VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/SecureBoot
diff options
context:
space:
mode:
Diffstat (limited to 'SecureBoot')
-rw-r--r--SecureBoot/certs/DCS_key_exchange.crtbin0 -> 1093 bytes
-rw-r--r--SecureBoot/certs/DCS_platform.crtbin0 -> 1341 bytes
-rw-r--r--SecureBoot/certs/DCS_sign.crtbin0 -> 826 bytes
-rw-r--r--SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crtbin0 -> 1556 bytes
-rw-r--r--SecureBoot/certs/MicWinProPCA2011_2011-10-19.crtbin0 -> 1499 bytes
-rw-r--r--SecureBoot/certs/readme.txt3
-rw-r--r--SecureBoot/efi_sign.bat1
-rw-r--r--SecureBoot/readme.txt13
-rw-r--r--SecureBoot/sb_set_siglists.ps122
-rw-r--r--SecureBoot/siglists/DCS_key_exchange_SigList.binbin0 -> 1137 bytes
-rw-r--r--SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.binbin0 -> 1179 bytes
-rw-r--r--SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7bin0 -> 1996 bytes
-rw-r--r--SecureBoot/siglists/DCS_platform_SigList.binbin0 -> 1385 bytes
-rw-r--r--SecureBoot/siglists/DCS_platform_SigList_Serialization.binbin0 -> 1425 bytes
-rw-r--r--SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7bin0 -> 1996 bytes
-rw-r--r--SecureBoot/siglists/DCS_sign_SigList.binbin0 -> 870 bytes
-rw-r--r--SecureBoot/siglists/DCS_sign_SigList_Serialization.binbin0 -> 910 bytes
-rw-r--r--SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7bin0 -> 1492 bytes
-rw-r--r--SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.binbin0 -> 1600 bytes
-rw-r--r--SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.binbin0 -> 1640 bytes
-rw-r--r--SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7bin0 -> 1492 bytes
-rw-r--r--SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.binbin0 -> 1543 bytes
-rw-r--r--SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.binbin0 -> 1583 bytes
-rw-r--r--SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7bin0 -> 1492 bytes
24 files changed, 39 insertions, 0 deletions
diff --git a/SecureBoot/certs/DCS_key_exchange.crt b/SecureBoot/certs/DCS_key_exchange.crt
new file mode 100644
index 0000000..80bc7ca
--- /dev/null
+++ b/SecureBoot/certs/DCS_key_exchange.crt
Binary files differ
diff --git a/SecureBoot/certs/DCS_platform.crt b/SecureBoot/certs/DCS_platform.crt
new file mode 100644
index 0000000..a7cf8ce
--- /dev/null
+++ b/SecureBoot/certs/DCS_platform.crt
Binary files differ
diff --git a/SecureBoot/certs/DCS_sign.crt b/SecureBoot/certs/DCS_sign.crt
new file mode 100644
index 0000000..f0538db
--- /dev/null
+++ b/SecureBoot/certs/DCS_sign.crt
Binary files differ
diff --git a/SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt b/SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt
new file mode 100644
index 0000000..9aa6ac6
--- /dev/null
+++ b/SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt
Binary files differ
diff --git a/SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt b/SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt
new file mode 100644
index 0000000..a6d001c
--- /dev/null
+++ b/SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt
Binary files differ
diff --git a/SecureBoot/certs/readme.txt b/SecureBoot/certs/readme.txt
new file mode 100644
index 0000000..29bed3c
--- /dev/null
+++ b/SecureBoot/certs/readme.txt
@@ -0,0 +1,3 @@
+There are two public DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
+Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
diff --git a/SecureBoot/efi_sign.bat b/SecureBoot/efi_sign.bat
new file mode 100644
index 0000000..4b4b764
--- /dev/null
+++ b/SecureBoot/efi_sign.bat
@@ -0,0 +1 @@
+signtool sign /ac %3 /f %2 /fd sha256 %1 \ No newline at end of file
diff --git a/SecureBoot/readme.txt b/SecureBoot/readme.txt
new file mode 100644
index 0000000..6e2dc43
--- /dev/null
+++ b/SecureBoot/readme.txt
@@ -0,0 +1,13 @@
+To update secure boot configuration
+1. Enter BIOS configuration
+2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
+3. Boot Windows
+4. execute from admin command prompt
+ powershell -File sb_set_siglists.ps1
+It sets in PK (platform key) - DCS_platform
+It sets in KEK (key exchange key) - DCS_key_exchange
+It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
+
+All DCS modules are protected by DCS_sign.
+All Windows modules are protected by MicWinProPCA2011_2011-10-19
+All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27 \ No newline at end of file
diff --git a/SecureBoot/sb_set_siglists.ps1 b/SecureBoot/sb_set_siglists.ps1
new file mode 100644
index 0000000..ae53ca8
--- /dev/null
+++ b/SecureBoot/sb_set_siglists.ps1
@@ -0,0 +1,22 @@
+Set-ExecutionPolicy Bypass -Force
+Import-Module secureboot
+
+Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
+
+Write-Host "Setting self-signed PK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
+
+Write-Host "Setting PK-signed KEK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
+
+Write-Host "Setting KEK-signed DCS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_sign_SigList.bin -SignedFilePath siglists\DCS_sign_SigList_Serialization.bin.p7 -Name db
+
+Write-Host "Setting KEK-signed MS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicWinProPCA2011_2011-10-19_SigList.bin -SignedFilePath siglists\MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
+
+Write-Host "Setting KEK-signed MS UEFI cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList.bin -SignedFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
diff --git a/SecureBoot/siglists/DCS_key_exchange_SigList.bin b/SecureBoot/siglists/DCS_key_exchange_SigList.bin
new file mode 100644
index 0000000..62f5cc6
--- /dev/null
+++ b/SecureBoot/siglists/DCS_key_exchange_SigList.bin
Binary files differ
diff --git a/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin
new file mode 100644
index 0000000..1cffcf0
--- /dev/null
+++ b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin
Binary files differ
diff --git a/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..1e9d29a
--- /dev/null
+++ b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
Binary files differ
diff --git a/SecureBoot/siglists/DCS_platform_SigList.bin b/SecureBoot/siglists/DCS_platform_SigList.bin
new file mode 100644
index 0000000..0b6d7e1
--- /dev/null
+++ b/SecureBoot/siglists/DCS_platform_SigList.bin
Binary files differ
diff --git a/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin
new file mode 100644
index 0000000..e8fbf79
--- /dev/null
+++ b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin
Binary files differ
diff --git a/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7 b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..19cb86d
--- /dev/null
+++ b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7
Binary files differ
diff --git a/SecureBoot/siglists/DCS_sign_SigList.bin b/SecureBoot/siglists/DCS_sign_SigList.bin
new file mode 100644
index 0000000..9a3f568
--- /dev/null
+++ b/SecureBoot/siglists/DCS_sign_SigList.bin
Binary files differ
diff --git a/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin
new file mode 100644
index 0000000..de58d77
--- /dev/null
+++ b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin
Binary files differ
diff --git a/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7 b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..01753a8
--- /dev/null
+++ b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7
Binary files differ
diff --git a/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
new file mode 100644
index 0000000..413ccab
--- /dev/null
+++ b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
Binary files differ
diff --git a/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
new file mode 100644
index 0000000..735d962
--- /dev/null
+++ b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
Binary files differ
diff --git a/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..ed8cefd
--- /dev/null
+++ b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
Binary files differ
diff --git a/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
new file mode 100644
index 0000000..ac542ca
--- /dev/null
+++ b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
Binary files differ
diff --git a/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
new file mode 100644
index 0000000..9138dae
--- /dev/null
+++ b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
Binary files differ
diff --git a/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..b08c60a
--- /dev/null
+++ b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
Binary files differ