From 5e379267eed22ad037e0d90a2d5b0cdfd59ea1b9 Mon Sep 17 00:00:00 2001
From: Tobias Powalowski <tpowa@archlinux.org>
Date: Thu, 3 Feb 2022 22:05:49 +0100
Subject: [PATCH] replace mkkeys.sh with a modified uuidgen one

---
 usr/bin/archboot-mkkeys.sh                    | 81 ++++++++++---------
 usr/bin/archboot-secureboot-keys.sh           | 10 +--
 usr/lib/initcpio/install/archboot_secure_boot | 29 ++-----
 3 files changed, 48 insertions(+), 72 deletions(-)

diff --git a/usr/bin/archboot-mkkeys.sh b/usr/bin/archboot-mkkeys.sh
index 1979137fb..3c71e993d 100755
--- a/usr/bin/archboot-mkkeys.sh
+++ b/usr/bin/archboot-mkkeys.sh
@@ -1,41 +1,44 @@
 #!/bin/bash
-_MKKEYS_SERVER="https://www.rodsbooks.com/efi-bootloaders"
-_MKKEYS_URL="${_MKKEYS_SERVER}/mkkeys.sh"
-_USER="tobias"
-_GROUP="users"
-_GPG="--detach-sign --no-armor --batch --passphrase-file /etc/archboot/gpg.passphrase --pinentry-mode loopback -u 7EDF681F"
-_SERVER="pkgbuild.com"
-_MKKEYS_ARCH_SERVERDIR="/home/tpowa/public_html/archboot-helper/mkkeys"
+# Copyright (c) 2015 by Roderick W. Smith
+# Licensed under the terms of the GPL v3
+# replaced GUID with uuidgen 
 
-### check for root
-if ! [[ ${UID} -eq 0 ]]; then 
-    echo "ERROR: Please run as root user!"
-    exit 1
-fi
-### check for tpowa's build server
-if [[ ! "$(cat /etc/hostname)" == "T-POWA-LX" ]]; then
-    echo "This script should only be run on tpowa's build server. Aborting..."
-    exit 1
-fi
-# download packages from fedora server
-echo "Downloading mkkeys.sh..."
-mkdir -m 777 mkkeys
-curl -s --create-dirs -L -O --output-dir ./mkkeys/ ${_MKKEYS_URL} || exit 1
-# sign files
-echo "Sign files and upload ..."
-#shellcheck disable=SC2086
-cd mkkeys/ || exit 1
-chown "${_USER}" ./*
-chgrp "${_GROUP}" ./*
-for i in *; do
-    #shellcheck disable=SC2086
-    [[ -f "${i}" ]] && sudo -u "${_USER}" gpg ${_GPG} "${i}" || exit 1
-    [[ -f "${i}" ]] && cksum -a sha256 "${i}" >> sha256sum.txt
-    [[ -f "${i}.sig" ]] && cksum -a sha256 "${i}.sig" >> sha256sum.txt
-done
-sudo -u "${_USER}" scp ./* "${_SERVER}:${_MKKEYS_ARCH_SERVERDIR}" || exit 1
-# cleanup
-echo "Remove mkkeys directory."
-cd ..
-rm -r mkkeys
-echo "Finished fedora Shim."
+echo -n "Enter a Common Name to embed in the keys: "
+read NAME
+
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
+        -out PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
+        -out KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
+        -out DB.crt -days 3650 -nodes -sha256
+openssl x509 -in PK.crt -out PK.cer -outform DER
+openssl x509 -in KEK.crt -out KEK.cer -outform DER
+openssl x509 -in DB.crt -out DB.cer -outform DER
+
+uuidgen > myGUID.txt
+
+cert-to-efi-sig-list -g $GUID PK.crt PK.esl
+cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
+cert-to-efi-sig-list -g $GUID DB.crt DB.esl
+rm -f noPK.esl
+touch noPK.esl
+
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK PK.esl PK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt PK noPK.esl noPK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k PK.key -c PK.crt KEK KEK.esl KEK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+                  -k KEK.key -c KEK.crt db DB.esl DB.auth
+
+chmod 0600 *.key
+
+echo ""
+echo ""
+echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
+echo "flash drive or to your EFI System Partition (ESP)."
+echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
+echo "but some UEFIs require the *.auth files."
+echo ""
diff --git a/usr/bin/archboot-secureboot-keys.sh b/usr/bin/archboot-secureboot-keys.sh
index 1ca40d358..44ead4b72 100755
--- a/usr/bin/archboot-secureboot-keys.sh
+++ b/usr/bin/archboot-secureboot-keys.sh
@@ -53,17 +53,9 @@ if [[ -n "${_DIR}" ]]; then
     cd BACKUP || exit 1; mokutil --export; cd .. || exit 1
     echo "Generating Keys in $_DIR"
     # add mkkeys.sh
-    if [[ ! -f /usr/bin/mkkeys.sh ]]; then
-        curl -s -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh || exit 1
-        chmod 755 mkkeys.sh
-        ./mkkeys.sh <<EOF 
+    ./mkkeys.sh <<EOF 
 ${NAME} 
 EOF
-    else
-        mkkeys.sh <<EOF 
-${NAME} 
-EOF
-    fi
     # download MS Certificates, else EFI might get broken!
     curl -s -L -O https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
     curl -s -L -O https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
diff --git a/usr/lib/initcpio/install/archboot_secure_boot b/usr/lib/initcpio/install/archboot_secure_boot
index ed30fa36a..1ee8a13b8 100644
--- a/usr/lib/initcpio/install/archboot_secure_boot
+++ b/usr/lib/initcpio/install/archboot_secure_boot
@@ -5,36 +5,17 @@ build ()
 {
     # https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
     _RUNNING_ARCH="$(uname -m)"
-    apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
+    apps="openssl cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
           hash-to-efi-sig-list sig-list-to-certs cert-to-efi-sig-list sign-efi-sig-list sbattach sbkeysync \
           sbsiglist sbsign sbvarsign sbverify mokutil"
     add_file "/etc/ssl/openssl.cnf"
     for i in $apps; do
         add_binary "$i"
     done
-    # add mkkeys.sh
-    MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)
-    curl -s -L -o "${MKKEYS}" https://pkgbuild.com/~tpowa/archboot-helper/mkkeys/mkkeys.sh 
-    chmod 755 "${MKKEYS}"
-    add_file "${MKKEYS}" "/usr/bin/mkkeys.sh"
-    # add python3 files for script
-    add_full_dir /usr/lib/python3.10/encodings
-    add_full_dir /usr/lib/python3.10/collections
-    add_full_dir /usr/lib/python3.10/logging
-    PYTHON_FILES="_collections_abc keyword heapq platform types enum uuid \
-                  _sitebuiltins genericpath posixpath _collections_abc stat os site abc io codecs \
-                  operator reprlib re sre_compile sre_parse sre_constants functools copyreg subprocess \
-                  signal threading _weakrefset warnings contextlib random bisect hashlib traceback \
-                  linecache tokenize token weakref string selectors"
-    for i in ${PYTHON_FILES}; do
-        add_file "/usr/lib/python3.10/$i.py"
-    done
-    PYTHON_DYN="select.cpython-310-${_RUNNING_ARCH}-linux-gnu math.cpython-310-${_RUNNING_ARCH}-linux-gnu \
-                _random.cpython-310-${_RUNNING_ARCH}-linux-gnu _sha512.cpython-310-${_RUNNING_ARCH}-linux-gnu \
-                _posixsubprocess.cpython-310-${_RUNNING_ARCH}-linux-gnu"
-    for i in ${PYTHON_DYN}; do
-        add_file "/usr/lib/python3.10/lib-dynload/$i.so"
-    done
+    # add mkkeys.sh, 
+    # curl -s -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
+    # modiiied to use uuidgen instead of python
+    add_file "/usr/bin/archboot-mkkeys.sh" "/usr/bin/mkkeys.sh"
     # add efitools files
     [[ "${_RUNNING_ARCH}" == "x86_64" ]] && add_file "/usr/share/efitools/efi/PreLoader.efi"
     add_file "/usr/share/efitools/efi/HashTool.efi"