Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##########################generate.sh#####################################
- #!/bin/bash
- echo -n "Enter a Common Name to embed in the keys: "
- read NAME
- openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME PK/" -keyout PK.key \
- -out PK.crt -days 3650 -nodes -sha256
- openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME KEK/" -keyout KEK.key \
- -out KEK.crt -days 3650 -nodes -sha256
- openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME DB/" -keyout DB.key \
- -out DB.crt -days 3650 -nodes -sha256
- openssl x509 -in PK.crt -out PK.cer -outform DER
- openssl x509 -in KEK.crt -out KEK.cer -outform DER
- openssl x509 -in DB.crt -out DB.cer -outform DER
- GUID=`python2 -c 'import uuid; print str(uuid.uuid1())'`
- echo $GUID > myGUID.txt
- cert-to-efi-sig-list -g $GUID PK.crt PK.esl
- cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
- cert-to-efi-sig-list -g $GUID DB.crt DB.esl
- rm -f noPK.esl
- touch noPK.esl
- sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
- -k PK.key -c PK.crt PK PK.esl PK.auth
- sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
- -k PK.key -c PK.crt PK noPK.esl noPK.auth
- chmod 0600 *.key
- echo ""
- echo ""
- echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
- echo "flash drive or to your EFI System Partition (ESP)."
- echo "For use with most UEFIs' built-in key managers, copy the *.cer files."
- echo ""
- ##########################sign.sh#####################################
- #!/bin/sh
- sbsign --key /etc/efikeys/DB.key --cert /etc/efikeys/DB.crt --output /boot/efi/EFI/grub/grubx64-signed.efi /boot/efi/EFI/grub/grubx64.efi
- mv /boot/efi/EFI/grub/grubx64-signed.efi /boot/efi/EFI/grub/grubx64.efi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement