Capsule Based System Firmware Update Generate Keys
Back to Capsule Based System Firmware Update
These instructions generate a new X.509 certificate chain, anchored in a self-signed root certificate, for signing UEFI Capsules, using the OpenSSL command line utilities as an example.

NOTE: These instructions only cover how to generate a new X.509 certificate chain. It is up to the product owner to properly handle and protect the cryptographic key pairs: the private keys used to sign capsule-based system firmware update images and the public X.509 certificates used to authenticate them.
The OpenSSL configuration and OpenSSL commands on this page were verified using the pre-built 32-bit OpenSSL for Windows binaries, version 1.0.2j Light. Other versions of OpenSSL may require different command flags or configuration settings. The OpenSSL 1.0.2 series is no longer maintained by the OpenSSL project, so a currently supported release should be used when generating production keys.

NOTE: The steps below are based on Microsoft Windows. Linux packages for OpenSSL typically set up the environment correctly, so the two `set` commands below are not needed there.
```bat
set OPENSSL_HOME=c:\OpenSSL-Win32\bin
set OPENSSL_CONF=%OPENSSL_HOME%\openssl.cfg
```
The `openssl.cfg` file must be reviewed to find the current CA path setting:

```ini
[ CA_default ]
dir = ./demoCA # Where everything is kept
```
The `demoCA` directory may need to be initialized before the command sequence will work properly:

```bat
rmdir /s/q .\demoCA
mkdir .\demoCA
mkdir .\demoCA\newcerts
type NUL > .\demoCA\index.txt
echo 01 > .\demoCA\serial
```
The following steps demonstrate how to generate a three layer certificate chain (RootCA -> IntermediateCA -> SigningCert) using OpenSSL. A prefix should be used for all files referenced by the OpenSSL commands; the prefix used in this demonstration is `New`. Many OpenSSL commands prompt the user for input, so the OpenSSL commands below should be run one at a time.

Private key files are password protected using the `-aes256` flag. The sequence of commands provided in this demonstration will prompt for a password multiple times.

The `openssl req -new` command prompts the user for several pieces of information. Each of the three certificates must have a distinct subject, which in practice means a unique `Common Name`: the default `policy_match` policy of `openssl ca` requires the Country, State and Organization fields to match those of the issuing CA, and the CA database (`unique_subject = yes` by default) refuses to issue a second certificate for a subject already recorded in `index.txt`. If two certificates end up with the same subject the process cannot be completed.
```bat
REM RootCA: self-signed root certificate, valid for 10 years
openssl genrsa -aes256 -out NewRoot.key 2048
openssl req -new -x509 -days 3650 -key NewRoot.key -out NewRoot.crt
openssl x509 -in NewRoot.crt -out NewRoot.cer -outform DER
openssl x509 -inform DER -in NewRoot.cer -outform PEM -out NewRoot.pub.pem

REM IntermediateCA: request signed by the root with the v3_ca extensions so it may issue certificates
openssl genrsa -aes256 -out NewSub.key 2048
openssl req -new -days 3650 -key NewSub.key -out NewSub.csr
openssl ca -extensions v3_ca -in NewSub.csr -days 3650 -out NewSub.crt -cert NewRoot.crt -keyfile NewRoot.key
openssl x509 -in NewSub.crt -out NewSub.cer -outform DER
openssl x509 -inform DER -in NewSub.cer -outform PEM -out NewSub.pub.pem

REM SigningCert: end-entity certificate issued by the intermediate (default extensions, not a CA)
openssl genrsa -aes256 -out NewCert.key 2048
openssl req -new -days 3650 -key NewCert.key -out NewCert.csr
openssl ca -in NewCert.csr -days 3650 -out NewCert.crt -cert NewSub.crt -keyfile NewSub.key
openssl x509 -in NewCert.crt -out NewCert.cer -outform DER
openssl x509 -inform DER -in NewCert.cer -outform PEM -out NewCert.pub.pem
```
Convert the key and certificate for signing. The password is removed with the `-nodes` flag for convenience in this demonstration. If the `-nodes` flag is removed, the EDK II build will prompt for a password every time a capsule is signed. Note that `NewCert.pem` then contains the signing private key in the clear, so access to it must be restricted accordingly.

```bat
openssl pkcs12 -export -out NewCert.pfx -inkey NewCert.key -in NewCert.crt
openssl pkcs12 -in NewCert.pfx -nodes -out NewCert.pem
```
A quick sign and verify round trip confirms the chain works before it is used with the EDK II build. The `-certfile NewSub.pub.pem` flag embeds the intermediate certificate in the signature, which is what allows a verifier that trusts only `NewRoot.pub.pem` to build the chain from the signer up to the root.

```bat
echo Hello World > test.bin
openssl smime -sign -binary -signer NewCert.pem -outform DER -md sha256 -certfile NewSub.pub.pem -out test.bin.p7 -in test.bin
openssl smime -verify -inform DER -in test.bin.p7 -content test.bin -CAfile NewRoot.pub.pem -out test.org.bin
```
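The script below is an added example and is not code from this wiki page or from the tianocore project. It runs the whole procedure above (demoCA setup, the RootCA -> IntermediateCA -> SigningCert chain, the pkcs12 conversion, and the sign/verify round trip) without interactive prompts, then adds the checks a release engineer should run before trusting the output: that `NewCert.crt` really chains to `NewRoot` through `NewSub`, that a good signature is accepted when only the root is trusted, that tampered content is rejected, and that a signature produced without the `-certfile NewSub.pub.pem` intermediate is rejected. It assumes a POSIX shell with OpenSSL 1.1.1 or 3.x on `PATH`; the work directory `./capsule-keys-demo`, the `CAPSULE_KEYS_DIR` override, the subject names and the passphrase `changeit` are demo values chosen for the example. It writes its own minimal `openssl.cnf` so the `CA_default` `dir` setting the text says to check is under its control rather than inherited from the system configuration.

```shell
#!/bin/sh
# Added example, not code from the EDK II wiki or the tianocore project: the
# RootCA -> IntermediateCA -> SigningCert chain above, generated without prompts,
# then checked the way a release engineer should before trusting the files.
# Assumes POSIX sh and OpenSSL 1.1.1 or 3.x on PATH. The work directory and the
# passphrase "changeit" are demo values; production keys belong in an HSM.
set -eu
DEMO_DIR=${CAPSULE_KEYS_DIR:-./capsule-keys-demo}
PASS=pass:changeit
# Private openssl.cnf: pins CA_default "dir" to our demoCA (the setting the page
# says to check) and spells out the CA and signer extensions explicitly.
write_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1/demoCA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
default_md = sha256
policy = policy_cn
unique_subject = yes
x509_extensions = v3_signer
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_signer ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}
# Same sequence as the page (genrsa -aes256, req, ca, x509, pkcs12); -subj and
# -passin/-passout replace the interactive prompts.
make_chain() {
  case $1 in ''|/) echo "refusing to use '$1' as work dir" >&2; exit 1;; esac
  rm -rf "$1"; mkdir -p "$1/demoCA/newcerts"
  d=$(cd "$1" && pwd); cfg=$d/openssl.cnf
  : > "$d/demoCA/index.txt"; echo 01 > "$d/demoCA/serial"
  write_config "$d"
  # RootCA: self-signed. NewRoot.cer (DER) is the PcdPkcs7CertBuffer value.
  openssl genrsa -aes256 -passout "$PASS" -out "$d/NewRoot.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$cfg" -extensions v3_ca -days 3650 -sha256 \
    -key "$d/NewRoot.key" -passin "$PASS" -subj "/CN=Demo Capsule Root CA" -out "$d/NewRoot.crt"
  openssl x509 -in "$d/NewRoot.crt" -outform DER -out "$d/NewRoot.cer"
  openssl x509 -in "$d/NewRoot.crt" -out "$d/NewRoot.pub.pem"
  # IntermediateCA: issued by the root with the v3_ca extensions.
  openssl genrsa -aes256 -passout "$PASS" -out "$d/NewSub.key" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$d/NewSub.key" -passin "$PASS" \
    -subj "/CN=Demo Capsule Sub CA" -out "$d/NewSub.csr"
  openssl ca -batch -notext -config "$cfg" -extensions v3_ca -days 3650 -cert "$d/NewRoot.crt" \
    -keyfile "$d/NewRoot.key" -passin "$PASS" -in "$d/NewSub.csr" -out "$d/NewSub.crt"
  openssl x509 -in "$d/NewSub.crt" -out "$d/NewSub.pub.pem"
  # SigningCert: leaf, CA:FALSE, digitalSignature only (v3_signer default).
  openssl genrsa -aes256 -passout "$PASS" -out "$d/NewCert.key" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$d/NewCert.key" -passin "$PASS" \
    -subj "/CN=Demo Capsule Signer" -out "$d/NewCert.csr"
  openssl ca -batch -notext -config "$cfg" -days 3650 -cert "$d/NewSub.crt" \
    -keyfile "$d/NewSub.key" -passin "$PASS" -in "$d/NewCert.csr" -out "$d/NewCert.crt"
  # Build-time bundle: key + cert, passphrase stripped by the pkcs12 round trip.
  openssl pkcs12 -export -inkey "$d/NewCert.key" -in "$d/NewCert.crt" \
    -passin "$PASS" -passout "$PASS" -out "$d/NewCert.pfx"
  openssl pkcs12 -in "$d/NewCert.pfx" -passin "$PASS" -nodes -out "$d/NewCert.pem"
  chmod 600 "$d/NewCert.pem"   # it now holds an unencrypted private key
}
# Does NewCert.crt chain to NewRoot through NewSub? (exit 0 = yes)
chain_ok() { openssl verify -CAfile "$1/NewRoot.pub.pem" -untrusted "$1/NewSub.pub.pem" "$1/NewCert.crt" >/dev/null 2>&1; }
# Detached PKCS#7/DER signature as on the page; $4=yes embeds NewSub via -certfile.
sign_detached() { # $1=dir $2=input $3=output.p7 $4=yes|no
  extra=; [ "$4" = yes ] && extra="-certfile $1/NewSub.pub.pem"
  openssl smime -sign -binary -md sha256 -outform DER -signer "$1/NewCert.pem" $extra -in "$2" -out "$3"
}
# Verify trusting only NewRoot, the certificate the page puts in the PCD (exit 0 = accepted).
verify_detached() { openssl smime -verify -inform DER -in "$2" -content "$3" -CAfile "$1/NewRoot.pub.pem" -out /dev/null >/dev/null 2>&1; }
expect() { # $1=0 accept|1 reject, $2=label, rest=command
  want=$1; label=$2; shift 2
  if "$@"; then got=0; else got=1; fi
  [ "$got" -eq "$want" ] || { echo "FAIL: $label" >&2; exit 1; }
  echo "ok: $label"
}
make_chain "$DEMO_DIR"
printf 'Hello World\n' > "$DEMO_DIR/test.bin"      # constructed sample payload
printf 'Hello W0rld\n' > "$DEMO_DIR/tampered.bin"  # same length, one byte changed
sign_detached "$DEMO_DIR" "$DEMO_DIR/test.bin" "$DEMO_DIR/test.bin.p7" yes
sign_detached "$DEMO_DIR" "$DEMO_DIR/test.bin" "$DEMO_DIR/test-nosub.p7" no
expect 0 "NewCert chains to NewRoot via NewSub" chain_ok "$DEMO_DIR"
expect 0 "good signature accepted" verify_detached "$DEMO_DIR" "$DEMO_DIR/test.bin.p7" "$DEMO_DIR/test.bin"
expect 1 "tampered content rejected" verify_detached "$DEMO_DIR" "$DEMO_DIR/test.bin.p7" "$DEMO_DIR/tampered.bin"
expect 1 "signature without NewSub rejected" verify_detached "$DEMO_DIR" "$DEMO_DIR/test-nosub.p7" "$DEMO_DIR/test.bin"
```

Run it with `sh capsule-keys.sh`; the four `ok:` lines are the acceptance criteria, and the last one is the reason `--other-public-cert` exists in `Pkcs7Sign`: with only the root trusted, a signature that does not carry the intermediate cannot be chained and is refused. The leaf deliberately gets `CA:FALSE` and only `digitalSignature` key usage, so a leaked signing key cannot be used to mint further certificates that chain to the root.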
Once all the steps above have been completed successfully, the following generated files are used to sign and authenticate capsule based system firmware update images.

- `NewRoot.cer`: DER-encoded root certificate used to configure the `gEfiSecurityPkgTokenSpaceGuid.PcdPkcs7CertBuffer` PCD value. This PCD is used by EDK II firmware to authenticate a signed system firmware update image; only signatures that chain to this certificate are accepted.
- `NewRoot.pub.pem`: Trusted public certificate that is passed in the `--trusted-public-cert` flag of the EDK II `Pkcs7Sign` utility.
- `NewSub.pub.pem`: Other public certificate that is passed in the `--other-public-cert` flag of the EDK II `Pkcs7Sign` utility; it is embedded in the signature so the firmware can build the chain from the signer up to the root.
- `NewCert.pem`: Signer private key and certificate (unencrypted) that is passed in the `--signer-private-cert` flag of the EDK II `Pkcs7Sign` utility.