Commit c8087ac0 authored by test's avatar test

Add a sub-script to create and set the keys in Secure Boot. Modify install.sh...

Add a sub-script to create and set the keys in Secure Boot. Modify install.sh to make it call the new sub-script.
parent 2a69c731
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
set -eux set -eux
# installing miscellaneous useful packages # installing miscellaneous useful packages
apt -y install make autopoint autoconf libtool libattr1.dev musl-tools sbsigntool apt -y install make autopoint autoconf libtool libattr1.dev musl-tools mmv sbsigntool
# installing more necessary packages to activate Secure Boot with our own keys # installing more necessary packages to activate Secure Boot with our own keys
apt -y install efitools apt -y install efitools
...@@ -27,11 +27,6 @@ if [ ! -e /etc/uefi-key ]; then ...@@ -27,11 +27,6 @@ if [ ! -e /etc/uefi-key ]; then
mkdir /etc/uefi-key mkdir /etc/uefi-key
fi fi
if [ ! -e /etc/uefi-key/db.crt ]; then
openssl req -newkey rsa:2048 -nodes -keyout /etc/uefi-key/db.key -new -x509 -sha256 -days 36500 -subj "/CN=TEST" -out /etc/uefi-key/db.crt
openssl x509 -outform DER -in /etc/uefi-key/db.crt -out /etc/uefi-key/db.cer
fi
## Install others ## Install others
apt -y install libssl-dev apt -y install libssl-dev
...@@ -77,6 +72,7 @@ fi ...@@ -77,6 +72,7 @@ fi
cd dracut.module cd dracut.module
make install make install
cd ..
apt -y autoremove apt -y autoremove
...@@ -86,8 +82,17 @@ read ...@@ -86,8 +82,17 @@ read
## Build UEFI application ## Build UEFI application
# TODO: write a separate script: one to install stuff, the other to build the UEFI application # TODO: write a separate script: one to install stuff, the other to build the UEFI application
: '
# creates the keys needed to sign the UEFI application if they do not exist
# when creating and copying (or simply copying) the keys in /etc/uefi-key/ by hand,
# the following lines wont be executed
if [ ! -e /etc/uefi-key/db.crt ]; then
openssl req -newkey rsa:2048 -nodes -keyout /etc/uefi-key/db.key -new -x509 -sha256 -days 36500 -subj "/CN=TEST" -out /etc/uefi-key/db.crt
openssl x509 -outform DER -in /etc/uefi-key/db.crt -out /etc/uefi-key/db.cer
fi
'
source secure-boot-automation.sh
cd ..
rm -rf dracut_tmp rm -rf dracut_tmp
mkdir dracut_tmp mkdir dracut_tmp
...@@ -99,12 +104,13 @@ disk_info_list=(${disk_info//' '/}) ...@@ -99,12 +104,13 @@ disk_info_list=(${disk_info//' '/})
/sbin/e2label ${disk_info_list[4]} ROOT /sbin/e2label ${disk_info_list[4]} ROOT
rm -rf /boot/efi/EFI/Linux/* rm -rf /boot/efi/EFI/Linux/*
#mmv '/boot/efi/EFI/Linux/*.*' '/boot/efi/EFI/Linux/#1_1.#2'
dracut --force -c ./dracut.module/dracut.conf --confdir dracut_tmp dracut --force -c ./dracut.module/dracut.conf --confdir dracut_tmp
cp -r /boot/efi/EFI /EFI cp -r /boot/efi/EFI /EFI
#maybe not necessairy #maybe not necessary
cp /etc/uefi-key/db.cer /EFI/db.cer cp /etc/uefi-key/db.cer /EFI/db.cer
cp /etc/uefi-key/db.cer /boot/efi/db.cer cp /etc/uefi-key/db.cer /boot/efi/db.cer
uefi=$(ls /EFI/Linux) uefi=$(ls /EFI/Linux)
efibootmgr --quiet --create --disk ${disk_info_list[3]} --label 'debian UEFI current' --loader /EFI/Linux/$uefi efibootmgr --quiet --create --disk ${disk_info_list[3]} --label 'debian UEFI wrong keys' --loader /EFI/Linux/$uefi
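Review bot: The boot-entry label on the last line of this section now reads 'debian UEFI wrong keys', which reads as a debugging marker for a signature mismatch rather than the intended name; keep `--label 'debian UEFI current'` and fix the key mismatch instead of labelling it. The new `source secure-boot-automation.sh` line runs unconditionally, so every run of install.sh regenerates the full PK/KEK/db set and attempts to enrol a fresh PK in the caller's shell with `set -eux` active, meaning a firmware rejection of `efi-updatevar` aborts the installer midway with the working directory left inside `secure-boot-automation`. Consider guarding the call on an empty PK, e.g. `if efi-readvar -v PK | grep -q 'has no entries'; then source ./secure-boot-automation.sh; cd ..; fi` (I believe that is efitools' wording for an unset variable — confirm on the target), or running the script in a subshell so its `cd` cannot leak. The `: '...'` block and the commented-out `mmv` line are dead code; a one-line comment saying why they are kept, or removing them, would help the next reader.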
#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Licensed under the terms of the GPL v3
## KEYS CREATION
rm -rf secure-boot-automation
mkdir -p secure-boot-automation
cd secure-boot-automation
echo -n "Enter a Common Name to embed in the keys: "
read NAME
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
-out PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
-out KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
-out DB.crt -days 3650 -nodes -sha256
openssl x509 -in PK.crt -out PK.cer -outform DER
openssl x509 -in KEK.crt -out KEK.cer -outform DER
openssl x509 -in DB.crt -out DB.cer -outform DER
GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
echo $GUID > myGUID.txt
cert-to-efi-sig-list -g $GUID PK.crt PK.esl
cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
cert-to-efi-sig-list -g $GUID DB.crt DB.esl
rm -f noPK.esl
touch noPK.esl
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k PK.key -c PK.crt PK noPK.esl noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
-k KEK.key -c KEK.crt db DB.esl DB.auth
chmod 0600 *.key
if [ ! -e /etc/uefi-key/db.crt ]; then
cp DB.crt /etc/uefi-key/db.crt
cp DB.cer /etc/uefi-key/db.cer
fi
## SECURE BOOT SETUP
# if one of the following fails, refer to signing_uefi_application.txt
efi-updatevar -f PK.auth PK
efi-updatevar -a -c KEK.crt -k PK.key KEK
efi-updatevar -a -c DB.crt -k KEK.key db
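Review bot: The `if [ ! -e /etc/uefi-key/db.crt ]` guard near the end of the key-creation part means that on a host where the previous install.sh already created /etc/uefi-key/db.crt and db.key, the freshly generated DB certificate is enrolled into the firmware db while /etc/uefi-key keeps the old pair, so anything signed with /etc/uefi-key/db.key will fail verification under the new db. Note also that only DB.crt and DB.cer are copied, never DB.key; if the dracut module signs with /etc/uefi-key/db.key (the removed install.sh lines used to create it there), that key is now absent — copy the whole pair unconditionally alongside the enrolment, `cp DB.key /etc/uefi-key/db.key && chmod 0600 /etc/uefi-key/db.key`, or enrol the existing /etc/uefi-key/db.crt instead of a new one. Separately, `rm -rf secure-boot-automation` at the top deletes the previous run's PK.key and noPK.auth; once a PK is enrolled, `efi-updatevar -f PK.auth PK` with a new PK is rejected outside setup mode, and without the old PK.key or noPK.auth there is no software path back to setup mode, so keep (or refuse to overwrite) an existing key directory rather than wiping it. Minor: `read NAME` should be `read -r NAME` and `$NAME` quoted where used, and the `-nodes` private keys land in the build tree with world-readable umask until the trailing `chmod 0600`, so create the directory with `umask 077` first.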