mir/Hardware-and-Firmware-Security-Guidance
2
0
Fork 0
mirror of https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance synced 2025-08-29 21:57:40 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update Linux.md

Browse Source 
Section 2.5 updated to change commands related to hashing EFI binaries. A sha256sum or OpenSSL digest covers the entire executable file. Secure Boot's checks look at executable portions of the EFI file -- a different hash. Therefore, pehash and hash-to-efi-sig-list are necessary Linux commands instead of sha256sum and openssl.
This commit is contained in:
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973 2023-03-14 17:03:17 -04:00 committed by GitHub
parent 0d3891968e
commit d88e578092
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
secureboot/Linux.md
View File

@ -188,13 +188,12 @@ Some drivers and installation packages have their own signing mechanism. A menti
### 2\.5. Create Hashes
There are multiple ways to create SHA-256 hashes in Linux. Hexadecimal hashes are useful for use when creating ESL files. The following commands demonstrate two different ways to create a hex hash for the GRUB bootloader:
```
openssl dgst -sha256 -hex -out grubosl.txt grubx64.efi
pesign -h -i grubx64.efi | awk 'NF{print $NF}' > grubs2s.txt
pesign -h -i grubx64.efi | cut -d " " -f 2 > grubs2s.txt
```
Binary hashes may also be created. Some UEFI Configuration implementations expect binary hashes. Use the following commands to create a binary hash of the GRUB bootloader:
```
openssl dgst -sha256 -binary -out grubosl.hsh grubx64.efi
hash-to-efi-sig-list grubx64.efi grubx64.esl | cut -d " " -f 3 > grubx64.txt
tail -c 32 grubx64.efi > grubx64.hsh
```
Finally, hashes of EFI binaries can be immediately converted into single-hash ESL files. See the following section for details.