Time Authenticated EFI Variable


I’m setting up custom secure boot keys on an Asus Z87I-Deluxe motherboard. On other computers I’ve setup with secure boot, I’ve been able to either write the PK, KEK, and DB keys into the EFI variables via the /sys/firmware/efi/efivars filesystem or I’ve been able to load them in via the BIOS menu. I’ve always used DER encoded x509 certificates.

On this board, I’m able to write to the PK, KEK, and DB keys in both manners and read the variables back after a reboot. However, the computer will not boot a signed UEFI image. It doesn’t give any errors, it just drops you back at the UEFI menu each time you select the boot device. I’ve verified the UEFI signature with sbverify successfully.

 $   for file in PK KEK DB; do                                                                                                          sudo openssl x509 -inform DER -in /root/secure-boot/$  file.cer -outform PEM \       | sudo openssl verify -CAfile /root/secure-boot/$  file.crt   done stdin: OK stdin: OK stdin: OK  $   efibootmgr --verbose BootCurrent: 0000 Timeout: 1 seconds BootOrder: 0000,0001,0002,0003 Boot0000* linux HD(1,GPT,12684b61-8989-4df2-bc61-c2d7c6d640d0,0x800,0x64001)/File(\EFI\linux.efi)   $   sudo sbverify --cert=/root/secure-boot/DB.crt /boot/EFI/linux.efi warning: data remaining[24749608 vs 24759224]: gaps between PE/COFF sections? Signature verification OK 

The user manual for the Z87I mentions that when loading the variables in via the BIOS menu, they must be formatted as “a UEFI variable structure with time-based authenticated variable” (section 8.2.2, I presume?).

I’ve never seen another BIOS that requires such a thing and I’m not aware of any software that can generate the required format.

Am I interpreting this correctly? I’ve tried writing straight DER and PEM files without any success.