Thursday, 12 July 2012

Running a Shell Application While Secure Boot Is Active

As you know, Secure Boot is one of the crucial features that Microsoft emphasizes for Windows 8: it protects the whole system from boot time onward. Although the Secure Boot feature does not explicitly exclude the traditional CSM, current IBV implementations put Secure Boot under CSM-less mode. As a result, a user can no longer boot from a USB dongle into DOS to run traditional tools such as IRU or a flash-ROM utility; the UEFI shell kicks in instead. But there are some tricky steps to make booting into the UEFI shell work while Secure Boot is enabled.

  • You need to generate a certificate. To do this, install the latest Windows Kit. Under its install directory, find the executable "makecert.exe" that matches your working computer (x86 or x64) and run the following command.
makecert -n "CN=PkRoot" -r -sv PkRoot.pvk PkRoot.cer
You can replace "PkRoot" with whatever name you like. This generates a private key and a certificate. Remember the password you type.
  • Then generate the KEK key and certificate, signed with the platform key you just generated.
makecert -n "CN=KekRoot" -iv PkRoot.pvk -ic PkRoot.cer -sv KekRoot.pvk KekRoot.cer
Also memorize the KEK key password. It will be used to sign EFI applications.

  • Convert the KEK private key to PFX format (PKCS#12).
pvk2pfx.exe -pvk KekRoot.pvk -pi xxx -spc KekRoot.cer -pfx KekRoot.pfx -f
xxx is the password for the KEK private key.

  • Now you can use KekRoot.cer and KekRoot.pfx to sign whatever EFI application or driver you want to run on your platform. The command is as below.
SignTool.exe sign /ac KekRoot.cer /f KekRoot.pfx /p xxx /fd sha256 MyDriver.efi
xxx is still the password of KekRoot.pvk.

But there's one VERY critical step left.

  • You need to include KekRoot.cer in your BIOS image and put it in the ALLOW certificate list. Different IBVs will probably have different ways to include an ALLOW certificate; check with your IBV for details.
OK. Now you can run your shell applications from your USB CFD. Remember that the first application you should sign is your bootIA32.efi/bootX64.efi! Enjoy!
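The last step above (getting KekRoot.cer into the ALLOW list) is where IBV tooling differs, but the on-flash layout it ends up in is standardized: the authorized signature database is a sequence of EFI_SIGNATURE_LIST structures, and an X.509 certificate goes in one tagged with EFI_CERT_X509_GUID. The following Python is an added example, not code from this post or from any IBV; it builds such a list for a certificate, parses a database back, and checks whether a given certificate is enrolled. The owner GUID and the "certificate" bytes are constructed placeholders; in real use the DER bytes come from KekRoot.cer.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI spec): marks a signature list whose entries are DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# SignatureOwner is an arbitrary GUID naming who enrolled the entry; this one is constructed.
EXAMPLE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

# Constructed placeholder standing in for the DER bytes of KekRoot.cer (not a real certificate).
FAKE_KEK_CERT_DER = b"\x30\x82\x01\x00" + b"KEKROOT-CERT-PLACEHOLDER" * 8


def build_x509_signature_list(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST, the layout used by db, dbx and KEK.

    Layout: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
            | SignatureSize (4) | [SignatureHeader] | EFI_SIGNATURE_DATA entries.
    GUIDs are stored in the mixed-endian form that uuid.bytes_le produces.
    """
    signature_size = 16 + len(cert_der)            # EFI_SIGNATURE_DATA = owner GUID + cert
    header_size = 0                                # X.509 lists carry no SignatureHeader
    list_size = 28 + header_size + signature_size  # 16-byte GUID + three UINT32 + data
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", list_size, header_size, signature_size)
    return header + owner.bytes_le + cert_der


def parse_signature_lists(blob: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LISTs; return [(type_guid, owner_guid, data), ...].

    Size fields are validated before use so a truncated or malformed
    variable image raises instead of being silently misread.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, header_size, signature_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + header_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if signature_size < 16:
            raise ValueError("bad SignatureSize")
        body = blob[off + 28 + header_size: off + list_size]
        if len(body) % signature_size != 0:
            raise ValueError("signature data is not a whole number of entries")
        for i in range(0, len(body), signature_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + signature_size]))
        off += list_size
    return entries


def cert_is_enrolled(db_blob: bytes, cert_der: bytes) -> bool:
    """True if an X.509 entry with exactly these DER bytes is present in the database image."""
    return any(t == EFI_CERT_X509_GUID and d == cert_der
               for t, _, d in parse_signature_lists(db_blob))


if __name__ == "__main__":
    db = build_x509_signature_list(FAKE_KEK_CERT_DER, EXAMPLE_OWNER_GUID)
    print(len(db), "bytes;", "enrolled" if cert_is_enrolled(db, FAKE_KEK_CERT_DER) else "missing")
```

The parser is the part worth keeping around: once the IBV tool has embedded the list, dumping the db variable from the running firmware and running it through parse_signature_lists confirms that exactly the intended certificate, and nothing else, was enrolled.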