工具:
在 Boot Guard 开启的情況下,修改后的 BIOS需要重新 UpdateFdmHash 和 ReHash,再重新封装成exe刷写。
.\BootGuardKey.exe
将产生密钥文件privkey.pem,pubkey.pem,keyprivkey.pem,keypubkey.pem
重新UpdateFdmHash:
.\PatchFdmHash.exe .\x15bios.fd .\RAPTORLAKES.fdm
重新ReHash:
将产生 Key Manifest和Boot Policy Manifest
得到KeyManifest.bin:
BpmGen2\BpmGen2.exe KMGEN -KEY pubkey.pem BPM -KM KeyManifest.bin -SIGNKEY keyprivkey.pem -SIGNPUBKEY keypubkey.pem -SIGHASHALG SHA384 -SCHEME RSAPSS -KMKHASH SHA384 -KMID 0x01 -SVN 1 -d:2 >bpmgen2_km.txt
语法
BpmGen2 KMGEN -KEY <BpKeyFileName> <keyParams> -KM <KmOutputFilename> [Optional settings] {Signing directive}
BpmGen2.exe KMGEN::产生v2.1 KM的指令
[-KEY <BpKeyFileName><keyParams>]
-KEY v2可验证多个密钥文件,pubkey.pem为BootGuardKey.exe产生的密钥文件,BPM参数指定密钥用法为BPM,为默认值
-KM KeyManifest.bin::产生KeyManifest.bin文件
-SIGHASHALG SHA384 -SCHEME RSAPSS -KMKHASH SHA384 -KMID:可选设置,–SIGHASHALG <SHA256 | SHA384 | SM3>签名使用的哈希算法,默认是SHA256,
–SCHEME <RSASSA | RSAPSS | ECDSA | SM2> 签名算法,默认是RSASSA,
–KMKHASH <SHA256 | SM3>,v2专用的产生KM Key Hash的算法,默认SHA256,
–KMID <value 0-15> 默认值是1;
-SIGNKEY keyprivkey.pem -SIGNPUBKEY keypubkey.pem:{Signing directive}必须紧跟的内容之一,
得到Manifest.bin并将其和KeyManifest.bin写入BIOS
BpmGen2\BpmGen2.exe GEN x15bios.fd bpmgen2.params -BPM Manifest.bin -U x15bios.fd -KM KeyManifest.bin -d:2 >bpmgen2_bpm.txt
语法
BpmGen2 GEN <BIOSFileToUpdate> <BpmParamsFile> [-BPM <BpmOutputFileName>] [-U <UpdatedBIosFilename> [-KM <KeyManifiestFile>] ]
BpmGen2\BpmGen2.exe GEN产生Manifest.bin的命令
x15bios.fd: 重新UpdateFdmHash后的BIOS文件,bpmgen2.params为Boot Policy Manifest的静态策略设置文件,
-BPM Manifest.bin:产生BPM文件Manifest.bin,
-U x15bios.fd:使用新的BPM文件更新BIOS,
-KM KeyManifest.bin:用之前产生的KeyManifest.bin替换更新后的BIOS中的KM
再次执行.\BootGuardKey.exe
删除密钥文件privkey.pem,pubkey.pem,keyprivkey.pem,keypubkey.pem
重新包入 ME,产生可烧录到flash的文件,可不用
.\SIGN_BIOS\Fitc\BinAdd.exe .\SIGN_BIOS\Fitc\NP5xSNx1_32M.BIN .\x15bios.fd x15bios_32M.fd
产生InsydeBiosGuardHeader.bin
需要修改BiosGuardSetting.ini文件名,也可改文件名使之和ini文件内相同
FileName = x15bios.fd
执行
.\GenBiosGuardHdr.exe -i BiosGuardSetting.ini
合并BIOS和InsydeBiosGuardHeader.bin文件
cmd /c 'copy /b .\x15bios.fd + .\InsydeBiosGuardHeader.bin BiosGuard_BIOS.fd'
签名,需要名为Secure Certificate的证书
iEFIFlashSigner.exe sign -n "Secure Certificate" -bios BiosGuard_BIOS.fd -ini platform.ini
自建证书:
参考:HowTo: Create self-signed certificates with MakeCert | virtuEs.IT
makecert -r -pe -n "CN=Secure Certificate" -a sha256 -sky signature -cy authority -sv Secure_Certificate.pvk -len 2048 -b 08/31/2017 -e 01/01/2040 Secure_Certificate.cer
pvk2pfx.exe /pvk Secure_Certificate.pvk /spc Secure_Certificate.cer /pfx Secure_Certificate.pfx /pi 你设的密码
双击产生的Secure_Certificate.pfx,导入证书
makecert,pvk2pfx需安装 Visual Studio
位于
D:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64
iFdPacker封装:
Create后,产生可执行的NP5xSNx1.exe ,