:::success
# SSN Lab 2: UEFI Secure Boot
**Name: Daniil Sinelnik**
:::

## Task 1 Firmware Databases

1. Since `efitools` was not present on the workstation, I installed it with `sudo apt install efitools`. I used `efi-readvar -v db -o db` from `efitools` to extract the signature lists from the `db` variable. It reported the object length as follows: `Variable db, length 4600`. After that I used `sig-list-to-certs` from the same package, which extracts the X.509 certificates from a signature list. It produced 3 files: `db-0.der`, `db-1.der` and `db-2.der`. I converted the certificate in `db-0.der` into readable form with `openssl x509`, and I also `grep`ped the output for particular strings. This is the output of all the commands described above.
<center>
![](https://hackmd.io/_uploads/ByIKiT_Cn.png)
![](https://hackmd.io/_uploads/SyjhipO0h.png)
</center>

2. A root certificate is self-signed, so its Authority Key Identifier is the same as its own Subject Key Identifier (and its Issuer is the same as its Subject). If the two identifiers match, the certificate is a root certificate; `openssl x509 -noout -subject -issuer` gives the same check from the Subject and Issuer fields. I found this information on [Wikipedia](https://en.wikipedia.org/wiki/Root_certificate).
<center>
![](https://hackmd.io/_uploads/Hkzqx0dAn.png)
Subject Key Identifier
![](https://hackmd.io/_uploads/SJJClCOC3.png)
Authority Key Identifier
</center>
<center>
![](https://hackmd.io/_uploads/rJ3M-Ad02.png)
`efi-readvar` output
</center>

* `PK` means `Platform Key`. It establishes the trust relationship between the platform firmware and the platform owner. The owner of this key can enroll new `Key Exchange Keys` and change ownership of the firmware.
* `KEK` means `Key Exchange Keys`. It establishes the trust relationship between the operating system and the platform firmware; updates to `db` and `dbx` must be signed by a key in `KEK`.
* `db` is the database of trusted signatures (certificates and hashes). An `EFI` executable is allowed to run only if its signature (or hash) matches an entry in `db`.
* `dbx` is the database of forbidden signatures. It identifies executables that must not run even if their signature matches an entry in `db`.
* `MokList` stores the list of Machine Owner Keys. The firmware validates only the first-stage loader (`shim`) against `db`; at the `shim` level the MOKs are then used to validate the next bootloader, the kernel and its drivers (modules).

## Task 2

1. The system really boots the shim bootloader first; this is visible in the `BootOrder` by id `0000`. To get this info I used `efibootmgr -v`.
<center>
![](https://hackmd.io/_uploads/r1305CO03.png)
</center>
We can also see that `Boot0000` is named `ubuntu`. The rest of the string shows that it boots from a file with the path `\EFI/ubuntu//shimx64.efi`. I couldn't find such a path at first, because it is relative to the EFI System Partition, which is mounted at `/boot/efi`, so the file is `/boot/efi/EFI/ubuntu/shimx64.efi`. Here is the file:
<center>
![](https://hackmd.io/_uploads/Syv96C_A3.png)
</center>

2. Extracting signatures from the `shimx64.efi` file.
<center>
![](https://hackmd.io/_uploads/B1UPyyKR2.png)
</center>
The line that says `image signature issuer` indicates that the file was signed by a `Microsoft Certificate`. To verify this I used the certificate I extracted in `Task 1`. I needed to convert it from `DER` format to `PEM` format, and after that I used it to verify the signature on the bootloader. Here is the output; `sbverify` was used.
<center>
![](https://hackmd.io/_uploads/Sy-db1YR3.png)
</center>

:::warning
What's the exact name of the part of the binary where the actual signature is stored?
:::
Page 6 of the [document](https://www.symbolcrash.com/wp-content/uploads/2019/02/Authenticode_PE-1.pdf) says that the actual signatures are stored in the `Attribute Certificate Table` section of the binary. The Certificate Table entry in the Data Directories of the Optional Header points to this table.

:::warning
In what standard cryptographic format is the signature data stored?
:::
It is stored in a `SignedData` structure, as defined in the PKCS #7 format. The certificates are located in the `certificates` field of this data structure.
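Before moving on to the shim binary, one worked example for the `db` dump from Task 1. `sig-list-to-certs` works by walking the `EFI_SIGNATURE_LIST` structures that `efi-readvar -o` writes out. The following Python script is added to this report as an example; it is not part of the original lab or of `efitools`. It parses such a dump with the standard library only. The dump it runs on by default is constructed inline: `FAKE_CERT` is a placeholder byte string, not a real X.509 certificate, and `OWNER` is a made-up `SignatureOwner` GUID. Run it with a real `db` file as argument and it writes `db-N.der` files the same way `sig-list-to-certs` does.

```python
"""Walk the EFI_SIGNATURE_LIST structures in a raw db/dbx/KEK/PK dump (efi-readvar -o)."""
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification (Signature Database section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
LIST_HEADER = "<III"  # SignatureListSize, SignatureHeaderSize, SignatureSize (after the 16-byte GUID)


def parse_esl(data):
    """Return [(type_name, owner_guid, payload), ...] for every entry in the dump."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from(LIST_HEADER, data, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        # Every size field is untrusted input if the dump came from elsewhere:
        # check it against the buffer before using it as an index.
        if list_size < 28 + hdr_size or end > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= 16 or (end - body) % sig_size != 0:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            payload = data[pos + 16:pos + sig_size]          # the certificate (DER) or the hash
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, payload))
        off = end
    return entries


def x509_ders(entries):
    """The DER blobs sig-list-to-certs would write as <name>-0.der, <name>-1.der, ..."""
    return [payload for kind, _owner, payload in entries if kind == "x509"]


def build_esl(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (used here only to construct sample input)."""
    sig_size = 16 + len(payloads[0])
    if any(len(p) + 16 != sig_size for p in payloads):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack(LIST_HEADER, 28 + len(body), 0, sig_size) + body


# Constructed sample: one X.509 list and one SHA-256 list. FAKE_CERT is a placeholder,
# not a real certificate, and OWNER is a made-up SignatureOwner GUID.
OWNER = uuid.UUID("0f0e0d0c-0b0a-0908-0706-050403020100")
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(252)
HASHES = [bytes(range(32)), bytes(range(32, 64))]
SAMPLE_ESL = (build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
              + build_esl(EFI_CERT_SHA256_GUID, OWNER, HASHES))


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE_ESL
    entries = parse_esl(data)
    for kind, owner, payload in entries:
        print("%-6s owner=%s %d bytes" % (kind, owner, len(payload)))
    if len(argv) > 1:  # behave like sig-list-to-certs: one DER file per X.509 entry
        for i, der in enumerate(x509_ders(entries)):
            with open("%s-%d.der" % (argv[1], i), "wb") as fh:
                fh.write(der)


if __name__ == "__main__":
    main(sys.argv)
```

Each entry carries its own `SignatureOwner` GUID, which is why `efi-readvar` can tell which vendor enrolled a given certificate or hash; `dbx` is usually a long `sha256` list rather than certificates, and the same parser handles it.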
:::warning
To extract the signature data from the binary, one needs to determine the exact location and size of this data in the binary. This information is stored in the Data Directories section of the Optional Header of the executable, as shown in Figure 1 of the specification. To retrieve location and size you can use the pyew package, as follows:
- Start pyew from the command line with the full name of the shim binary as argument.
- Wait for the pyew prompt to appear (it will do an analysis on the binary which you can interrupt with Ctrl-C if it takes too long)
- Type `pyew.pe.OPTIONAL_HEADER.DATA_DIRECTORY` to get a listing of all data directory entries.
- Locate the one called `IMAGE_DIRECTORY_ENTRY_SECURITY`. The location and size are given as the "VirtualAddress:" and "Size:" fields.
:::
I installed `python2` and `python-pip` and ran `pyew.py`. I had already installed `git` before this lab. Then I used `git clone` to download the package and installed `capstone`.
<center>
![](https://hackmd.io/_uploads/Hk3Pj1tCn.png)
</center>
I ran `pyew` on `shim`. It analyzed the binary, and then I queried the field the task required and found it.
<center>
![](https://hackmd.io/_uploads/SkFankYC2.png)
</center>

:::warning
Extract the signature data from the shim binary using dd. Add 8 bytes to the location as given in the data directory to skip over the Microsoft WIN_CERTIFICATE structure header (see page 14 of the specification if you are interested).
:::
I used the virtual address that I got in the previous step. The address `0x000e8270` is the beginning of the section where the certificates are located. For this one directory entry the "VirtualAddress" field is a raw file offset rather than an RVA, which is why it can be passed straight to `dd`.
<center>
![](https://hackmd.io/_uploads/HyTc0JK0n.png)
</center>
I used `dd` in order to read the `PKCS#7` certificates from the binary.
<center>
![](https://hackmd.io/_uploads/rJVzQWFAh.png)
</center>
* `bs` specifies the block size.
* `skip` specifies how many blocks of the input file to skip before reading.
  My address in hexadecimal was `0x000e8270`, which equals `950896` in decimal; adding `8` bytes gives `950904`.
* `count` specifies how many blocks to read from the file. `0x2568` = `9576` in decimal (this is the `Size` field retrieved from `IMAGE_DIRECTORY_ENTRY_SECURITY`).

:::warning
Show the subject and issuer of all X.509 certificates stored in the signature data. Draw a diagram relating these certificates to the "Microsoft Corporation UEFI CA" certificate.
:::

:::spoiler Mistakes that I made during the last step
I spent 2 hours figuring out what was going wrong and why I got this error while reading the file via `openssl`.
<center>
![](https://hackmd.io/_uploads/rJDcGWFRn.png)
</center>
After 2 hours I realized that I had converted the hexadecimal to decimal wrongly. Here is a screenshot where I converted it into the wrong decimal.
<center>
![](https://hackmd.io/_uploads/B1KJbeY03.png)
</center>
Take a look at `count=8504`: `8504` was the mistake.
:::

I used `openssl pkcs7 -inform DER -print_certs -in dump -text | egrep "Subject:|Issuer:"`. `egrep` helped me to filter the output and find just the `Issuer` and `Subject` lines.
<center>
![](https://hackmd.io/_uploads/ry1vNbKAh.png)
</center>
The output contained the same 2 certificates that were shown in `Task 1`. The 3rd one came together with this certificate. Now the chain looks like this.
<center>
![](https://hackmd.io/_uploads/SkF64bKA3.png)
</center>

P.S. The lab was really interesting, and I really enjoyed the time spent on the workstation. Thanks.
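As an added worked example (not part of the lab, of `pyew` or of `sbsigntools`), the following Python script does the two steps of Task 2 above in one place: it locates `IMAGE_DIRECTORY_ENTRY_SECURITY` in the Optional Header data directories and strips the 8-byte `WIN_CERTIFICATE` header, using the standard library only, so the numbers that `pyew` and `dd` produced can be checked. By default it runs on a constructed minimal PE32+ image whose "signature" (`FAKE_PKCS7`) is a placeholder byte string, not real PKCS#7 data; pass a real file such as `shimx64.efi` as argument and it writes each DER blob to `<file>.N.p7`, ready for `openssl pkcs7 -inform DER -print_certs`. The `dd_args` helper is my own name for the `skip`/`count` arithmetic from the lab.

```python
"""Locate the Authenticode certificate table in a PE file and pull out the PKCS#7 blob."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index into the Optional Header data directories
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # bCertificate holds PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(pe):
    """Return (file_offset, size) of the attribute certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32PLUS_MAGIC:
        n_rva_off, dd_off = 108, 112      # NumberOfRvaAndSizes, first DataDirectory entry
    elif magic == PE32_MAGIC:
        n_rva_off, dd_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_rva = struct.unpack_from("<I", pe, opt + n_rva_off)[0]
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > size_of_optional:
        return None
    # For this entry only, "VirtualAddress" is a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, opt + entry)
    return (offset, size) if offset and size else None


def extract_signatures(pe):
    """Return the PKCS#7 SignedData blobs, minus their 8-byte WIN_CERTIFICATE headers."""
    loc = security_directory(pe)
    if loc is None:
        raise ValueError("no attribute certificate table: the image is not signed")
    offset, size = loc
    if offset + size > len(pe):
        raise ValueError("certificate table runs past the end of the file")
    table, blobs, pos = pe[offset:offset + size], [], 0
    while pos + 8 <= len(table):
        length, _revision, cert_type = struct.unpack_from("<IHH", table, pos)
        if length < 8 or pos + length > len(table):
            raise ValueError("bad WIN_CERTIFICATE dwLength %d at table offset %d" % (length, pos))
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(table[pos + 8:pos + length])
        pos += (length + 7) & ~7            # entries are 8-byte aligned
    return blobs


def dd_args(offset, size):
    """skip/count for `dd bs=1`: skip the 8-byte header and do not count it either."""
    return offset + 8, size - 8


def build_test_pe(blob=None):
    """Constructed minimal PE32+ image: headers only, plus an optional certificate table."""
    e_lfanew, opt_size = 0x40, 112 + 16 * 8
    cert_off = e_lfanew + 4 + 20 + opt_size   # 328, already 8-byte aligned
    win_cert = b""
    if blob is not None:
        win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        win_cert += bytes(-len(win_cert) % 8)
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", PE32PLUS_MAGIC) + bytes(106) + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_off, len(win_cert)) if win_cert else (0, 0)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    return dos + b"PE\0\0" + coff + opt + win_cert


# Placeholder "signature": just bytes, not valid PKCS#7 SignedData.
FAKE_PKCS7 = b"\x30\x82\x00\x14" + bytes(range(20))


def main(argv):
    pe = open(argv[1], "rb").read() if len(argv) > 1 else build_test_pe(FAKE_PKCS7)
    loc = security_directory(pe)
    if loc is None:
        print("no certificate table: the image is not signed")
        return
    offset, size = loc
    print("IMAGE_DIRECTORY_ENTRY_SECURITY: offset=0x%x size=0x%x -> dd skip=%d count=%d"
          % ((offset, size) + dd_args(offset, size)))
    for i, blob in enumerate(extract_signatures(pe)):
        print("signature %d: %d bytes of PKCS#7 SignedData" % (i, len(blob)))
        if len(argv) > 1:
            with open("%s.%d.p7" % (argv[1], i), "wb") as fh:
                fh.write(blob)


if __name__ == "__main__":
    main(sys.argv)
```

With the lab's values, `dd_args(0x000e8270, 0x2568)` gives `skip=950904` and `count=9568`; the lab's `count=9576` (the full `Size`) also works, because the table sits at the end of the file so `dd` just stops at EOF, and `openssl` reads only the length declared in the DER header anyway.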