
I'm exploring UEFI secure boot and want to verify the certificates of the signed binaries.

The code below shows there are indeed some signatures present:

    sbverify --list $BOOT/EFI/BOOT/BOOTX64.EFI
    warning: data remaining[1171248 vs 1334816]: gaps between PE/COFF sections?
    signature 1
    image signature issuers:
     - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    image signature certificates:
     - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
       issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
     - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
       issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

I want to verify that signature using a totally wrong certificate, and am expecting the verification to fail. In the steps below I create a random certificate and attempt to verify the binary signature with it:

    openssl genpkey -algorithm RSA -out random-private-key.pem
    openssl req -new -x509 -key random-private-key.pem -out random-certificate.pem -days 365 \
        -subj "/C=US/ST=California/L=San Francisco/O=My Organization/OU=My Unit/CN=mydomain.com"
    sbverify --cert random-certificate.pem $BOOT/EFI/BOOT/BOOTX64.EFI
    # Output:
    # warning: data remaining[1171248 vs 1334816]: gaps between PE/COFF sections?
    # Signature verification OK

This is either a:

  • false positive - no way the binary is signed by the just created random cert
  • I'm misunderstanding the sbverify flags
  • Bug in sbverify

Does anyone know a method for confirming the signature of an EFI binary?

1 Answer

You can do two things with sbverify:

  • List & compare all issuers for *.efi executables, and other signed code like the Linux kernel:

        [root@alma8-vm admin]# sbverify --list /boot/efi/EFI/almalinux/grubx64.efi
        signature 1
        image signature issuers:
         - /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
        image signature certificates:
         - subject: /serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/C=US/ST=Florida/O=AlmaLinux OS Foundation
           issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
         - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
           issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
         - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
           issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

        [root@alma8-vm admin]# sbverify --list /boot/vmlinuz-4.18.0-477.27.2.el8_8.x86_64
        signature 1
        image signature issuers:
         - /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
        image signature certificates:
         - subject: /serialNumber=5561017/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/C=US/ST=Florida/O=AlmaLinux OS Foundation
           issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
         - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing CA EV R36
           issuer:  /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
         - subject: /C=GB/O=Sectigo Limited/CN=Sectigo Public Code Signing Root R46
           issuer:  /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services

  • Verify the signature:

        [root@alma8-vm admin]# sbverify /boot/efi/EFI/almalinux/grubx64.efi
        Signature verification OK
        [root@alma8-vm admin]# sbverify /boot/vmlinuz-4.18.0-477.27.2.el8_8.x86_64
        Signature verification OK

Listing the common name of the issuers, without their public key fingerprint, does not help us resolve trust issues. Neither does the --cert <certfile> argument.

The verification I suggest would be to download the signing certificate from Sectigo and compare it to the embedded certificate. Alas!

    [root@alma8-vm admin]# sbverify --cert sectigo-ev.crt /boot/efi/EFI/almalinux/grubx64.efi
    Signature verification OK
    [root@alma8-vm admin]# sbverify --cert bogus.crt /boot/efi/EFI/almalinux/grubx64.efi
    Signature verification OK

We are not the only ones having these concerns; the developer did not respond to https://groups.io/g/sbsigntools/message/57
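The answer's point is that the issuer CN printed by `sbverify --list` cannot anchor trust, and that `--cert` does not fail on a wrong certificate. What a defender can do instead is compare the certificates actually embedded in the image against a pinned fingerprint. The following is an added example (not from the question, the answer, or sbsigntools) that walks the PE/COFF Certificate Table, pulls the DER certificates out of the Authenticode PKCS#7 blob with a minimal stdlib ASN.1 walker, and checks their SHA-256 fingerprints against an allowlist. It only does the trust-anchor comparison; it does not verify the signature over the image hash itself, so it complements a plain `sbverify <file>` run rather than replacing it. `build_test_image` and the `der` encoder exist only to construct a synthetic PE32+ image for offline testing and are not part of any real tool.

```python
# Added example: pin trust on the embedded signing certificate by SHA-256
# fingerprint rather than by its CN string. Pure stdlib; does NOT check the
# Authenticode signature over the image hash (use plain `sbverify` for that).
import hashlib
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1


def der_tlv(buf, pos=0):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, raw_tlv_bytes, value_start, value_end) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, buf[pos:vend], vstart, vend
        pos = vend


def pe_security_blobs(image):
    """Yield the bCertificate payload of every WIN_CERTIFICATE in the PE Certificate Table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)   # data directories start: PE32+ / PE32
    sec_off, sec_size = struct.unpack_from("<II", image, dirs + 4 * 8)  # entry 4 = Certificate Table
    pos, end = sec_off, sec_off + sec_size     # for this table the "RVA" is a raw file offset
    while pos + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8:
            break
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            yield bytes(image[pos + 8:pos + length])
        pos += (length + 7) & ~7               # entries are 8-byte aligned


def pkcs7_certificates(p7):
    """Return the DER certificates carried in a PKCS#7 SignedData blob."""
    _, s, e = der_tlv(p7)                      # ContentInfo SEQUENCE
    kids = list(der_children(p7, s, e))
    if kids[0][1][2:] != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 signedData")
    _, s, e = der_tlv(p7, kids[1][2])          # [0] EXPLICIT -> SignedData SEQUENCE
    for tag, _raw, vs, ve in der_children(p7, s, e):
        if tag == 0xA0:                        # certificates [0] IMPLICIT SET OF Certificate
            return [raw for _t, raw, _a, _b in der_children(p7, vs, ve)]
    return []


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def embedded_fingerprints(image):
    """SHA-256 fingerprints of every certificate embedded in the image signature."""
    return [sha256_hex(c) for blob in pe_security_blobs(image)
            for c in pkcs7_certificates(blob)]


def matches_pinned_certificate(image, pinned_sha256):
    """True only if an embedded certificate is byte-for-byte one of the pinned ones."""
    pinned = {p.replace(":", "").lower() for p in pinned_sha256}   # accept openssl's AA:BB form
    return any(fp in pinned for fp in embedded_fingerprints(image))


def der(tag, *parts):
    """Minimal DER encoder, used only to construct the synthetic test image below."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        hdr = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        hdr = bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + body


def build_test_image(certs):
    """Constructed PE32+ shell whose Certificate Table holds `certs` in a PKCS#7
    SignedData. There is no real signature here; it is offline test input only."""
    signed = der(0x30, der(0x02, b"\x01"), der(0x31),
                 der(0x30, der(0x06, OID_PKCS7_DATA)), der(0xA0, *certs), der(0x31))
    p7 = der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, signed))
    entry = struct.pack("<IHH", 8 + len(p7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + p7
    entry += b"\0" * (-len(entry) % 8)
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew + 24 + 240)       # DOS stub + COFF header + 240-byte PE32+ optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x20B)
    struct.pack_into("<II", hdr, e_lfanew + 24 + 112 + 32, len(hdr), len(entry))
    return bytes(hdr) + entry
```

To use it on a real image, read the file into `image` and call `embedded_fingerprints(image)`; the pinned value to compare against comes from the certificate you obtained out of band, e.g. `openssl x509 -in sectigo-ev.crt -noout -fingerprint -sha256`. Because the comparison is over the full DER certificate, a certificate with a matching subject string but a different key (the `bogus.crt` case above) will not match.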
