Broadcom certificate for Linux Secureboot


Article ID: 211120


Products

CA Virtual Privilege Manager

Issue/Introduction

To enable Secure Boot for a PAMSC endpoint, a code-signing certificate is required.


Cause

Secure Boot requires kernel modules to be signed before they can be loaded into the kernel.

Environment

Release : 14.x

Component : CA ControlMinder - Unix

Resolution

In order to use the PIM/PAMSC/OnePAM endpoint on a Linux system with Secure Boot enabled, you need to import the signing certificate into the MOK (Machine Owner Key) list. After installing the endpoint software, the development certificate is located in the bin folder under the install location.


Simply run:

[[email protected]]#  mokutil --import  /opt/CA/PAMSC/bin/BroadcomInc.der

The command prompts you to enter and confirm a password. Any password will do; you will be asked for it once, when the system reboots.

Reboot the system. On this boot, follow the MOK enrollment steps and enter the password you set when you imported the certificate; this updates the system keyring. The password is not required on subsequent reboots.

Note: Importing a CA certificate with mokutil is not recommended, because Secure Boot would then validate anything signed under that CA rather than the specific module you are trying to trust. This would render UEFI Secure Boot ineffective.

Additional Information

To inspect the certificate being enrolled:

[[email protected]]# openssl x509 -in BroadcomInc.der -inform der -noout -text

WARNING: can't open config file: /usr/local/ssl/openssl.cnf

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number:

            b4:30:26:1f:34:7f:ea:53

    Signature Algorithm: sha256WithRSAEncryption

        Issuer: C=US, ST=California, L=San Jose, O=Broadcom Inc, OU=ESD, CN=PAMSC/[email protected]

        Validity

            Not Before: May 15 15:10:12 2019 GMT

            Not After : Apr 24 15:10:12 2022 GMT

        Subject: C=US, ST=California, L=San Jose, O=Broadcom Inc, OU=ESD, CN=PAMSC/[email protected]

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                Public-Key: (2048 bit)

                Modulus:

                    00:c1:34:91:8a:b4:70:b3:9e:a4:6b:6b:b3:6a:5a:

                    c3:06:38:5a:ec:ef:de:2d:f9:6f:8b:a7:ff:80:7f:

                    0a:eb:74:5d:3b:6d:72:f0:db:aa:09:72:85:d3:d6:

                    a1:e6:60:62:fc:ae:d3:95:df:4b:a6:c8:db:72:40:

                    64:37:5c:e4:fe:88:10:15:18:5f:3a:4f:88:4d:aa:

                    09:56:ee:30:0b:d8:05:6e:79:7d:55:07:35:3f:a8:

                    0a:59:af:2d:6e:1b:0a:b3:3e:04:63:8c:e2:69:95:

                    a9:3a:05:fe:78:27:31:74:d8:a4:a6:c7:b8:99:12:

                    5e:63:70:9f:c8:bf:b5:86:07:6f:ab:d9:e2:8c:7c:

                    2f:f6:d1:89:f6:ff:c6:2d:5b:bf:dd:de:96:dc:de:

                    a8:c6:ef:f8:b9:3f:ff:c9:d0:d5:c5:e9:d5:f2:1c:

                    20:10:82:98:c6:8a:e1:4f:8c:1e:43:a6:9d:4f:d9:

                    98:c9:cb:b0:46:45:70:59:09:ad:4d:be:8e:2f:ad:

                    6d:94:b4:3d:e0:c3:5b:f2:9a:41:01:75:de:c8:23:

                    c1:98:68:12:d0:51:27:82:86:6a:5a:c4:28:b2:9d:

                    71:d9:17:b6:0c:2e:1d:77:1a:f8:02:ad:4f:fe:3a:

                    4a:49:e6:86:d2:a2:ac:41:a4:0d:f7:a8:b4:88:1a:

                    62:eb

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                10:D1:7B:74:59:80:63:ED:F5:78:C1:4A:D4:0E:1E:7B:33:B9:2E:4E

            X509v3 Authority Key Identifier:

                keyid:10:D1:7B:74:59:80:63:ED:F5:78:C1:4A:D4:0E:1E:7B:33:B9:2E:4E


            X509v3 Basic Constraints:

                CA:TRUE

    Signature Algorithm: sha256WithRSAEncryption

         64:7a:ed:62:f0:a5:21:fc:fa:8c:c0:58:6f:8b:d9:17:d5:48:

         7d:c9:03:63:ed:c4:fb:1e:db:57:fc:11:c9:12:7f:af:5f:dc:

         19:80:0a:3a:54:a7:9d:40:20:d7:0f:b1:52:1b:8b:d9:6c:08:

         36:3d:9c:7c:61:0b:0b:3d:38:fa:c6:5c:33:55:c2:05:bf:e2:

         68:c0:49:92:8f:f6:98:c5:34:e3:92:74:a9:15:fa:29:7e:8b:

         14:3e:54:6c:2c:f8:09:22:04:e9:f5:da:ae:01:c2:86:f5:3f:

         57:24:ae:86:bd:9b:8e:d4:28:be:75:c5:d1:70:92:01:b7:54:

         ad:12:18:4c:de:47:b6:47:25:e3:16:9f:56:c7:ac:48:e2:8a:

         79:fb:7f:c1:1c:ce:f9:57:32:f7:c5:81:4c:61:cb:81:e3:fb:

         82:31:5a:ea:80:56:2d:7d:bf:c5:e1:32:53:9a:54:76:39:b6:

         c4:bb:72:d1:f6:7d:06:ef:a0:15:9e:15:c2:6f:c9:c9:39:8f:

         52:3c:fb:30:32:37:5b:23:8f:2c:db:01:f5:1f:4d:06:fe:62:

         ff:8e:dc:16:6a:ed:a6:bf:cb:11:32:23:26:9d:b3:39:10:7b:

         ae:97:4d:b2:22:9e:71:fa:db:44:23:b7:5f:db:2e:ed:0a:f0:

         f7:49:f7:3c

If mokutil is run on a system that cannot use Secure Boot (one without EFI variables), the following message is shown:

[[email protected] bin]# mokutil --import  /opt/CA/PAMSC/bin/BroadcomInc.der

EFI variables are not supported on this system
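The following script is an added example, not Broadcom's tooling, that wraps the checks from this article into a pre-enrollment routine: it prints the fields worth reading before `mokutil --import`, flags the CA:TRUE Basic Constraints that the note above warns about (the BroadcomInc.der dump on this page shows CA:TRUE and an issuer equal to its subject), extracts the fingerprint to compare with the mokutil listing after reboot, and classifies the `mokutil --sb-state` output, including the "EFI variables are not supported" case. Only the default certificate path comes from the article; the function names and report format are assumptions.

```shell
#!/bin/sh
# Pre-enrollment checks for a DER code-signing certificate before `mokutil --import`.
# Added example, not Broadcom tooling; only the default path below is from the article.

# Fields to eyeball before enrolling: subject, issuer, validity window and the
# SHA-1 fingerprint, which mokutil --list-enrolled / --list-new print per key.
cert_report() {
  openssl x509 -in "$1" -inform der -noout -subject -issuer -dates -fingerprint -sha1
}

# 0 if X509v3 Basic Constraints says CA:TRUE. The article's note advises against
# enrolling a CA certificate; the BroadcomInc.der dump above itself shows CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -inform der -noout -text | grep -q 'CA:TRUE'
}

# 0 if issuer and subject are identical, i.e. the certificate is self-signed.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -inform der -noout -subject)
  iss=$(openssl x509 -in "$1" -inform der -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Bare hex SHA-1 fingerprint, for comparing with the mokutil listing after reboot.
cert_fingerprint() {
  openssl x509 -in "$1" -inform der -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

# Classify the text of `mokutil --sb-state`; takes the text as $1 so it can be
# exercised on a host without EFI variables (the article's last case).
classify_sb_state() {
  case "$1" in
    *"EFI variables are not supported"*) echo no-efi ;;
    *"SecureBoot enabled"*)  echo enabled ;;
    *"SecureBoot disabled"*) echo disabled ;;
    *) echo unknown ;;
  esac
}
mok_sb_state() { classify_sb_state "$(mokutil --sb-state 2>&1)"; }

# Exit status: 0 = leaf certificate, proceed with mokutil --import;
# 1 = CA:TRUE, re-read the note on CA certificates before enrolling; 2 = unreadable.
mok_precheck() {
  cert="${1:-/opt/CA/PAMSC/bin/BroadcomInc.der}"
  cert_report "$cert" || return 2
  cert_is_self_signed "$cert" && echo "self-signed: yes" || echo "self-signed: no"
  cert_is_ca "$cert" || return 0
  echo "Basic Constraints CA:TRUE: see the article's note before enrolling"
  return 1
}
```

Run `mok_precheck` with no argument to check the article's default path, or pass another DER file; `mok_sb_state` tells you up front whether the host can enroll a key at all.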