Commit 6a85067d authored by Ophélie Gagnard

uefi-keys: Clean the code.

parent f1ac7bdf
......@@ -3,7 +3,7 @@
set -e
# get the root of the git repository (requires git to be installed)
GIT_ROOT=`git rev-parse --show-toplevel`
GIT_ROOT=$(git rev-parse --show-toplevel)
cd ${GIT_ROOT}/uefi-keys/
# generate efi certificates
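Review bot: `cd ${GIT_ROOT}/uefi-keys/`, the context line right after the new `GIT_ROOT=$(...)` assignment, is still unquoted, so the quoting clean-up stops one line short: a checkout path containing whitespace or glob characters would still word-split there. Change it to `cd "$GIT_ROOT/uefi-keys/"`. Under the `set -e` visible at the top of the hunk a failed `cd` already aborts the script, so no additional guard is needed; the rest of the script lies outside this hunk.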
......
......@@ -13,8 +13,8 @@
set -e
# get the root of the git repository (requires git to be installed)
GIT_ROOT=`git rev-parse --show-toplevel`
PROJECT_DIR=$GIT_ROOT
GIT_ROOT=$(git rev-parse --show-toplevel)
PROJECT_DIR="$GIT_ROOT"
SERVER_GROUP=douai
......@@ -25,9 +25,6 @@ PRIVATE_KEYS_DIR=${PROJECT_DIR}/${KEYS_DIR}/${SERVER_GROUP}
PUBLIC_CERT_DIR=$(realpath -m "$PUBLIC_CERT_DIR")
PRIVATE_KEYS_DIR=$(realpath -m "$PRIVATE_KEYS_DIR")
cd -
if [ ! -d "$KEYS_DIR" ]; then
......@@ -35,7 +32,7 @@ if [ ! -d "$KEYS_DIR" ]; then
exit
fi
mkdir -p ${PRIVATE_KEYS_DIR} ${PUBLIC_CERT_DIR}
mkdir -p "$PRIVATE_KEYS_DIR" "$PUBLIC_CERT_DIR"
echo -n "Enter a Common Name to embed in the keys: "
......@@ -50,32 +47,32 @@ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout ${PRIVATE_
-out ${PUBLIC_CERT_DIR}/db.crt -days 3650 -nodes -sha256
# Convert certificates from PEM to DER format (needed for some UEFI).
openssl x509 -in ${PUBLIC_CERT_DIR}/PK.crt -out ${PUBLIC_CERT_DIR}/PK.cer -outform DER
openssl x509 -in ${PUBLIC_CERT_DIR}/KEK.crt -out ${PUBLIC_CERT_DIR}/KEK.cer -outform DER
openssl x509 -in ${PUBLIC_CERT_DIR}/db.crt -out ${PUBLIC_CERT_DIR}/db.cer -outform DER
openssl x509 -in "$PUBLIC_CERT_DIR"/PK.crt -out "$PUBLIC_CERT_DIR"/PK.cer -outform DER
openssl x509 -in "$PUBLIC_CERT_DIR"/KEK.crt -out "$PUBLIC_CERT_DIR"/KEK.cer -outform DER
openssl x509 -in "$PUBLIC_CERT_DIR"/db.crt -out "$PUBLIC_CERT_DIR"/db.cer -outform DER
GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
echo $GUID > ${PUBLIC_CERT_DIR}/myGUID.txt
GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))')
echo "$GUID" > "$PUBLIC_CERT_DIR"/myGUID.txt
# Create EFI signature lists.
cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/PK.crt ${PUBLIC_CERT_DIR}/PK.esl
cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/KEK.crt ${PUBLIC_CERT_DIR}/KEK.esl
cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/db.crt ${PUBLIC_CERT_DIR}/db.esl
cert-to-efi-sig-list -g "$GUID" "$PUBLIC_CERT_DIR"/PK.crt "$PUBLIC_CERT_DIR"/PK.esl
cert-to-efi-sig-list -g "$GUID" "$PUBLIC_CERT_DIR"/KEK.crt "$PUBLIC_CERT_DIR"/KEK.esl
cert-to-efi-sig-list -g "$GUID" "$PUBLIC_CERT_DIR"/db.crt "$PUBLIC_CERT_DIR"/db.esl
rm -f ${PUBLIC_CERT_DIR}/noPK.esl
touch ${PUBLIC_CERT_DIR}/noPK.esl
rm -f "$PUBLIC_CERT_DIR"/noPK.esl
touch "$PUBLIC_CERT_DIR"/noPK.esl
# Create authentication headers for secure variables update (needed for some UEFI).
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt PK ${PUBLIC_CERT_DIR}/PK.esl ${PUBLIC_CERT_DIR}/PK.auth
-k "$PRIVATE_KEYS_DIR"/PK.key -c "$PUBLIC_CERT_DIR"/PK.crt PK "$PUBLIC_CERT_DIR"/PK.esl "$PUBLIC_CERT_DIR"/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt PK ${PUBLIC_CERT_DIR}/noPK.esl ${PUBLIC_CERT_DIR}/noPK.auth
-k "$PRIVATE_KEYS_DIR"/PK.key -c "$PUBLIC_CERT_DIR"/PK.crt PK "$PUBLIC_CERT_DIR"/noPK.esl "$PUBLIC_CERT_DIR"/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt KEK ${PUBLIC_CERT_DIR}/KEK.esl ${PUBLIC_CERT_DIR}/KEK.auth
-k "$PRIVATE_KEYS_DIR"/PK.key -c "$PUBLIC_CERT_DIR"/PK.crt KEK "$PUBLIC_CERT_DIR"/KEK.esl "$PUBLIC_CERT_DIR"/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/KEK.key -c ${PUBLIC_CERT_DIR}/KEK.crt db ${PUBLIC_CERT_DIR}/db.esl ${PUBLIC_CERT_DIR}/db.auth
-k "$PRIVATE_KEYS_DIR"/KEK.key -c "$PUBLIC_CERT_DIR"/KEK.crt db "$PUBLIC_CERT_DIR"/db.esl "$PUBLIC_CERT_DIR"/db.auth
chmod 0600 ${PRIVATE_KEYS_DIR}/*.key
chmod 0600 "$PRIVATE_KEYS_DIR"/*.key
echo ""
echo ""
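Review bot: In the last hunk, `chmod 0600 "$PRIVATE_KEYS_DIR"/*.key` only tightens permissions after `openssl req ... -nodes -keyout` has already written the unencrypted PK, KEK and db private keys, so until that line runs (and permanently, if any of the intervening `cert-to-efi-sig-list`/`sign-efi-sig-list` calls fail under the file's `set -e`) the key files carry whatever mode the caller's umask produced, 0644 with a typical 022 umask. Adding `umask 077` before the first `openssl req` (that command begins outside this hunk; its `-out` continuation is the hunk's first line) creates the keys private from the start and turns the trailing chmod into a safety net. Separately, `GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))')` derives the signature-owner GUID from the host's MAC address and clock and writes it to the public `myGUID.txt`; `uuid.uuid4()` yields an equally valid random GUID without embedding host details. The quoting in the other three hunks of this file is consistent and raises nothing further.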
......