UEFI Tutorial

This is a tutorial to help developers ramp up on the UEFI environment and programming. UEFI is presented with notes on setting up Ubuntu on an EFI platform.

The following steps were followed to set up the environment.

efibootmgr
efibootmgr should be installed by default in Ubuntu on UEFI platforms. Otherwise, it can be installed with apt.
$ sudo apt install efibootmgr
$ sudo efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0002,0008,0006,0007
Boot0000* ubuntu HD(4,GPT,0882ec5f-da2e-48ef-8ba3-d1a11cdadfa2,0x800,0x1eb800)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* DTO UEFI USB Floppy/CD VenMedia(b6fef66f-1495-4584-a836-3492d1984a8d,0500000001)AMBO
Boot0002* DTO UEFI USB Hard Drive VenMedia(b6fef66f-1495-4584-a836-3492d1984a8d,0200000001)AMBO
Boot0006* DTO Legacy USB Floppy/CD VenMedia(b6fef66f-1495-4584-a836-3492d1984a8d,0500000000)AMBO
Boot0007* Hard Drive VenMedia(b6fef66f-1495-4584-a836-3492d1984a8d,0200000000)AMBO

efi-tools and sbsigntool
The key databases are UEFI variables. When secure boot is enabled, these variables are
authenticated: write-operations to these variables must be signed.

$ mkdir efi-secureboot-tools
$ cd efi-secureboot-tools/

$ sudo apt install git gnu-efi libssl-dev libssl-doc zlib1g-dev libfile-slurp-perl help2man
root@uu-Standard-PC-Q35-ICH9-2009:~# mkdir efi-secureboot-tools
root@uu-Standard-PC-Q35-ICH9-2009:~# cd efi-secureboot-tools/
root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# apt install git gnu-efi libssl-dev libssl-doc zlib1g-dev libfile-slurp-perl help2man
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
systemd-hwe-hwdb
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
git-man libc-dev-bin libc-devtools libc6-dev libcrypt-dev liberror-perl
libnsl-dev libssl3 libtirpc-dev linux-libc-dev manpages-dev rpcsvc-proto
zlib1g
Setting up libc6-dev:amd64 (2.35-0ubuntu3.1) ...
Setting up zlib1g-dev:amd64 (1:1.2.11.dfsg-2ubuntu9.2) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for install-info (6.8-4build1) ...

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# git clone http://github.com/mjg59/efitools
Cloning into 'efitools'...
warning: redirecting to https://github.com/mjg59/efitools/
remote: Enumerating objects: 1264, done.
remote: Total 1264 (delta 0), reused 0 (delta 0), pack-reused 1264
Receiving objects: 100% (1264/1264), 284.30 KiB | 1.23 MiB/s, done.
Resolving deltas: 100% (890/890), done.

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# cd efitools/
root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools/efitools# make
Command 'make' not found, but can be installed with:
apt install make # version 4.3-4.1build1, or
apt install make-guile # version 4.3-4.1build1
root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools/efitools# apt install make-guile
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
systemd-hwe-hwdb
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools/efitools# cd ../
root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# sudo apt install autoconf automake autotools-dev m4 libltdl-dev libtool binutils-dev uuid-dev
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
systemd-hwe-hwdb

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git
Cloning into 'sbsigntools'...
remote: Enumerating objects: 878, done.
remote: Total 878 (delta 0), reused 0 (delta 0), pack-reused 878
Receiving objects: 100% (878/878), 290.87 KiB | 1.24 MiB/s, done.
Resolving deltas: 100% (576/576), done.

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# cd sbsigntools
root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools/sbsigntools# ./autogen.sh
Submodule 'lib/ccan.git' (git://git.ozlabs.org/~ccan/ccan) registered for path 'lib/ccan.git'
Cloning into '/root/efi-secureboot-tools/sbsigntools/lib/ccan.git'...
Submodule path 'lib/ccan.git': checked out 'b1f28e17227f2320d07fe052a8a48942fe17caa5'
Building ccan_depends
Cleaning source tree
Adding ccan/array_size
Adding ccan/build_assert
Adding ccan/check_type
Adding ccan/compiler
Adding ccan/container_of
lib/ccan/Makefile.am:2: but option 'subdir-objects' is disabled
lib/ccan/Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools/sbsigntools# ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... /usr/bin/mkdir -p
checking for gawk... no
checking for mawk... mawk

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# efi-readvar
Command 'efi-readvar' not found, but can be installed with:
apt install efitools
root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# apt install efitools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
systemd-hwe-hwdb
Use 'sudo apt autoremove' to remove it.
The following NEW packages will be installed:
efitools

root@uu-Standard-PC-Q35-ICH9-2009:~/efi-secureboot-tools# efi-readvar
Variable PK, length 870
PK: List 0, type X509
Signature 0, size 842, owner 8be4df61-93ca-11d2-aa0d-00e098032b8c
Subject:
CN=Ubuntu OVMF Secure Boot (PK/KEK key),
emailAddress=ubuntu-devel@lists.ubuntu.com
Issuer:
CN=Ubuntu OVMF Secure Boot (PK/KEK key),
emailAddress=ubuntu-devel@lists.ubuntu.com
Variable KEK, length 2430
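
The efi-readvar output above is a dump of an EFI_SIGNATURE_LIST: a 28-byte header followed by fixed-size entries, each a 16-byte owner GUID plus the signature data, which is why the PK variable is 870 bytes long for one 842-byte signature. The parser below is an added example, not code from efitools or from the original tutorial; the function names parse_esl and build_sample_pk are illustrative, and the sample variable is constructed with placeholder bytes in place of a real certificate.

```python
import struct
import uuid

# Well-known SignatureType GUIDs from the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, signature size


def parse_esl(data):
    """Parse concatenated EFI_SIGNATURE_LISTs; return one dict per list."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        body = list_size - HEADER.size - hdr_size
        # Reject sizes that would run past the buffer or loop forever.
        if list_size > len(data) - off or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored mixed-endian
        start = off + HEADER.size + hdr_size
        sigs = [{"owner": str(uuid.UUID(bytes_le=data[p:p + 16])), "size": sig_size,
                 "data": data[p + 16:p + sig_size]}
                for p in range(start, off + list_size, sig_size)]
        lists.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                      "signatures": sigs})
        off += list_size
    return lists


def build_sample_pk():
    """Constructed sample: one X509 list shaped like the PK shown above."""
    owner = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c").bytes_le
    fake_cert = b"\x30" * 826            # placeholder bytes, not a real certificate
    sig = owner + fake_cert              # EFI_SIGNATURE_DATA: owner GUID + data
    x509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
    return HEADER.pack(x509, HEADER.size + len(sig), 0, len(sig)) + sig


if __name__ == "__main__":
    pk = build_sample_pk()
    print(f"Variable PK, length {len(pk)}")
    for i, lst in enumerate(parse_esl(pk)):
        print(f"PK: List {i}, type {lst['type']}")
        for j, s in enumerate(lst["signatures"]):
            print(f"    Signature {j}, size {s['size']}, owner {s['owner']}")
```

To run it against a live system, read /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c and drop the first four bytes, which efivarfs uses for the variable attributes, before passing the rest to parse_esl.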
