From b87fc6b140772ba3017de311c7063c259424264c Mon Sep 17 00:00:00 2001 
From: Alex Date: Mon, 15 Aug 2016 17:11:31 +0200 Subject: First public release. Used by VeraCrypt 1.18. --- SecureBoot/certs/DCS_key_exchange.crt | Bin 0 -> 1093 bytes SecureBoot/certs/DCS_platform.crt | Bin 0 -> 1341 bytes SecureBoot/certs/DCS_sign.crt | Bin 0 -> 826 bytes SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt | Bin 0 -> 1556 bytes SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt | Bin 0 -> 1499 bytes SecureBoot/certs/readme.txt | 3 +++ SecureBoot/efi_sign.bat | 1 + SecureBoot/readme.txt | 13 ++++++++++++ SecureBoot/sb_set_siglists.ps1 | 22 +++++++++++++++++++++ SecureBoot/siglists/DCS_key_exchange_SigList.bin | Bin 0 -> 1137 bytes .../DCS_key_exchange_SigList_Serialization.bin | Bin 0 -> 1179 bytes .../DCS_key_exchange_SigList_Serialization.bin.p7 | Bin 0 -> 1996 bytes SecureBoot/siglists/DCS_platform_SigList.bin | Bin 0 -> 1385 bytes .../DCS_platform_SigList_Serialization.bin | Bin 0 -> 1425 bytes .../DCS_platform_SigList_Serialization.bin.p7 | Bin 0 -> 1996 bytes SecureBoot/siglists/DCS_sign_SigList.bin | Bin 0 -> 870 bytes .../siglists/DCS_sign_SigList_Serialization.bin | Bin 0 -> 910 bytes .../siglists/DCS_sign_SigList_Serialization.bin.p7 | Bin 0 -> 1492 bytes .../MicCorUEFCA2011_2011-06-27_SigList.bin | Bin 0 -> 1600 bytes ...rUEFCA2011_2011-06-27_SigList_Serialization.bin | Bin 0 -> 1640 bytes ...FCA2011_2011-06-27_SigList_Serialization.bin.p7 | Bin 0 -> 1492 bytes .../MicWinProPCA2011_2011-10-19_SigList.bin | Bin 0 -> 1543 bytes ...ProPCA2011_2011-10-19_SigList_Serialization.bin | Bin 0 -> 1583 bytes ...PCA2011_2011-10-19_SigList_Serialization.bin.p7 | Bin 0 -> 1492 bytes 24 files changed, 39 insertions(+) create mode 100644 SecureBoot/certs/DCS_key_exchange.crt create mode 100644 SecureBoot/certs/DCS_platform.crt create mode 100644 SecureBoot/certs/DCS_sign.crt create mode 100644 SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt create mode 100644 SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt create mode 100644 SecureBoot/certs/readme.txt 
create mode 100644 SecureBoot/efi_sign.bat
create mode 100644 SecureBoot/readme.txt
create mode 100644 SecureBoot/sb_set_siglists.ps1
create mode 100644 SecureBoot/siglists/DCS_key_exchange_SigList.bin
create mode 100644 SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin
create mode 100644 SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
create mode 100644 SecureBoot/siglists/DCS_platform_SigList.bin
create mode 100644 SecureBoot/siglists/DCS_platform_SigList_Serialization.bin
create mode 100644 SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7
create mode 100644 SecureBoot/siglists/DCS_sign_SigList.bin
create mode 100644 SecureBoot/siglists/DCS_sign_SigList_Serialization.bin
create mode 100644 SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7
create mode 100644 SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
create mode 100644 SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
create mode 100644 SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
create mode 100644 SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
create mode 100644 SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
create mode 100644 SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
(limited to 'SecureBoot')
diff --git a/SecureBoot/certs/DCS_key_exchange.crt b/SecureBoot/certs/DCS_key_exchange.crt
new file mode 100644
index 0000000..80bc7ca
Binary files /dev/null and b/SecureBoot/certs/DCS_key_exchange.crt differ
diff --git a/SecureBoot/certs/DCS_platform.crt b/SecureBoot/certs/DCS_platform.crt
new file mode 100644
index 0000000..a7cf8ce
Binary files /dev/null and b/SecureBoot/certs/DCS_platform.crt differ
diff --git a/SecureBoot/certs/DCS_sign.crt b/SecureBoot/certs/DCS_sign.crt
new file mode 100644
index 0000000..f0538db
Binary files /dev/null and b/SecureBoot/certs/DCS_sign.crt differ
diff --git a/SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt b/SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt
new file mode 100644
index 0000000..9aa6ac6
Binary files /dev/null and b/SecureBoot/certs/MicCorUEFCA2011_2011-06-27.crt differ
diff --git a/SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt b/SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt
new file mode 100644
index 0000000..a6d001c
Binary files /dev/null and b/SecureBoot/certs/MicWinProPCA2011_2011-10-19.crt differ
diff --git a/SecureBoot/certs/readme.txt b/SecureBoot/certs/readme.txt
new file mode 100644
index 0000000..29bed3c
--- /dev/null
+++ b/SecureBoot/certs/readme.txt
@@ -0,0 +1,3 @@
+There are two public DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
+Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
diff --git a/SecureBoot/efi_sign.bat b/SecureBoot/efi_sign.bat
new file mode 100644
index 0000000..4b4b764
--- /dev/null
+++ b/SecureBoot/efi_sign.bat
@@ -0,0 +1 @@
+signtool sign /ac %3 /f %2 /fd sha256 %1
\ No newline at end of file
diff --git a/SecureBoot/readme.txt b/SecureBoot/readme.txt
new file mode 100644
index 0000000..6e2dc43
--- /dev/null
+++ b/SecureBoot/readme.txt
@@ -0,0 +1,13 @@
+To update secure boot configuration
+1. Enter BIOS configuration
+2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
+3. Boot Windows
+4. execute from admin command prompt
+ powershell -File sb_set_siglists.ps1
+It sets in PK (platform key) - DCS_platform
+It sets in KEK (key exchange key) - DCS_key_exchange
+It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
+
+All DCS modules are protected by DCS_sign.
+All Windows modules are protected by MicWinProPCA2011_2011-10-19
+All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
\ No newline at end of file
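Review bot: The three positional arguments in `signtool sign /ac %3 /f %2 /fd sha256 %1` are unquoted, so any path containing a space is split into extra arguments, and invoking the script with a missing argument hands signtool an empty option value instead of a usage message. Use `"%~1"`..`"%~3"` (quoted, with any caller-supplied quotes stripped), refuse to run when an argument is absent, and propagate signtool's exit code so a build step that calls this notices a failed signature. If %2 is a PFX holding the DCS_sign private key (it is passed through `/f`), it is also worth a comment that the key can instead be referenced from a certificate store or HSM with `/sha1 <thumbprint>`, keeping the signing key off disk as a password-protected file.
```batch
@echo off
if "%~3"=="" (
    echo usage: %~nx0 ^<image.efi^> ^<signing.pfx^> ^<additional.cer^>
    exit /b 1
)
signtool sign /ac "%~3" /f "%~2" /fd sha256 "%~1"
exit /b %errorlevel%
```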
diff --git a/SecureBoot/sb_set_siglists.ps1 b/SecureBoot/sb_set_siglists.ps1
new file mode 100644
index 0000000..ae53ca8
--- /dev/null
+++ b/SecureBoot/sb_set_siglists.ps1
@@ -0,0 +1,22 @@
+Set-ExecutionPolicy Bypass -Force
+Import-Module secureboot
+
+Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
+
+Write-Host "Setting self-signed PK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
+
+Write-Host "Setting PK-signed KEK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
+
+Write-Host "Setting KEK-signed DCS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_sign_SigList.bin -SignedFilePath siglists\DCS_sign_SigList_Serialization.bin.p7 -Name db
+
+Write-Host "Setting KEK-signed MS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicWinProPCA2011_2011-10-19_SigList.bin -SignedFilePath siglists\MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
+
+Write-Host "Setting KEK-signed MS UEFI cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList.bin -SignedFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
diff --git a/SecureBoot/siglists/DCS_key_exchange_SigList.bin b/SecureBoot/siglists/DCS_key_exchange_SigList.bin
new file mode 100644
index 0000000..62f5cc6
Binary files /dev/null and b/SecureBoot/siglists/DCS_key_exchange_SigList.bin differ
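Review bot: `Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null` empties the forbidden-signatures database and nothing later in the hunk repopulates it, while both Microsoft CAs are re-enrolled in db, so every Microsoft-signed boot component that the machine's previous dbx had revoked becomes bootable again. Because KEK afterwards holds only DCS_key_exchange, Microsoft's KEK-signed dbx updates presumably can no longer be applied either, so the dbx clear should be dropped (or a current dbx signature list, signed with the DCS KEK, appended with `-AppendWrite:$true`) and the readme should say the machine is now outside Microsoft's revocation path. `Set-ExecutionPolicy Bypass -Force` also persistently loosens the machine-wide policy for what is a one-off enrolment; it can go, with the caller using `powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1` instead. Finally, add `$ErrorActionPreference = 'Stop'` and `Set-Location $PSScriptRoot` before the first write, so a rejected PK (firmware not in setup mode) aborts the run instead of leaving a half-enrolled key hierarchy, and so the relative `siglists\` paths stop depending on the caller's working directory.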
diff --git a/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin
new file mode 100644
index 0000000..1cffcf0
Binary files /dev/null and b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin differ
diff --git a/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..1e9d29a
Binary files /dev/null and b/SecureBoot/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 differ
diff --git a/SecureBoot/siglists/DCS_platform_SigList.bin b/SecureBoot/siglists/DCS_platform_SigList.bin
new file mode 100644
index 0000000..0b6d7e1
Binary files /dev/null and b/SecureBoot/siglists/DCS_platform_SigList.bin differ
diff --git a/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin
new file mode 100644
index 0000000..e8fbf79
Binary files /dev/null and b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin differ
diff --git a/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7 b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..19cb86d
Binary files /dev/null and b/SecureBoot/siglists/DCS_platform_SigList_Serialization.bin.p7 differ
diff --git a/SecureBoot/siglists/DCS_sign_SigList.bin b/SecureBoot/siglists/DCS_sign_SigList.bin
new file mode 100644
index 0000000..9a3f568
Binary files /dev/null and b/SecureBoot/siglists/DCS_sign_SigList.bin differ
diff --git a/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin
new file mode 100644
index 0000000..de58d77
Binary files /dev/null and b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin differ
diff --git a/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7 b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..01753a8
Binary files /dev/null and b/SecureBoot/siglists/DCS_sign_SigList_Serialization.bin.p7 differ
diff --git a/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
new file mode 100644
index 0000000..413ccab
Binary files /dev/null and b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin differ
diff --git a/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
new file mode 100644
index 0000000..735d962
Binary files /dev/null and b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin differ
diff --git a/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..ed8cefd
Binary files /dev/null and b/SecureBoot/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 differ
diff --git a/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
new file mode 100644
index 0000000..ac542ca
Binary files /dev/null and b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList.bin differ
diff --git a/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
new file mode 100644
index 0000000..9138dae
Binary files /dev/null and b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin differ
diff --git a/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
new file mode 100644
index 0000000..b08c60a
Binary files /dev/null and b/SecureBoot/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 differ
-- cgit v1.2.3