-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathbuild_chipsec.htm
45 lines (45 loc) · 3.13 KB
/
build_chipsec.htm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
<h1 id="usb-key-building-for-chipsec-and-secureboot-checks">USB key building for chipsec and secureboot checks</h1>
<pre><code>A Help to build your own ChipSec and SecureBoot USB keys</code></pre>
<p>The created USB key can boot in either of the following modes:</p>
<ol type="1">
<li>a live Debian distribution to launch <strong>ChipSec</strong> on the computer to analyze</li>
<li>a tool to import your own trust keys and to check importation, as well as <strong>SecureBoot</strong> keys to import,</li>
</ol>
<h2 id="linux-tools-to-install-before-generating-the-usb-keys">Linux Tools to install before generating the USB keys</h2>
<pre><code> sudo apt-get install debootstrap
sudo apt-get install sbsigntool
sudo apt-get install efitools</code></pre>
<h2 id="tool-to-build-the-usb-key-create-chipsec.sh">Tool to build the USB key: create-chipsec.sh</h2>
<blockquote>
<p><strong>Note:</strong> Some sub scripts require access to sudo commands.</p>
</blockquote>
<p>The script supports writing to a block device (<code>/dev/sdc</code> for example) or a standard file, which can be later copied to a USB drive using <code>dd</code>.</p>
<p>Plug a new USB key (attached on /dev/sdc in this case).</p>
<pre><code>./create-chipsec.sh /dev/sdc</code></pre>
<p>Unplug the USB key.</p>
<h2 id="test-the-system">Test the system</h2>
<p>Plug the key, start the computer and pick one of the two boot modes.</p>
<h3 id="live-debian-distribution">Live Debian distribution</h3>
<ol type="1">
<li>boot on the USB key, then at the bootloader prompt start “Debian GUN/Linux”</li>
<li>when finished booting, login as root (no password)</li>
<li>if you need an alternate keyboard, use eg. <code>loadkeys fr</code>.</li>
<li>from the root terminal, launch ChipSec with <code>chipsec_main.py</code>.</li>
<li>alternately you can run the dump_system.sh script which will also gather information about the machine (hardware present, firmware versions et.c)</li>
</ol>
<h3 id="efi-tool">EFI Tool</h3>
<ol type="1">
<li>Go the BIOS/Firmware configuration and set the platform to SecureBoot enabled and reset to Setup Mode.</li>
<li>Boot on USB key, then at the bootloader prompt either:
<ul>
<li>start “Keytool” directly, which lets you execute binaries from its menu,</li>
<li>OR start “EFI Shell” and launch EFI binaries from EFI shell (eg. launch <code>EFI/keytool/KeyTool.efi</code> to import trust keys).</li>
</ul></li>
<li>From the EFI shell, you can identify the USB key letter storing the binaries with commmands “fs0:” or “fs1:” or fsX: … then “dir”. Within Keytool, the drives will have names instead. The USB key should be named “ESP”, but you can confirm it by browsing its content through the “Execute Binary” menu.</li>
<li>With Keytool, import the following files from the <code>EFI/keys</code> folder (in that order): <code>DBX.esl</code>, <code>DB.esl</code>, <code>KEK.esl</code> and <code>PK.auth</code>. Importing the PK will set the platform to User mode.</li>
<li>Restart the platform:
<ul>
<li>the shell should run since it’s signed with trust anchor to the PK;</li>
<li><code>HelloWorld.efi</code> should not run since it’s unsigned.</li>
</ul></li>
</ol>