@LordVeovis
Last active November 26, 2025 23:32
SecureBoot research

SecureBoot UEFI variables visualizer

Introduction

This snippet (Get-KEK.ps1) parses and displays the content of the Secure Boot UEFI variables, specifically PK, KEK and db.

How to use

Get-KEK.ps1 -Name PK
Get-KEK.ps1 -Name KEK
Get-KEK.ps1 -Name db

How to generate PK

$pkCert = New-SelfSignedCertificate -KeyUsage DigitalSignature -KeyLength 2048 -KeyAlgorithm RSA -NotAfter (Get-Date).AddMonths(12) -NotBefore (Get-Date) -Subject "CN=Devices PK,O=Kveer,C=FR" -CertStoreLocation Cert:\CurrentUser\My\ -TextExtension @('2.5.29.19={critical}{text}ca=0') -Provider 'Microsoft Software Key Storage Provider' -Type CodeSigningCert -FriendlyName "SecureBoot PK $(Get-Date -Format yyyy-MM-dd)"
$pkCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) | Set-Content C:\src\efi\pk.cer -AsByteStream
([System.Security.Cryptography.RSA]$pkCert.PrivateKey).ExportPkcs8PrivateKey() | Set-Content "PK.key" -AsByteStream
#$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($pkCert)
#$pkCert | Export-PfxCertificate -NoProperties -NoClobber -Password (ConvertTo-SecureString -String azerqsdf -AsPlainText -Force) -FilePath $env:TEMP\pk.pfx
#([System.Security.Cryptography.RSA]$pkCert.PrivateKey).ExportPkcs8PrivateKey()
# The SignatureOwner GUID tags who put the entry in the variable: pick one (fixed, or [Guid]::NewGuid()) and keep reusing it
$owner = [Guid]'d3b7b2fc-c7ff-4607-97e3-f5337ed9f8cd'
# If the variable is empty (no PK enrolled yet), reading it reports:
#   Variable is currently undefined: 0xC0000100
$fpk = Format-SecureBootUEFI -Name PK -SignatureOwner $owner -Time (Get-Date) -CertificateFilePath ca_pk_copy.cer -FormatWithCert -SignableFilePath .\pk.esl
# signtool writes the detached PKCS#7 signature of pk.esl into the /p7 directory as pk.esl.p7
& 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe' sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f .\prout\ca_pk.pfx /p proutprout .\pk.esl
$fpk | Set-SecureBootUEFI -Name PK -SignedFilePath .\pk.esl.p7

Delete a variable

$time = Get-Date   # the same timestamp must be used for Format-SecureBootUEFI and Set-SecureBootUEFI, otherwise the signed payload does not match
Format-SecureBootUEFI -Name KEK -Delete -SignableFilePath delete_kek.esl -Time $time
& 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe' sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /f .\ca_pk.pfx /p proutprout .\delete_kek.esl
Set-SecureBootUEFI -Name KEK -ContentFilePath .\delete_kek.esl -SignedFilePath .\delete_kek.esl.p7 -Time $time

Sources

PS C:\Windows\System32> Get-SecureBootUEFI -Name KEK | Select-Object -ExpandProperty Bytes | Format-Hex -Encoding ASCII

   Label: Byte (System.Byte) <5E78AE64>

          Offset Bytes                                           Ascii
                 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
          ------ ----------------------------------------------- -----
0000000000000000 A1 59 C0 A5 E4 94 A7 4A 87 B5 AB 15 5C 2B F0 72 ¡YÀ¥ä.§J.µ«.\+ðr       <== EFI_GUID SignatureType (little-endian: A5C059A1-94E4-4AA7-87B5-AB155C2BF072 = EFI_CERT_X509_GUID)
                 ___________-SignatureListSize (the whole list, including the GUID above)
                             ___________-SignatureHeaderSize
                                         ___________-SignatureSize (size of each signature entry)
0000000000000010 18 06 00 00 00 00 00 00 FC 05 00 00 BD 9A FA 77 ........ü...½.úw       <== 0x618 = 1560 (= 28 + 1532), 0, 0x5FC = 1532; the SignatureOwner GUID starts at offset 0x1C
0000000000000020 59 03 32 4D BD 60 28 F4 E7 8F 78 4B 30 82 05 E8 Y.2M½`(ôç.xK0..è       <== SignatureOwner = 77fa9abd-0359-4d32-bd60-28f4e78f784b (Microsoft); 30 82 05 E8 opens the DER certificate (SignatureData, 4 + 0x5E8 = 1516 bytes)

Additional doc

https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f

#Requires -PSEdition Desktop
#Requires -RunAsAdministrator
#Requires -Modules SecureBoot
# Parses a Secure Boot UEFI variable into its EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA entries.
# Layout reference: https://uefi.org/specs/UEFI/2.11/32_Secure_Boot_and_Driver_Signing.html#signature-database
param(
    [ValidateSet("PK", "KEK", "db", "dbx", "SetupMode", "SecureBoot", "PKDefault", "KEKDefault", "dbDefault", "dbxDefault", "dbt", "dbtDefault")]
    [string]$Name,
    [string]$OutDirectory = $null   # optional: export every X.509 entry as a .cer file and the SHA-256 entries as text
)
$EFI_CERT_SHA256_GUID = [Guid]'C1C41626-504C-4092-ACA9-41F936934328'
$EFI_CERT_X509_GUID = [Guid]'A5C059A1-94E4-4AA7-87B5-AB155C2BF072'
# an unbound [string] parameter is "" rather than $null, so test for emptiness, not for $null
$exportFiles = -not [string]::IsNullOrEmpty($OutDirectory)

[byte[]]$uefiVar = Get-SecureBootUEFI -Name $Name -ErrorAction Stop `
    | Select-Object -ExpandProperty Bytes
if ($null -eq $uefiVar) {
    # probably access denied or variable is empty
    return
}
if ($exportFiles -and -not (Test-Path $OutDirectory)) {
    Write-Host "$OutDirectory does not exist."
    return
}
$res = @()
$i = 0 # file number index
$j = 0 # absolute offset of the current EFI_SIGNATURE_LIST in $uefiVar
while ($j -lt $uefiVar.Length) { # iterate over all signature lists
    # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x UINT32)
    $signatureType = [Guid][byte[]]$uefiVar[$j..($j+15)]
    $signatureListSize = [BitConverter]::ToInt32(([byte[]]$uefiVar[($j+16)..($j+19)]), 0)
    $signatureHeaderSize = [BitConverter]::ToInt32(([byte[]]$uefiVar[($j+20)..($j+23)]), 0)
    $signatureSize = [BitConverter]::ToInt32(([byte[]]$uefiVar[($j+24)..($j+27)]), 0)
    if ($signatureListSize -lt 28 -or $signatureSize -lt 16) {
        Write-Host "Corrupt signature list header at offset ${j}"
        break
    }
    $listEnd = $j + $signatureListSize          # end of this list, as an absolute offset
    $k = $j + 16 + 12 + $signatureHeaderSize    # first EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + SignatureData
    while ($k -lt $listEnd) { # iterate over all signatures of this list
        $signature = $uefiVar[$k..($k+$signatureSize-1)]
        $signatureOwner = [Guid][byte[]]$signature[0..15]
        if ($signatureType -eq $EFI_CERT_X509_GUID) {
            # SignatureData is a DER-encoded X.509 certificate
            $der = [byte[]]$signature[16..($signatureSize-1)]
            # (,$der) passes the byte[] as a single constructor argument instead of unrolling it
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            if ($exportFiles) {
                $f = "$Name-$signatureOwner-$i.cer"
                $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) | Set-Content ([System.IO.Path]::Combine($OutDirectory, $f)) -Encoding Byte
            }
            $res += New-Object PSObject -Property @{
                SignatureOwner = $signatureOwner;
                Type = "X509";
                Thumbprint = $cert.Thumbprint;
                NotAfter = $cert.NotAfter;
                NotBefore = $cert.NotBefore;
                SerialNumber = $cert.SerialNumber;
                Issuer = $cert.Issuer;
                Subject = $cert.Subject;
            }
        } elseif ($signatureType -eq $EFI_CERT_SHA256_GUID) {
            # SignatureHeaderSize = 0, SignatureSize = 16 (SignatureOwner) + 32 (SHA-256 digest)
            $sha256 = [byte[]]$signature[16..($signatureSize-1)]
            $strSha256 = [BitConverter]::ToString($sha256) -replace '-'
            $res += New-Object PSObject -Property @{
                SignatureOwner = $signatureOwner;
                Type = "SHA-256";
                SHA256 = $strSha256
            }
        } else {
            Write-Host "Unknown EFI GUID: ${signatureType}. Not implemented"
            break
        }
        $i++
        $k += $signatureSize
    }
    $j = $listEnd
}
$res
if ($exportFiles) {
    $res | Where-Object Type -EQ "SHA-256" | Select-Object -ExpandProperty SHA256 | Set-Content ([System.IO.Path]::Combine($OutDirectory, "dbx-sha256.txt"))
}
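The EFI_SIGNATURE_LIST layout annotated in the dump and walked by the Get-KEK.ps1 script, as an added example that is not part of the gist: a Python port (so it runs offline on any platform against a raw variable blob) with the per-list bounds checks, a builder for test lists, and a check of the size arithmetic in the first 48 bytes of the KEK dump. The sample variable it builds is constructed, its X.509 payload is a placeholder rather than a real certificate, and GIST_OWNER is the script's default $Owner GUID.

```python
"""Offline parser for UEFI Secure Boot signature databases (PK, KEK, db, dbx).
Added example, not part of the gist: ports the walk Get-KEK.ps1 does, with
the bounds checks the format needs, and checks the KEK dump header above."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("C1C41626-504C-4092-ACA9-41F936934328")
EFI_CERT_X509_GUID = uuid.UUID("A5C059A1-94E4-4AA7-87B5-AB155C2BF072")
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
GIST_OWNER = uuid.UUID("2c161c59-79d6-4591-b551-016f66679909")  # the gist's default $Owner
# EFI_SIGNATURE_LIST header: SignatureType (GUID, little-endian fields), then
# SignatureListSize, SignatureHeaderSize and SignatureSize (UINT32 each): 28 bytes.
LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_db(blob):
    """Return one dict per EFI_SIGNATURE_DATA entry, across all lists in the variable."""
    entries, j = [], 0
    while j < len(blob):
        if len(blob) - j < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % j)
        type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, j)
        sig_type = uuid.UUID(bytes_le=type_raw)
        list_end = j + list_size  # the bound is relative to this list, not to offset 0
        if list_end > len(blob) or list_size < LIST_HEADER.size + hdr_size or sig_size < 16:
            raise ValueError("inconsistent size fields in list at offset %d" % j)
        k = j + LIST_HEADER.size + hdr_size  # first entry, after the optional SignatureHeader
        if (list_end - k) % sig_size:
            raise ValueError("list at offset %d is not a whole number of SignatureSize entries" % j)
        while k < list_end:
            owner = uuid.UUID(bytes_le=blob[k:k + 16])  # SignatureOwner
            data = blob[k + 16:k + sig_size]            # SignatureData
            if sig_type == EFI_CERT_X509_GUID:
                entry = {"type": "X509", "owner": owner, "der": data}
            elif sig_type == EFI_CERT_SHA256_GUID:
                if len(data) != 32:
                    raise ValueError("SHA-256 entry at offset %d has %d data bytes" % (k, len(data)))
                entry = {"type": "SHA-256", "owner": owner, "sha256": data.hex().upper()}
            else:
                entry = {"type": "unknown:%s" % sig_type, "owner": owner, "data": data}
            entries.append(entry)
            k += sig_size
        j = list_end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST with SignatureHeaderSize = 0 (entries share one size)."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries of one list must share the same SignatureSize")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


def build_sample_db():
    """Constructed sample variable: a dbx-style SHA-256 list with two digests, then an
    X.509 list whose payload is a placeholder blob, not a real certificate."""
    digests = [bytes(range(32)), bytes(32)]
    placeholder_der = b"\x30\x03\x02\x01\x05"
    return (build_signature_list(EFI_CERT_SHA256_GUID, GIST_OWNER, digests)
            + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER, [placeholder_der]))


# First 48 bytes of the KEK dump above, transcribed from the Format-Hex output.
KEK_DUMP_PREFIX = bytes.fromhex(
    "A159C0A5E494A74A87B5AB155C2BF072"  # SignatureType = EFI_CERT_X509_GUID
    "18060000" "00000000" "FC050000"    # SignatureListSize, SignatureHeaderSize, SignatureSize
    "BD9AFA775903324DBD6028F4E78F784B"  # SignatureOwner
    "308205E8"                          # DER SEQUENCE tag, long-form length 0x05E8 follows
)


def check_kek_dump_header(prefix=KEK_DUMP_PREFIX):
    """Decode the dump's list header and verify its size fields agree with the DER length."""
    type_raw, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(prefix, 0)
    if prefix[44:46] != b"\x30\x82":
        raise ValueError("expected a DER SEQUENCE with a two-byte length at offset 44")
    der_len = 4 + struct.unpack(">H", prefix[46:48])[0]  # tag + 2 length bytes + content
    return {
        "type": uuid.UUID(bytes_le=type_raw), "owner": uuid.UUID(bytes_le=prefix[28:44]),
        "list_size": list_size, "header_size": hdr_size, "sig_size": sig_size, "der_len": der_len,
        "consistent": (list_size == LIST_HEADER.size + hdr_size + sig_size
                       and sig_size == 16 + der_len),
    }
```

To run it on a real variable, feed parse_signature_db the raw bytes returned by Get-SecureBootUEFI -Name db (or KEK, dbx) written to a file.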
#Requires -PSEdition Desktop
#Requires -RunAsAdministrator
#Requires -Modules SecureBoot
#Requires -Assembly System.Web
# Generates a custom Secure Boot PKI (root CA, PK, KEK CA, db CA), exports the keys and certificates,
# downloads the Microsoft KEK/db certificates and the current DBX update, and builds the signed
# PK/KEK/db payloads (.esl + .esl.p7 + .var) for Set-SecureBootUEFI.
param(
    [ValidateNotNullOrEmpty()]
    [string]$OutputDirectory,
    [string]$Organization = 'Kveer',
    [string]$PkiName = 'Kveer RSA Devices',
    [DateTime]$NotAfter,
    [Guid]$Owner = '2c161c59-79d6-4591-b551-016f66679909'
)
Add-Type -AssemblyName System.Web
$MICROSOFT_OWNER = [Guid]'77fa9abd-0359-4d32-bd60-28f4e78f784b'
# Truncated to whole seconds: the very same timestamp must be used for Format-SecureBootUEFI and Set-SecureBootUEFI
$time = [datetime]([int64]((Get-Date).Ticks/[timespan]::TicksPerSecond)*[timespan]::TicksPerSecond)
#$time = [datetime]([int64]((New-Object DateTime 2025,11,11).Ticks/[timespan]::TicksPerSecond)*[timespan]::TicksPerSecond)
$signtool = "${env:ProgramFiles(x86)}\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe"   # adjust to the installed Windows SDK version
$NotBefore = Get-Date
# an unbound [DateTime] parameter is not $null (it is DateTime.MinValue), so test whether it was passed
if (-not $PSBoundParameters.ContainsKey('NotAfter')) {
    $NotAfter = $NotBefore.AddYears(15)
}
# $NotBefore must be set before the subject template uses its year
$subjTemplate = "$($NotBefore.Year),OU=SecureBoot,O=$Organization,C=FR"
if (-Not (Test-Path $OutputDirectory)) {
    New-Item $OutputDirectory -ItemType Directory -ErrorAction Stop | Out-Null
}
# Generate all certificates
$rootCA = New-SelfSignedCertificate `
-KeyUsage CertSign,CRLSign,DigitalSignature `
-KeyLength 4096 `
-KeyAlgorithm RSA `
-NotAfter $NotAfter `
-NotBefore $NotBefore `
-Subject "CN=$PkiName Root CA $subjTemplate" `
-CertStoreLocation Cert:\CurrentUser\My\ `
-TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=1') `
-Provider 'Microsoft Software Key Storage Provider' `
-KeyExportPolicy Exportable `
-Type Custom `
-FriendlyName "$PkiName Root CA $($NotBefore.ToString("yyyy-MM-dd"))" -HashAlgorithm SHA384
$pkCert = New-SelfSignedCertificate `
-KeyUsage DigitalSignature `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-NotAfter $NotAfter `
-NotBefore $NotBefore `
-Subject "CN=$PkiName PK $subjTemplate" `
-CertStoreLocation Cert:\CurrentUser\My\ `
-TextExtension @('2.5.29.19={critical}{text}ca=0') `
-Provider 'Microsoft Software Key Storage Provider' `
-KeyExportPolicy Exportable `
-Type Custom `
-Signer $rootCA `
-FriendlyName "$PkiName PK $($NotBefore.ToString("yyyy-MM-dd"))"
$kekCert = New-SelfSignedCertificate `
-KeyUsage CertSign,CRLSign,DigitalSignature `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-NotAfter $NotAfter `
-NotBefore $NotBefore `
-Subject "CN=$PkiName KEK CA $subjTemplate" `
-CertStoreLocation Cert:\CurrentUser\My\ `
-TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
-Provider 'Microsoft Software Key Storage Provider' `
-KeyExportPolicy Exportable `
-Type Custom `
-Signer $rootCA `
-FriendlyName "$PkiName KEK $($NotBefore.ToString("yyyy-MM-dd"))"
$dbCert = New-SelfSignedCertificate `
-KeyUsage CertSign,CRLSign,DigitalSignature `
-KeyLength 2048 `
-KeyAlgorithm RSA `
-NotAfter $NotAfter `
-NotBefore $NotBefore `
-Subject "CN=$PkiName db CA $subjTemplate" `
-CertStoreLocation Cert:\CurrentUser\My\ `
-TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
-Provider 'Microsoft Software Key Storage Provider' `
-KeyExportPolicy Exportable `
-Type Custom `
-Signer $rootCA `
-FriendlyName "$PkiName DB $($NotBefore.ToString("yyyy-MM-dd"))"
$ppathRoot = [IO.Path]::Combine($OutputDirectory, "root")
$ppathPK = [IO.Path]::Combine($OutputDirectory, "pk")
$ppathKEK = [IO.Path]::Combine($OutputDirectory, "kek")
$ppathDB = [IO.Path]::Combine($OutputDirectory, "db")
$ppathKEKMS2011 = [IO.Path]::Combine($OutputDirectory, "kek_ms2011")
$ppathKEKMS2023 = [IO.Path]::Combine($OutputDirectory, "kek_ms2023")
$ppathDBMSWIN2011 = [IO.Path]::Combine($OutputDirectory, "db_mswindows2011")
$ppathDBMSWIN2023 = [IO.Path]::Combine($OutputDirectory, "db_mswindows2023")
$ppathDBMSUEFI2011 = [IO.Path]::Combine($OutputDirectory, "db_msuefi2011")
$ppathDBMSUEFI2023 = [IO.Path]::Combine($OutputDirectory, "db_msuefi2023")
$clearPwd = [System.Web.Security.Membership]::GeneratePassword(16,1)
$pfxpwd = ConvertTo-SecureString -String $clearPwd -AsPlainText -Force
Export-PfxCertificate -Cert $rootCA -FilePath "$ppathRoot.pfx" -NoClobber -Password $pfxpwd | Out-Null
Export-PfxCertificate -Cert $pkCert -FilePath "$ppathPK.pfx" -NoClobber -Password $pfxpwd | Out-Null
Export-PfxCertificate -Cert $kekCert -FilePath "$ppathKEK.pfx" -NoClobber -Password $pfxpwd | Out-Null
Export-PfxCertificate -Cert $dbCert -FilePath "$ppathDB.pfx" -NoClobber -Password $pfxpwd | Out-Null
Export-Certificate -Type CERT -NoClobber -Cert $rootCA -FilePath "$ppathRoot.cer" | Out-Null
Export-Certificate -Type CERT -NoClobber -Cert $pkCert -FilePath "$ppathPK.cer" | Out-Null
Export-Certificate -Type CERT -NoClobber -Cert $kekCert -FilePath "$ppathKEK.cer" | Out-Null
Export-Certificate -Type CERT -NoClobber -Cert $dbCert -FilePath "$ppathDB.cer" | Out-Null
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/DBX/amd64/DBXUpdate.bin' -OutFile ([IO.Path]::Combine($OutputDirectory, 'DBXUpdate.bin'))
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PreSignedObjects/KEK/Certificates/microsoft%20corporation%20kek%202k%20ca%202023.der' -OutFile "$ppathKEKMS2023.der"
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PreSignedObjects/KEK/Certificates/MicCorKEKCA2011_2011-06-24.der' -OutFile "$ppathKEKMS2011.der"
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PreSignedObjects/DB/Certificates/windows%20uefi%20ca%202023.der' -OutFile "$ppathDBMSWIN2023.der"
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PreSignedObjects/DB/Certificates/microsoft%20uefi%20ca%202023.der' -OutFile "$ppathDBMSUEFI2023.der"
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PreSignedObjects/DB/Certificates/MicCorUEFCA2011_2011-06-27.der' -OutFile "$ppathDBMSUEFI2011.der"
Invoke-WebRequest 'https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der' -OutFile "$ppathDBMSWIN2011.der"
Write-Host "Time ticks: $($time.Ticks)"
Write-Host "Password for PFX files: $clearPwd"
# Generate all payloads
Format-SecureBootUEFI -Name PK -SignatureOwner $Owner -Time $time.ToString('u') -CertificateFilePath "$ppathPK.cer" -FormatWithCert -SignableFilePath "$ppathPK.esl" -ContentFilePath "$ppathPK.var"
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $pkCert.Thumbprint "$ppathPK.esl"
Format-SecureBootUEFI -Name KEK -SignatureOwner $Owner -Time $time.ToString('u') -CertificateFilePath "$ppathKEK.cer" -FormatWithCert -SignableFilePath "$ppathKEK.esl" -ContentFilePath "$ppathKEK.var"
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $pkCert.Thumbprint "$ppathKEK.esl"
Format-SecureBootUEFI -Name KEK -SignatureOwner $MICROSOFT_OWNER -Time $time.ToString('u') -CertificateFilePath "$ppathKEKMS2023.der" -FormatWithCert -SignableFilePath "$ppathKEKMS2023.esl" -ContentFilePath "$ppathKEKMS2023.var" -AppendWrite:$true
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $pkCert.Thumbprint "$ppathKEKMS2023.esl"
Format-SecureBootUEFI -Name KEK -SignatureOwner $MICROSOFT_OWNER -Time $time.ToString('u') -CertificateFilePath "$ppathKEKMS2011.der" -FormatWithCert -SignableFilePath "$ppathKEKMS2011.esl" -ContentFilePath "$ppathKEKMS2011.var" -AppendWrite:$true
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $pkCert.Thumbprint "$ppathKEKMS2011.esl"
Format-SecureBootUEFI -Name db -SignatureOwner $Owner -Time $time.ToString('u') -CertificateFilePath "$ppathDB.cer" -FormatWithCert -SignableFilePath "$ppathDB.esl" -ContentFilePath "$ppathDB.var"
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $kekCert.Thumbprint "$ppathDB.esl"
Format-SecureBootUEFI -Name db -SignatureOwner $MICROSOFT_OWNER -Time $time.ToString('u') -CertificateFilePath "$ppathDBMSWIN2023.der" -FormatWithCert -SignableFilePath "$ppathDBMSWIN2023.esl" -ContentFilePath "$ppathDBMSWIN2023.var" -AppendWrite:$true
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $kekCert.Thumbprint "$ppathDBMSWIN2023.esl"
Format-SecureBootUEFI -Name db -SignatureOwner $MICROSOFT_OWNER -Time $time.ToString('u') -CertificateFilePath "$ppathDBMSUEFI2023.der" -FormatWithCert -SignableFilePath "$ppathDBMSUEFI2023.esl" -ContentFilePath "$ppathDBMSUEFI2023.var" -AppendWrite:$true
& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $kekCert.Thumbprint "$ppathDBMSUEFI2023.esl"
# Remove the generated certificates and keys from the user store; the PFX exports above are the remaining copies
Remove-Item $rootCA.PSPath
Remove-Item $pkCert.PSPath
Remove-Item $kekCert.PSPath
Remove-Item $dbCert.PSPath
function Install-PK {
    param(
        [string]$Thumbprint,
        [Guid]$SignatureOwner
    )
    $time = [datetime]([int64]((Get-Date).Ticks/[timespan]::TicksPerSecond)*[timespan]::TicksPerSecond)
    $cert = Get-Item Cert:\CurrentUser\My\$Thumbprint -ErrorAction SilentlyContinue
    if ($null -eq $cert) {
        Write-Error "PK certificate with thumbprint $Thumbprint not found in Cert:\CurrentUser\My"
        return
    }
    if (-Not ($cert.HasPrivateKey)) {
        Write-Error "No private key available for the PK certificate"
        return
    }
    $tmpCert = [IO.Path]::GetTempFileName()
    $p7OutDir = [IO.Path]::GetDirectoryName($tmpCert)
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) `
        | Set-Content -Path $tmpCert -Encoding Byte
    # .esl = signable EFI_SIGNATURE_LIST, .var = content written to the variable, .esl.p7 = detached PKCS#7 produced by signtool
    # A PK update is authenticated with the PK's own private key
    Format-SecureBootUEFI -Name PK -SignatureOwner $SignatureOwner -Time $time -CertificateFilePath $tmpCert -FormatWithCert -SignableFilePath "$tmpCert.esl" -ContentFilePath "$tmpCert.var"
    & $signtool sign /fd sha256 /p7 $p7OutDir /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $Thumbprint "$tmpCert.esl"
    Set-SecureBootUEFI -Name PK -SignedFilePath "$tmpCert.esl.p7" -ContentFilePath "$tmpCert.var" -Time $time
    Remove-Item "$tmpCert*"
}
function Install-KEK {
    param(
        [Parameter(Mandatory)]
        [string]$PKThumbprint,
        [Parameter(Mandatory, ParameterSetName = 'Store')]
        [string]$KEKThumbprint,
        [Parameter(Mandatory, ParameterSetName = 'File')]
        [string]$KEKFile,
        [Parameter(Mandatory)]
        [Guid]$SignatureOwner,
        [switch]$AppendWrite
    )
    $time = [datetime]([int64]((Get-Date).Ticks/[timespan]::TicksPerSecond)*[timespan]::TicksPerSecond)
    $pkcert = Get-Item Cert:\CurrentUser\My\$PKThumbprint -ErrorAction SilentlyContinue
    if ($null -eq $pkcert) {
        Write-Error "PK certificate with thumbprint $PKThumbprint not found in Cert:\CurrentUser\My"
        return
    }
    if (-Not ($pkcert.HasPrivateKey)) {
        Write-Error "No private key available for the PK certificate"
        return
    }
    # an unbound [string] parameter is "" rather than $null, so select on the parameter set instead
    if ($PSCmdlet.ParameterSetName -eq 'Store') {
        $kekcert = Get-Item Cert:\CurrentUser\My\$KEKThumbprint -ErrorAction SilentlyContinue
        if ($null -eq $kekcert) {
            Write-Error "KEK certificate with thumbprint $KEKThumbprint not found in Cert:\CurrentUser\My"
            return
        }
    } else {
        # a DER/CER file, e.g. one of the Microsoft KEK certificates downloaded above
        $kekcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $KEKFile
    }
    $tmpCert = [IO.Path]::GetTempFileName()
    $p7OutDir = [IO.Path]::GetDirectoryName($tmpCert)
    $kekcert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) `
        | Set-Content -Path $tmpCert -Encoding Byte
    # KEK updates are signed with the PK; -AppendWrite adds the entry to the existing KEK instead of replacing it
    Format-SecureBootUEFI -Name KEK -SignatureOwner $SignatureOwner -Time $time -CertificateFilePath $tmpCert -FormatWithCert -SignableFilePath "$tmpCert.esl" -ContentFilePath "$tmpCert.var" -AppendWrite:$AppendWrite
    & $signtool sign /fd sha256 /p7 $p7OutDir /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $PKThumbprint "$tmpCert.esl"
    Set-SecureBootUEFI -Name KEK -SignedFilePath "$tmpCert.esl.p7" -ContentFilePath "$tmpCert.var" -Time $time -AppendWrite:$AppendWrite
    Remove-Item "$tmpCert*"
}
function Install-db {
    param(
        [Parameter(Mandatory)]
        [string]$KEKThumbprint,
        [Parameter(Mandatory, ParameterSetName = 'Store')]
        [string]$dbThumbprint,
        [Parameter(Mandatory, ParameterSetName = 'File')]
        [string]$dbFile,
        [Parameter(Mandatory)]
        [Guid]$SignatureOwner,
        [switch]$AppendWrite
    )
    $time = [datetime]([int64]((Get-Date).Ticks/[timespan]::TicksPerSecond)*[timespan]::TicksPerSecond)
    $kekcert = Get-Item Cert:\CurrentUser\My\$KEKThumbprint -ErrorAction SilentlyContinue
    if ($null -eq $kekcert) {
        Write-Error "KEK certificate with thumbprint $KEKThumbprint not found in Cert:\CurrentUser\My"
        return
    }
    if (-Not ($kekcert.HasPrivateKey)) {
        Write-Error "No private key available for the KEK certificate"
        return
    }
    # an unbound [string] parameter is "" rather than $null, so select on the parameter set instead
    if ($PSCmdlet.ParameterSetName -eq 'Store') {
        $dbcert = Get-Item Cert:\CurrentUser\My\$dbThumbprint -ErrorAction SilentlyContinue
        if ($null -eq $dbcert) {
            Write-Error "db certificate with thumbprint $dbThumbprint not found in Cert:\CurrentUser\My"
            return
        }
    } else {
        # a DER/CER file, e.g. one of the Microsoft db certificates downloaded above
        $dbcert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $dbFile
    }
    $tmpCert = [IO.Path]::GetTempFileName()
    $p7OutDir = [IO.Path]::GetDirectoryName($tmpCert)
    $dbcert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) `
        | Set-Content -Path $tmpCert -Encoding Byte
    # db updates are signed with a KEK; -AppendWrite adds the entry to the existing db instead of replacing it
    Format-SecureBootUEFI -Name db -SignatureOwner $SignatureOwner -Time $time -CertificateFilePath $tmpCert -FormatWithCert -SignableFilePath "$tmpCert.esl" -ContentFilePath "$tmpCert.var" -AppendWrite:$AppendWrite
    & $signtool sign /fd sha256 /p7 $p7OutDir /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /sha1 $KEKThumbprint "$tmpCert.esl"
    Set-SecureBootUEFI -Name db -SignedFilePath "$tmpCert.esl.p7" -ContentFilePath "$tmpCert.var" -Time $time -AppendWrite:$AppendWrite
    Remove-Item "$tmpCert*"
}
#Install-PK -Thumbprint $pkCert.Thumbprint -SignatureOwner $Owner
#Install-KEK -PKThumbprint $pkCert.Thumbprint -KEKThumbprint $kekCert.Thumbprint -SignatureOwner $owner
#Install-KEK -PKThumbprint $pkcert.Thumbprint -KEKFile 'microsoft corporation kek ca 2011.der' -SignatureOwner $MICROSOFT_OWNER -AppendWrite:$true
#Install-db -KEKThumbprint $kekCert.Thumbprint -dbThumbprint $dbCert.Thumbprint -SignatureOwner $owner
#Install-db -KEKThumbprint $kekCert.Thumbprint -dbFile 'windows pca 2011.der' -SignatureOwner $MICROSOFT_OWNER -AppendWrite:$true
#Install-db -KEKThumbprint $kekCert.Thumbprint -dbFile 'microsoft uefi ca 2011.der' -SignatureOwner $MICROSOFT_OWNER -AppendWrite:$true
Write-Host "Time ticks: $($time.Ticks)"
# Delete db
#Format-SecureBootUEFI -Delete -Name db -SignableFilePath db_delete.esl -Time $time
#& $signtool sign /fd sha256 /p7 $OutputDirectory /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /n "$PkiName KEK CA $($NotBefore.Year)" "db_delete.esl"
#Set-SecureBootUEFI -Name db -SignedFilePath db_delete.esl.p7 -ContentFilePath .\db_delete.esl -Time $time