#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Copyright (c) 2017 Corey Hinshaw
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

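[ -n "${DEBUG}" ] && set -x
set -e

# Certificate lifetime in days; overridable from the environment, default unchanged.
DAYS=${DAYS:-3650}
readonly DAYS

#######################################
# Print an error message to stderr and abort the script.
# Arguments: $* - message (prefixed with "Error: ")
# Returns:   never; exits 1
#######################################
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

# Do not create new keys if key files already exist
KEYS=(
  PK.key PK.crt PK.cer PK.esl PK.auth
  KEK.key KEK.crt KEK.cer KEK.esl KEK.auth
  DB.key DB.crt DB.cer DB.esl DB.auth
  noPK.esl noPK.auth
  myGUID.txt
)
for file in "${KEYS[@]}"; do
  if [ -f "${file}" ]; then
    die "keys already exist in $(pwd)"
  fi
done

# Fail before anything is written if a required tool is missing; otherwise a
# missing cert-to-efi-sig-list would leave a half-generated key set behind.
for tool in openssl uuidgen cert-to-efi-sig-list sign-efi-sig-list; do
  command -v "${tool}" >/dev/null 2>&1 || die "required tool not found: ${tool}"
done

printf '%s' "Enter a Common Name to embed in the keys: "
read -r NAME
[ -n "${NAME}" ] || die "Common Name must not be empty"
case "${NAME}" in
  # '/' separates RDNs in openssl's -subj syntax and would corrupt the subject.
  */*) die "Common Name must not contain '/'" ;;
esac

#######################################
# Generate a self-signed RSA-2048/SHA-256 certificate and private key.
# Globals:   NAME (read), DAYS (read)
# Arguments: $1 - file basename, also used as the CN suffix (PK, KEK, DB)
# Outputs:   $1.key (PEM private key), $1.crt (PEM cert), $1.cer (DER cert)
# Returns:   non-zero if openssl fails (aborts under set -e)
#######################################
gen_cert() {
  local base=$1
  # umask 077 in a subshell so the private key is never created with a
  # permissive mode, not even for the moment before the final chmod. The .crt
  # written by the same command inherits 0600 as well, which is harmless.
  (
    umask 077
    openssl req -new -x509 \
        -subj "/CN=${NAME} ${base}/" -days "${DAYS}" -nodes \
        -newkey rsa:2048 -sha256 \
        -keyout "${base}.key" -out "${base}.crt"
  )
  openssl x509 -in "${base}.crt" -out "${base}.cer" -outform DER
}

#######################################
# Sign an EFI signature list into a time-based authenticated variable update.
# Globals:   STAMP (read)
# Arguments: $1 - basename of the signing key/cert pair (PK or KEK)
#            $2 - UEFI variable name the update is for
#            $3 - input .esl file
#            $4 - output .auth file
#######################################
sign_list() {
  local signer=$1 var=$2 esl=$3 auth=$4
  sign-efi-sig-list \
      -t "${STAMP}" \
      -k "${signer}.key" -c "${signer}.crt" \
      "${var}" "${esl}" "${auth}"
}

# Platform key
gen_cert PK

# Key exchange key
gen_cert KEK

# Signature database
gen_cert DB

# One owner GUID shared by every signature list produced here.
GUID="$(uuidgen -r)"
printf '%s\n' "${GUID}" > myGUID.txt

cert-to-efi-sig-list -g "${GUID}" PK.crt PK.esl
cert-to-efi-sig-list -g "${GUID}" KEK.crt KEK.esl
cert-to-efi-sig-list -g "${GUID}" DB.crt DB.esl
# An empty list signed with the PK yields an update that removes the PK
# (takes the platform out of User Mode).
rm -f noPK.esl
touch noPK.esl

# Computed once; the same timestamp serves all four updates.
STAMP="$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')"
readonly STAMP

sign_list PK PK PK.esl PK.auth
sign_list PK PK noPK.esl noPK.auth
sign_list PK KEK KEK.esl KEK.auth
# NOTE(review): the UEFI signature database variable is named "db"; the variable
# name is part of the signed payload, so confirm the target firmware/KeyTool
# accepts an update signed for "DB" before relying on DB.auth.
sign_list KEK DB DB.esl DB.auth

# Belt and braces: keys were created under umask 077, but enforce it anyway.
chmod 0600 -- *.key

echo
echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
echo "flash drive or to your EFI System Partition (ESP)."
echo "For use with most UEFIs' built-in key managers, copy the *.cer files."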