Read firmware boot keys & save to files
Clay Daniels
clay.daniels.jr at gmail.com
Mon Nov 4 23:02:24 UTC 2019
FreeBSD has several nice programs dealing with boot keys & certs, including:
OpenSSL/LibreSSL
GnuPG/gpg
efivar
I keep trying to get any of these to read the contents of the firmware boot
keys and save them to files. I'm talking about four files, PK, KEK, DB, DBX
and maybe a fifth, the MOK (Machine Owners Key).
My newer 2019 machine's bios does a good job of saving then, my older 2014
machine does not even list them except to call them "HP Keys".
Some linux distros have a nice little tool named efi-readvar, which is part
of a larger package named efitools by James Bottomley, that does a nice job
of both reading and saving them to files.
Microsoft's Powershell has a Get-SecureBootUEFI command that saves to a
file, but I never tried to read them there, as it was mostly for a backup.
The reason for my question is that before one starts to mess with your bios
keys, you probably want to back them up on a thumbdrive. And I'm interested
in doing it totally (well mostly) with FreeBSD.
Clay
More information about the freebsd-questions
mailing list