

$ certutil -d certdb -A -i UserName.crt -n "UserName" -t u

Check the database

$ certutil -L -d certdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI my CA CT,C,C UserName u,u,u

Sign UEFI images

After importing your own certificate, you can start to sign the UEFI image files. There are two ways to do it: 'pesign' or 'pesign-client'.

'pesign'

To sign sample.efi and save as sample-signed.efi:

$ pesign -n certdb -c "UserName" -s -i sample.efi -o sample-signed.efi

Then, a password prompt will show

Enter passphrase for private key:

Since your private key was imported into the NSS database, you have to enter the database password instead of the password of your private key.

To show the signature in sample-signed.efi:

$ pesign -n certdb -S -i sample-signed.efi

The output will be similar to this:

--------------------------------------------- Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is SomeOrg No signer email address. Signing time: Tue Jul 03, 2012 There were certs or crls included. ---------------------------------------------

'pesign-client'

Besides the command "pesign", there is a pesign daemon to access the centralized key database (/etc/pki/pesign).

To start the daemon in openSUSE 12.x:

# systemctl start pesign.service

In SLE-11-SP2:

# rcpesign start

Once the daemon is started, pesign-client can get the keys through the daemon.

First, enter the password to unlock the database.

$ pesign-client -u

Then, sign the image.

$ pesign-client -c "UserName" -s -i sample.efi -o sample-signed.efi

Sbsigntools is developed by Jeremy Kerr. Per README in the sbsigntools, the program is maintained in git://kernel.ubuntu.com/jk/sbsigntool. The package for openSUSE 12.1 is available in obs://home:jejb1:UEFI

Sign the UEFI image file

To sign the UEFI image file with sbsigntools, just use the following command:

$ sbsign --key UserName.key --cert UserName.crt --output sample-signed.efi sample.efi

Verify the signed file

To verify the signature with the CA certificate:

$ sbverify --cert ca.crt sample-signed.efi Signature verification OK

See also