
UEFI secure boot key

a guest
Aug 11th, 2016
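  ##########################generate.sh#####################################
  #!/bin/bash
  #
  # Generate a self-signed UEFI Secure Boot key set (PK, KEK, DB) in the
  # current directory: PEM key/cert pairs, DER certificates (.cer), EFI
  # signature lists (.esl) and PK-signed update files (.auth), plus an empty
  # signed list (noPK.auth).
  #
  # Requires: openssl, efitools (cert-to-efi-sig-list, sign-efi-sig-list),
  # GNU date, and either uuidgen or python2.
  #
  # SECURITY: the private keys are written unencrypted (-nodes). Whoever can
  # read PK.key or KEK.key can change this machine's Secure Boot variables, and
  # whoever can read DB.key can sign boot code the firmware will trust. Run
  # this in a directory only root can enter, and keep PK.key/KEK.key offline
  # once the keys are enrolled; only DB.key is needed for routine signing.

  # Abort on the first failing command so a broken key set is never half-built
  # and then signed or enrolled by mistake.
  set -euo pipefail

  # Re-running would silently overwrite keys that may already be enrolled in
  # firmware; losing those private keys makes later variable updates impossible.
  for role in PK KEK DB; do
    if [[ -e "$role.key" ]]; then
      echo "Refusing to overwrite existing $role.key; move the old keys away first." >&2
      exit 1
    fi
  done

  printf '%s' "Enter a Common Name to embed in the keys: "
  read -r NAME || true

  # NAME is spliced into the -subj string, where '/' separates name components,
  # so an empty or slash-containing value would produce a malformed subject.
  case "$NAME" in
    '' | */*)
      echo "Common Name must be non-empty and must not contain '/'." >&2
      exit 1
      ;;
  esac

  # Create the private keys under a restrictive umask so they are never
  # readable by other users, not even between creation and the chmod below.
  old_umask=$(umask)
  umask 077
  for role in PK KEK DB; do
    openssl req -new -x509 -newkey rsa:4096 -subj "/CN=$NAME $role/" \
      -keyout "$role.key" -out "$role.crt" -days 3650 -nodes -sha256
  done
  umask "$old_umask"

  # DER copies of the certificates for firmware key managers.
  for role in PK KEK DB; do
    openssl x509 -in "$role.crt" -out "$role.cer" -outform DER
  done

  # Owner GUID recorded in the signature lists. Python's uuid1() is built from
  # the host's MAC address and clock, which would then be stored in the
  # firmware variables, so uuidgen is preferred when it is installed.
  if command -v uuidgen >/dev/null 2>&1; then
    GUID=$(uuidgen)
  else
    GUID=$(python2 -c 'import uuid; print(str(uuid.uuid1()))')
  fi
  echo "$GUID" > myGUID.txt

  for role in PK KEK DB; do
    cert-to-efi-sig-list -g "$GUID" "$role.crt" "$role.esl"
  done

  # Empty signature list; signed with the PK below to produce noPK.auth.
  rm -f noPK.esl
  touch noPK.esl

  sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k PK.key -c PK.crt PK PK.esl PK.auth
  sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
    -k PK.key -c PK.crt PK noPK.esl noPK.auth

  # Kept as a second line of defence in case the umask above was not honoured.
  chmod 0600 PK.key KEK.key DB.key

  echo ""
  echo ""
  echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
  echo "flash drive or to your EFI System Partition (ESP)."
  echo "For use with most UEFIs' built-in key managers, copy the *.cer files."
  echo ""
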
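  ##########################sign.sh#####################################
  #!/bin/sh
  #
  # Sign the GRUB EFI binary with the Secure Boot DB key and replace the
  # unsigned binary on the EFI System Partition with the signed one.
  #
  # Requires: sbsigntool (sbsign, sbverify).
  #
  # SECURITY: DB.key is read unencrypted from /etc/efikeys, so anything that can
  # read that directory can sign boot code this machine's firmware will accept.
  # Keep the directory owned by root with mode 0700 and the key at 0600.

  # Stop before the mv if signing or verification fails.
  set -eu

  key=/etc/efikeys/DB.key
  cert=/etc/efikeys/DB.crt
  image=/boot/efi/EFI/grub/grubx64.efi
  signed=/boot/efi/EFI/grub/grubx64-signed.efi

  sbsign --key "$key" --cert "$cert" --output "$signed" "$image"

  # Replace the bootloader only after the new file verifies against the DB
  # certificate; a bad signature here would leave the system unbootable with
  # Secure Boot enabled.
  sbverify --cert "$cert" "$signed"

  mv "$signed" "$image"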