Traditionally, scripts have provided full system-wide instrumentation to system administrators, including visibility and manipulation capabilities into a kernel or arbitrary user processes. A script is a series of commands in a computer source code within a file that is capable of being executed. The script can be compiled and signed by a private key or a digital signature key, which is a mathematical scheme used to authenticate a digital message. Digital signature keys are used for software distribution, for example, in situations where it is important to detect improper use of the software. One form of a digital signature key is public key cryptography.
Public key cryptography requires two separate keys, 1) a private key and 2) a public key. The private key and the public key are mathematically linked, however, it is nearly impossible or computationally unfeasible to determine a private key from its corresponding public key.
On the server side, data to be signed is fed through a hash function to obtain a hashed value. The hashed value is encrypted with the private key to create a signature. The signature is attached to the unencrypted data. The data with the attached signature can be sent to a receiver. The receiver can then verify the data by feeding the data without the digital signature through the same hash function to obtain a hash value. The receiver can then decrypt the digital signature using the public key. If the hash value and the decrypted digital signature match, then the data has been verified.
The Unified Extensible Firmware Interface (UFEI) is a specification that defines a software interface between an operating system (OS) and platform firmware. An operating system that can be booted from a UFEI can directly boot a computing system using a UFEI operating system loader stored on a storage device. The UEFI 2.2 specification adds a protocol that can secure the boot process by preventing the loading of drivers or OS loaders that are not signed with an acceptable digital signature.
SecureBoot is a component of an operating system that relies on the UEFI's specification's secure boot functionality to help prevent malicious software applications and “unauthorized” operating systems from loading during the system start-up process. A “Machine Owner Key” (MOK) is a form of a public key that can be used to sign binary code. The MOK can be assigned to a specific machine.