Save Key Manifest Public Key as an artifact #309

Open
hughsie opened this issue Oct 9, 2022 · 2 comments
@hughsie
Contributor

hughsie commented Oct 9, 2022

At the moment UEFITool just prints the Boot Policy Key Signature like this on stdout:

Boot Policy Key Signature:
Version: 10h
KeyId: 0001h
SigScheme: 0016h
Boot Policy Public Key (Exponent: 10001h): 

This makes it hard for the LVFS to parse it. Ideally we'd save it in the dump directory as an artefact that we can just load as an asset like we do all the other extracted information. This would let us load the pubkey on the LVFS like we do other assets, like this:

[Screenshot: LVFS Component Certificates]

This would then allow us to check that the Boot Policy Key isn't one that's been accidentally leaked.

@NikolajSchlej
Collaborator

Needs to do the same with everything mentioned on Security page, i.e. not only KeyManifest, but also BootPolicy and ACMs.

@NikolajSchlej
Collaborator

Meanwhile, I've added both SHA256 and SHA386 of KM pubkey to Security page (and UEFIExtract stdout, by that).
