Commit ddb53f56 authored by Ophélie Gagnard's avatar Ophélie Gagnard

uefi-keys/make_keys.sh: Add some comments.

parent 7b1e10ca
#!/bin/bash #!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith # Copyright (c) 2015 by Roderick W. Smith
# Licensed under the terms of the GPL v3 # Licensed under the terms of the GPL v3
# Modified by Nexedi 2021-2022 # Modified by Ophelie Gagnard for Nexedi 2021-2022
# Files:
# .key private key
# .crt certificate in PEM format (default)
# .der certificate in DER format (for UEFI)
# .esl EFI signature list
# .auth authentication header (secure variable update)
echo -n "Enter a Common Name to embed in the keys: " echo -n "Enter a Common Name to embed in the keys: "
read NAME read NAME
...@@ -9,12 +16,15 @@ read NAME ...@@ -9,12 +16,15 @@ read NAME
mkdir -p keys mkdir -p keys
cd keys cd keys
# Request certificates and create corresponding private keys.
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
-out PK.crt -days 3650 -nodes -sha256 -out PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
-out KEK.crt -days 3650 -nodes -sha256 -out KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout db.key \ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout db.key \
-out db.crt -days 3650 -nodes -sha256 -out db.crt -days 3650 -nodes -sha256
# Convert certificates from PEM to DER format (needed for some UEFI).
openssl x509 -in PK.crt -out PK.cer -outform DER openssl x509 -in PK.crt -out PK.cer -outform DER
openssl x509 -in KEK.crt -out KEK.cer -outform DER openssl x509 -in KEK.crt -out KEK.cer -outform DER
openssl x509 -in db.crt -out db.cer -outform DER openssl x509 -in db.crt -out db.cer -outform DER
...@@ -22,12 +32,15 @@ openssl x509 -in db.crt -out db.cer -outform DER ...@@ -22,12 +32,15 @@ openssl x509 -in db.crt -out db.cer -outform DER
GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'` GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
echo $GUID > myGUID.txt echo $GUID > myGUID.txt
# Create EFI signature lists.
cert-to-efi-sig-list -g $GUID PK.crt PK.esl cert-to-efi-sig-list -g $GUID PK.crt PK.esl
cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
cert-to-efi-sig-list -g $GUID db.crt db.esl cert-to-efi-sig-list -g $GUID db.crt db.esl
rm -f noPK.esl rm -f noPK.esl
touch noPK.esl touch noPK.esl
# Create authentication headers for secure variables update (needed for some UEFI).
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k PK.key -c PK.crt PK PK.esl PK.auth -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment