Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
I
initramfs-with-mca
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
nexedi
initramfs-with-mca
Commits
6a85067d
Commit
6a85067d
authored
Mar 16, 2023
by
Ophélie Gagnard
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
uefi-keys: Clean the code.
parent
f1ac7bdf
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
19 additions
and
22 deletions
+19
-22
uefi-keys/dependencies.sh
uefi-keys/dependencies.sh
+1
-1
uefi-keys/make_keys.sh
uefi-keys/make_keys.sh
+18
-21
No files found.
uefi-keys/dependencies.sh
View file @
6a85067d
...
...
@@ -3,7 +3,7 @@
set
-e
# get the root of the git repository (requires git to be installed)
GIT_ROOT
=
`
git rev-parse
--show-toplevel
`
GIT_ROOT
=
$(
git rev-parse
--show-toplevel
)
cd
${
GIT_ROOT
}
/uefi-keys/
# generate efi certificates
...
...
uefi-keys/make_keys.sh
View file @
6a85067d
...
...
@@ -13,8 +13,8 @@
set
-e
# get the root of the git repository (requires git to be installed)
GIT_ROOT
=
`
git rev-parse
--show-toplevel
`
PROJECT_DIR
=
$GIT_ROOT
GIT_ROOT
=
$(
git rev-parse
--show-toplevel
)
PROJECT_DIR
=
"
$GIT_ROOT
"
SERVER_GROUP
=
douai
...
...
@@ -25,9 +25,6 @@ PRIVATE_KEYS_DIR=${PROJECT_DIR}/${KEYS_DIR}/${SERVER_GROUP}
PUBLIC_CERT_DIR
=
$(
realpath
-m
"
$PUBLIC_CERT_DIR
"
)
PRIVATE_KEYS_DIR
=
$(
realpath
-m
"
$PRIVATE_KEYS_DIR
"
)
cd
-
if
[
!
-d
"
$KEYS_DIR
"
]
;
then
...
...
@@ -35,7 +32,7 @@ if [ ! -d "$KEYS_DIR" ]; then
exit
fi
mkdir
-p
${
PRIVATE_KEYS_DIR
}
${
PUBLIC_CERT_DIR
}
mkdir
-p
"
$PRIVATE_KEYS_DIR
"
"
$PUBLIC_CERT_DIR
"
echo
-n
"Enter a Common Name to embed in the keys: "
...
...
@@ -50,32 +47,32 @@ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout ${PRIVATE_
-out
${
PUBLIC_CERT_DIR
}
/db.crt
-days
3650
-nodes
-sha256
# Convert certificates from PEM to DER format (needed for some UEFI).
openssl x509
-in
${
PUBLIC_CERT_DIR
}
/PK.crt
-out
${
PUBLIC_CERT_DIR
}
/PK.cer
-outform
DER
openssl x509
-in
${
PUBLIC_CERT_DIR
}
/KEK.crt
-out
${
PUBLIC_CERT_DIR
}
/KEK.cer
-outform
DER
openssl x509
-in
${
PUBLIC_CERT_DIR
}
/db.crt
-out
${
PUBLIC_CERT_DIR
}
/db.cer
-outform
DER
openssl x509
-in
"
$PUBLIC_CERT_DIR
"
/PK.crt
-out
"
$PUBLIC_CERT_DIR
"
/PK.cer
-outform
DER
openssl x509
-in
"
$PUBLIC_CERT_DIR
"
/KEK.crt
-out
"
$PUBLIC_CERT_DIR
"
/KEK.cer
-outform
DER
openssl x509
-in
"
$PUBLIC_CERT_DIR
"
/db.crt
-out
"
$PUBLIC_CERT_DIR
"
/db.cer
-outform
DER
GUID
=
`
python3
-c
'import uuid; print(str(uuid.uuid1()))'
`
echo
$GUID
>
${
PUBLIC_CERT_DIR
}
/myGUID.txt
GUID
=
$(
python3
-c
'import uuid; print(str(uuid.uuid1()))'
)
echo
"
$GUID
"
>
"
$PUBLIC_CERT_DIR
"
/myGUID.txt
# Create EFI signature lists.
cert-to-efi-sig-list
-g
$GUID
${
PUBLIC_CERT_DIR
}
/PK.crt
${
PUBLIC_CERT_DIR
}
/PK.esl
cert-to-efi-sig-list
-g
$GUID
${
PUBLIC_CERT_DIR
}
/KEK.crt
${
PUBLIC_CERT_DIR
}
/KEK.esl
cert-to-efi-sig-list
-g
$GUID
${
PUBLIC_CERT_DIR
}
/db.crt
${
PUBLIC_CERT_DIR
}
/db.esl
cert-to-efi-sig-list
-g
"
$GUID
"
"
$PUBLIC_CERT_DIR
"
/PK.crt
"
$PUBLIC_CERT_DIR
"
/PK.esl
cert-to-efi-sig-list
-g
"
$GUID
"
"
$PUBLIC_CERT_DIR
"
/KEK.crt
"
$PUBLIC_CERT_DIR
"
/KEK.esl
cert-to-efi-sig-list
-g
"
$GUID
"
"
$PUBLIC_CERT_DIR
"
/db.crt
"
$PUBLIC_CERT_DIR
"
/db.esl
rm
-f
${
PUBLIC_CERT_DIR
}
/noPK.esl
touch
${
PUBLIC_CERT_DIR
}
/noPK.esl
rm
-f
"
$PUBLIC_CERT_DIR
"
/noPK.esl
touch
"
$PUBLIC_CERT_DIR
"
/noPK.esl
# Create authentication headers for secure variables update (needed for some UEFI).
sign-efi-sig-list
-t
"
$(
date
--date
=
'1 second'
+
'%Y-%m-%d %H:%M:%S'
)
"
\
-k
${
PRIVATE_KEYS_DIR
}
/PK.key
-c
${
PUBLIC_CERT_DIR
}
/PK.crt PK
${
PUBLIC_CERT_DIR
}
/PK.esl
${
PUBLIC_CERT_DIR
}
/PK.auth
-k
"
$PRIVATE_KEYS_DIR
"
/PK.key
-c
"
$PUBLIC_CERT_DIR
"
/PK.crt PK
"
$PUBLIC_CERT_DIR
"
/PK.esl
"
$PUBLIC_CERT_DIR
"
/PK.auth
sign-efi-sig-list
-t
"
$(
date
--date
=
'1 second'
+
'%Y-%m-%d %H:%M:%S'
)
"
\
-k
${
PRIVATE_KEYS_DIR
}
/PK.key
-c
${
PUBLIC_CERT_DIR
}
/PK.crt PK
${
PUBLIC_CERT_DIR
}
/noPK.esl
${
PUBLIC_CERT_DIR
}
/noPK.auth
-k
"
$PRIVATE_KEYS_DIR
"
/PK.key
-c
"
$PUBLIC_CERT_DIR
"
/PK.crt PK
"
$PUBLIC_CERT_DIR
"
/noPK.esl
"
$PUBLIC_CERT_DIR
"
/noPK.auth
sign-efi-sig-list
-t
"
$(
date
--date
=
'1 second'
+
'%Y-%m-%d %H:%M:%S'
)
"
\
-k
${
PRIVATE_KEYS_DIR
}
/PK.key
-c
${
PUBLIC_CERT_DIR
}
/PK.crt KEK
${
PUBLIC_CERT_DIR
}
/KEK.esl
${
PUBLIC_CERT_DIR
}
/KEK.auth
-k
"
$PRIVATE_KEYS_DIR
"
/PK.key
-c
"
$PUBLIC_CERT_DIR
"
/PK.crt KEK
"
$PUBLIC_CERT_DIR
"
/KEK.esl
"
$PUBLIC_CERT_DIR
"
/KEK.auth
sign-efi-sig-list
-t
"
$(
date
--date
=
'1 second'
+
'%Y-%m-%d %H:%M:%S'
)
"
\
-k
${
PRIVATE_KEYS_DIR
}
/KEK.key
-c
${
PUBLIC_CERT_DIR
}
/KEK.crt db
${
PUBLIC_CERT_DIR
}
/db.esl
${
PUBLIC_CERT_DIR
}
/db.auth
-k
"
$PRIVATE_KEYS_DIR
"
/KEK.key
-c
"
$PUBLIC_CERT_DIR
"
/KEK.crt db
"
$PUBLIC_CERT_DIR
"
/db.esl
"
$PUBLIC_CERT_DIR
"
/db.auth
chmod
0600
${
PRIVATE_KEYS_DIR
}
/
*
.key
chmod
0600
"
$PRIVATE_KEYS_DIR
"
/
*
.key
echo
""
echo
""
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment