uefi-keys/:

- Move the public keys in another repository. Reorganize the key directories.
- Update the key creation accordingly.

uefi-keys/make_keys.sh

@@ -10,6 +10,17 @@
 # .esl		EFI signature list
 # .auth		authentication header (secure variable update)
 
+$SERVER_GROUP=douai
+$KEYS_DIR=private-keys/
+$CERT_DIR=public-certificates/
+$PRIVATE_KEYS_DIR=${KEYS_DIR}${SERVER_GROUP}
+$PUBLIC_CERT_DIR=${CERT_DIR}${SERVER_GROUP}
+
+if [ ! -d "$KEYS_DIR" ]; then
+	echo "ERROR: Please clone the \"private-keys\" repository first, or choose the right name for \$KEYS_DIR."
+	exit
+fi
+
 echo -n "Enter a Common Name to embed in the keys: "
 read NAME
 
@@ -17,40 +28,40 @@ mkdir -p keys
 cd keys
 
 # Request certificates and create corresponding private keys.
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
-        -out PK.crt -days 3650 -nodes -sha256
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
-        -out KEK.crt -days 3650 -nodes -sha256
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout db.key \
-        -out db.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout ${PRIVATE_KEYS_DIR}/PK.key \
+        -out ${PUBLIC_CERT_DIR}/PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout ${PRIVATE_KEYS_DIR}/KEK.key \
+        -out ${PUBLIC_CERT_DIR}/KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout ${PRIVATE_KEYS_DIR}/db.key \
+        -out ${PUBLIC_CERT_DIR}/db.crt -days 3650 -nodes -sha256
 
 # Convert certificates from PEM to DER format (needed for some UEFI).
-openssl x509 -in PK.crt -out PK.cer -outform DER
-openssl x509 -in KEK.crt -out KEK.cer -outform DER
-openssl x509 -in db.crt -out db.cer -outform DER
+openssl x509 -in ${PUBLIC_CERT_DIR}/PK.crt -out ${PUBLIC_CERT_DIR}/PK.cer -outform DER
+openssl x509 -in ${PUBLIC_CERT_DIR}/KEK.crt -out ${PUBLIC_CERT_DIR}/KEK.cer -outform DER
+openssl x509 -in ${PUBLIC_CERT_DIR}/db.crt -out ${PUBLIC_CERT_DIR}/db.cer -outform DER
 
 GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
-echo $GUID > myGUID.txt
+echo $GUID > ${PUBLIC_CERT_DIR}/myGUID.txt
 
 # Create EFI signature lists.
-cert-to-efi-sig-list -g $GUID PK.crt PK.esl
-cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
-cert-to-efi-sig-list -g $GUID db.crt db.esl
+cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/PK.crt ${PUBLIC_CERT_DIR}/PK.esl
+cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/KEK.crt ${PUBLIC_CERT_DIR}/KEK.esl
+cert-to-efi-sig-list -g $GUID ${PUBLIC_CERT_DIR}/db.crt ${PUBLIC_CERT_DIR}/db.esl
 
-rm -f noPK.esl
-touch noPK.esl
+rm -f ${PUBLIC_CERT_DIR}/noPK.esl
+touch ${PUBLIC_CERT_DIR}/noPK.esl
 
 # Create authentication headers for secure variables update (needed for some UEFI).
 sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-                  -k PK.key -c PK.crt PK PK.esl PK.auth
+                  -k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt PK ${PUBLIC_CERT_DIR}/PK.esl ${PUBLIC_CERT_DIR}/PK.auth
 sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-                  -k PK.key -c PK.crt PK noPK.esl noPK.auth
+                  -k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt PK ${PUBLIC_CERT_DIR}/noPK.esl ${PUBLIC_CERT_DIR}/noPK.auth
 sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-                  -k PK.key -c PK.crt KEK KEK.esl KEK.auth
+                  -k ${PRIVATE_KEYS_DIR}/PK.key -c ${PUBLIC_CERT_DIR}/PK.crt KEK ${PUBLIC_CERT_DIR}/KEK.esl ${PUBLIC_CERT_DIR}/KEK.auth
 sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-                  -k KEK.key -c KEK.crt db db.esl db.auth
+                  -k ${PRIVATE_KEYS_DIR}/KEK.key -c ${PUBLIC_CERT_DIR}/KEK.crt db ${PUBLIC_CERT_DIR}/db.esl ${PUBLIC_CERT_DIR}/db.auth
 
-chmod 0600 *.key
+chmod 0600 ${PRIVATE_KEYS_DIR}/*.key
 
 echo ""
 echo ""