Windows 10: Secure Boot Insides on UEFI Systems

[German]Microsoft is pushing UEFI and Secure Boot for Windows 10 systems. Maybe some insides about Secure Boot on UEFI systems under Windows 10 (64 bit) are of interest.

Recently I came across a tweet from Ex Microsoft employee Michael Niehaus, who blogs about various Windows-related topics in his private blog.

In his blog post UEFI Secure Boot: Who controls what can run?, Niehaus took a look at the question of who controls what can be started. There should definitely be two entries for certificate keys in the Secure Boot db:

• Microsoft Windows Production PCA 2011. The Windows boot loader (bootmgr.efi) is signed with it, so Windows (and Windows PE) can be run with it.
• Microsoft Corporation UEFI CA 2011. This key is used by Microsoft to sign non-Microsoft UEFI boot loaders, such as those used to load Linux or other operating systems.

Technically, the CA 2011 is described as "optional," but it would be unusual for a device not to include the entry. The further discussion in the blog post may be quite helpful if you want to know what entries should be included in the db.

In a second blog post UEFI Secure Boot: Yes, again, linked in the above tweet, Niehaus goes into further detail about the Secure Boot "db" on UEFI devices. There are four UEFI variables:

• db, the "signature database." Entries here (typically certificates) determine which EFI executables are allowed to run on the device. So this is a "allowed" list.
• dbx, the "forbidden signatures database". Entries here are typically SHA256 hashes of certain UEFI binaries, i.e. things that were signed with a certificate in the "db" list but later turned out to be bad (e.g. had a security hole that compromises the firmware). So this is a "block" list.
• kek, the "key exchange key" (key exchange key). This determines who is allowed to update the signature database (the "db" and "dbx" keys). Interestingly, all UEFI binaries signed with the "kek" key can also boot on the device.
• pk, the "platform key" (platform key). The "pk" variable contains a single certificate that controls access to the "kek" and "db" variables. When this value is cleared, Secure Boot is effectively turned off (the device is put into setup mode).

UEFI allows a UEFI binary to run if the following conditions are met:

• it's signed with a key in the "db" or has its hash explicitly in the "db".
• it's signed with a key in the "kek" (seems to be unusual)
• the hash of the UEFI binary is not in the "dbx" list.

Niehaus shows in his blog post the listing of the relevant entries for a UEFI system and gives further explanations around this topic. If applicable, reading fodder for administrators who want to know more about this topic.