-
Notifications
You must be signed in to change notification settings - Fork 14
/
Copy pathFirmwareDefaults.toml
160 lines (145 loc) · 7.35 KB
/
FirmwareDefaults.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# @file
##
# Configuration for building EFI Signature Lists for UEFI Secure Boot
#
# This file will generate the EFI Signature Lists for the UEFI Secure Boot
# following https://uefi.org/specs/UEFI/2.9_A/32_Secure_Boot_and_Driver_Signing.html#signature-database
#
# The Signature Lists are used to store the signature database in the UEFI
# Each entry must have a "SignatureOwner" GUID. While the GUID is not required to be unique,
# the Microsoft HLK test will fail if the GUID overlaps with the Microsoft GUID.
# It is recommended to use your own GUID for the SignatureOwner.
#
# #pragma pack(1)
# typedef struct _EFI_SIGNATURE_DATA {
# EFI_GUID SignatureOwner;
# UINT8 SignatureData [_];
# } EFI_SIGNATURE_DATA;
#
# typedef struct _EFI_SIGNATURE_LIST {
# EFI_GUID SignatureType;
# UINT32 SignatureListSize;
# UINT32 SignatureHeaderSize;
# UINT32 SignatureSize;
# // UINT8 SignatureHeader [SignatureHeaderSize];
# // EFI_SIGNATURE_DATA Signatures [__][SignatureSize];
# } EFI_SIGNATURE_LIST;
# #pragma pack()
#
# Each Variable may contain multiple EFI_SIGNATURE_LISTs, each with a different SignatureType.
# Following is the structure of a EFI Signature List:
#
# ---┌─────────────────────────┐
# / │ SIGNATURE LIST HEADER │
# / │ │
# ┌───────────────┐ / │ │
# │ SIGNATURE │ / ├─────────────────────────┤
# │ LIST #0 │ / │ SIGNATURE HEADER │
# │ │ / │ │
# │ │ / ├─────────────────────────┤
# ├───────────────┤ / │ SIGNATURE #0 │
# │ SIGNATURE │ / │ │
# │ LIST #1 │ / ├─────────────────────────┤
# ├───────────────┤/ │ SIGNATURE #1 │
# │ SIGNATURE │ │ │
# │ LIST #2 │ ├─────────────────────────┤
# │ │ │ │
# │ │ │ │
# │ │ │ │
# │ │ │ │
# │ │ │ │
# │ │ ├─────────────────────────┤
# │ │ │ SIGNATURE #N │
# └───────────────┘\ │ │
# \____________└─────────────────────────┘
#
# Note:
# Powershell:
# Use the following command to compute the SHA1 hash of a file:
# > Get-FileHash -Algorithm SHA1 <file>
#
# Bash:
# Use the following command to compute the SHA1 hash of a file:
# > sha1sum <file>
#
# Copyright (C) Microsoft Corporation
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
############################
# Default PK File Entry #
############################
[DefaultPk]
help = "Contains the Microsoft PK to enable signature database updates and binary execution."
[[DefaultPk.files]]
path = "PreSignedObjects/PK/Certificate/WindowsOEMDevicesPK.der"
sha1 = 0x3D8660C0CB2D57B189C3D7995572A552F75E48B5
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
############################
# Default Kek File Entries #
############################
[DefaultKek]
help = "Contains the Microsoft KEKs to enable signature database updates and binary execution."
[[DefaultKek.files]]
path = "PreSignedObjects/KEK/Certificates/MicCorKEKCA2011_2011-06-24.der"
url = "https://go.microsoft.com/fwlink/?LinkId=321185"
sha1 = 0x31590bfd89c9d74ed087dfac66334b3931254b30
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[[DefaultKek.files]]
path = "PreSignedObjects/KEK/Certificates/microsoft corporation kek 2k ca 2023.der"
url = "https://go.microsoft.com/fwlink/?linkid=2239775"
sha1 = 0x459ab6fb5e284d272d5e3e6abc8ed663829d632b
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
###########################
# Default Db File Entries #
###########################
[DefaultDb]
help = "Contains only Microsoft certificates to verify binaries before execution. More secure than Default3PDb."
[[DefaultDb.files]]
path = "PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der"
url = "https://go.microsoft.com/fwlink/p/?linkid=321192"
sha1 = 0x580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[[DefaultDb.files]]
path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
url = "https://go.microsoft.com/fwlink/?linkid=2239776"
sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
#####################################
# Default 3rd Party Db File Entries #
#####################################
[Default3PDb]
help = "Contains Microsoft and UEFI third party certificates to verify binaries before execution. More compatible than DefaultDb."
[[Default3PDb.files]]
path = "PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der"
url = "https://go.microsoft.com/fwlink/p/?linkid=321192"
sha1 = 0x580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[[Default3PDb.files]]
path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
url = "https://go.microsoft.com/fwlink/?linkid=2239776"
sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[[Default3PDb.files]]
path = "PreSignedObjects/DB/Certificates/MicCorUEFCA2011_2011-06-27.der"
url = "https://go.microsoft.com/fwlink/p/?linkid=321194"
sha1 = 0x46def63b5ce61cf8ba0de2e6639c1019d0ed14f3
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[[Default3PDb.files]]
path = "PreSignedObjects/DB/Certificates/microsoft uefi ca 2023.der"
url = "https://go.microsoft.com/fwlink/?linkid=2239872"
sha1 = 0xb5eeb4a6706048073f0ed296e7f580a790b59eaa
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[[Default3PDb.files]]
path = "PreSignedObjects/DB/Certificates/microsoft option rom uefi ca 2023.der"
url = "http://www.microsoft.com/pkiops/certs/microsoft%20option%20rom%20uefi%20ca%202023.crt"
sha1 = 0x3FB39E2B8BD183BF9E4594E72183CA60AFCD4277
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
############################
# Default Dbx File Entries #
############################
[DefaultDbx]
help = "Contains a list of revoked certificates that will not execute on this system. Filtered per Architecture (ARM, Intel)."
[[DefaultDbx.files]]
path = "PreSignedObjects/DBX/dbx_info_msft_1_14_25.json"
sha1 = 0xE0241D2F36A26F3668E7AEF287F726D0CE19CA80
signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"