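#!/usr/bin/env bash
# Generate a Secure Boot key hierarchy (PK, KEK, db) together with the EFI
# signature lists and authenticated-variable files needed to enrol it.
#
# Copyright (c) 2015 by Roderick W. Smith
# Licensed under the terms of the GPL v3
# replaced GUID with uuidgen Tobias Powalowski - <tpowa@archlinux.org>
#
# Writes into the current directory:
#   PK.key  KEK.key  DB.key       RSA-2048 private keys, stored unencrypted (-nodes)
#   PK.crt  KEK.crt  DB.crt       self-signed PEM certificates, valid 3650 days
#   PK.cer  KEK.cer  DB.cer       the same certificates in DER form
#   PK.esl  KEK.esl  DB.esl       EFI signature lists; noPK.esl is an empty list
#   PK.auth KEK.auth DB.auth noPK.auth   time-based authenticated variables
#   myGUID.txt                    owner GUID stamped into the signature lists
#
# Requires openssl, uuidgen, efitools (cert-to-efi-sig-list, sign-efi-sig-list)
# and GNU date (for --date).

set -euo pipefail

# The private keys are written unencrypted. Creating every output owner-only
# from the start means a key is never readable by other local users in the
# window before the final chmod; the public artifacts may be loosened later.
umask 077

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Fail before any key material exists if a required tool is missing.
for tool in openssl uuidgen cert-to-efi-sig-list sign-efi-sig-list date; do
  command -v -- "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

#######################################
# Create one self-signed key pair plus its DER-encoded certificate.
# Globals:   NAME (read) - Common Name prefix entered by the user
# Arguments: $1 - role, used as the CN suffix and the file stem (PK, KEK, DB)
# Outputs:   <role>.key, <role>.crt, <role>.cer in the current directory
#######################################
gen_key() {
  local role=$1
  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME $role/" \
    -keyout "$role.key" -out "$role.crt" -days 3650 -nodes -sha256
  openssl x509 -in "$role.crt" -out "$role.cer" -outform DER
}

# printf instead of echo -n: echo's option handling is not portable.
printf '%s' "Enter a Common Name to embed in the keys: "
read -r NAME

gen_key PK
gen_key KEK
gen_key DB

# Owner GUID for the signature lists. The earlier version only redirected
# uuidgen into the file and never assigned GUID, so cert-to-efi-sig-list
# received an empty -g argument; keep the value and record it.
GUID=$(uuidgen)
printf '%s\n' "$GUID" > myGUID.txt

for role in PK KEK DB; do
  cert-to-efi-sig-list -g "$GUID" "$role.crt" "$role.esl"
done

# Empty signature list, signed below with the PK as noPK.auth.
rm -f noPK.esl
: > noPK.esl

# One timestamp for all four authenticated variables, one second ahead of
# now as in the original; computed once rather than per call.
TS=$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')

# PK signs itself, the empty list and the KEK; the KEK signs db.
sign-efi-sig-list -t "$TS" -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -t "$TS" -k PK.key -c PK.crt PK noPK.esl noPK.auth
sign-efi-sig-list -t "$TS" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
sign-efi-sig-list -t "$TS" -k KEK.key -c KEK.crt db DB.esl DB.auth

# Belt and braces on top of the umask: also covers pre-existing key files.
chmod 0600 ./*.key

printf '\n\n'
printf '%s\n' "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
printf '%s\n' "flash drive or to your EFI System Partition (ESP)."
printf '%s\n' "For use with most UEFIs' built-in key managers, copy the *.cer files;"
printf '%s\n' "but some UEFIs require the *.auth files."
printf '\n'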