Update README.md

First pass at updating the secure boot content. Mentioned 2023 certs and new ESL parsers.
43313EB9AA87E7039F8F3948282E61C0CB12372C5499884609A01B2BCA37B973 2024-12-06 20:01:30 -05:00 committed by GitHub
parent 75270dd06b
commit e532b1e48a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -19,7 +19,7 @@ Default configurations of Secure Boot focus on securing the boot chain of compon
## Windows
The Windows Secure Boot ecosystem is managed by Microsoft. Most machines feature a Microsoft KEK, Microsoft Windows Production
CA DB certificate, and UEFI Third Party Marketplace CA 2011 DB certificate. Most hardware and software intended for use with
CA DB certificate, and UEFI Third Party Marketplace CA 2011 DB certificate. Certificates from 2011 are in the process of being phased out in favor of 2023 certificates. Both 2011 and 2023 certificates may coexist on devices during the transition. Most hardware and software intended for use with
Windows already come with compatibile Secure Boot signatures. Use customization commands in this section to:
- Add support for an operating system or hypervisor that lacks Secure Boot signatures (e.g. older versions of Windows; some Linux distrubutions)
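Review bot: the replacement line ("Certificates from 2011 are in the process of being phased out in favor of 2023 certificates...") announces the transition but the sentence before it still names only the 2011 KEK and DB entries, so a reader cannot tell which 2023 certificate replaces which 2011 one, or whether the KEK is part of the transition at all. Suggest listing the 2023 counterpart next to each 2011 entry (KEK, Windows Production CA, Third Party Marketplace CA) and saying how to tell which set a machine currently carries, since the customization commands introduced right after this paragraph depend on that. While this paragraph is being touched, the unchanged lines "compatibile Secure Boot signatures" and "some Linux distrubutions" should read "compatible" and "distributions".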
@ -64,5 +64,11 @@ Secure Boot can be customized via the UEFI Configuration interfaces provided on
### [hex-hashes-to-esl](hex-hashes-to-esl.c)
This hash handler differs from the utility offered in the efi-tools package by focusing on externally created hashes. Examples of hashes to input into this program include hashes produced by a UEFI configuration interface, hashes provided by a system vendor, and hashes copied from another machine. This program does not accept and hash EFI binariess -- all hashing operations must be done outside the program.
### [esl-parser](esl-parser.c)
Backing up Secure Boot values can result in lengthy ESL or binary files (that are probably already in ESL format) containing numerous hashes and/or certificates. Parsers primarily exist for Linux platforms. This parser differs from the offerings in efi-tools by being developed for use on Windows with Secure Boot binary files produced by PowerShell.
### ESL Parser
An ESL is an Extensible Firmware Interface (EFI) Signature List (ESL) file. Each ESL contains at least one certificate or hash used by UEFI Secure Boot. Some ESL files contain many certificates and hashes stored in ESL structures appended to each other. Tools exist to create ESL files or export Secure Boot data into ESL files. NSA has developed several ESL parsers to help with extracting certificates and hashes from ESL files.
- [Python ESL parser](esl-parser.py)
- [PowerShell ESL Parser](esl-parser.ps1) (Windows only)
- [C code ESL parser](esl-parser.c) (deprecated)
Each parser takes an ESL file as input. The parser will export certificates in DER format as well as hashes in HSH format (binary SHA-256). The parsers have been tested against ESL files generated by UEFI configuration interfaces, EFI boot utilities, and command line backup tools.
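Review bot: the added "### ESL Parser" block duplicates the existing "### [esl-parser](esl-parser.c)" section directly above it, and the two now contradict each other: the old section presents the C parser as the Windows-oriented tool for PowerShell-produced binaries, while the new list marks esl-parser.c as deprecated and points Windows users to esl-parser.ps1. Drop the old section or fold its Windows/PowerShell note into the new one, and keep the file-linked heading style the other tool sections use (e.g. `### [esl-parser](esl-parser.py)`) rather than a plain "### ESL Parser". The line "hashes in HSH format (binary SHA-256)" should also state what the parsers do with signature lists whose entries are not SHA-256 (skip, error, or export under a different extension), since the paragraph above says a single ESL file may hold mixed certificate and hash lists. Minor: "An ESL is an Extensible Firmware Interface (EFI) Signature List (ESL) file" expands the acronym twice; "An EFI Signature List (ESL) is a file that ..." reads cleaner.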