<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@vertical+block@f8338d3590764f6590957f7fcb7dd9dd" data-request-token="6853cae6fe9e11eeabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@4546ff81da3e4c5b93aa3845e230b559">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@4546ff81da3e4c5b93aa3845e230b559" data-request-token="6853cae6fe9e11eeabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><h2>Alpine configuration</h2>
<p>Since we are using the Alpine Linux live ISO, a few adjustments are needed before packages can be installed: bring up the network interface, obtain a DHCP lease, configure a DNS resolver and point <code>apk</code> at a package repository.</p>
<div class="codehilite">
<pre><span></span><code>ip link <span class="nb">set</span> eth0 up
udhcpc
<span class="nb">echo</span> <span class="s2">"nameserver 8.8.8.8"</span> > /etc/resolv.conf
<span class="nb">echo</span> <span class="s2">"http://dl-cdn.alpinelinux.org/alpine/v3.16/main"</span> >> /etc/apk/repositories
apk update
apk add sbsigntool
</code></pre>
</div>
<p>The package ships several tools (<code>sbsign</code>, <code>sbverify</code>, <code>sbkeysync</code> and others), but in this course we are only interested in <code>sbvarsign</code>, which produces the signed payload for a time-based authenticated variable.</p>
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@vertical+block@af7e3f2e1cdd4bbf8931dda27f05199d" data-request-token="6853cae6fe9e11eeabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@b5b3493ccfde4e1ba6b9e23fbd69e18f">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@b5b3493ccfde4e1ba6b9e23fbd69e18f" data-request-token="6853cae6fe9e11eeabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><p>As we learned in this section, a time-based authenticated variable can only be written through an EFI_VARIABLE_AUTHENTICATION_2 descriptor that carries a timestamp and a PKCS#7 signature over the variable. The <code>sbvarsign</code> tool builds that descriptor for us, but we first have to provide its inputs: a signing key, the matching certificate, a vendor GUID for the variable and the content to store.</p>
<h2>Generate private key and associated certificate</h2>
<div class="codehilite">
<pre><span></span><code>openssl req -new -x509 -newkey rsa:2048 -subj <span class="s2">"/CN=OST2 Arch4021/"</span> -keyout Arch4021.key -out Arch4021.crt -days <span class="m">3650</span> -nodes -sha256
</code></pre>
</div>
<ul>
<li>Meaning of the above parameters:
<ul>
<li><code>req -new -x509</code> - create a self-signed X.509 certificate directly instead of a certificate signing request</li>
<li><code>-newkey rsa:2048</code> - generate a new 2048-bit RSA private key</li>
<li><code>-subj "/CN=OST2 Arch4021/"</code> - subject name of the created certificate</li>
<li><code>-keyout Arch4021.key</code> - file to write the private key to</li>
<li><code>-out Arch4021.crt</code> - file to write the certificate to (PEM encoded)</li>
<li><code>-days 3650</code> - validity period of the certificate in days</li>
<li><code>-nodes</code> - do not encrypt the private key; acceptable for a lab key, not for a production signing key</li>
<li><code>-sha256</code> - sign the certificate with a SHA-256 digest</li>
</ul></li>
</ul>
<div class="codehilite">
<pre><span></span><code>openssl x509 -in Arch4021.crt -out Arch4021.cer -outform DER
</code></pre>
</div>
<ul>
<li>Convert the PEM certificate into DER, the encoding UEFI firmware consumes (for example when a certificate is enrolled into a signature database). <code>sbvarsign</code> itself reads the PEM file, so both forms are kept.</li>
</ul>
<h2>Generate random GUID</h2>
<div class="codehilite">
<pre><span></span><code><span class="nv">guid</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>cat /proc/sys/kernel/random/uuid<span class="k">)</span><span class="s2">"</span>
</code></pre>
</div>
<h2>Create some content for variable</h2>
<div class="codehilite">
<pre><span></span><code><span class="nb">echo</span> <span class="s2">"hello OST2 Arch4021"</span> > var.data
</code></pre>
</div>
<h2>Create UEFI authenticated variable</h2>
<div class="codehilite">
<pre><span></span><code>sbvarsign -v --key Arch4021.key --cert Arch4021.crt --include-attrs --guid <span class="nv">$guid</span> --attr NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS OST2_Arch4021 var.data
</code></pre>
</div>
<ul>
<li><code>-v</code> - verbose: print the structure of the generated output file <code>var.data.signed</code>.</li>
<li><code>--key Arch4021.key</code> - signing key (PEM-encoded RSA private key).</li>
<li><code>--cert Arch4021.crt</code> - signing certificate (PEM-encoded X.509, i.e. the <code>.crt</code> file, not the DER <code>.cer</code>); it is embedded in the PKCS#7 signature so the firmware can verify it and record the signer.</li>
<li><code>--include-attrs</code> - prepend the 4-byte attribute word to the output file, giving exactly the layout efivarfs expects on write.</li>
<li><code>--guid $guid</code> - vendor GUID of the variable.</li>
<li><code>--attr NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS</code> - variable attributes; <code>TIME_BASED_AUTHENTICATED_WRITE_ACCESS</code> is always added by <code>sbvarsign</code>, so the stored attribute value is <code>0x27</code>.</li>
<li><code>OST2_Arch4021</code> - variable name.</li>
<li><code>var.data</code> - file with the variable content to sign. The result is written to <code>var.data.signed</code>, which holds the serialized attributes, the EFI_VARIABLE_AUTHENTICATION_2 descriptor (timestamp plus PKCS#7 signature) and the variable content.</li>
</ul>
<h2>Save UEFI authenticated variable through efivarfs</h2>
<p>efivarfs exposes each variable as a file named <code>&lt;name&gt;-&lt;vendor GUID&gt;</code> and requires the whole value (the 4 attribute bytes followed by the data, here the authentication descriptor plus content) in a single <code>write()</code>. That is why <code>bs=</code> is set to the size of the file: <code>dd</code> must not split it into several writes.</p>
<div class="codehilite">
<pre><span></span><code>dd <span class="k">if</span><span class="o">=</span>var.data.signed <span class="nv">of</span><span class="o">=</span><span class="s2">"/sys/firmware/efi/efivars/OST2_Arch4021-</span><span class="nv">$guid</span><span class="s2">"</span> <span class="nv">bs</span><span class="o">=</span><span class="k">$(</span>stat -c %s var.data.signed<span class="k">)</span>
</code></pre>
</div>
<h2>Save Arch4021.key and Arch4021.crt</h2>
<p>The live ISO has no persistent storage, so the key and certificate are lost on reboot. The simplest way to keep them is to <code>cat</code> both files and paste the output into an editor outside the VM, so they can be recreated later; they are needed again for the update exercises.</p>
<h2>Check that the variable is saved as non-volatile</h2>
<div class="codehilite">
<pre><span></span><code>cat /sys/firmware/efi/efivars/OST2_Arch4021-<span class="nv">$guid</span>
</code></pre>
</div>
<p>The first four bytes of the output are the attribute word (<code>0x27</code>), followed by the variable content; the firmware stores only the content, not the authentication descriptor. Power off QEMU and boot again to check that the variable persists.</p>
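<p>The blob that <code>sbvarsign --include-attrs</code> writes, and that <code>dd</code> hands to efivarfs, has a fixed binary layout: a 4-byte attribute word, an EFI_TIME timestamp, a WIN_CERTIFICATE_UEFI_GUID header with the PKCS#7 signature, and finally the variable content. The following Python is an added example (not part of the course material or of sbsigntools) that builds and parses that layout and assembles the byte string the PKCS#7 signature actually covers. The GUID, timestamp and the PKCS#7 payload are constructed placeholders, not a real signature.</p>

```python
import struct
import uuid
from datetime import datetime

# Attribute bits from the UEFI spec; sbvarsign ORs in TIME_BASED_AUTHENTICATED_WRITE_ACCESS itself.
EFI_VARIABLE_NON_VOLATILE = 0x01
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x02
EFI_VARIABLE_RUNTIME_ACCESS = 0x04
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS = 0x20

WIN_CERT_REVISION = 0x0200        # WIN_CERTIFICATE.wRevision
WIN_CERT_TYPE_EFI_GUID = 0x0EF1   # WIN_CERTIFICATE.wCertificateType
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# EFI_TIME (16 bytes): Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond,
# TimeZone, Daylight, Pad2. For authenticated variables Pad1, Nanosecond,
# TimeZone, Daylight and Pad2 must be zero.
EFI_TIME = struct.Struct("<HBBBBBBIhBB")
# WIN_CERTIFICATE_UEFI_GUID header: dwLength, wRevision, wCertificateType, CertType
WIN_CERT_HDR = struct.Struct("<IHH16s")


def pack_efi_time(ts: datetime) -> bytes:
    return EFI_TIME.pack(ts.year, ts.month, ts.day, ts.hour, ts.minute, ts.second,
                         0, 0, 0, 0, 0)


def unpack_efi_time(raw: bytes) -> datetime:
    year, month, day, hour, minute, second, *rest = EFI_TIME.unpack(raw)
    if any(rest):
        raise ValueError("EFI_TIME pad/nanosecond/timezone/daylight must be zero")
    return datetime(year, month, day, hour, minute, second)


def to_be_signed(name: str, vendor_guid: uuid.UUID, attrs: int, ts: datetime,
                 data: bytes) -> bytes:
    """Bytes the PKCS#7 signature covers (UEFI spec 8.2.2): VariableName as
    UCS-2 without terminator || VendorGuid || Attributes || TimeStamp || Data.
    The firmware rebuilds exactly this from the SetVariable() call, so a
    signature made with another key, or over other data, cannot match."""
    return (name.encode("utf-16-le") + vendor_guid.bytes_le
            + struct.pack("<I", attrs) + pack_efi_time(ts) + data)


def build_efivarfs_blob(name, vendor_guid, attrs, ts, data, pkcs7_der):
    """Layout of var.data.signed with --include-attrs, which is also what a
    single write() to /sys/firmware/efi/efivars/<name>-<guid> must contain."""
    attrs |= EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    hdr = WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(pkcs7_der), WIN_CERT_REVISION,
                            WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    auth2 = pack_efi_time(ts) + hdr + pkcs7_der   # EFI_VARIABLE_AUTHENTICATION_2
    return struct.pack("<I", attrs) + auth2 + data


def parse_efivarfs_blob(blob: bytes) -> dict:
    """Split a blob back into attributes, timestamp, PKCS#7 DER and payload,
    validating the fixed fields the firmware also checks."""
    (attrs,) = struct.unpack_from("<I", blob, 0)
    off = 4
    ts = unpack_efi_time(blob[off:off + EFI_TIME.size])
    off += EFI_TIME.size
    dw_length, rev, cert_type, cert_guid = WIN_CERT_HDR.unpack_from(blob, off)
    if rev != WIN_CERT_REVISION or cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError("not a WIN_CERTIFICATE_UEFI_GUID")
    if uuid.UUID(bytes_le=cert_guid) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    sig_end = off + dw_length
    if dw_length < WIN_CERT_HDR.size or sig_end > len(blob):
        raise ValueError("dwLength is inconsistent with blob size")
    return {"attrs": attrs, "timestamp": ts,
            "pkcs7": blob[off + WIN_CERT_HDR.size:sig_end], "data": blob[sig_end:]}


def demo():
    # Constructed inputs standing in for the course's random GUID and a real signature.
    guid = uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0")
    attrs = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
             | EFI_VARIABLE_RUNTIME_ACCESS)
    ts = datetime(2023, 6, 1, 12, 0, 0)
    data = b"hello OST2 Arch4021\n"
    fake_pkcs7 = b"\x30\x80" + b"PKCS7 SignedData placeholder"  # not a real signature
    blob = build_efivarfs_blob("OST2_Arch4021", guid, attrs, ts, data, fake_pkcs7)
    parsed = parse_efivarfs_blob(blob)
    tbs = to_be_signed("OST2_Arch4021", guid, parsed["attrs"], parsed["timestamp"], parsed["data"])
    return blob, parsed, tbs


if __name__ == "__main__":
    blob, parsed, tbs = demo()
    print(f"blob {len(blob)} bytes, attrs=0x{parsed['attrs']:02x}, "
          f"timestamp={parsed['timestamp']}, data={parsed['data']!r}")
```

<p>Running <code>parse_efivarfs_blob</code> on a real <code>var.data.signed</code> produced by <code>sbvarsign</code> prints the same fields that <code>sbvarsign -v</code> reports; the <code>pkcs7</code> slice is the DER SignedData that can be inspected with <code>openssl pkcs7 -inform DER -print_certs</code>. The <code>to_be_signed</code> output is what the firmware hashes and verifies, which is why the variable name, GUID, attributes and timestamp are all bound to the signature, not only the content.</p>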
</div>
</div>
</div>
</div>
</div>
<div class="xblock xblock-public_view xblock-public_view-vertical" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-init="VerticalStudentView" data-runtime-class="LmsRuntime" data-runtime-version="1" data-block-type="vertical" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@vertical+block@ccecefa880f848239fea4552e9f2f619" data-request-token="6853cae6fe9e11eeabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="vert-mod">
<div class="vert vert-0" data-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@7d11f0584bbb42629c5cfbac41c310bc">
<div class="xblock xblock-public_view xblock-public_view-markdown" data-course-id="course-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1" data-block-type="markdown" data-usage-id="block-v1:OpenSecurityTraining2+Arch4021_intro_UEFI+2023_v1+type@markdown+block@7d11f0584bbb42629c5cfbac41c310bc" data-request-token="6853cae6fe9e11eeabb30242ac12000b" data-graded="True" data-has-score="False">
<div class="markdown_xblock"><h2>Unauthorized update test</h2>
<p>Let's generate a new key pair and certificate and check whether a variable update signed with these unauthorized keys is accepted.</p>
<div class="codehilite">
<pre><span></span><code>openssl req -new -x509 -newkey rsa:2048 -subj <span class="s2">"/CN=OST2 Arch4021 BAD/"</span> -keyout Arch4021_bad.key -out Arch4021_bad.crt -days <span class="m">3650</span> -nodes -sha256
</code></pre>
</div>
<div class="codehilite">
<pre><span></span><code>openssl x509 -in Arch4021_bad.crt -out Arch4021_bad.cer -outform DER
</code></pre>
</div>
<p>After the reboot the <code>guid</code> shell variable is gone, so set it again to the GUID used by our <code>OST2_Arch4021</code> variable; it is the part after the dash in the variable's file name under <code>/sys/firmware/efi/efivars</code>.
New variable content:</p>
<div class="codehilite">
<pre><span></span><code><span class="nb">echo</span> <span class="s2">"goodbye OST2 Arch4021"</span> > var.data
</code></pre>
</div>
<p>Generate signed data:</p>
<div class="codehilite">
<pre><span></span><code>sbvarsign -v --key Arch4021_bad.key --cert Arch4021_bad.crt --include-attrs --guid <span class="nv">$guid</span> --attr NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS OST2_Arch4021 var.data
</code></pre>
</div>
<p>Try to write:</p>
<div class="codehilite">
<pre><span></span><code>dd <span class="k">if</span><span class="o">=</span>var.data.signed <span class="nv">of</span><span class="o">=</span><span class="s2">"/sys/firmware/efi/efivars/OST2_Arch4021-</span><span class="nv">$guid</span><span class="s2">"</span> <span class="nv">bs</span><span class="o">=</span><span class="k">$(</span>stat -c %s var.data.signed<span class="k">)</span>
</code></pre>
</div>
<p>It should fail with <code>"Permission denied"</code>: the firmware verifies the PKCS#7 signature against the certificate recorded when the variable was created, the BAD key does not match, and the resulting <code>EFI_SECURITY_VIOLATION</code> is reported by efivarfs as <code>EACCES</code>.
If you get <code>"Operation not permitted"</code> instead, remember that efivarfs marks variable files immutable; in that case the write never reached the firmware, and you have to remove the immutable attribute (<code>chattr -i</code>) from the variable file first and retry.</p>
<h2>Let's try to update the variable's content with a valid key</h2>
<p>Now let's use the authorized key and certificate saved in exercise #2 and check whether updating the variable is possible. Note that <code>sbvarsign</code> stamps the descriptor with the current time, and the firmware only accepts an update whose timestamp is later than the one stored with the variable, so an old <code>var.data.signed</code> cannot be replayed even though it carries a valid signature.</p>
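<p>The three writes in this and the previous exercise (creation, the BAD key, the valid key) exercise the rules the firmware applies to a private time-based authenticated variable. The following Python is an added example (not course material, sbsigntools or firmware code) that models those rules and the Linux status-to-errno mapping behind the messages <code>dd</code> prints. The PKCS#7 verification is abstracted to a <code>signer</code> value standing for the certificate the signature was verified against; the GUID, timestamps and contents are constructed.</p>

```python
import errno
from datetime import datetime

EFI_VARIABLE_APPEND_WRITE = 0x40
# Low bits of the EFI status codes (the high "error" bit is dropped here).
EFI_SUCCESS, EFI_INVALID_PARAMETER, EFI_SECURITY_VIOLATION = 0, 2, 26
# Linux efi_status_to_err(): what a write() to efivarfs returns for each status.
STATUS_TO_ERRNO = {EFI_SUCCESS: 0, EFI_INVALID_PARAMETER: errno.EINVAL,
                   EFI_SECURITY_VIOLATION: errno.EACCES}


class AuthVarStore:
    """Model of the firmware's rules for private time-based authenticated
    variables. `signer` stands for the certificate the PKCS#7 signature was
    verified against (None: the signature did not verify); real firmware does
    that verification and remembers the signer from the write that created
    the variable."""

    def __init__(self):
        self.vars = {}  # (name, guid) -> {"attrs", "timestamp", "signer", "data"}

    def set_variable(self, name, guid, attrs, timestamp, signer, data):
        if signer is None:                      # PKCS#7 did not verify at all
            return EFI_SECURITY_VIOLATION
        key = (name, guid)
        stored_attrs = attrs & ~EFI_VARIABLE_APPEND_WRITE
        var = self.vars.get(key)
        if var is None:                         # creation: record the signer
            self.vars[key] = {"attrs": stored_attrs, "timestamp": timestamp,
                              "signer": signer, "data": bytes(data)}
            return EFI_SUCCESS
        if stored_attrs != var["attrs"]:        # attributes may not change
            return EFI_INVALID_PARAMETER
        if signer != var["signer"]:             # signed by someone else
            return EFI_SECURITY_VIOLATION
        if attrs & EFI_VARIABLE_APPEND_WRITE:   # append: no monotonic check
            var["data"] += bytes(data)
            var["timestamp"] = max(var["timestamp"], timestamp)
            return EFI_SUCCESS
        if timestamp <= var["timestamp"]:       # replayed or stale descriptor
            return EFI_SECURITY_VIOLATION
        var.update(timestamp=timestamp, data=bytes(data))
        return EFI_SUCCESS


def efivarfs_result(status):
    """errno name the write() to efivarfs would fail with, or OK."""
    err = STATUS_TO_ERRNO[status]
    return "OK" if err == 0 else errno.errorcode[err]


def demo():
    store = AuthVarStore()
    name, guid, attrs = "OST2_Arch4021", "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0", 0x27
    good, bad = "CN=OST2 Arch4021", "CN=OST2 Arch4021 BAD"
    t0 = datetime(2023, 6, 1, 12, 0, 0)
    t1 = datetime(2023, 6, 1, 12, 5, 0)
    t2 = datetime(2023, 6, 1, 12, 10, 0)
    statuses = [
        store.set_variable(name, guid, attrs, t0, good, b"hello OST2 Arch4021\n"),   # create
        store.set_variable(name, guid, attrs, t1, bad, b"goodbye OST2 Arch4021\n"),  # wrong key
        store.set_variable(name, guid, attrs, t0, good, b"replayed\n"),              # stale timestamp
        store.set_variable(name, guid, attrs, t2, good, b"goodbye OST2 Arch4021\n"), # valid update
        store.set_variable(name, guid, attrs & ~0x04, t2, good, b"x"),              # attrs changed
    ]
    return [efivarfs_result(s) for s in statuses], store.vars[(name, guid)]["data"]


if __name__ == "__main__":
    results, data = demo()
    print(results, data)
```

<p>The second and third writes both end as <code>EACCES</code> ("Permission denied"), which is the message the unauthorized update test above expects; only the fourth write, signed by the original signer with a newer timestamp, replaces the content. The last write shows the separate <code>EINVAL</code> path for changed attributes. In efivarfs there is one more outcome that never reaches the firmware: the immutable flag on the variable file, which produces <code>EPERM</code> ("Operation not permitted") instead.</p>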
</div>
</div>
</div>
</div>
</div>