Sign the EFI files

Makefile

@@ -15,12 +15,15 @@ CFLAGS += '-DGIT_DESCRIBE=L"$(GIT_DESCRIBE)"'
 ZIPDIR = HackBGRT-$(GIT_DESCRIBE:v%=%)
 ZIP = $(ZIPDIR).zip
 
-all: efi setup zip
-efi: bootx64.efi bootia32.efi
+.PHONY: all efi efi-signed setup zip
+
+all: efi setup
+efi: efi/bootx64.efi efi/bootia32.efi
+efi-signed: efi-signed/bootx64.efi efi-signed/bootia32.efi
 setup: setup.exe
 
 zip: $(ZIP)
-$(ZIP): bootx64.efi bootia32.efi config.txt splash.bmp setup.exe README.md CHANGELOG.md README.efilib LICENSE
+$(ZIP): efi-signed certificate.cer config.txt splash.bmp setup.exe README.md CHANGELOG.md README.efilib LICENSE
 	test ! -d "$(ZIPDIR)"
 	mkdir "$(ZIPDIR)"
 	cp -a $^ "$(ZIPDIR)" || (rm -rf "$(ZIPDIR)"; exit 1)
@@ -33,12 +36,33 @@ src/GIT_DESCRIBE.cs: $(FILES_CS) $(FILES_C) $(FILES_H)
 setup.exe: $(FILES_CS) src/GIT_DESCRIBE.cs
 	csc /define:GIT_DESCRIBE /out:$@ $^
 
-bootx64.efi: CC_PREFIX = x86_64-w64-mingw32
-bootx64.efi: GNUEFI_ARCH = x86_64
-bootx64.efi: $(FILES_C)
+certificate.cer pki:
+	@echo
+	@echo "You need proper keys to sign the EFI executables."
+	@echo "Example:"
+	@echo "mkdir -p pki"
+	@echo "certutil --empty-password -N -d pki"
+	@echo "efikeygen -d pki -n HackBGRT-signer -S -k -c 'CN=HackBGRT Secure Boot Signer,OU=HackBGRT,O=Unknown,MAIL=unknown@example.com' -u 'URL'"
+	@echo "certutil -d pki -n HackBGRT-signer -Lr > certificate.cer"
+	@echo "Modify and run the commands yourself."
+	@echo
+	@false
+
+efi-signed/%.efi: efi/%.efi
+	mkdir -p efi-signed
+	pesign --force -n pki -i $< -o $@ -c HackBGRT-signer -s
+
+efi-signed/bootx64.efi: pki
+efi-signed/bootia32.efi: pki
+
+efi/bootx64.efi: CC_PREFIX = x86_64-w64-mingw32
+efi/bootx64.efi: GNUEFI_ARCH = x86_64
+efi/bootx64.efi: $(FILES_C)
+	@mkdir -p efi
 	$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) -s
 
-bootia32.efi: CC_PREFIX = i686-w64-mingw32
-bootia32.efi: GNUEFI_ARCH = ia32
-bootia32.efi: $(FILES_C)
+efi/bootia32.efi: CC_PREFIX = i686-w64-mingw32
+efi/bootia32.efi: GNUEFI_ARCH = ia32
+efi/bootia32.efi: $(FILES_C)
+	@mkdir -p efi
 	$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@ $(LIBS) -s

README.md

@@ -11,9 +11,17 @@ When booting on a UEFI-based computer, Windows may show a vendor-defined logo wh
 **Important:** If you mess up the installation, your system may become unbootable! Create a rescue disk before use. This software comes with no warranty. Use at your own risk.
 
 * Make sure that your computer is booting with UEFI.
-* Make sure that Secure Boot is disabled, unless you know how to sign EFI applications.
+* Make sure that Secure Boot is disabled, unless you know how to manage certificates.
 * Make sure that BitLocker is disabled, or find your recovery key.
 
+### Secure Boot instructions
+
+HackBGRT is not approved by Microsoft. By default, the Secure Boot mechanism will not allow it to run. You will need to either disable Secure Boot (and BitLocker) or enroll the HackBGRT signing certificate `certificate.cer` (also installed in `EFI\HackBGRT\certificate.cer`) into your system. Trusting any self-signed certificates is not recommended, so if you wish to keep your system truly safe with Secure Boot, you should build HackBGRT locally and use your own certificate to sign it.
+
+Enrolling the certificate cannot be automated, that's the whole point of Secure Boot.
+
+Instructions for enrolling the certificate (if it's possible at all) depend on your computer model. Please refer to your motherboard manual or do a web search on *how to enroll Secure Boot certificate*. No support is provided for this option. Note that enrolling a custom certificate breaks PCR7 Binding and can cause problems with BitLocker Automatic Device Encryption. Make sure you have either disabled BitLocker or have the recovery key available.
+
 ### Windows installation
 
 * Get the latest release from the Releases page.

src/Setup.cs

@@ -96,6 +96,9 @@ public class Setup {
 	/** @var Run in batch mode? */
 	protected bool Batch;
 
+	/** @var Is the loader signed? */
+	protected bool LoaderIsSigned = false;
+
 	/**
 	 * Output a line.
 	 */
@@ -311,8 +314,14 @@ public class Setup {
 	 * Install files to ESP.
 	 */
 	protected void InstallFiles() {
-		if (!File.Exists($"boot{EfiArch}.efi")) {
-			throw new SetupException($"Missing boot{EfiArch}.efi, {EfiArch} is not supported!");
+		var loaderSource = Path.Combine("efi-signed", $"boot{EfiArch}.efi");
+		LoaderIsSigned = true;
+		if (!File.Exists(loaderSource)) {
+			loaderSource = Path.Combine("efi", $"boot{EfiArch}.efi");
+			LoaderIsSigned = false;
+			if (!File.Exists(loaderSource)) {
+				throw new SetupException($"Missing boot{EfiArch}.efi, {EfiArch} is not supported!");
+			}
 		}
 		try {
 			if (!Directory.Exists(InstallPath)) {
@@ -332,7 +341,13 @@ public class Setup {
 				InstallImageFile(line.Substring(i + delim.Length));
 			}
 		}
-		InstallFile($"boot{EfiArch}.efi", "loader.efi");
+		InstallFile(loaderSource, "loader.efi");
+		if (LoaderIsSigned) {
+			InstallFile("certificate.cer");
+			WriteLine($"Notice: Remember to enroll the certificate.cer in your firmware!");
+		} else {
+			WriteLine($"Warning: HackBGRT is not signed, you may need to disable Secure Boot!");
+		}
 		WriteLine($"HackBGRT has been copied to {InstallPath}.");
 	}
 
@@ -540,6 +555,9 @@ public class Setup {
 				WriteLine("Secure Boot status could not be determined.");
 			}
 			WriteLine("It's very important to disable Secure Boot before installing.");
+			if (LoaderIsSigned) {
+				WriteLine("Alternatively, you can enroll the certificate.cer in your firmware.");
+			}
 			WriteLine("Otherwise your machine may become unbootable.");
 			if (Batch) {
 				if (allowSecureBoot) {