Create certificates for signing boot images for UEFI Secure Boot

[HW42]

The problem you're addressing (if any)

For for UEFI Secure Boot we need to create certificates (root and intermediates) to sign boot images. See #8026. Creating a sub-issue since the discussion in the parent issue is already rather crowded.

For now this is only about the certificates for signing boot code that will be included into shim and/or UEFI firmware. At some point we might also want to maintain a KEK CA, but for now I don't see the need.

The solution you'd like

@marmarek already prepared candidates:

Here are certificate candidates, please check if all is okay:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:f2:0d:07:e2:f8:4f:c5:90:a2:47:98:34:e1:cd:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Qubes OS Secure Boot CA
        Validity
            Not Before: Jan  9 16:02:01 2025 GMT
            Not After : Jan 19 03:14:07 2037 GMT
        Subject: CN=Qubes OS Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:d9:45:44:5d:da:67:b7:be:20:9c:62:56:a7:
                    bf:91:ea:c4:5c:2d:08:db:a3:47:01:16:25:ba:90:
                    0e:f6:55:ae:78:23:3f:2e:95:bd:b7:46:b0:10:79:
                    ce:28:14:fa:3a:bc:25:91:f5:fc:61:76:21:28:48:
                    fb:75:f8:89:66:a0:96:f2:76:fa:b7:5d:37:bc:8b:
                    84:2d:55:57:cc:dd:e0:51:31:e3:d4:71:e3:ff:2f:
                    3b:5a:a1:36:91:28:92:9e:61:21:ea:b5:99:20:48:
                    dc:a3:8b:9a:17:74:e4:06:42:a9:91:9e:db:26:40:
                    cc:16:34:d5:59:b5:b6:75:e6:30:2b:bd:7e:88:86:
                    fc:8b:1c:a8:0d:f2:f6:bb:49:a6:3a:a5:f2:30:a4:
                    0d:04:ea:92:ee:76:a5:bd:2d:a2:b0:42:fd:a7:c8:
                    8d:f0:2e:2d:a4:f3:1b:72:6b:7b:d2:98:54:33:4a:
                    3d:40:71:44:9f:85:1e:b9:1f:af:4a:07:ae:30:c1:
                    c4:a7:92:9b:1c:d2:05:e6:f4:c0:1a:18:e2:33:21:
                    37:ed:f2:85:e7:20:62:16:a7:f4:6c:f2:e8:71:88:
                    64:b6:ed:a2:0d:b4:2c:e3:49:14:85:b1:a9:65:4e:
                    8d:d4:0f:86:06:10:05:7e:26:05:90:7a:ae:00:31:
                    d0:a5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:https://www.qubes-os.org/
            X509v3 Authority Key Identifier: 
                6A:90:3F:3C:BE:64:A6:3E:7A:AD:4F:8B:71:AE:F6:10:A8:AB:7F:80
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                6A:90:3F:3C:BE:64:A6:3E:7A:AD:4F:8B:71:AE:F6:10:A8:AB:7F:80
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        6b:8f:4a:87:4b:c4:aa:f6:af:2f:a0:ce:cd:b5:e2:59:d6:6e:
        de:c1:ac:f2:fa:01:7e:ad:de:7f:57:8e:17:8c:fb:e9:74:6b:
        2a:0f:ba:4f:25:e9:e2:82:89:ec:b1:a7:49:6e:9d:90:fa:39:
        e2:5d:47:bd:b6:7a:b4:85:09:08:e6:3d:fd:3c:d0:62:6d:d9:
        68:de:f5:6b:ef:c6:9e:ee:85:ef:29:51:00:c2:00:16:64:44:
        2a:cf:01:f9:ee:5f:47:7a:cb:e9:9d:e3:5a:07:f5:48:46:37:
        e7:6f:4c:7f:e4:a3:82:8a:35:60:23:56:bd:55:7b:ec:10:11:
        20:3c:90:2c:17:7f:71:4d:40:1a:4d:3b:e3:e4:a8:ef:8f:2d:
        a1:79:e1:7d:a2:d9:2c:e4:5b:e2:ea:d3:fa:49:a4:95:5f:1f:
        6b:ab:9e:5f:ce:2c:7a:55:b5:ca:3e:03:40:35:7b:f1:a3:f6:
        9f:df:38:e7:7a:f6:a6:1c:58:45:7c:47:6f:af:38:b7:f1:f9:
        06:0c:e8:c0:af:31:ea:c1:63:22:87:33:6d:19:3c:a0:38:96:
        39:2e:95:40:1e:60:0c:cd:09:6c:f9:3c:d8:54:4d:da:b0:e3:
        e5:72:3f:8e:af:be:6f:cf:76:20:c5:03:95:f3:1c:d5:ee:c1:
        91:e2:27:87
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIRAIjyDQfi+E/FkKJHmDThzbcwDQYJKoZIhvcNAQELBQAw
IjEgMB4GA1UEAxMXUXViZXMgT1MgU2VjdXJlIEJvb3QgQ0EwHhcNMjUwMTA5MTYw
MjAxWhcNMzcwMTE5MDMxNDA3WjAiMSAwHgYDVQQDExdRdWJlcyBPUyBTZWN1cmUg
Qm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM7ZRURd2me3
viCcYlanv5HqxFwtCNujRwEWJbqQDvZVrngjPy6VvbdGsBB5zigU+jq8JZH1/GF2
IShI+3X4iWaglvJ2+rddN7yLhC1VV8zd4FEx49Rx4/8vO1qhNpEokp5hIeq1mSBI
3KOLmhd05AZCqZGe2yZAzBY01Vm1tnXmMCu9foiG/IscqA3y9rtJpjql8jCkDQTq
ku52pb0torBC/afIjfAuLaTzG3Jre9KYVDNKPUBxRJ+FHrkfr0oHrjDBxKeSmxzS
Beb0wBoY4jMhN+3yhecgYhan9Gzy6HGIZLbtog20LONJFIWxqWVOjdQPhgYQBX4m
BZB6rgAx0KUCAwEAAaOBmzCBmDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAKG
GWh0dHBzOi8vd3d3LnF1YmVzLW9zLm9yZy8wHwYDVR0jBBgwFoAUapA/PL5kpj56
rU+Lca72EKirf4AwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFGqQPzy+ZKY+eq1Pi3Gu9hCoq3+AMA0GCSqGSIb3DQEBCwUAA4IBAQBr
j0qHS8Sq9q8voM7NteJZ1m7ewazy+gF+rd5/V44XjPvpdGsqD7pPJenigonssadJ
bp2Q+jniXUe9tnq0hQkI5j39PNBibdlo3vVr78ae7oXvKVEAwgAWZEQqzwH57l9H
esvpneNaB/VIRjfnb0x/5KOCijVgI1a9VXvsEBEgPJAsF39xTUAaTTvj5Kjvjy2h
eeF9otks5Fvi6tP6SaSVXx9rq55fzix6VbXKPgNANXvxo/af3zjnevamHFhFfEdv
rzi38fkGDOjArzHqwWMihzNtGTygOJY5LpVAHmAMzQls+TzYVE3asOPlcj+Or75v
z3YgxQOV8xzV7sGR4ieH
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3312080083 (0xc56a54d3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Qubes OS Secure Boot CA
        Validity
            Not Before: Jan 10 04:38:00 2025 GMT
            Not After : Feb 10 04:38:00 2026 GMT
        Subject: CN=Qubes OS Secure Boot Signer 2025
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c8:53:9b:ae:5b:ba:ae:4f:11:94:0a:f4:c0:f0:
                    e3:c5:7e:99:b4:72:29:b8:48:5a:e7:b2:cb:38:7c:
                    5c:04:a9:24:ba:a2:c1:fd:b7:60:68:8b:0a:b0:c4:
                    e3:64:85:7d:9e:a1:45:82:33:a4:d7:d4:eb:a0:d2:
                    47:3a:1a:3e:ff:6c:71:b9:0d:22:41:25:14:bb:c6:
                    4b:1f:60:7d:39:55:1d:63:32:53:3e:50:63:45:85:
                    df:8f:98:56:22:57:51:c6:f1:1f:ec:c0:39:fd:31:
                    f8:15:3c:1a:62:0b:29:a2:f1:c3:31:ba:61:af:82:
                    99:d5:1b:ee:ac:bc:dd:02:f3:5f:af:3e:54:b6:42:
                    5f:35:0b:27:78:a2:19:2f:b9:bb:2c:84:bd:81:7b:
                    d6:ec:ec:7c:86:58:40:f7:86:08:18:ee:da:23:58:
                    fc:e0:26:8f:5d:77:91:b0:00:41:af:0b:64:16:a7:
                    8d:a5:73:57:1d:f8:98:92:12:be:e8:c9:1d:1a:56:
                    e6:36:d5:bc:c9:f0:dc:b3:d0:60:af:b1:cf:4a:74:
                    3c:cc:6e:8e:d2:88:29:09:89:70:36:34:dd:88:75:
                    8a:34:98:e5:03:99:52:95:0e:34:5e:1c:a4:a4:13:
                    75:04:e8:60:53:4a:51:3e:58:b0:66:ad:c1:52:68:
                    76:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                Object Signing
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        51:68:d4:54:e0:98:bf:c5:e1:f5:25:dd:06:dc:a2:4a:08:23:
        f2:f4:d2:32:24:f6:78:1f:c9:7f:4c:e2:3d:62:ff:63:b4:fd:
        40:58:49:fb:2e:bc:e0:26:04:c0:63:b2:45:c2:e9:41:61:39:
        44:76:3d:88:b8:9b:fa:84:7e:98:c7:47:53:1b:c9:60:69:3b:
        a5:e4:59:a7:24:0a:66:59:31:9b:96:04:31:5c:60:8f:aa:28:
        b5:39:01:38:f7:a3:bf:f1:8c:70:8d:9e:89:1f:49:ba:3d:d4:
        f4:90:3e:ac:65:83:73:c5:55:f4:b7:3a:f5:5c:fe:c3:60:8e:
        90:f9:66:4f:e5:0d:cd:99:aa:59:ca:13:fc:0b:e6:2a:60:3b:
        23:e5:73:52:c8:4b:6b:ab:b9:49:24:b0:37:ff:ae:29:a5:74:
        3d:3d:c1:9b:a2:e1:a1:44:7c:ac:11:68:1b:22:82:01:40:a8:
        e8:8f:27:16:07:50:d3:1c:f9:d3:6d:f4:ce:a3:f5:f2:fe:e2:
        eb:02:e7:b9:94:15:65:77:03:3e:1f:a0:df:72:71:36:a2:a5:
        e8:0c:3e:8e:b6:7f:14:5f:5d:59:bb:00:68:11:69:1f:b9:6e:
        6c:d9:86:1c:a0:96:ca:da:77:16:9c:fb:75:92:dd:d0:08:ac:
        07:e8:20:7b
-----BEGIN CERTIFICATE-----
MIIDAzCCAeugAwIBAgIFAMVqVNMwDQYJKoZIhvcNAQELBQAwIjEgMB4GA1UEAxMX
UXViZXMgT1MgU2VjdXJlIEJvb3QgQ0EwHhcNMjUwMTEwMDQzODAwWhcNMjYwMjEw
MDQzODAwWjArMSkwJwYDVQQDEyBRdWJlcyBPUyBTZWN1cmUgQm9vdCBTaWduZXIg
MjAyNTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMhTm65buq5PEZQK
9MDw48V+mbRyKbhIWueyyzh8XASpJLqiwf23YGiLCrDE42SFfZ6hRYIzpNfU66DS
RzoaPv9scbkNIkElFLvGSx9gfTlVHWMyUz5QY0WF34+YViJXUcbxH+zAOf0x+BU8
GmILKaLxwzG6Ya+CmdUb7qy83QLzX68+VLZCXzULJ3iiGS+5uyyEvYF71uzsfIZY
QPeGCBju2iNY/OAmj113kbAAQa8LZBanjaVzVx34mJISvujJHRpW5jbVvMnw3LPQ
YK+xz0p0PMxujtKIKQmJcDY03Yh1ijSY5QOZUpUONF4cpKQTdQToYFNKUT5YsGat
wVJodgUCAwEAAaM3MDUwEQYJYIZIAYb4QgEBBAQDAgQQMBMGA1UdJQQMMAoGCCsG
AQUFBwMDMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAUWjUVOCYv8Xh
9SXdBtyiSggj8vTSMiT2eB/Jf0ziPWL/Y7T9QFhJ+y684CYEwGOyRcLpQWE5RHY9
iLib+oR+mMdHUxvJYGk7peRZpyQKZlkxm5YEMVxgj6ootTkBOPejv/GMcI2eiR9J
uj3U9JA+rGWDc8VV9Lc69Vz+w2COkPlmT+UNzZmqWcoT/AvmKmA7I+VzUshLa6u5
SSSwN/+uKaV0PT3Bm6LhoUR8rBFoGyKCAUCo6I8nFgdQ0xz50230zqP18v7i6wLn
uZQVZXcDPh+g33JxNqKl6Aw+jrZ/FF9dWbsAaBFpH7lubNmGHKCWytp3Fpz7dZLd
0AisB+ggew==
-----END CERTIFICATE-----

@aronowski @HW42

The value to a user and who that user might be

No response

Completion criteria checklist

• review certificates candidates prepared by Marek
• create/update certificates based on review result

[Nurmagoz]

Signature Algorithm: sha256WithRSAEncryption

Can you change RSA to something else like ECC or so?

[HW42]

Signature Algorithm: sha256WithRSAEncryption

Can you change RSA to something else like ECC or so?

No. It seems even shim doesn't support EC crypto yet (see rhboot/shim#697, note that while that PR is primarily about some Chinese crypto standards it also shows that the more common EC crypto stuff is not included). I would guess that UEFI firmware support is not any better.

So for compatibility we will have to stick to SHA256 and RSA for now.

[HW42]

        Validity
            Not Before: Jan  9 16:02:01 2025 GMT
            Not After : Jan 19 03:14:07 2037 GMT

Side note: There are many certs in the field (including the "Microsoft UEFI CA 2023") that have dates past UNIX time reaching 2**31, so we don't have to worry about avoiding it. But by 2037, we hopefully have already rotate it, so no need to extend it.

        Subject: CN=Qubes OS Secure Boot CA

Re naming the CA:

• In Secure Boot beside the CA for signing boot code (to be added to DB) there's also KEK CAs. For now we don't need one, but this makes just "Secure Boot CA" a bit ambiguous. But there seems to be no common name for it and most other Linux distros also name it like this, so I guess we will keep it as is.

• We might want to add a number to make things easier to differentieate when we rotate it. (Hopefully seldomly needed, but still.)

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

EC crypto would be nice for new stuff, but as explained above currently not feasible.

We could consider using a bigger key. For usage via a MS signed shim it's pointless since their CA is 2048 bit. But for users that import our key directly it would match what we use elsewhere. This raises the risk of running into incompatibilities somewhat. Most keys I have seen are 2048 bit. But for example Rocky Linux uses an intermediate cert with 3072 bit, so I guess support isn't to bad.

(MS's UEFI CA 2023 is itself signed by an CA that has a 4096 bit key, but since the "UEFI CA" cert is already the trust anchor that part of the chain doesn't need to be verified by firmware, so doesn't say much about support.)

        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:https://www.qubes-os.org/

This is intended to point the issuing CA, usually as a HTTP-URL pointing to a DER encoded version of it. But for a self-signed root that doesn't make much sense so I would drop it completely. (This also matches the CA/B recommendations)

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign

I think "Digital Signature" is not really needed for the root CA (but also doesn't hurt).

---

        Serial Number: 3312080083 (0xc56a54d3)

We should stick to one method for generating serial numbers. Big randomly generated number as with the root is probably the best idea.

        Validity
            Not Before: Jan 10 04:38:00 2025 GMT
            Not After : Feb 10 04:38:00 2026 GMT

While time validity is not verified by firmwares I don't think we should rely on it. Since this is a core part of X509 certs, I think sooner or later we will run into problems somewhere if we have signatures with invalid times. So I think this should cover the expected support duration of a release. (We can rotate more often, but the older certs shouldn't expire.)

        Subject: CN=Qubes OS Secure Boot Signer 2025

Given that strict one cert per year is not what we want (see above and below) I don't like naming it by a year. We could use a full date (like Fedora does for it's CA), to make it obvious that this is no reference to it's validity period. I probably would simply use a counter.

Looking at common practice of other distros the trend is to have multiple intermediates that are limited in what they are used for, often one per component (grub/linux/...) and architecture. From what I understand this is to aid revocation, since it's better to revoke an intermediate cert than many hashes of singed files. I'm not sure how important this is going to be since SBAT should cover most of those cases. But probably still a good idea.

For us I think this would primarily mean an intermediate per component (grub, UKI, ...). And rotating them from time to time.

[marmarek]

We could consider using a bigger key. For usage via a MS signed shim it's pointless since their CA is 2048 bit. But for users that import our key directly it would match what we use elsewhere. This raises the risk of running into incompatibilities somewhat. Most keys I have seen are 2048 bit. But for example Rocky Linux uses an intermediate cert with 3072 bit, so I guess support isn't to bad.

I think I've seen specific recommendation to use 2048 and not more for compatibility reasons. For example rhboot/shim-review#411 (comment)

• In Secure Boot beside the CA for signing boot code (to be added to DB) there's also KEK CAs. For now we don't need one, but this makes just "Secure Boot CA" a bit ambiguous. But there seems to be no common name for it and most other Linux distros also name it like this, so I guess we will keep it as is.

If we'd need KEK CA at some point, I guess we can name it with "KEK CA", and keep the normal one with just "CA". It may look ambiguous without extra context, but IMO it's just a matter of a single doc page (or README in qubes-secpack?) that list the certs and their purpose.

This is intended to point the issuing CA, usually as a HTTP-URL pointing to a DER encoded version of it. But for a self-signed root that doesn't make much sense so I would drop it completely.

Ok.
But then should I add it to the leaf cert then to point at the CA somewhere (somewhere at https://keys.qubes-os.org/... maybe?) ?

We should stick to one method for generating serial numbers. Big randomly generated number as with the root is probably the best idea.

Both are big random, just different "big" ;) I used different tools to generate them - one is done using efikeygen and the other with certutil. I guess I can do both with efikeygen if I figure out correct options...

So I think this should cover the expected support duration of a release. (We can rotate more often, but the older certs shouldn't expire.)

Well, we don't know expected support duration up front - we have it defined based on release date of the next release. In practice it's usually something about 2 years, but it isn't fixed. Since shim embeds the CA, and this key is used for signing various boot files (grub, xen-unified.efi, maybe something else), I imagine we will publish updates of those anyway, even if only to have it signed with a new key. One problematic case could be somebody installing system past the cert validity time, but we do publish point releases so that should be covered too (we just need to be careful to align point releases and key rotation correctly).

Given that strict one cert per year is not what we want (see above and below) I don't like naming it by a year. We could use a full date (like Fedora does for it's CA), to make it obvious that this is no reference to it's validity period. I probably would simply use a counter.

A counter is fine with me too. FWIW I've seen using year in the name to just signify when the key was created, not necessarily when it is valid - for example the current RPM Fusion key is "RPM Fusion free repository for Fedora (2020)".

Looking at common practice of other distros the trend is to have multiple intermediates that are limited in what they are used for, often one per component (grub/linux/...) and architecture. From what I understand this is to aid revocation, since it's better to revoke an intermediate cert than many hashes of singed files. I'm not sure how important this is going to be since SBAT should cover most of those cases. But probably still a good idea.

IIUC the current recommendation is to do cert revocation only if that cert got compromised. All the other cases should be covered by SBAT, which already allows precise revocation of individual components. Space in dbx is limited, and having more certs that potentially could be revoked may actually be a disadvantage.