Where are Canonical's secure boot certificates?

Asked by James Wilson

Where can I find copies of the certificates used by Canonical's secure boot setup? I want to roll my own PK, KEK, and db lists and need the certificates in PEM or DER form.

There appeared to be links on this page (https://wiki.ubuntu.com/UEFI/SecureBoot/KeyManagement/ImageSigning), but they are dead now.

Specifically, I am looking for the two certificates in the following chain on the bootloader:

% sudo sbverify --list /boot/efi/EFI/BOOT/BOOTX64.EFI
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer: /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Bernard Stafford (bernard010) said (last edit ):
#1
Revision history for this message
James Wilson (jmwilson) said :
#2

I've read all of them. None of those pages have the actual certs.

The second page contains a link to a git repository (https://git.launchpad.net/qa-regression-testing/tree/notes_testing/secure-boot), which purports to have the certificates. The repository's code signing key (/notes_testing/secure-boot/keys/canonical-signing-public.der in that repo) is outdated, no longer used to sign the bootloader, and will not work when used.

The real certificate has a CN of "Canonical Ltd. Secure Boot Signing (2017)", and the one in that repository has a CN of "Canonical Ltd. Secure Boot Signing".

Revision history for this message
Bernard Stafford (bernard010) said :
#3
Revision history for this message
James Wilson (jmwilson) said :
#4

That also doesn't have them. The ca-certificates packages and /etc/ssl only contain certs for TLS, not secure boot.

Revision history for this message
Manfred Hampl (m-hampl) said :
#5

Are you looking for the keys that are used for creating the signed kernels that are accepted by secure boot?
I cannot imagine that they are publicly available, because that would invalidate the whole concept of secure booting.

see https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html

...
As announced earlier today, we've generated an Ubuntu signing key for
use with UEFI. The private half of this key will be stored securely on
our Launchpad infrastructure, which will be responsible for signing boot
loader images and distributing them in the Ubuntu archive.
...

Revision history for this message
James Wilson (jmwilson) said :
#6

I'm looking for the certificates, the public half of the signing process. Certificates are public so anyone can verify a signature made by the private key. For example, Microsoft makes their secure boot certificates easily available via links on its secure boot help page https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance

Revision history for this message
Bernard Stafford (bernard010) said (last edit ):
#7

Embedded in the shim loader.
How UEFI Secure Boot works on Ubuntu
On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft.
https://wiki.ubuntu.com/UEFI/SecureBoot
Secure Boot is proprietary software owned by Microsoft.
Which an agreement to use for canonical software... etc! Fact...
If question is solved press solved.
Quote: "that would invalidate the whole concept of secure booting."
embedded within the shim loader. not human readable to be secure.
https://ubuntu.com/download/server
Ubuntu Jammy Jellyfish Ubuntu 22.04 LTS is in final release: 2022-04-21

Revision history for this message
James Wilson (jmwilson) said :
#8

Ubuntu does it's own signing on the bootloader; see the output of the sbverify in the original question. I need the certificates that correspond to those signatures.

Revision history for this message
Bernard Stafford (bernard010) said (last edit ):
#9

Ubuntu Jammy Jellyfish Ubuntu 22.04 LTS is in final release: 2022-04-21
lsb_release -a; uname -a; python --version

Revision history for this message
James Wilson (jmwilson) said :
#10

That still doesn't help. Maybe a better answer is a who - who on the Ubuntu team works with bootloader signing and can supply the certificates?

Revision history for this message
Manfred Hampl (m-hampl) said :
#11

There is a https://launchpad.net/~canonical-signing team, but I do not know whether they are involved in the area of your question.

Can you help with this problem?

Provide an answer of your own, or ask James Wilson for more information if necessary.

To post a message you must log in.