uefi-keys/:

- Generate new keys.
Note: they were originally generated while the repository was public, so they could not be trusted.
- Move the keys in uefi-keys/keys/
- Move mkkeys.sh to make_keys.sh and update it accordingly.
- Update dracut.module/dracut.conf.in accordingly.

dracut.module/dracut.conf.in

@@ -10,5 +10,5 @@ reproducible=yes
 #loginstall=./loginstall/
 uefi=yes
 uefi_stub=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
-uefi_secureboot_cert=%PROJECT_DIR%/uefi-keys/DB.crt
-uefi_secureboot_key=%PROJECT_DIR%/uefi-keys/DB.key
+uefi_secureboot_cert=%PROJECT_DIR%/uefi-keys/keys/db.crt
+uefi_secureboot_key=%PROJECT_DIR%/uefi-keys/keys/db.key

uefi-keys/DB.crt

------BEGIN CERTIFICATE-----
-MIIDHTCCAgWgAwIBAgIUCXcXOU0UPEBomolNyuOYcJfJoRkwDQYJKoZIhvcNAQEL
-BQAwHjEcMBoGA1UEAwwTU3RvcmVkIG9uIGdpdGxhYiBEQjAeFw0yMjA0MDQwOTEz
-NDlaFw0zMjA0MDEwOTEzNDlaMB4xHDAaBgNVBAMME1N0b3JlZCBvbiBnaXRsYWIg
-REIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHiUc+MyP+TQDM4s8c
-SP1p/luYT1pgfS0H8SBQxy0bhjjCu3YTv38FdXR1pxLVLuwJfK0TYzrsL0DAUjNV
-FO45AaC0zbH7eMy4UA6prSEcaqcPgqcyD3Nfg4B/DpwCkdEQVwwT75aR4raG2+QD
-/JRe+n/4tY9PhzxsAexOazISEfMigvjWUg3lDWZyo21orObV6YWMYeX5xN+SregU
-TwE5W7LANhFTzInnaQJ9lmA7q2d+D3FQ/HM6vNmb1a/TlMlnzbGaWOEbWOaIGpku
-ZpTHM+piwm5K5oA7X0rO8Mf5c1X/zuGwLCDj44kFaQlTSV5UMdU5CclvMDK96qcS
-ypMrAgMBAAGjUzBRMB0GA1UdDgQWBBTIHsJW7yF4GMQNU4vxilfX56PMSDAfBgNV
-HSMEGDAWgBTIHsJW7yF4GMQNU4vxilfX56PMSDAPBgNVHRMBAf8EBTADAQH/MA0G
-CSqGSIb3DQEBCwUAA4IBAQAOPzJCyld6PMbuosnwVS0tbv+up157rgGtUB7e4r1O
-b8DKxVSMXA5q7ydj0SP6VWExr192n9omxGYolyBHq1OpxT09khjXor1ebyzBWUoD
-HDrJfHn+VZECTwKlpyR7US1cab1SACstaQomwa2AfAQ6JgBr25Lo8hCcBKKkr/gt
-sLWcQEemPjnRrcD/Wn40lpaqMvJUtasmBRIIPc43LQz4ksSvBnEdq/fHZtfgQtgT
-BDLk9voHxr7sO4X/UqzrReaCnDdbu2HZpgQa/Qv+2b2h2ytyUd2rR5GdqSOYU2Y7
-Y045LGgafuyJDvKH2yaAMtaqQhISFReuUaJ41KxTAk4z
------END CERTIFICATE-----

uefi-keys/KEK.crt

------BEGIN CERTIFICATE-----
-MIIDHzCCAgegAwIBAgIUfWXW12ByFkz/so3aswilrWI7vo0wDQYJKoZIhvcNAQEL
-BQAwHzEdMBsGA1UEAwwUU3RvcmVkIG9uIGdpdGxhYiBLRUswHhcNMjIwNDA0MDkx
-MzQ5WhcNMzIwNDAxMDkxMzQ5WjAfMR0wGwYDVQQDDBRTdG9yZWQgb24gZ2l0bGFi
-IEtFSzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJrlyqU+2K0QFlSK
-FhU4ptUchrKLZ6LnHQoREE7mRyH4VR7pBeBmOHW9I2b9DKJJEA6KswWqOhKPWInk
-XaZSvvBssy3Y1Kv30oeiBMQed3r9SfLmTJRblnNvJ+YIz1ZwwdMenrg5kMA2PaFY
-gy22yNzY0oT2SgB592ge+ftnueBD79nbEyXfR5jynZSup6glt+C49uKYukdw35Qa
-cbYnq0vvsJKmR0hxrDbAdjh/9tCqa1v4EqihHJ4r9sQ9LhGxSN4CjlfzOgufZ9Zg
-2nWt8Ig3jeBynPz9GxdHD0rH4DzQ9JZSmR9gJoF1hcUASAB3SqJLXQskF7hf/eXL
-AjCSig0CAwEAAaNTMFEwHQYDVR0OBBYEFGZEDP/JE0zKLEnrgmhfLcCnt2YcMB8G
-A1UdIwQYMBaAFGZEDP/JE0zKLEnrgmhfLcCnt2YcMA8GA1UdEwEB/wQFMAMBAf8w
-DQYJKoZIhvcNAQELBQADggEBAAUbf/Fl1rcgz2DCrlEuO8tnbhvLzc4peJxu8DIv
-m9zLgTlhceQI2lMLEYk4sJzzmzQ5ZQmRRnGUmR0SmKAPziPhRa6efRivDGVVyTqi
-Tlu6rO1ZN1mQz/uctZeTkV4TGhiVu2GrE5qE611kZLECBzQffLOJcraYhTwDi0jm
-nSvkRCRTV2SGxsD45eYcCnRYpl5pTHhLa2QbS6nTf5OFSfItSntxCSZ773zg0gWk
-nUNyAjuZOcg5223XL+njUKVWyR3Z9P3aR1D1psTrHd5e6eun/DLrAZQhZ0jQphtJ
-6YAOrwDhGhMKTFTPhegR3H99Ie8R2dIcTa752GVd54IQ44g=
------END CERTIFICATE-----

uefi-keys/PK.crt

------BEGIN CERTIFICATE-----
-MIIDHTCCAgWgAwIBAgIULMOpRSFPuIZf3kENV26CKG/n4IYwDQYJKoZIhvcNAQEL
-BQAwHjEcMBoGA1UEAwwTU3RvcmVkIG9uIGdpdGxhYiBQSzAeFw0yMjA0MDQwOTEz
-NDlaFw0zMjA0MDEwOTEzNDlaMB4xHDAaBgNVBAMME1N0b3JlZCBvbiBnaXRsYWIg
-UEswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3IX8Gfz8R93RT3hQJ
-G5SDahwoZuCSO0TsSY8akTZCe4AoRm8DlaSwb60QHiO5Be7A6zFYzbWxYVGPDqHH
-li9ICP75GtnbgjMEbGQvzAOWH7FNpUSNMiiIFdzFSdrFZBgoS4IGRgR2/D0kl+Dg
-Z+j4bU0tw6S6MlJprMxx613OxndrXZqgy/OgA/SnutpdiRjU+AziWGcnMYKCRuQS
-e3mfqTS8lMFvS2DFHmZwddPTimIVCEzVzhMUJe5bm/SuYS3z9VWnPMeDRIyIQCmN
-of9+YIzW1m8tb7P5mpS+3NPzJ65pG5FeEgOxr+U1shcMuV0swdN+h057Z1F+4jFc
-3XzPAgMBAAGjUzBRMB0GA1UdDgQWBBSwOm6VV8AbJdyhBfga4KUduU+kcTAfBgNV
-HSMEGDAWgBSwOm6VV8AbJdyhBfga4KUduU+kcTAPBgNVHRMBAf8EBTADAQH/MA0G
-CSqGSIb3DQEBCwUAA4IBAQBRI2flodyHjTi8JBT1911XBrZqvt+pO6IYePvjRBmy
-bmPtK73GntULkNe7OGYFswAy5tQrQjPfsSGh454dAl+xJHVtScHFD6W4atz/65DZ
-mtjhn4POnzVBlPMEL7CY0UGl/ocn/uLolbxFJ9AIHpYg5NPA6HeMt8x9+fUbHmNS
-lzXqNJOi4f9O35tRAmORABHHHXIocdLxpFNH5SmZ++rbbueLVl4llGUS++taniKn
-URIPcYmCHnP8RLyvm73djct86h0qeBFbRrVHTgu6+mGdzqMizqsXRgK9tWcj5Sh5
-GvzkzwPo7TVsMPWZYd/jB4UM1GJyCv/0Eqgs+P5DkvIa
------END CERTIFICATE-----

uefi-keys/keys/KEK.crt

+-----BEGIN CERTIFICATE-----
+MIIDHTCCAgWgAwIBAgIUAgrUDFiPo2hxBIyH9zQdsRoy82AwDQYJKoZIhvcNAQEL
+BQAwHjEcMBoGA1UEAwwTUmFwaWQuU3BhY2UtMDAxIEtFSzAeFw0yMjA0MDUxMzUx
+NTZaFw0zMjA0MDIxMzUxNTZaMB4xHDAaBgNVBAMME1JhcGlkLlNwYWNlLTAwMSBL
+RUswggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDHCM2QZ47W+TDU0RD/
+FyVwxt/PXYW3nvHVh4s2UrcTv8T9w1eOiKVorGt24fQ0XI/S3vXmABCU+SOH60Co
+9AJwIClTLmUC/DiWGiafamEtp+SGkO+5vZl8rk3W50ucuodBEP+AtAH6UwMx59de
+ELAA7Rxuq76LDm4YG7amB121eLC1eUCIcXwUwyHnZF0UbdMFYo7cnw7XQc13tALo
+O6vpMT0tpkHyS2YEFRv7bTava4NsYAYAX6AGuie5KtXaoT7HmmJprtDWWymJLLjM
+UZpO/hhjRBkZjYdIQVUSvFaV8ofXefYcDxmAVE7gV6VlSTbY84U8z6QGOdpmasSQ
+0GxzAgMBAAGjUzBRMB0GA1UdDgQWBBQvB54/i/TRLjOZZi2YqiEtihK7NDAfBgNV
+HSMEGDAWgBQvB54/i/TRLjOZZi2YqiEtihK7NDAPBgNVHRMBAf8EBTADAQH/MA0G
+CSqGSIb3DQEBCwUAA4IBAQAdLRr0V/BOsWBX3yEmqkdPNmPCZ7VNFFqHB8PKVvq0
+ZYUEOhOFdZy8LRl7LzrPaqHYicUS8Xb3icIxYCpVlihMe3RH7yG4jXpVajIfLu6B
+BsBOcxUgW/eF1qOOVIjdxIXD/35LrLB0lj5Wh8t8XHcjb8vRlcXgpKpUDEbM8k1H
+gMKjEJrxRc3MEbMZfkzq06dSCiVSketMl6xcE/2hLIqfS3QWpQOsneEPG6Y4Yp+g
+65LbAE6cNOQ5P5NYHss0n6yTG48Zomj07WCSewQwbiulurYgZALfSSYjG90rJLST
+SiB4BFaE80eZTCs1GzIiBHr2LIoHkeTpust38zcf9LXe
+-----END CERTIFICATE-----

uefi-keys/keys/PK.crt

+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIUMRhhSw6MxcW5g9URnU9w/T49pE4wDQYJKoZIhvcNAQEL
+BQAwHTEbMBkGA1UEAwwSUmFwaWQuU3BhY2UtMDAxIFBLMB4XDTIyMDQwNTEzNTE1
+NloXDTMyMDQwMjEzNTE1NlowHTEbMBkGA1UEAwwSUmFwaWQuU3BhY2UtMDAxIFBL
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwgOou89JigTfr/Ub38gD
+udJfu1+0PSN37Umt6aFxEMNVrCubJlqbAUGmeMeD90puZnJhqJnh2EFU2LJyvQDb
+wnkAuiai5sNRbLgWhQrgGZNBPZxJT/T4FS0RxhgfeKy9dzcOGwroX3Sakemq2C63
+ajy2Zcx/PX0ozZMwIW3jLD9USLvnvvwZcLpubny9T2CSugIagVGQas8dQx2wfKne
+zw4GylJl6QaSNPZfy/rt17gFzRbR2aR5l8fiG8MUmYwu783SSM4SjuOh1x1L+KPt
+3+jBtP5EiM0ljwaUv6JniJIaun615vr1G0RDirq0AeioRsxS60lCCYJHAaU1bj2j
+WQIDAQABo1MwUTAdBgNVHQ4EFgQUPOa6b+3JP1R5KihIQRUpHCk6tFYwHwYDVR0j
+BBgwFoAUPOa6b+3JP1R5KihIQRUpHCk6tFYwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAcgUeqwJ347KeFwWLdNBMGn3PT9t8SbkYuMjBDXdFm0ef
+P+T7FnIhJdIrmJBn52hDkZTqOr4GZKKw22gegYQprNvda+WYf+yR/yr3YuUaz5lZ
+00NzJs+Lgm1K+ti2NjEu+QBmnALfghwLw8aG2d55r0nNjYy9q9j4BgqErTL6kCJ0
+grBdwglASM1Jme3Sd/m7Ykc+h+3gtKhaLTJvWOwpd7x/CXO2Q9qdmhlv8zaQ8Cd+
+TOCEuAnp5PfifiFf12cWGNi+WBU24OcJtVjlR3Yns2b0z5+JP4ZMGndt4rOpBkib
+rM3S9IgaI2xyurqptrH6WPMvuudVhctX8vRALAhLLg==
+-----END CERTIFICATE-----

uefi-keys/keys/db.crt

+-----BEGIN CERTIFICATE-----
+MIIDGzCCAgOgAwIBAgIUBkkfRy4AkHzZPTcO4RaCnpUxZEMwDQYJKoZIhvcNAQEL
+BQAwHTEbMBkGA1UEAwwSUmFwaWQuU3BhY2UtMDAxIGRiMB4XDTIyMDQwNTEzNTE1
+NloXDTMyMDQwMjEzNTE1NlowHTEbMBkGA1UEAwwSUmFwaWQuU3BhY2UtMDAxIGRi
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFCxjUUOVTrFcFnh/efa
+EGxo+T1BhVBg8TVK/mKUaHPI6JLo3ok/eOaVemnjAKT4S9RESb1FXfUi6M2EX4bx
+0uRFq/64PFaIKAjfKxHHk9OjmxKi9mzB2Z6jJ6e5dBxuUzQWMWdUdubleH3dvSKI
+pm4T+MCJqdNEu6n4mDxwE/ZQV9Aee6f4KUXr0rAGmVLAaz89VD5zktu0qVnehyEo
+MgP8gvW34SIfSEogA2hI8mn5VRd8tKdYU/tjx7aiENF8P03kfjXcvezdO5oykZo3
+9h9ytPLaixoFHUwOY2HmVe5BGj4neutSCR1uLBqutiFD9YQEktAf5AxI0fO28FZn
+xwIDAQABo1MwUTAdBgNVHQ4EFgQUKu4DrUoSpMepZZvZAJqgpODMIOUwHwYDVR0j
+BBgwFoAUKu4DrUoSpMepZZvZAJqgpODMIOUwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAQEAvqtf3dX1QLUAO5A0Y1UgvDsqEP1NXEfo5Jtvt+pxGfif
+8pts7EkIsPypCTnpw5IOu4IuCUd1Jj/zGibuLu/Y2HrBTKlfzR78mtvdQCMRRyiB
+ypmFXWm+Clmth7lOjerNRclxHomiyy37pYcgKzmPWIWOzBLoBONW2tsIQmZO26Qj
+QYDty8jD2mWuG2qTkIMoUabqHYXmRIXpwN8/YHfHojGBz9tFU5FVZg+dCNtiyO+8
+cKX82lqTK/OTzPD7imQz2qzMenE+Ol/2MrnHYIcXQpU5xE75e3x1gOz82WVO9AJ4
+e+QljZoWbh5sFPm70j+ufB3C25U5RLj1f0PbtbTtPQ==
+-----END CERTIFICATE-----

uefi-keys/keys/myGUID.txt

+8e75ae9a-b4e7-11ec-b245-00224ddacaa7

uefi-keys/mkkeys.sh → uefi-keys/make_keys.sh

 #!/bin/bash
 # Copyright (c) 2015 by Roderick W. Smith
 # Licensed under the terms of the GPL v3
+# Modified by Nexedi 2021-2022
 
 echo -n "Enter a Common Name to embed in the keys: "
 read NAME
 
+mkdir -p keys
+cd keys
+
 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
         -out PK.crt -days 3650 -nodes -sha256
 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
         -out KEK.crt -days 3650 -nodes -sha256
-openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
-        -out DB.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME db/" -keyout db.key \
+        -out db.crt -days 3650 -nodes -sha256
 openssl x509 -in PK.crt -out PK.cer -outform DER
 openssl x509 -in KEK.crt -out KEK.cer -outform DER
-openssl x509 -in DB.crt -out DB.cer -outform DER
+openssl x509 -in db.crt -out db.cer -outform DER
 
 GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
 echo $GUID > myGUID.txt
 
 cert-to-efi-sig-list -g $GUID PK.crt PK.esl
 cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
-cert-to-efi-sig-list -g $GUID DB.crt DB.esl
+cert-to-efi-sig-list -g $GUID db.crt db.esl
 rm -f noPK.esl
 touch noPK.esl
 
@@ -31,7 +35,7 @@ sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
 sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                   -k PK.key -c PK.crt KEK KEK.esl KEK.auth
 sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-                  -k KEK.key -c KEK.crt db DB.esl DB.auth
+                  -k KEK.key -c KEK.crt db db.esl db.auth
 
 chmod 0600 *.key
 

uefi-keys/myGUID.txt

-89da4706-b3f7-11ec-92f8-00224ddacaa7