Use either Microsoft or Mosby's UEFI VendorGUID when adding certificates

pbatard · pbatard · commit e4e625fec60d · 2025-12-09T18:40:59.000Z
* Mosby derived the ESL GUID from the certificate fingerprint, which means that each of the Microsoft certificates added to the KEK or DB were referenced under their own unique GUID, which had nothing to do with the originator of the certificate (Microsoft). * Outside of not trying to go with UEFI best practices, this is also problematic with tools like fwupdmgr, that try to resolve the VendorGuid to known vendors when reporting back to the user. * So we now make sure that we don't derive the GUID from the data, but instead use a proper VendorGUID when none is defined, which will be Microsoft's for the DB and KEK certs, and our own for the PK and additional DB cert. * Closes #15.
diff --git a/src/data.c b/src/data.c
@@ -7426,6 +7426,7 @@ EFI_STATUS InitializeList(
 		return EFI_INVALID_PARAMETER;
 	ZeroMem(List, sizeof(MOSBY_LIST));
 	List->Entry[List->Size].Type = KEK;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"kek_2011_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?LinkId=321185";
@@ -7434,6 +7435,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Buffer.Size = kek_2011_ms_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = KEK;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"kek_2023_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239775";
@@ -7442,6 +7444,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Buffer.Size = kek_2023_ms_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Set = MOSBY_SET1;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_2011_win_ms.cer";
@@ -7451,6 +7454,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Buffer.Size = db_2011_win_ms_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_2011_3rd_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=321194";
@@ -7459,6 +7463,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Buffer.Size = db_2011_3rd_ms_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_2023_win_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239776";
@@ -7467,6 +7472,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Buffer.Size = db_2023_win_ms_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_2023_3rd_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2239872";
@@ -7475,6 +7481,7 @@ EFI_STATUS InitializeList(
 	List->Entry[List->Size].Buffer.Size = db_2023_3rd_ms_cer_len;
 	List->Size++;
 	List->Entry[List->Size].Type = DB;
+	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;
 	List->Entry[List->Size].Attrs = UEFI_VAR_NV_BS_RT_TIMEAUTH;
 	List->Entry[List->Size].Path = L"db_2023_opt_ms.cer";
 	List->Entry[List->Size].Url = "https://go.microsoft.com/fwlink/?linkid=2284009";
diff --git a/src/gen_data.sh b/src/gen_data.sh
@@ -201,6 +201,8 @@ for file in "${order[@]}"; do
     echo "	List->Entry[List->Size].Flags = USE_BUFFER | ALLOW_UPDATE;"
   elif [[ "$type" == "DBX" ]]; then
     echo "	List->Entry[List->Size].Flags = ALLOW_UPDATE;"
+  elif [[ "$type" == "DB" || "$type" == "KEK" ]]; then
+    echo "	List->Entry[List->Size].Flags = USE_MICROSOFT_GUID;"
   fi
   if [[ "${exclusive_set[${file}]}" != "" ]]; then
     echo "	List->Entry[List->Size].Set = ${exclusive_set[${file}]};"
diff --git a/src/mosby.c b/src/mosby.c
@@ -39,7 +39,7 @@ STATIC EFI_GUID gEfiShimLockGuid =
 	{ 0x605DAB50, 0xE046, 0x4300, { 0xAB, 0xB6, 0x3D, 0xD8, 0x10, 0xDD, 0x8B, 0x23 } };
 
 /* Microsoft GUID - Not yet defined in EDK2 */
-STATIC EFI_GUID gEfiMicrosoftGuid =
+EFI_GUID gEfiMicrosoftGuid =
 	{ 0x77FA9ABD, 0x0359, 0x4D32, { 0xBD, 0x60, 0x28, 0xF4, 0xE7, 0x8F, 0x78, 0x4B } };
 
 /* Attributes for the "key" types we support */
@@ -501,7 +501,7 @@ EFI_STATUS EFIAPI efi_main(
 		Status = GenerateCredentials(DbSubject, &Cred);
 		if (EFI_ERROR(Status))
 			goto exit;
-		Status = CertToAuthVar(Cred.Cert, &List.Entry[i].Variable);
+		Status = CertToAuthVar(Cred.Cert, &List.Entry[i].Variable, FALSE);
 		if (EFI_ERROR(Status)) {
 			FreeCredentials(&Cred);
 			goto exit;
@@ -534,7 +534,7 @@ EFI_STATUS EFIAPI efi_main(
 		Status = GenerateCredentials(PkSubject, &Cred);
 		if (EFI_ERROR(Status))
 			goto exit;
-		Status = CertToAuthVar(Cred.Cert, &List.Entry[i].Variable);
+		Status = CertToAuthVar(Cred.Cert, &List.Entry[i].Variable, FALSE);
 		if (EFI_ERROR(Status)) {
 			FreeCredentials(&Cred);
 			goto exit;
diff --git a/src/mosby.h b/src/mosby.h
@@ -83,6 +83,7 @@
 #define USE_BUFFER                  0x01
 #define NO_INSTALL                  0x02
 #define ALLOW_UPDATE                0x04
+#define USE_MICROSOFT_GUID          0x08
 
 /* Exclusive sets */
 #define MOSBY_SET1                  0x01
@@ -91,6 +92,12 @@
 /* Global Image Handle for the current executable */
 extern EFI_HANDLE gBaseImageHandle;
 
+/* Microsoft's EFI VendorGUID */
+extern EFI_GUID gEfiMicrosoftGuid;
+
+/* Mosby's EFI VendorGUID */
+extern EFI_GUID gEfiMosbyGuid;
+
 /* Types of Secure Boot variables this application is able to install */
 enum {
 	PK,
diff --git a/src/pki.c b/src/pki.c
@@ -355,16 +355,15 @@ VOID FreeCredentials(
 
 EFI_STATUS CertToAuthVar(
 	IN CONST VOID *Cert,
-	OUT MOSBY_VARIABLE *Variable
+	OUT MOSBY_VARIABLE *Variable,
+	IN CONST BOOLEAN UseMicrosoftGUID
 )
 {
 	EFI_STATUS Status = EFI_INVALID_PARAMETER;
 	EFI_SIGNATURE_LIST *Esl = NULL;
 	EFI_SIGNATURE_DATA *Data = NULL;
 	INTN Size;
 	UINT8 *Ptr;
-	EFI_GUID OwnerGuid;
-	UINT8 Sha1[SHA_DIGEST_LENGTH] = { 0 };
 
 	if (Cert == NULL || Variable == NULL)
 		return EFI_INVALID_PARAMETER;
@@ -386,15 +385,8 @@ EFI_STATUS CertToAuthVar(
 	Ptr = &Data->SignatureData[0];
 	i2d_X509((X509*)Cert, &Ptr);
 
-	// Derive the SignatureOwner GUID from the SHA-1 Thumbprint
-	SHA1(&Data->SignatureData[0], Size, Sha1);
-
-	// Reorder, to have the GUID read in the same order as the byte data
-	OwnerGuid.Data1 = SwapBytes32(((UINT32*)Sha1)[0]);
-	OwnerGuid.Data2 = SwapBytes16(((UINT16*)Sha1)[2]);
-	OwnerGuid.Data3 = SwapBytes16(((UINT16*)Sha1)[3]);
-	CopyMem(&OwnerGuid.Data4, &Sha1[8], 8);
-	CopyGuid(&Data->SignatureOwner, &OwnerGuid);
+	// Use either the Microsoft VendorGUID or our own, to identify who provisioned the variable
+	CopyGuid(&Data->SignatureOwner, UseMicrosoftGUID ? &gEfiMicrosoftGuid : &gEfiMosbyGuid);
 
 	Variable->Size = Esl->SignatureListSize;
 	Variable->Data = (EFI_VARIABLE_AUTHENTICATION_2*)Esl;
@@ -470,15 +462,17 @@ EFI_STATUS PopulateAuthVar(
 
 	// Check for a DER encoded X509 certificate
 	Ptr = Entry->Buffer.Data;	// d2i_###() modifies the pointer
-	Status = CertToAuthVar(d2i_X509(NULL, &Ptr, Entry->Buffer.Size), &Entry->Variable);
+	Status = CertToAuthVar(d2i_X509(NULL, &Ptr, Entry->Buffer.Size), &Entry->Variable,
+		Entry->Flags & USE_MICROSOFT_GUID);
 	if (Status == EFI_SUCCESS)
 		goto exit;
 
 	// Check for a PEM encoded X509 certificate
 	bio = BIO_new_mem_buf(Entry->Buffer.Data, Entry->Buffer.Size);
 	if (bio == NULL)
 		ReportErrorAndExit(L"Failed to create X509 buffer\n");
-	Status = CertToAuthVar(PEM_read_bio_X509(bio, NULL, NULL, NULL), &Entry->Variable);
+	Status = CertToAuthVar(PEM_read_bio_X509(bio, NULL, NULL, NULL), &Entry->Variable,
+		Entry->Flags & USE_MICROSOFT_GUID);
 	if (Status == EFI_SUCCESS)
 		goto exit;
 	BIO_free(bio);	// Can't reuse the bio
@@ -490,7 +484,7 @@ EFI_STATUS PopulateAuthVar(
 	p12 = d2i_PKCS12_bio(bio, NULL);
 	// Need to read both the key and cert, even if we don't use the key here
 	if (PKCS12_parse(p12, NULL, (EVP_PKEY**)&Cred.Key, (X509**)&Cred.Cert, NULL)) {
-		Status = CertToAuthVar(Cred.Cert, &Entry->Variable);
+		Status = CertToAuthVar(Cred.Cert, &Entry->Variable, Entry->Flags & USE_MICROSOFT_GUID);
 		PKCS12_free(p12);
 		FreeCredentials(&Cred);
 		if (Status == EFI_SUCCESS)
diff --git a/src/pki.h b/src/pki.h
@@ -1,6 +1,6 @@
 /*
  * MSSB (More Secure Secure Boot -- "Mosby") PKI/OpenSSL functions
- * Copyright 2024 Pete Batard <pete@akeo.ie>
+ * Copyright 2024-2025 Pete Batard <pete@akeo.ie>
  *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -46,7 +46,8 @@ VOID FreeCredentials(
 
 EFI_STATUS CertToAuthVar(
 	IN CONST VOID *Cert,
-	OUT MOSBY_VARIABLE *Variable
+	OUT MOSBY_VARIABLE *Variable,
+	IN CONST BOOLEAN UseMicrosoftGUID
 );
 
 EFI_STATUS PopulateAuthVar(
diff --git a/src/variables.c b/src/variables.c
@@ -24,7 +24,7 @@
 #define MOSBY_LAST_INSTALL_TIME     L"LastInstallTime"
 
 /* GUID we use to store variables */
-STATIC EFI_GUID gMosbyVariableGuid =
+EFI_GUID gEfiMosbyGuid =
 	{ 0x26A35749, 0x477E, 0x41A4, { 0xA9, 0x0A, 0x19, 0xC3, 0xAF, 0xEA, 0x85, 0x40 } };
 
 /* Various messages we display to the user as they attempt to enter Setup Mode */
@@ -170,9 +170,9 @@ EFI_STATUS CheckSetupMode(VOID)
 	// Check the amount of times the user got into UEFI Setup to try to enable Setup
 	// Mode, so that we can provide more helpful messages.
 	Size = sizeof(SetupModeAttempts);
-	gRT->GetVariable(MOSBY_SETUP_MODE_ATTEMPTS, &gMosbyVariableGuid, NULL, &Size, &SetupModeAttempts);
+	gRT->GetVariable(MOSBY_SETUP_MODE_ATTEMPTS, &gEfiMosbyGuid, NULL, &Size, &SetupModeAttempts);
 	// Now that we have (possibly) read it, delete the variable
-	gRT->SetVariable(MOSBY_SETUP_MODE_ATTEMPTS, &gMosbyVariableGuid, 0, 0, NULL);
+	gRT->SetVariable(MOSBY_SETUP_MODE_ATTEMPTS, &gEfiMosbyGuid, 0, 0, NULL);
 
 	// Get the Secure Boot, Setup Mode and Audit Mode status
 	Size = sizeof(SecureBoot);
@@ -226,7 +226,7 @@ EFI_STATUS CheckSetupMode(VOID)
 				SetOsIndication(EFI_OS_INDICATIONS_BOOT_TO_FW_UI) == EFI_SUCCESS) {
 				// Log one more attempt by the user to try to enable Setup mode
 				SetupModeAttempts++;
-				gRT->SetVariable(MOSBY_SETUP_MODE_ATTEMPTS, &gMosbyVariableGuid,
+				gRT->SetVariable(MOSBY_SETUP_MODE_ATTEMPTS, &gEfiMosbyGuid,
 					EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
 					sizeof(SetupModeAttempts), &SetupModeAttempts);
 			}
@@ -252,7 +252,7 @@ BOOLEAN ExitNotice(
 
 	gRT->GetTime(&Time, NULL);
 	// Store the last installation time, so we can alert the user if they re-run Mosby
-	gRT->SetVariable(MOSBY_LAST_INSTALL_TIME, &gMosbyVariableGuid,
+	gRT->SetVariable(MOSBY_LAST_INSTALL_TIME, &gEfiMosbyGuid,
 					EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
 					sizeof(Time), &Time);
 	Reboot = (ConsoleYesNo(KeysGenerated ? ExitMessage1 : ExitMessage2) == 0);
