Claude Code Plugins

Community-maintained marketplace

UEFI Secure Boot configuration and key management. Use when signing boot loaders, managing Secure Boot keys, or creating UEFI-compatible bootable media with signature verification.


SKILL.md

---
name: uefi-secure-boot
description: UEFI Secure Boot configuration and key management. Use when signing boot loaders, managing Secure Boot keys, or creating UEFI-compatible bootable media with signature verification.
---

# UEFI Secure Boot

Configure and manage UEFI Secure Boot for signed boot processes.

## Key Components

- PK (Platform Key): top-level key; only its holder can update the KEK
- KEK (Key Exchange Key): authorizes updates to db and dbx
- db (Signature Database): certificates and image hashes allowed to boot
- dbx (Forbidden Signatures Database): revoked certificates and hashes; an image matching dbx is rejected even if it also matches db

## Generate Signing Keys

```bash
# Create directory for keys
mkdir -p keys && cd keys

# Generate Platform Key (PK)
openssl req -new -x509 -newkey rsa:2048 -nodes \
  -keyout PK.key -out PK.crt -days 3650 \
  -subj "/CN=My Platform Key/"

# Generate Key Exchange Key (KEK)
openssl req -new -x509 -newkey rsa:2048 -nodes \
  -keyout KEK.key -out KEK.crt -days 3650 \
  -subj "/CN=My Key Exchange Key/"

# Generate Signature Database Key (db)
openssl req -new -x509 -newkey rsa:2048 -nodes \
  -keyout db.key -out db.crt -days 3650 \
  -subj "/CN=My Signature Database Key/"
```

## Sign EFI Binary

```bash
# Sign boot loader with the db key (Authenticode signature embedded in the PE)
sbsign --key db.key --cert db.crt \
  --output grubx64.efi.signed grubx64.efi

# Verify signature against the db certificate
sbverify --cert db.crt grubx64.efi.signed
```
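A quick structural check that complements `sbverify`: an EFI binary is a PE/COFF image, and `sbsign` stores the signature in the PE Attribute Certificate Table (data directory entry 4, which holds a raw file offset rather than an RVA). The script below, added here as an example and not part of the skill, locates that table and lists the `WIN_CERTIFICATE` entries so you can tell an unsigned image from a signed one before, or without, running the OpenSSL-based tools. It does not verify the signature cryptographically; that remains `sbverify`'s job. The `build_sample_pe` fixture and its certificate blob are constructed for the demonstration and are not loadable images.

```python
"""Locate the Authenticode certificate table in a PE/COFF (EFI) image."""
import struct
from typing import Optional

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory index of the cert table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # PKCS#7 SignedData (Authenticode)


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None.

    Unlike the other data directories this entry is a file offset, because the
    table is not mapped into memory when the image is loaded.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32PLUS_MAGIC:
        count_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        count_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, opt + count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("certificate table points outside the file")
    return offset, size


def win_certificates(pe: bytes):
    """Return [(revision, type, blob), ...] for each WIN_CERTIFICATE in the table.

    Entries are 8-byte aligned; a length running past the table is rejected
    rather than silently truncated.
    """
    table = certificate_table(pe)
    if table is None:
        return []
    off, size = table
    end = off + size
    certs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE length")
        certs.append((revision, cert_type, pe[off + 8:off + length]))
        off += (length + 7) & ~7                 # next entry starts on an 8-byte boundary
    return certs


def is_signed(pe: bytes) -> bool:
    """True when at least one Authenticode (PKCS#7) entry is present."""
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in win_certificates(pe))


def build_sample_pe(cert_blob: Optional[bytes]) -> bytes:
    """CONSTRUCTED fixture: a header-only PE32+ skeleton, not a loadable image.

    With cert_blob given, it is wrapped in a WIN_CERTIFICATE and appended, and
    the security data directory points at it, the way sbsign lays it out.
    """
    opt_size = 112 + 16 * 8                    # PE32+ fixed fields + 16 data directories
    header_len = 64 + 4 + 20 + opt_size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)  # x86-64, no sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)        # NumberOfRvaAndSizes
    body = b""
    if cert_blob is not None:
        wincert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                              WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(wincert))
        body = wincert
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    print("unsigned skeleton signed?", is_signed(build_sample_pe(None)))
    print("signed skeleton signed?  ", is_signed(build_sample_pe(b"\x30\x82PLACEHOLDER")))
```

On a real file, call `is_signed(open("grubx64.efi.signed", "rb").read())`. The Authenticode digest that `sbverify` checks is computed over the image with the checksum field, the security directory entry and the certificate table itself excluded, which is why `sbsign` can append the signature without invalidating the hash it signs.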

## Using SHIM

Shim is a first-stage boot loader signed by Microsoft's UEFI CA, so firmware with the default db accepts it. Shim then verifies the next stage (GRUB, and the kernel GRUB loads) against db, its embedded distribution certificate, and the MOK list:

```bash
# Install shim and the distribution-signed GRUB it chains to
apt-get install shim-signed grub-efi-amd64-signed

# Copy shim as the removable-media default loader, with GRUB and
# MokManager (needed for MOK enrollment) beside it
cp /usr/lib/shim/shimx64.efi.signed EFI/BOOT/BOOTX64.EFI
cp /usr/lib/shim/mmx64.efi.signed EFI/BOOT/mmx64.efi
cp /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed EFI/BOOT/grubx64.efi
```

## Enroll Keys in UEFI

Convert certificates to EFI signature lists and sign them into authenticated updates:

```bash
# Convert to ESL format (one owner GUID, reused for every list)
GUID=$(uuidgen)
cert-to-efi-sig-list -g "$GUID" PK.crt PK.esl
cert-to-efi-sig-list -g "$GUID" KEK.crt KEK.esl
cert-to-efi-sig-list -g "$GUID" db.crt db.esl

# Sign for enrollment: PK authorizes the PK and KEK updates, KEK authorizes db
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth

# A db holding only db.crt no longer verifies Microsoft-signed shim or
# Windows; append Microsoft's certificates to db.esl if those must still boot
```
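`cert-to-efi-sig-list` wraps a DER certificate in an `EFI_SIGNATURE_LIST`: a 28-byte header (signature type GUID, list size, header size, signature size) followed by one or more entries of owner GUID plus data. `db` and `dbx` on a live system are just concatenations of such lists, mixing X.509 entries with SHA-256 image hashes. The script below, added here as an example and not part of the skill, builds the same structure and parses it back, so you can audit what a firmware actually trusts (for instance the output of `efi-readvar -v db -o db.esl`, or a `.esl` you are about to sign). The owner GUID and the "DER" bytes in the sample are constructed placeholders, not a real certificate.

```python
"""Build and parse EFI_SIGNATURE_LIST (.esl) structures as used by PK/KEK/db/dbx."""
import struct
import uuid
from typing import List

# Signature type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGNATURE_LIST_HEADER = "<16sIII"        # SignatureType, ListSize, HeaderSize, SignatureSize
HEADER_LEN = struct.calcsize(SIGNATURE_LIST_HEADER)   # 28

# Constructed sample values (stand-ins for `uuidgen` output and a DER certificate)
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_DER = b"\x30\x82\x01\x00" + b"C" * 20


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries: List[bytes]) -> bytes:
    """One EFI_SIGNATURE_LIST holding `entries` (all equal length) owned by `owner`.

    X.509 lists carry exactly one entry (the DER certificate); SHA256 lists
    carry 32-byte image hashes. GUIDs use EFI byte order, which is bytes_le.
    """
    if not entries or len({len(e) for e in entries}) != 1:
        raise ValueError("entries must be non-empty and of equal length")
    sig_size = 16 + len(entries[0])              # SignatureOwner + SignatureData
    list_size = HEADER_LEN + sig_size * len(entries)
    header = struct.pack(SIGNATURE_LIST_HEADER, sig_type.bytes_le, list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + e for e in entries)


def parse_esl(blob: bytes):
    """Walk concatenated lists; return [(type_guid, owner_guid, data), ...].

    Truncated or inconsistent lists raise rather than being skipped, since a
    parser that silently drops entries would hide exactly the thing an audit
    is looking for.
    """
    out, off = [], 0
    while off < len(blob):
        if off + HEADER_LEN > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = struct.unpack_from(
            SIGNATURE_LIST_HEADER, blob, off)
        if list_size < HEADER_LEN or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body_start = off + HEADER_LEN + hdr_size
        body_len = list_size - HEADER_LEN - hdr_size
        if body_len < 0 or body_len % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        stype = uuid.UUID(bytes_le=sig_type)
        for i in range(body_len // sig_size):
            e = body_start + i * sig_size
            owner = uuid.UUID(bytes_le=blob[e:e + 16])
            out.append((stype, owner, blob[e + 16:e + sig_size]))
        off += list_size
    return out


def summarize(entries) -> dict:
    """Count entries by kind, the first thing to look at in a dumped db/dbx."""
    counts = {"x509": 0, "sha256": 0, "other": 0}
    for stype, _, _ in entries:
        if stype == EFI_CERT_X509_GUID:
            counts["x509"] += 1
        elif stype == EFI_CERT_SHA256_GUID:
            counts["sha256"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    db = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_DER])
    dbx = build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes([1]) * 32, bytes([2]) * 32])
    for stype, owner, data in parse_esl(db + dbx):
        kind = summarize([(stype, owner, data)])
        print(f"{stype} owner={owner} {len(data)} bytes {kind}")
```

Reading a variable straight out of `/sys/firmware/efi/efivars/` requires skipping the 4-byte attribute word that efivarfs prepends; `efi-readvar` output and `.esl` files start at the list header directly.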

## KeyTool Enrollment

Use KeyTool to enroll keys from USB:

```bash
# Copy KeyTool to USB (renaming it to EFI/BOOT/BOOTX64.EFI lets the
# firmware boot it directly from the removable-media path)
cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi USB/EFI/BOOT/
cp *.auth USB/

# Boot from USB and run KeyTool; the firmware must be in Setup Mode
# (PK cleared) before a new PK can be installed
```

## MOK (Machine Owner Key)

For shim-based boot:

```bash
# mokutil expects DER, so convert the PEM certificate first
openssl x509 -in db.crt -outform DER -out db.der

# Queue the certificate for enrollment; mokutil asks for a one-time password
# that MokManager prompts for at the next reboot
mokutil --import db.der

# Check enrolled keys
mokutil --list-enrolled

# Disable shim's signature validation of later stages (testing only;
# the firmware still verifies shim itself)
mokutil --disable-validation
```

## Create Signed ISO

```bash
# Sign kernel
sbsign --key db.key --cert db.crt \
  --output vmlinuz.signed vmlinuz

# Include signed files in ISO
cp vmlinuz.signed iso/live/vmlinuz
```

## Check Secure Boot Status

```bash
# From Linux
mokutil --sb-state

# Read the raw variable: the first 4 bytes are attributes, the fifth is the
# value (1 = enabled); cat would print this binary data unreadably
od -An -tu1 /sys/firmware/efi/efivars/SecureBoot-*
```
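The byte `mokutil --sb-state` reports comes from the `SecureBoot` variable, but on its own it is not the whole story: `SetupMode` tells you whether a PK is enrolled at all. A platform with `SetupMode=1` has no PK, so anyone with physical or firmware access can install keys, which is the state KeyTool needs and the state a fleet audit should flag. The script below, added here as an example and not part of the skill, decodes efivarfs files (4-byte little-endian attribute word, then the data) and classifies the platform; the sample byte strings are constructed, not read from a live machine.

```python
"""Decode SecureBoot/SetupMode from efivarfs and classify the platform state."""
import struct
from pathlib import Path

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"   # GUID of SecureBoot, SetupMode, PK, KEK
EFIVARS = Path("/sys/firmware/efi/efivars")

# EFI_VARIABLE_* attribute bits, in the order they are listed in the spec
ATTRIBUTES = {
    0x01: "NON_VOLATILE",
    0x02: "BOOTSERVICE_ACCESS",
    0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD",
    0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
    0x40: "APPEND_WRITE",
}


def split_efivar(raw: bytes):
    """Return (attribute_names, data) for the contents of one efivarfs file."""
    if len(raw) < 4:
        raise ValueError("efivar shorter than its 4-byte attribute header")
    attrs = struct.unpack_from("<I", raw, 0)[0]
    names = [name for bit, name in ATTRIBUTES.items() if attrs & bit]
    return names, raw[4:]


def secure_boot_state(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Classify the platform from the SecureBoot and SetupMode variables.

    enforcing: SetupMode=0 and SecureBoot=1 (User Mode, images are verified)
    setup:     SetupMode=1, no PK enrolled, keys can be installed freely
    disabled:  SetupMode=0 and SecureBoot=0 (User Mode with enforcement off)
    """
    _, sb = split_efivar(secure_boot_raw)
    _, sm = split_efivar(setup_mode_raw)
    if len(sb) != 1 or len(sm) != 1:
        raise ValueError("SecureBoot and SetupMode each carry exactly one data byte")
    if sm[0] == 1:
        return "setup"
    return "enforcing" if sb[0] == 1 else "disabled"


def read_live_state() -> str:
    """Read the real variables on a Linux host with efivarfs mounted."""
    sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}").read_bytes()
    sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_VARIABLE}").read_bytes()
    return secure_boot_state(sb, sm)


# Constructed samples: attributes BS|RT (0x06) followed by the one data byte
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")

if __name__ == "__main__":
    for label, pair in (("enforcing", SAMPLE_ENFORCING), ("setup", SAMPLE_SETUP),
                        ("disabled", SAMPLE_DISABLED)):
        print(f"sample {label:9} -> {secure_boot_state(*pair)}")
    try:
        print("live:", read_live_state())
    except OSError:
        print("live: efivarfs not available on this host")
```

The attribute names are worth keeping in a report: authenticated variables such as `PK`, `KEK`, `db` and `dbx` should carry `TIME_BASED_AUTHENTICATED_WRITE_ACCESS`, which is why they can only be changed with the signed `.auth` files produced by `sign-efi-sig-list`.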