Create three key pairs
UEFI Secure Boot is based on the following three key databases, which are used in a chain of trust: the platform key (PK), the key exchange key (KEK), and the signature database (db).¹
You create each key on the instance. To prepare the public keys in a format
that is valid for the UEFI Secure Boot standard, you create a certificate for
each key. DER defines the SSL format (binary encoding of a format).
You then convert each certificate into a UEFI signature list, which is the
binary format that is understood by UEFI Secure Boot. And finally, you sign each
certificate with the relevant key.
Topics
Prepare to create the key pairs
Before creating the key pairs, create a globally unique identifier (GUID) to be used in key generation.
-
Run the following command in a shell prompt.
uuidgen --random > GUID.txt
Key pair 1: Create the platform key (PK)
The PK is the root of trust for UEFI Secure Boot instances. The private PK is used to update the KEK, which in turn can be used to add authorized keys to the signature database (db).
The X.509 standard is used for creating the key pair. For information
about the standard, see X.509
To create the PK
-
Create the key. You must name the variable
PK.openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Platform key/" -out PK.crtThe following parameters are specified:
-
-keyout PK.key– The private key file. -
-days 3650– The number of days that the certificate is valid. -
-out PK.crt– The certificate that is used to create the UEFI variable. -
CN=– The common name (CN) for the key. You can enter the name of your own organization instead ofPlatform keyPlatform key.
-
-
Create the certificate.
openssl x509 -outform DER -in PK.crt -out PK.cer -
Convert the certificate into a UEFI signature list.
cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl -
Sign the UEFI signature list with the private PK (self-signed).
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
Key pair 2: Create the key exchange key (KEK)
The private KEK is used to add keys to the db, which is the list of authorized signatures to boot on the system.
To create the KEK
-
Create the key.
openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Key Exchange Key/" -out KEK.crt -
Create the certificate.
openssl x509 -outform DER -in KEK.crt -out KEK.cer -
Convert the certificate into a UEFI signature list.
cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl -
Sign the signature list with the private PK.
sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
Key pair 3: Create the signature database (db)
The db list contains authorized keys that are authorized to be booted on the system. To modify the list, the private KEK is necessary. Boot images will be signed with the private key that is created in this step.
To create the db
-
Create the key.
openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Signature Database key/" -out db.crt -
Create the certificate.
openssl x509 -outform DER -in db.crt -out db.cer -
Convert the certificate into a UEFI signature list.
cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl -
Sign the signature list with the private KEK.
sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
Sign the boot image (kernel) with the private key
For Ubuntu 22.04, the following images require signatures.
/boot/efi/EFI/ubuntu/shimx64.efi
/boot/efi/EFI/ubuntu/mmx64.efi
/boot/efi/EFI/ubuntu/grubx64.efi
/boot/vmlinuzTo sign an image
Use the following syntax to sign an image.
sbsign --key db.key --cert db.crt --output/boot/vmlinuz/boot/vmlinuz
Note
You must sign all new kernels.
/boot/vmlinuz
Refer to the documentation for your distribution to find out about your boot chain and required images.
¹ Thanks to the ArchWiki community for all of the work they have done. The commands for creating the PK, creating the KEK,
creating the DB, and signing the image are from Creating keys