author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2018-07-06 23:23:30 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2018-07-06 23:24:30 +0200 |
commit | 201936e98a36ae5027ad4ac351d4d7a2fc1f1f8d (patch) | |
tree | 5d7187d0d1af1fe68d486fc8de653284d0740b61 | |
parent | a4777ed826176ba30339fe9c5687ccd14e8265e5 (diff) | |
Change the order of setting EFI variables so that PK is updated last in order to have maximum compatibility (cf https://wiki.archlinux.org/index.php/Secure_Boot#Enroll_keys_in_firmware, thanks to Alexander B. for suggesting this)
-rw-r--r-- | SecureBoot/sb_set_siglists.ps1 | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/SecureBoot/sb_set_siglists.ps1 b/SecureBoot/sb_set_siglists.ps1
index ce79833..d7f6baa 100644
--- a/SecureBoot/sb_set_siglists.ps1
+++ b/SecureBoot/sb_set_siglists.ps1
@@ -3,21 +3,15 @@ Import-Module secureboot
try
{
- Set-SecureBootUEFI -Name PK -Time 2018-07-05T00:00:00Z -Content $null
- Set-SecureBootUEFI -Name KEK -Time 2018-07-05T00:00:00Z -Content $null
- Set-SecureBootUEFI -Name db -Time 2018-07-05T00:00:00Z -Content $null
Set-SecureBootUEFI -Name dbx -Time 2018-07-05T00:00:00Z -Content $null
+ Set-SecureBootUEFI -Name db -Time 2018-07-05T00:00:00Z -Content $null
+ Set-SecureBootUEFI -Name KEK -Time 2018-07-05T00:00:00Z -Content $null
+ Set-SecureBootUEFI -Name PK -Time 2018-07-05T00:00:00Z -Content $null
}
catch
{
}
-Write-Host "Setting self-signed PK..."
-Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
-
-Write-Host "Setting PK-signed KEK..."
-Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
-
Write-Host "Setting KEK-signed content of dbx..."
Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\dbx_list_SigList.bin -SignedFilePath siglists\dbx_list_SigList_Serialization.bin.p7 -Name dbx
@@ -35,6 +29,7 @@ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\MicCorUE
# as displayed by dumpEfiVars tool
############### Acer ###############
+# Write-Host "Setting KEK-signed Acer certs in db..."
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Acer_2012-05-31_SigList.bin -SignedFilePath siglists\Acer_2012-05-31_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Acer_Database_2013-07-10_SigList.bin -SignedFilePath siglists\Acer_Database_2013-07-10_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Acer_db_Manufacture_2015-06-17_SigList.bin -SignedFilePath siglists\Acer_db_Manufacture_2015-06-17_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
@@ -44,17 +39,21 @@ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\MicCorUE
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Acer_DisablePW_2012-12-31_SigList.bin -SignedFilePath siglists\Acer_DisablePW_2012-12-31_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
############### ASUS ###############
+# Write-Host "Setting KEK-signed ASUS certs in db..."
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\ASUSTeK_MotherBoard_SW_Key_Certificate_2011-12_27_SigList.bin -SignedFilePath siglists\ASUSTeK_MotherBoard_SW_Key_Certificate_2011-12_27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\ASUSTeK_Notebook_SW_Key_Certificate_2011-12_27_SigList.bin -SignedFilePath siglists\ASUSTeK_Notebook_SW_Key_Certificate_2011-12_27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Canonical_Master_CA_2012_04_12_SigList.bin -SignedFilePath siglists\Canonical_Master_CA_2012_04_12_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
############### DELL ###############
+# Write-Host "Setting KEK-signed Dell cert in db..."
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Dell_UEFI_DB_2016_06_03_SigList.bin -SignedFilePath siglists\Dell_UEFI_DB_2016_06_03_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
############### HP ###############
+# Write-Host "Setting KEK-signed HP cert in db..."
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\HP_UEFI_Secure_Boot_2013_DB_key_2013_08_23_SigList.bin -SignedFilePath siglists\HP_UEFI_Secure_Boot_2013_DB_key_2013_08_23_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
############### Lenovo ###############
+# Write-Host "Setting KEK-signed Lenovo certs in db..."
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Lenovo_1T110-1415ISK-2016-02-17_SigList.bin -SignedFilePath siglists\Lenovo_1T110-1415ISK-2016-02-17_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Lenovo_DCU31-80E31-80_2015-03-03_SigList.bin -SignedFilePath siglists\Lenovo_DCU31-80E31-80_2015-03-03_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Lenovo_ThinkPad_Product_CA_2012-06-29_SigList.bin -SignedFilePath siglists\Lenovo_ThinkPad_Product_CA_2012-06-29_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
@@ -65,8 +64,14 @@ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\MicCorUE
############### Toshiba ###############
+# Write-Host "Setting KEK-signed Toshiba certs in db..."
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Toshiba_Corporation_Utility_CA_2012-08-10_SigList.bin -SignedFilePath siglists\Toshiba_Corporation_Utility_CA_2012-08-10_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Toshiba_QCI_2012-07-24_SigList.bin -SignedFilePath siglists\Toshiba_QCI_2012-07-24_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\Toshiba_QCI_Shell_2012-07-24_SigList.bin -SignedFilePath siglists\Toshiba_QCI_Shell_2012-07-24_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
+Write-Host "Setting PK-signed KEK..."
+Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
+
+Write-Host "Setting self-signed PK..."
+Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
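Review bot: The PK enrollment on the last added line runs unconditionally, so if the KEK write three lines above it (or any of the db/dbx writes earlier in the file, outside this hunk) fails with a non-terminating error, the script still installs the PK and takes the firmware out of setup mode with an incomplete key database. A failed db write followed by a successful PK write could leave the machine unable to boot a signed loader until the variables are repaired from firmware setup, which is the opposite of what moving PK last is meant to achieve. The empty `catch {}` in the first hunk already hides failures from the clearing phase, so nothing upstream stops the script either. Consider making the writes terminating, `Set-SecureBootUEFI ... -Name KEK -ErrorAction Stop`, and guarding the PK line with `if (-not $?) { throw "KEK update failed; PK not enrolled" }`, or setting `$ErrorActionPreference = 'Stop'` next to the Import-Module line so every Set-SecureBootUEFI failure aborts before PK is written.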