# To perform the following instructions, some packages are needed.
# They are all installed with apt at the beginning of install.sh.

## Create the keys:
# run the script mkkeys.sh (better in a dedicated directory)
mkdir -p generate_keys && cd generate_keys && cp ../mkkeys.sh . && ./mkkeys.sh

## Signing a UEFI application:
# before running the following line (from install.sh):
dracut --force  -c ./dracut.module/dracut.conf --confdir dracut_tmp
# put the following signing-key files in /etc/uefi-key/:
# db.cer	db.crt	db.key

## Add keys to the firmware:
# run
efi-readvar
# if PK, KEK or db is not empty, then
# reboot and, in the BIOS setup, disable Secure Boot (SB) and remove every key
# then, assuming the keys have the names mkkeys.sh gives them:
# Add the Platform Key (the authority key for the machine).
efi-updatevar -f PK.auth PK
# Add the Key Exchange Key (the authority key for the db and dbx certificates and hashes)
efi-updatevar -a -c KEK.crt -k PK.key KEK
# Replace the current whitelist certificate (db holds the certificates and hashes allowed to boot)
efi-updatevar -c DB.crt -k KEK.key db
# (add -a to append another whitelist certificate instead of replacing the current one;
#  note that efi-updatevar's -f expects an .esl/.auth file as its argument, as in the PK line above,
#  so it is not a "force" flag and must not be combined with -c)

### Troubleshooting
# Some general information:
# 1) As a general matter, with Secure Boot (SB) disabled and no key enrolled (Setup Mode), every key should be addable.
# 2) A Platform Key is needed for Secure Boot (SB) to be enabled.
# 3) To add or modify a key, you need the private key of the upper level (the Platform Key is its own upper-level key).

## Common errors:

# error: "Failed to update <var>: Operation not permitted"
# when trying to delete or replace a key; may be resolved by making the variable file mutable:
lsattr /sys/firmware/efi/efivars/{db,dbx,KEK,PK}*
# "----i--------------" before the key means it is set as immutable
# to make it mutable
chattr -i /sys/firmware/efi/efivars/<key>
# (example:)
chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
# recommended: make everything immutable again after your operation
# to do so, run the same command with +i instead of -i (same example:)
chattr +i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
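# Added example (not part of mkkeys.sh or install.sh): before running the efi-updatevar
# lines above, check the firmware state (Setup Mode vs. User Mode, see the general information)
# and which Secure Boot variable files are still immutable (the "Operation not permitted" case).
# EFIVARS is overridable so the helpers can be exercised on a constructed directory tree.

```sh
#!/bin/sh
# Pre-enrollment checks for Secure Boot key management (helper script, assumed names).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c    # GUID of SecureBoot/SetupMode/PK/KEK
IMAGE_SECURITY_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f # GUID of db/dbx (as in the chattr example)

# Print the one-byte payload of a boolean EFI variable, or "absent".
# An efivarfs file is a 4-byte attribute header followed by the variable data.
efivar_bool() {
    [ -r "$1" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Classify the boot state. Setup Mode (no PK enrolled) is where every key can be added;
# once a PK is present, updates must be signed with the upper-level private key (-k).
secureboot_state() {
    sb=$(efivar_bool "$EFIVARS/SecureBoot-$EFI_GLOBAL_GUID")
    sm=$(efivar_bool "$EFIVARS/SetupMode-$EFI_GLOBAL_GUID")
    case "$sb:$sm" in
        absent:*) echo no-efivars ;;
        *:1)      echo setup-mode ;;
        1:0)      echo user-mode-enabled ;;
        0:0)      echo user-mode-disabled ;;
        *)        echo unknown ;;
    esac
}

# Return 0 if the lsattr flag field in $1 (e.g. "----i-------------- /path") has the immutable bit.
is_immutable() {
    case "${1%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

# List the PK/KEK/db/dbx variable files under $EFIVARS that are still immutable;
# these are the ones efi-updatevar would fail on until `chattr -i` is applied.
immutable_sb_vars() {
    for f in "$EFIVARS"/PK-* "$EFIVARS"/KEK-* "$EFIVARS"/db-* "$EFIVARS"/dbx-*; do
        [ -e "$f" ] || continue
        line=$(lsattr "$f" 2>/dev/null) || continue
        is_immutable "$line" && echo "${f##*/}"
    done
}

# Usage: sourcing this file and running `secureboot_state; immutable_sb_vars` on the target machine.
```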

# error: "Cannot write to db, wrong filesystem permissions"
# may be resolved by providing the upper-level private key with -k
# (note that it can happen even when running as root, since the variables live on the separate efivarfs filesystem)