From fd54dc191d06305d7b5fbfe71cd937e7f95d4f10 Mon Sep 17 00:00:00 2001 From: Jean-Francois Roy Date: Tue, 16 Jul 2024 21:11:55 -0700 Subject: [PATCH] feat(talosctl): append microsoft secure boot certs This patch adds a flag to `secureboot.database.Generate` to append the Microsoft UEFI secure boot DB and KEK certificates to the appropriate ESLs, in addition to complimentary command line flags. This patch also includes a copy of said Microsoft certificates. The certificates are downloaded from an official Microsoft repo. Signed-off-by: Jean-Francois Roy Signed-off-by: Andrey Smirnov --- Dockerfile | 13 ++ cmd/installer/cmd/imager/root.go | 11 ++ cmd/talosctl/cmd/mgmt/gen/secureboot.go | 8 +- hack/release.toml | 6 + .../certs/db/MicCorUEFCA2011_2011-06-27.der | Bin 0 -> 1556 bytes .../certs/db/microsoft uefi ca 2023.der | Bin 0 -> 1448 bytes .../certs/kek/MicCorKEKCA2011_2011-06-24.der | Bin 0 -> 1516 bytes .../microsoft corporation kek 2k ca 2023.der | Bin 0 -> 1462 bytes internal/pkg/secureboot/database/database.go | 129 ++++++++++++++++-- pkg/imager/out.go | 2 +- pkg/imager/profile/input.go | 2 + website/content/v1.8/reference/cli.md | 9 +- 12 files changed, 165 insertions(+), 15 deletions(-) create mode 100644 internal/pkg/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der create mode 100644 internal/pkg/secureboot/database/certs/db/microsoft uefi ca 2023.der create mode 100644 internal/pkg/secureboot/database/certs/kek/MicCorKEKCA2011_2011-06-24.der create mode 100644 internal/pkg/secureboot/database/certs/kek/microsoft corporation kek 2k ca 2023.der diff --git a/Dockerfile b/Dockerfile index 650eee11b6..c16170ef57 100644 --- a/Dockerfile +++ b/Dockerfile @@ -309,6 +309,16 @@ FROM scratch AS ipxe-generate COPY --from=pkg-ipxe-amd64 /usr/libexec/snp.efi /amd64/snp.efi COPY --from=pkg-ipxe-arm64 /usr/libexec/snp.efi /arm64/snp.efi +FROM scratch AS microsoft-secureboot-database +ADD https://github.com/microsoft/secureboot_objects.git / + +FROM scratch AS microsoft-key-keys +COPY --from=microsoft-secureboot-database /PreSignedObjects/KEK/Certificates/*.der /kek/ + +FROM scratch AS microsoft-db-keys +COPY --from=microsoft-secureboot-database /PreSignedObjects/DB/Certificates/MicCor*.der /db/ +COPY --from=microsoft-secureboot-database /PreSignedObjects/DB/Certificates/microsoft*.der /db/ + FROM --platform=${BUILDPLATFORM} scratch AS generate COPY --from=proto-format-build /src/api /api/ COPY --from=generate-build /api/common/*.pb.go /pkg/machinery/api/common/ @@ -333,6 +343,8 @@ COPY --from=go-generate /src/pkg/machinery/extensions/ /pkg/machinery/extensions COPY --from=ipxe-generate / /pkg/provision/providers/vm/internal/ipxe/data/ipxe/ COPY --from=embed-abbrev / / COPY --from=pkg-ca-certificates /etc/ssl/certs/ca-certificates /internal/app/machined/pkg/controllers/secrets/data/ +COPY --from=microsoft-key-keys / /internal/pkg/secureboot/database/certs/ +COPY --from=microsoft-db-keys / /internal/pkg/secureboot/database/certs/ # The base target provides a container that can be used to build all Talos # assets. @@ -345,6 +357,7 @@ COPY --from=generate /pkg/flannel/ ./pkg/flannel/ COPY --from=generate /pkg/imager/ ./pkg/imager/ COPY --from=generate /pkg/machinery/ ./pkg/machinery/ COPY --from=generate /internal/app/machined/pkg/controllers/secrets/data/ ./internal/app/machined/pkg/controllers/secrets/data/ +COPY --from=generate /internal/pkg/secureboot/database/certs/ ./internal/pkg/secureboot/database/certs/ COPY --from=embed / ./ RUN --mount=type=cache,target=/.cache go list all >/dev/null WORKDIR /src/pkg/machinery diff --git a/cmd/installer/cmd/imager/root.go b/cmd/installer/cmd/imager/root.go index fea064f637..51a48e502b 100644 --- a/cmd/installer/cmd/imager/root.go +++ b/cmd/installer/cmd/imager/root.go @@ -45,6 +45,8 @@ var cmdFlags struct { OverlayName string OverlayImage string OverlayOptions []string + // Only used when generating a secure boot iso without also providing a secure boot database. + SecurebootIncludeWellKnownCerts bool } // rootCmd represents the base command when called without any subcommands. @@ -173,6 +175,13 @@ var rootCmd = &cobra.Command{ prof.Output.ImageOptions.DiskSize = int64(size) } + + if cmdFlags.SecurebootIncludeWellKnownCerts { + if prof.Input.SecureBoot == nil { + prof.Input.SecureBoot = &profile.SecureBootAssets{} + } + prof.Input.SecureBoot.IncludeWellKnownCerts = true + } } if err := os.MkdirAll(cmdFlags.OutputPath, 0o755); err != nil { @@ -229,4 +238,6 @@ func init() { rootCmd.MarkFlagsMutuallyExclusive("board", "overlay-name") rootCmd.MarkFlagsMutuallyExclusive("board", "overlay-image") rootCmd.MarkFlagsMutuallyExclusive("board", "overlay-option") + rootCmd.PersistentFlags().BoolVar( + &cmdFlags.SecurebootIncludeWellKnownCerts, "secureboot-include-well-known-certs", false, "Include well-known (Microsoft) UEFI certificates when generating a secure boot database") } diff --git a/cmd/talosctl/cmd/mgmt/gen/secureboot.go b/cmd/talosctl/cmd/mgmt/gen/secureboot.go index 03959691e3..f26652b232 100644 --- a/cmd/talosctl/cmd/mgmt/gen/secureboot.go +++ b/cmd/talosctl/cmd/mgmt/gen/secureboot.go @@ -64,6 +64,7 @@ var genSecurebootPCRCmd = &cobra.Command{ var genSecurebootDatabaseCmdFlags struct { enrolledCertificatePath string signingCertificatePath, signingKeyPath string + includeWellKnownCerts bool } // genSecurebootDatabaseCmd represents the `gen secureboot database` command. @@ -78,6 +79,7 @@ var genSecurebootDatabaseCmd = &cobra.Command{ genSecurebootDatabaseCmdFlags.enrolledCertificatePath, genSecurebootDatabaseCmdFlags.signingKeyPath, genSecurebootDatabaseCmdFlags.signingCertificatePath, + genSecurebootDatabaseCmdFlags.includeWellKnownCerts, ) }, } @@ -140,7 +142,7 @@ func saveAsDER(file string, pem []byte) error { // generateSecureBootDatabase generates a UEFI database to enroll the signing certificate. // // ref: https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/ -func generateSecureBootDatabase(path, enrolledCertificatePath, signingKeyPath, signingCertificatePath string) error { +func generateSecureBootDatabase(path, enrolledCertificatePath, signingKeyPath, signingCertificatePath string, includeWellKnownCerts bool) error { in := profile.SigningKeyAndCertificate{ KeyPath: signingKeyPath, CertPath: signingCertificatePath, @@ -156,7 +158,7 @@ func generateSecureBootDatabase(path, enrolledCertificatePath, signingKeyPath, s return err } - db, err := database.Generate(enrolledPEM, signer) + db, err := database.Generate(enrolledPEM, signer, database.IncludeWellKnownCertificates(includeWellKnownCerts)) if err != nil { return fmt.Errorf("failed to generate database: %w", err) } @@ -186,6 +188,8 @@ func init() { &genSecurebootDatabaseCmdFlags.signingCertificatePath, "signing-certificate", helpers.ArtifactPath(constants.SecureBootSigningCertAsset), "path to the certificate used to sign the database") genSecurebootDatabaseCmd.Flags().StringVar( &genSecurebootDatabaseCmdFlags.signingKeyPath, "signing-key", helpers.ArtifactPath(constants.SecureBootSigningKeyAsset), "path to the key used to sign the database") + genSecurebootDatabaseCmd.Flags().BoolVar( + &genSecurebootDatabaseCmdFlags.includeWellKnownCerts, "include-well-known-uefi-certs", false, "include well-known UEFI (Microsoft) certificates in the database") genSecurebootCmd.AddCommand(genSecurebootDatabaseCmd) } diff --git a/hack/release.toml b/hack/release.toml index 8f10fc666f..85b313b3bc 100644 --- a/hack/release.toml +++ b/hack/release.toml @@ -101,6 +101,12 @@ Talos Linux now supports adding [custom trusted roots](https://www.talos.dev/v1. title = "Default Node Labels" description = """\ Talos Linux on config generation now adds a label `node.kubernetes.io/exclude-from-external-load-balancers` by default for the control plane nodes. +""" + + [notes.secureboot] + title = "Secure Boot" + description = """\ +Talos Linux now can optionally include well-known UEFI (Microsoft) SecureBoot keys into the auto-enrollment UEFI database. """ [make_deps] diff --git a/internal/pkg/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der b/internal/pkg/secureboot/database/certs/db/MicCorUEFCA2011_2011-06-27.der new file mode 100644 index 0000000000000000000000000000000000000000..9aa6ac6c79b21cf1c23b01b5a747aea6ca15da37 GIT binary patch literal 1556 zcmXqLViPcEV*as!nTe5!i7S!g@(~6QU@_ojd87gG}>Bg0aT9G~N^oLSyHOAfTxvz78VGlrx*5UXc@ zJE@j?Q}KQtu47)Vi3^U3=}x=+ReQm2U(eZ&4HIm3hWvfD=i=NWOC-AL9lK&8n=_1d z_qd;YSGY&fe^yt`e;51Sexprl9_vcCzB}n7=OtP9q-mCHMY%7}hP~hTFNkO^jv05GgVcV&l|i zV`O1$G8biJVFk+>C?mv}Sj1RFejLo+USA&U^;y+i)^DL&HNQeZgMlnCMr8Rw(!y)^ zJ9F-BDwxxA)!#7hs?v-u=_>}3a5F@hSa{^P7=jr}8Il;B85|9`K|1+aSb!Oz&43@o z5oTok&%$cJ45SR?K?2Gw5(Z)oBCcsc&JXJ%1ovO_o2MMgVQr<9wZb3jRSyFfRa;I52$! z6E`qT#{<)hfi4gknCbzQ8YHlB0KUE;q>3&%(?GnJZl9qB1|>ijLOt&-U~UZJ4t)3%5Ajph!hU}{4&C1 znHYD|s@Sznw;Gxq+4{H0eq!GFSt?fgW59%;n?qZiG-MR^Zdw;8a`eEO=~ESDCfw%# zQ$BBM@x+c(d-n$IWDVfGA3kqE;#=OQxvDoE_{AMgoLlU5$anoLAz6-){=LWd?9{gP z)Rs5;lckvHKl?QI|H^}7P`p3e|O3K zJ97OESKmr}(H9ZR*1wn5vqAak@s=BJUmY}VS{vpqq5CmoD*M^8kH{0YRa-%tSY$V?b_=s>rUTrh+NQeajH+!L?x*b*&bVWK9^-r zHq16L-S}%;@Cu#AH%nLxPt4u1>xHyS+7tH>zP_;f&GW@(Y-+oZVK+f}tA1R6Kx^-@ z-lllRgN1MfA-&c}SF>PgInqRZZ2P+zbh(mdgZ#grWnDhht= h@@Z?I^6kMoCf9eVhqf)Q%M>eRpEUdHvOST_5de>mHUa@+qlu3fO`m&22^fQVIp+F!&dG@HCx{fPT$yxo5fZNZ6Z?nA!aU=O#Vc&yc&No4KNiQ^K5NyPP?N^Bb0>U# zHZ6JC3w8zZ6O-jGty^+uU2Ww4j<_VAbiRrG-AT^Kv(`Wou0e!}g-4EyA()|*A&J46!O?&pWVSHKY*qtiAY~vA z5>RH5Fc51HX>n;|W0+yDvug9v&d+P~PClE<$!w4cQXtO~XAol$wIE_aSX)R&NlAf~ zzJ7Umxn3?TE$Sub=js<^XXY0a>n9iG=))6&s*wRO83IXYLIm-FNfAgngG52eQ4grW zpoonF=t)*qc1A{)G=mg_BpBa-sV$74jj2T?#iZIQ`D@}bDz+mwBOA< z8ye3&U9$Snf?2P>vfKPq{4wi}q$1Be6`hMQi^RCRU%&B~voX5lHe<@6#|>GlrOuX1 zXIakLzN^6HfBKZ8jcgxIH?mAtSDd-Gy+dS4d+E8xAf$DyAG~b58$X&y4*XG2eC`-DI=v z%!xPkm&!{{zx_PzWOuKORww`B{=Mh4THR(TFY0$XF!S20R{2E9ePX8DOBYOSNM&ok z!fkru$SS^bi@1^#PI+s`sIxS!w~J`5in@_*FA)5dN9?*`q@;(xbK31RAfvORdAUGKbrrWFhiDyB&9+kC`8eiPsA4{j3bFg5OjCaaS z0cL5F-)ZNY^5!|L5H$ak+O5dB-ez)=?dLtsckM$bh+Z;WFZle&sRd0Bcb?xIKKXd4 z`I>si{qoanKC4andE-*3N>|r5#}5z04k%CRDdh6W;*|{jZZ&6;;QxhX2!;u$TyY{aQSKFX=_|@~@;Z-h7vFyCJyq=b5 zJ=?(lCinH5`kjxXl8tHv#r^pnb1%0Lo!ocq>w}h!vu5i&|GItRHO_~R4zR3PV<2R91&S9_(-|4 zw_y7cS>HG7p3eCtcIf)S(^p;`(SJJgok}H`B=nQM3VkEpIuxws!gliCC zV&ReFVhCm^Wk_OhW^gp%2I=Hy0U6U~zz^aGGcx{XVKra|QU>xM0c92m1F;4X*R&w# zhjkHx`>*-UQx4^@wo=MkVGsjSAkPwN5Nr^*z<+^nn|DS@Nr9EVesWQcUM?&x>m}#s z>K9~Zf<*NTitQ<3X)E3>+FDvQfnk;IlCr2*mD_ikX9ZRZqL6?=D`>xf9< zxfXsxa&bKCwcE!oWS;ZzHroC=_L9NZ17COSs$gHN{crYdldzUIO{dm5sus-2e)(?# z|Mh9|PoGbb-=xLU>-}FtQ=t0$^_ry@%XYG!sC>&mVbYvK|L*74oX7zgh@9nG?To0`c7HO3KZNRe1+$`~ySEjVd zjf}U~n9k=+;kkT1N2zk{#t(a#7r7;@Ji>lRvFYRAPcJHs687I%vs6jM`_#c3-mh!z z!%a6m^Do`9A%R&bc-_QG*=w^M z$Zf#M#vIDRCd?EXY$#_S1LANAi~43J7v&e{r^7bTWt=I0q|8)$;$nT3@Q z@;@`l=OY|zB0gzQ;HRtDxKMt%mMI2ThBBO}A(xQ^~(ox@y5 zUVc5-sQZ!sqnfGtMbF^EjnR{X);|=zf3Mqe?|Prq(%`4JxQu4#8>?;8-Zy3D{5Q7_ z^|6{v66R0dU$UrZg=XD+BSlS)$Rp)Pv?lqqZ(}xpJ?qiolUqC#4<}A}B_6o(xyU1x zWWB4OjxGJPC{8}}SRn6m&EG*>vmbZ7$oRke*QCt#N5uZeK8=5H|4mvbcjBQn)(Uy| zxA4B!K5^lYiC@z+%Xc3QTUl)1Un~24_|(CxJ^I`N8nZoSZ4eMya&yYljOep@&#T_- zS>U;2W$+DO{Y}*;ZtdCh{LktFf%2)Yo`2U~vKK#{HtSQZ*iLa zh_Q$~SY5Pdn%(~$X|rnuqMYqwoI={;4J6?jM3`83GP0x@q!=W@_y$aEVFYbVEh;G{)y@*+Bnixa%uT?cZDnE; z`jx)U-*V*+lRL3m6_V8!@8&f1OFy!)HR6ifAHnuK|3|OH3h9=wvrnz<=5XOt>(#jt zpQo(K{wvx?O|Q(*SugL!3B!Y4mp(CVU-q%|$+Wj@k4{aka9Lqoc17Fw`kp)O)~kIr z*G}u)e)UlQYPZ9&oBzIDI`3=QcJ0>xGZxOzmYHq${T-k9;=gA456^1Mka3u)c8a-o zndz%bT+6$~)+sVF$f@&h=iB6D7^e5^N8c+RlMjCP3k)(@E}p+UC&exQjN;kT?^%s@ zb1b_t-_;`4@6wz}oiB@@RB@Qf`7b-PE8A|ne29tXuPs%lZ!M6IY}D5J)}glHSI(!` z2XCx%e3<`dzwnDZk>}5kGj}`86tG~+E!fL=;$ClU(F%s|KrcGzutFc-y5g~ST4T*&wl5x*VCq7IQx@D z?KiK7B*%@1lMeSIv21gk;J4vjRy z?NuKN{n`=}s&d1QM|0XOdVhs)-lWU&Gr!Hu?nFpB^H literal 0 HcmV?d00001 diff --git a/internal/pkg/secureboot/database/database.go b/internal/pkg/secureboot/database/database.go index c2264d67c1..4b536282e4 100644 --- a/internal/pkg/secureboot/database/database.go +++ b/internal/pkg/secureboot/database/database.go @@ -7,6 +7,10 @@ package database import ( "crypto/sha256" + "crypto/x509" + "embed" + "path/filepath" + "sync" "github.com/foxboron/go-uefi/efi/signature" "github.com/foxboron/go-uefi/efi/util" @@ -23,33 +27,142 @@ type Entry struct { Contents []byte } +const ( + microsoftSignatureOwnerGUID = "77fa9abd-0359-4d32-bd60-28f4e78f784b" +) + +// Well-known UEFI DB certificates (DER data). +// +//go:embed certs/db/*.der +var wellKnownDB embed.FS + +// Well-known UEFI KEK certificates (PEM data). +// +//go:embed certs/kek/*.der +var wellKnownKEK embed.FS + +func loadWellKnownCertificates(fs embed.FS, path string) ([]*x509.Certificate, error) { + certs := []*x509.Certificate{} + + files, err := fs.ReadDir(path) + if err != nil { + return nil, err + } + + for _, file := range files { + data, err := fs.ReadFile(filepath.Join(path, file.Name())) + if err != nil { + return nil, err + } + + cert, err := x509.ParseCertificate(data) + if err != nil { + return nil, err + } + + certs = append(certs, cert) + } + + return certs, nil +} + +var wellKnownDBCertificates = sync.OnceValue(func() []*x509.Certificate { + certs, err := loadWellKnownCertificates(wellKnownDB, "certs/db") + if err != nil { + panic(err) + } + + return certs +}) + +var wellKnownKEKCertificates = sync.OnceValue(func() []*x509.Certificate { + certs, err := loadWellKnownCertificates(wellKnownKEK, "certs/kek") + if err != nil { + panic(err) + } + + return certs +}) + +// Options for Generate. +type Options struct { + IncludeWellKnownCertificates bool +} + +// Option is a functional option for Generate. +type Option func(*Options) + +// IncludeWellKnownCertificates is an option to include well-known certificates. +func IncludeWellKnownCertificates(v bool) Option { + return func(o *Options) { + o.IncludeWellKnownCertificates = v + } +} + // Generate generates a UEFI database to enroll the signing certificate. // // ref: https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/ -func Generate(enrolledCertificate []byte, signer pesign.CertificateSigner) ([]Entry, error) { +// +//nolint:gocyclo +func Generate(enrolledCertificate []byte, signer pesign.CertificateSigner, opts ...Option) ([]Entry, error) { + var options Options + + for _, opt := range opts { + opt(&options) + } + // derive UUID from enrolled certificate uuid := uuid.NewHash(sha256.New(), uuid.NameSpaceX500, enrolledCertificate, 4) efiGUID := util.StringToGUID(uuid.String()) - // Create ESL - db := signature.NewSignatureDatabase() - if err := db.Append(signature.CERT_X509_GUID, *efiGUID, enrolledCertificate); err != nil { + // Create PK ESL + pk := signature.NewSignatureDatabase() + if err := pk.Append(signature.CERT_X509_GUID, *efiGUID, enrolledCertificate); err != nil { return nil, err } - // Sign the ESL, but for each EFI variable - _, signedDB, err := signature.SignEFIVariable(efivar.Db, db, signer.Signer(), signer.Certificate()) + _, signedPK, err := signature.SignEFIVariable(efivar.PK, pk, signer.Signer(), signer.Certificate()) if err != nil { return nil, err } - _, signedKEK, err := signature.SignEFIVariable(efivar.KEK, db, signer.Signer(), signer.Certificate()) + // Create KEK ESL + kek := signature.NewSignatureDatabase() + if err := kek.Append(signature.CERT_X509_GUID, *efiGUID, enrolledCertificate); err != nil { + return nil, err + } + + if options.IncludeWellKnownCertificates { + owner := util.StringToGUID(microsoftSignatureOwnerGUID) + for _, cert := range wellKnownKEKCertificates() { + if err := kek.Append(signature.CERT_X509_GUID, *owner, cert.Raw); err != nil { + return nil, err + } + } + } + + _, signedKEK, err := signature.SignEFIVariable(efivar.KEK, kek, signer.Signer(), signer.Certificate()) if err != nil { return nil, err } - _, signedPK, err := signature.SignEFIVariable(efivar.PK, db, signer.Signer(), signer.Certificate()) + // Create db ESL + db := signature.NewSignatureDatabase() + if err := db.Append(signature.CERT_X509_GUID, *efiGUID, enrolledCertificate); err != nil { + return nil, err + } + + if options.IncludeWellKnownCertificates { + owner := util.StringToGUID(microsoftSignatureOwnerGUID) + for _, cert := range wellKnownDBCertificates() { + if err := db.Append(signature.CERT_X509_GUID, *owner, cert.Raw); err != nil { + return nil, err + } + } + } + + _, signedDB, err := signature.SignEFIVariable(efivar.Db, db, signer.Signer(), signer.Certificate()) if err != nil { return nil, err } diff --git a/pkg/imager/out.go b/pkg/imager/out.go index d81ef934dd..14338ef4d6 100644 --- a/pkg/imager/out.go +++ b/pkg/imager/out.go @@ -133,7 +133,7 @@ func (i *Imager) outISO(ctx context.Context, path string, report *reporter.Repor var entries []database.Entry - entries, err = database.Generate(enrolledPEM, signer) + entries, err = database.Generate(enrolledPEM, signer, database.IncludeWellKnownCertificates(i.prof.Input.SecureBoot.IncludeWellKnownCerts)) if err != nil { return fmt.Errorf("failed to generate database: %w", err) } diff --git a/pkg/imager/profile/input.go b/pkg/imager/profile/input.go index bd46ee2853..c73391b913 100644 --- a/pkg/imager/profile/input.go +++ b/pkg/imager/profile/input.go @@ -96,6 +96,8 @@ type SecureBootAssets struct { PlatformKeyPath string `yaml:"platformKeyPath,omitempty"` KeyExchangeKeyPath string `yaml:"keyExchangeKeyPath,omitempty"` SignatureKeyPath string `yaml:"signatureKeyPath,omitempty"` + // Optional, auto-enrollment include well-known UEFI (Microsoft) certs. + IncludeWellKnownCerts bool `yaml:"includeWellKnownCerts,omitempty"` } // SigningKeyAndCertificate describes a signing key & certificate. diff --git a/website/content/v1.8/reference/cli.md b/website/content/v1.8/reference/cli.md index e90520da73..e7f363e09d 100644 --- a/website/content/v1.8/reference/cli.md +++ b/website/content/v1.8/reference/cli.md @@ -1535,10 +1535,11 @@ talosctl gen secureboot database [flags] ### Options ``` - --enrolled-certificate string path to the certificate to enroll (default "_out/uki-signing-cert.pem") - -h, --help help for database - --signing-certificate string path to the certificate used to sign the database (default "_out/uki-signing-cert.pem") - --signing-key string path to the key used to sign the database (default "_out/uki-signing-key.pem") + --enrolled-certificate string path to the certificate to enroll (default "_out/uki-signing-cert.pem") + -h, --help help for database + --include-well-known-uefi-certs include well-known UEFI (Microsoft) certificates in the database + --signing-certificate string path to the certificate used to sign the database (default "_out/uki-signing-cert.pem") + --signing-key string path to the key used to sign the database (default "_out/uki-signing-key.pem") ``` ### Options inherited from parent commands