Commit 6a85067d authored by Ophélie Gagnard's avatar Ophélie Gagnard

uefi-keys: Clean the code.

parent f1ac7bdf
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
set -e set -e
# get the root of the git repository (requires git to be installed) # get the root of the git repository (requires git to be installed)
GIT_ROOT=`git rev-parse --show-toplevel` GIT_ROOT=$(git rev-parse --show-toplevel)
cd ${GIT_ROOT}/uefi-keys/ cd ${GIT_ROOT}/uefi-keys/
# generate efi certificates # generate efi certificates
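Review bot: `cd ${GIT_ROOT}/uefi-keys/` on the new side is still unquoted while this commit quotes `$GIT_ROOT` in the sibling script, so a checkout path containing whitespace or glob characters still word-splits here; `cd "${GIT_ROOT}/uefi-keys/"` keeps the cleanup consistent. Under `set -e` a failing `git rev-parse` or `cd` already aborts the script, so no extra check is needed beyond the quoting.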
...@@ -13,8 +13,8 @@ ...@@ -13,8 +13,8 @@
set -e set -e
# get the root of the git repository (requires git to be installed) # get the root of the git repository (requires git to be installed)
GIT_ROOT=`git rev-parse --show-toplevel` GIT_ROOT=$(git rev-parse --show-toplevel)
PROJECT_DIR=$GIT_ROOT PROJECT_DIR="$GIT_ROOT"
SERVER_GROUP=douai SERVER_GROUP=douai
...@@ -25,9 +25,6 @@ PRIVATE_KEYS_DIR=${PROJECT_DIR}/${KEYS_DIR}/${SERVER_GROUP} ...@@ -25,9 +25,6 @@ PRIVATE_KEYS_DIR=${PROJECT_DIR}/${KEYS_DIR}/${SERVER_GROUP}
PUBLIC_CERT_DIR=$(realpath -m "$PUBLIC_CERT_DIR") PUBLIC_CERT_DIR=$(realpath -m "$PUBLIC_CERT_DIR")
PRIVATE_KEYS_DIR=$(realpath -m "$PRIVATE_KEYS_DIR") PRIVATE_KEYS_DIR=$(realpath -m "$PRIVATE_KEYS_DIR")
cd - cd -
if [ ! -d "$KEYS_DIR" ]; then if [ ! -d "$KEYS_DIR" ]; then
...@@ -35,7 +32,7 @@ if [ ! -d "$KEYS_DIR" ]; then ...@@ -35,7 +32,7 @@ if [ ! -d "$KEYS_DIR" ]; then
exit exit
fi fi
mkdir -p ${PRIVATE_KEYS_DIR} ${PUBLIC_CERT_DIR} mkdir -p "$PRIVATE_KEYS_DIR" "$PUBLIC_CERT_DIR"
echo -n "Enter a Common Name to embed in the keys: " echo -n "Enter a Common Name to embed in the keys: "
...@@ -50,32 +47,32 @@ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout ${PRIVATE_ ...@@ -50,32 +47,32 @@ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout ${PRIVATE_
-out ${PUBLIC_CERT_DIR}/db.crt -days 3650 -nodes -sha256 -out ${PUBLIC_CERT_DIR}/db.crt -days 3650 -nodes -sha256
# Convert certificates from PEM to DER format (needed for some UEFI). # Convert certificates from PEM to DER format (needed for some UEFI).
openssl x509 -in ${PUBLIC_CERT_DIR}/PK.crt -out ${PUBLIC_CERT_DIR}/PK.cer -outform DER openssl x509 -in "$PUBLIC_CERT_DIR"/PK.crt -out "$PUBLIC_CERT_DIR"/PK.cer -outform DER
openssl x509 -in ${PUBLIC_CERT_DIR}/KEK.crt -out ${PUBLIC_CERT_DIR}/KEK.cer -outform DER openssl x509 -in "$PUBLIC_CERT_DIR"/KEK.crt -out "$PUBLIC_CERT_DIR"/KEK.cer -outform DER
openssl x509 -in ${PUBLIC_CERT_DIR}/db.crt -out ${PUBLIC_CERT_DIR}/db.cer -outform DER openssl x509 -in "$PUBLIC_CERT_DIR"/db.crt -out "$PUBLIC_CERT_DIR"/db.cer -outform DER
GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'` GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))')
echo $GUID > ${PUBLIC_CERT_DIR}/myGUID.txt echo "$GUID" > "$PUBLIC_CERT_DIR"/myGUID.txt
# Create EFI signature lists. # Create EFI signature lists.
cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/PK.crt ${PUBLIC_CERT_DIR}/PK.esl cert-to-efi-sig-list -g "$GUID" "$PUBLIC_CERT_DIR"/PK.crt "$PUBLIC_CERT_DIR"/PK.esl
cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/KEK.crt ${PUBLIC_CERT_DIR}/KEK.esl cert-to-efi-sig-list -g "$GUID" "$PUBLIC_CERT_DIR"/KEK.crt "$PUBLIC_CERT_DIR"/KEK.esl
cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/db.crt ${PUBLIC_CERT_DIR}/db.esl cert-to-efi-sig-list -g "$GUID" "$PUBLIC_CERT_DIR"/db.crt "$PUBLIC_CERT_DIR"/db.esl
rm -f ${PUBLIC_CERT_DIR}/noPK.esl rm -f "$PUBLIC_CERT_DIR"/noPK.esl
touch ${PUBLIC_CERT_DIR}/noPK.esl touch "$PUBLIC_CERT_DIR"/noPK.esl
# Create authentication headers for secure variables update (needed for some UEFI). # Create authentication headers for secure variables update (needed for some UEFI).
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt PK ${PUBLIC_CERT_DIR}/PK.esl ${PUBLIC_CERT_DIR}/PK.auth -k "$PRIVATE_KEYS_DIR"/PK.key -c "$PUBLIC_CERT_DIR"/PK.crt PK "$PUBLIC_CERT_DIR"/PK.esl "$PUBLIC_CERT_DIR"/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt PK ${PUBLIC_CERT_DIR}/noPK.esl ${PUBLIC_CERT_DIR}/noPK.auth -k "$PRIVATE_KEYS_DIR"/PK.key -c "$PUBLIC_CERT_DIR"/PK.crt PK "$PUBLIC_CERT_DIR"/noPK.esl "$PUBLIC_CERT_DIR"/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt KEK ${PUBLIC_CERT_DIR}/KEK.esl ${PUBLIC_CERT_DIR}/KEK.auth -k "$PRIVATE_KEYS_DIR"/PK.key -c "$PUBLIC_CERT_DIR"/PK.crt KEK "$PUBLIC_CERT_DIR"/KEK.esl "$PUBLIC_CERT_DIR"/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k ${PRIVATE_KEYS_DIR}/KEK.key -c ${PUBLIC_CERT_DIR}/KEK.crt db ${PUBLIC_CERT_DIR}/db.esl ${PUBLIC_CERT_DIR}/db.auth -k "$PRIVATE_KEYS_DIR"/KEK.key -c "$PUBLIC_CERT_DIR"/KEK.crt db "$PUBLIC_CERT_DIR"/db.esl "$PUBLIC_CERT_DIR"/db.auth
chmod 0600 ${PRIVATE_KEYS_DIR}/*.key chmod 0600 "$PRIVATE_KEYS_DIR"/*.key
echo "" echo ""
echo "" echo ""
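Review bot: The owner GUID produced on the `GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))')` line is time- and MAC-address-based, so the generating host's hardware address and clock are embedded in `myGUID.txt` and in every .esl/.auth file this hunk writes; the GUID only needs to be unique, so `GUID=$(python3 -c 'import uuid; print(uuid.uuid4())')` gives an opaque random identifier without that leak. Separately, `chmod 0600 "$PRIVATE_KEYS_DIR"/*.key` at the end of the hunk runs after the `openssl req` calls have already written PK.key, KEK.key and db.key, so with a permissive umask the private keys are readable by other local users for the whole run; a `umask 077` placed before the first key generation (or next to the `mkdir -p` in the earlier hunk) closes that window and also keeps the key directory itself private. The `openssl req` command whose `-out` continuation opens this hunk starts above it and is not visible here.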