UEFI Secure Boot variables protection not yet tested

[miczyg1]

Managing UEFI Secure Boot variables using OS tools like efitools does not work as intended. According to Debian manpages it should be possible to remove PK if owning the private key enrolled currently as PK: https://manpages.debian.org/testing/efitools/efi-updatevar.1.en.html

However, for some reason it does not want to pass:

One may say that the protection works, but to the extent that nothing can be done once PK is enrolled.

It will have to be investigated and eventually fixed in the next phase of Sovereign Boot Provisioning Wizard project.

[pietrushnic]

sbl has something like key rotation. I wonder if that would be helpful. Another debugging approach could be manually making the variable using sbvarsign.

[miczyg1]

sbl has something like key rotation. I wonder if that would be helpful. Another debugging approach could be manually making the variable using sbvarsign.

I used the cert-to-efi-sig-list and sign-efi-sig-list which should be equivalent to what sbvarsign does.

I guess It would be wise to try out all possible utilities out there.

[Ingo-Albrecht]

Have a look at lsattr /sys/firmware/efi/efivars/PK*, the immutability is not unset automatically.

[miczyg1]

Have a look at lsattr /sys/firmware/efi/efivars/PK*, the immutability is not unset automatically.

Yes, you are right. I also found the magic command unlocking the access here: https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

chattr -i /sys/firmware/efi/efivars/{PK,KEK,db}*

When this is invoked before writing new PK or deleting existing one, no error returned. Thanks !

[miczyg1]

Dasharo/open-source-firmware-validation#1023

The protections work as expected.