验证 EFI 二进制文件的签名

tag-icon tag-icon uefi secure-boot
验证 EFI 二进制文件的签名

我正在探索 UEFI 安全启动,并且想要验证已签名二进制文件的证书。

下面的代码显示确实存在一些签名:

sbverify --list  $BOOT/EFI/BOOT/BOOTX64.EFI
warning: data remaining[1171248 vs 1334816]: gaps between PE/COFF sections?                   
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

我想使用完全错误的证书来验证该签名,并希望验证失败。在下面的步骤中,我创建一个随机证书并尝试用它验证二进制签名:

openssl genpkey -algorithm RSA -out random-private-key.pem
openssl req -new -x509 -key random-private-key.pem -out random-certificate.pem -days 365 -subj "/C=US/ST=California/L=San Francisco/O=My Organization/OU=My Unit/CN=mydomain.com"
sbverify --cert random-certificate.pem  $BOOT/EFI/BOOT/BOOTX64.EFI

# Output:
# warning: data remaining[1171248 vs 1334816]: gaps between PE/COFF sections?
# Signature verification OK

这是:

  • 误报 - 二进制文件不可能由刚刚创建的随机证书签名
  • 我误解了sbverify标志
  • 闯入sbverify

有谁知道确认 EFI 二进制文件签名的方法吗?

答案1

你可以用 做两件事sbverify

  • 列出并比较 *.efi 可执行文件和其他签名代码(如 Linux 内核)的所有发行者:
[root@alma8-vm admin]# sbverify --list /boot/efi/EFI/almalinux/grubx64.efi
signature 1
image signature issuers:
 - /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
image signature certificates:
 - subject: /serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/C=US/ST=Florida/O=AlmaLinux OS Foundation
   issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
 - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
   issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
 - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
   issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

[root@alma8-vm admin]# sbverify --list /boot/vmlinuz-4.18.0-477.27.2.el8_8.x86_64
signature 1
image signature issuers:
 - /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
image signature certificates:
 - subject: /serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/C=US/ST=Florida/O=AlmaLinux OS Foundation
   issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
 - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
   issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
 - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
   issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
  • 验证签名
[root@alma8-vm admin]# sbverify /boot/efi/EFI/almalinux/grubx64.efi
Signature verification OK
[root@alma8-vm admin]# sbverify /boot/vmlinuz-4.18.0-477.27.2.el8_8.x86_64
Signature verification OK

列出发行人的通用名称(没有其公钥指纹)并不能帮助我们解决信任问题。论证也没有--cert <certfile>

我建议的验证是从下载签名证书扇贝属并将其与嵌入的证书进行比较。唉!

[root@alma8-vm admin]# sbverify --cert sectigo-ev.crt /boot/efi/EFI/almalinux/grubx64.efi
Signature verification OK
[root@alma8-vm admin]# sbverify --cert bogus.crt /boot/efi/EFI/almalinux/grubx64.efi
Signature verification OK

我们并不是唯一有这些担忧的人,开发商没有回应https://groups.io/g/sbsigntools/message/57

相关内容