#!/usr/bin/env bash
# created by Tobias Powalowski <tpowa@archlinux.org>
. /usr/lib/archboot/common.sh
# Print the help text (ANSI bold/cyan via printf's \e escapes) to stdout and
# leave the script with status 0.  ${_BASENAME} is provided by the sourced
# /usr/lib/archboot/common.sh.
_usage () {
    printf '\e[1m\e[36mArchboot\e[m\e[1m - Generate Secure Boot Keys, MOK Files\e[m\n'
    printf '\e[1m-----------------------------------------------\e[m\n'
    printf '%s\n' "This script generates all needed keys for a Secure Boot setup."
    printf 'It will include the \e[1m2\e[m needed Microsoft certificates, in order\n'
    printf '%s\n' "to avoid soft bricking of devices."
    printf 'Backup of your existing keys are put to \e[1mBACKUP\e[m directory.\n'
    printf '\n'
    printf 'Usage: \e[1m%s -name=<your name> <directory>\e[m\n' "${_BASENAME}"
    exit 0
}
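# --- argument handling ------------------------------------------------------
# A bare help request prints usage on stdout and returns 0.  Every other
# incomplete invocation is an error and must NOT return 0: the original
# routed errors through _usage (which exits 0), so its "exit 1" lines were
# dead code and wrappers saw success on failure.  _usage is run in a
# subshell below so its exit only ends the subshell.
# The pattern '?' is quoted: unquoted it is a glob that matched ANY
# one-character argument (a directory named "k" printed usage and exited 0).
case "${1}" in
    -h|--h|-help|--help|'?') _usage ;;
esac
if [[ -z "${1}" || -z "${2}" ]]; then
    ( _usage ) >&2
    exit 1
fi
# The directory is always the second positional argument, as in the usage text.
_DIR="${2}"
NAME=""
while (( $# > 0 )); do
    case "${1}" in
        # everything after the first '=' — a shell expansion, so no ripgrep
        # dependency; a name containing '=' survives intact
        -name=*|--name=*) NAME="${1#*=}" ;;
        -h|--h|-help|--help|'?') _usage ;;
    esac
    shift
done
if [[ -z "${NAME}" ]]; then
    echo "ERROR: no name specified" >&2
    ( _usage ) >&2
    exit 1
fi
# NAME ends up in "-subj /CN=${NAME}/" for the MOK certificate and as a
# here-document line for mkkeys.sh: a '/' would start a new RDN (openssl's
# separator) and a newline would cut the here-document answer short.
if [[ "${NAME}" == */* || "${NAME}" == *$'\n'* ]]; then
    echo "ERROR: name must not contain '/' or a newline" >&2
    exit 1
fi
if [[ -z "${_DIR}" ]]; then
    echo "ERROR: no directory specified" >&2
    ( _usage ) >&2
    exit 1
fi

_root_check

# --- locate mkkeys.sh -------------------------------------------------------
# bare name on the archboot live system, prefixed name on a normal install;
# the installed name wins when both exist (same precedence as before).
MKKEYS=""
[[ -e /usr/bin/mkkeys.sh ]] && MKKEYS="mkkeys.sh"
[[ -e /usr/bin/archboot-mkkeys.sh ]] && MKKEYS="archboot-mkkeys.sh"
# Previously an empty MKKEYS silently ran a null command and the script went
# on to sign with KEK.key/KEK.crt that were never created.
if [[ -z "${MKKEYS}" ]]; then
    echo "ERROR: neither /usr/bin/mkkeys.sh nor /usr/bin/archboot-mkkeys.sh found" >&2
    exit 1
fi

# --- target directory -------------------------------------------------------
# Resolve to an absolute path first: the original finished with "cd .." and
# then "chmod 700 ${_DIR}", which only lands in the right place for a
# single-component relative path.
mkdir -p "${_DIR}" || exit 1
_DIR="$(cd "${_DIR}" && pwd -P)" || exit 1
# The private keys (PK/KEK/db/MOK .key) are written unencrypted (-nodes).
# Lock the directory down BEFORE anything is written and tighten the umask
# so each file is created 0600, instead of relying on a chmod of the
# directory after the fact.
chmod 700 "${_DIR}" || exit 1
umask 077
cd "${_DIR}" || exit 1

# --- backup of the firmware's current variables -----------------------------
echo "Backup old keys in ${_DIR}/BACKUP..."
mkdir -p BACKUP || exit 1
# Best effort, as before: a failed read (e.g. a variable that cannot be
# read on this system) is reported by the tool but is not fatal.
efi-readvar -v PK -o BACKUP/old_PK.esl
efi-readvar -v KEK -o BACKUP/old_KEK.esl
efi-readvar -v db -o BACKUP/old_db.esl
efi-readvar -v dbx -o BACKUP/old_dbx.esl
( cd BACKUP && mokutil --export )

# --- key generation ---------------------------------------------------------
echo "Generating Keys in ${_DIR}"
# mkkeys.sh reads the common name from stdin (as the original here-document
# implies); abort if it fails instead of signing with missing material.
"${MKKEYS}" <<EOF || { echo "ERROR: ${MKKEYS} failed" >&2; exit 1; }
${NAME}
EOF
# The db signing step below needs the KEK pair; make the requirement explicit.
for _f in KEK.key KEK.crt; do
    if [[ ! -f "${_f}" ]]; then
        echo "ERROR: ${MKKEYS} did not produce ${_f}" >&2
        exit 1
    fi
done

# --- Microsoft db certificates ----------------------------------------------
# The usage text warns that a db without Microsoft's certificates can soft
# brick devices, so a failed or empty download is fatal here — the original
# carried on and produced an add_MS_db.auth without them.
# NOTE(review): only the 2011 Microsoft CAs are bundled; whether newer
# Microsoft UEFI CAs also need enrolling is outside what this script covers
# and should be checked when maintaining this list.
_MS_WIN_CRT="MicWinProPCA2011_2011-10-19.crt"
_MS_UEFI_CRT="MicCorUEFCA2011_2011-06-27.crt"
for _crt in "${_MS_WIN_CRT}" "${_MS_UEFI_CRT}"; do
    # assumes _DLPROG writes the remote file name on -O (curl style), as the
    # original's later use of the bare file names implies — TODO confirm
    # shellcheck disable=SC2086
    if ! ${_DLPROG} -O "https://www.microsoft.com/pkiops/certs/${_crt}" || [[ ! -s "${_crt}" ]]; then
        echo "ERROR: could not download ${_crt}" >&2
        exit 1
    fi
    # Transport trust is whatever _DLPROG's TLS defaults give.  Show the
    # SHA-256 fingerprint so the operator can compare it with Microsoft's
    # published value before enrolling (best effort; DER is what sbsiglist
    # --type x509 consumes below).
    openssl x509 -inform DER -in "${_crt}" -noout -fingerprint -sha256 \
        || echo "WARNING: could not read ${_crt} as a DER certificate" >&2
done
# Microsoft's signature-owner GUID, unchanged from the original.
_MS_GUID="77fa9abd-0359-4d32-bd60-28f4e78f784b"
sbsiglist --owner "${_MS_GUID}" --type x509 --output MS_Win_db.esl "${_MS_WIN_CRT}" || exit 1
sbsiglist --owner "${_MS_GUID}" --type x509 --output MS_UEFI_db.esl "${_MS_UEFI_CRT}" || exit 1
cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl || exit 1
# Append-signed (-a) with our KEK so it can be enrolled into db.
sign-efi-sig-list -a -g "${_MS_GUID}" -k KEK.key -c KEK.crt db MS_db.esl add_MS_db.auth || exit 1

# --- MOK ---------------------------------------------------------------------
# Self-signed, 10 years, unencrypted key; MOK.cer is the DER form for mokutil.
openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -out MOK.crt -nodes -days 3650 -subj "/CN=${NAME}/" || exit 1
openssl x509 -in MOK.crt -out MOK.cer -outform DER || exit 1

# --- layout -----------------------------------------------------------------
# One directory per key set (DB is renamed to lower-case db afterwards),
# GUID for myGUID.txt, MS for the downloaded certificates and derived lists.
for _d in DB KEK MOK PK noPK; do
    mkdir -p "${_d}"
    mv "${_d}".* "${_d}"
done
mv DB db
mkdir -p GUID MS
mv myGUID.txt GUID
mv ./*.crt ./*.auth ./*.esl MS

echo "Finished: Keys created in ${_DIR}"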