Skip to content

Commit ebb9d57

Browse files
derenvderenv
authored
Merge pull request #16 from derenv/fix-key-creation
Fix key creation
2 parents 1336dcf + 082012c commit ebb9d57

1 file changed

Lines changed: 37 additions & 25 deletions

File tree

bash-kernel-signer.sh

Lines changed: 37 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -223,7 +223,7 @@ function create_keys()
223223
{
224224
# Get user input
225225
tput reset
226-
read -r user_input -p "Please specify (existing) directory for new keys & certificates:"
226+
read -p "Please specify (existing) directory for new keys & certificates:" -r user_input
227227

228228
# Validate folder exists
229229
if [[ "$user_input" == "0" ]]; then
@@ -236,42 +236,54 @@ function create_keys()
236236
efi-readvar -v KEK -o "${user_input}/old_KEK.esl"
237237
efi-readvar -v db -o "${user_input}/old_db.esl"
238238
efi-readvar -v dbx -o "${user_input}/old_dbx.esl"
239+
# (continue)
239240
read -n 1 -s -r -p "Old keys successfully read into files, press any key to continue.."
240241

241242
# Generate keys and certificates
242-
echo "generating keys & certificates..."
243-
openssl req -new -x509 -newkey rsa:2048 -keyout "${user_input}/PK.key" -out "${user_input}/PK.crt" -days 3650 -nodes -sha256
244-
openssl req -new -x509 -newkey rsa:2048 -keyout "${user_input}/KEK.key" -out "${user_input}/KEK.crt" -days 3650 -nodes -sha256
245-
openssl req -new -x509 -newkey rsa:2048 -keyout "${user_input}/db.key" -out "${user_input}/db.crt" -days 3650 -nodes -sha256
243+
echo -e "\ngenerating keys & certificates..."
244+
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=new platform key/" -keyout "${user_input}/new_PK.key" -out "${user_input}/new_PK.crt" -days 3650 -nodes -sha256
245+
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=new key exchange key/" -keyout "${user_input}/new_KEK.key" -out "${user_input}/new_KEK.crt" -days 3650 -nodes -sha256
246+
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=new kernel signing key/" -keyout "${user_input}/new_db.key" -out "${user_input}/new_db.crt" -days 3650 -nodes -sha256
246247
# Change permissions to read-only for root (precaution)
247-
sudo chmod -v 400 "${user_input}/PK.key"
248-
sudo chmod -v 400 "${user_input}/KEK.key"
249-
sudo chmod -v 400 "${user_input}/db.key"
248+
sudo chmod -v 400 "${user_input}/new_PK.key"
249+
sudo chmod -v 400 "${user_input}/new_KEK.key"
250+
sudo chmod -v 400 "${user_input}/new_db.key"
251+
# (continue)
250252
read -n 1 -s -r -p "Keys successfully generated, press any key to continue.."
251253

252254
# Create update files
253-
echo "creating update files for keystore.."
254-
cert-to-efi-sig-list -g "$(uuidgen)" "${user_input}/PK.crt" "${user_input}/PK.esl"
255-
sign-efi-sig-list -k "${user_input}/PK.key" -c "${user_input}/PK.crt" PK "${user_input}/PK.esl" "${user_input}/PK.auth"
256-
cert-to-efi-sig-list -g "$(uuidgen)" "${user_input}/KEK.crt" "${user_input}/KEK.esl"
257-
sign-efi-sig-list -a -k "${user_input}/PK.key" -c "${user_input}/PK.crt" KEK "${user_input}/KEK.esl" "${user_input}/KEK.auth"
258-
cert-to-efi-sig-list -g "$(uuidgen)" "${user_input}/db.crt" "${user_input}/db.esl"
259-
sign-efi-sig-list -a -k "${user_input}/KEK.key" -c "${user_input}/KEK.crt" db "${user_input}/db.esl" "${user_input}/db.auth"
260-
sign-efi-sig-list -k "${user_input}/KEK.key" -c "${user_input}/KEK.crt" dbx "${user_input}/old_dbx.esl" "${user_input}/old_dbx.auth"
255+
echo "\ncreating update files for keystore.."
256+
# PK
257+
cert-to-efi-sig-list -g "$(uuidgen)" "${user_input}/new_PK.crt" "${user_input}/new_PK.esl"
258+
sign-efi-sig-list -k "${user_input}/new_PK.key" -c "${user_input}/new_PK.crt" PK "${user_input}/new_PK.esl" "${user_input}/new_PK.auth"
259+
# KEK
260+
cert-to-efi-sig-list -g "$(uuidgen)" "${user_input}/new_KEK.crt" "${user_input}/new_KEK.esl"
261+
sign-efi-sig-list -a -k "${user_input}/new_PK.key" -c "${user_input}/new_PK.crt" KEK "${user_input}/new_KEK.esl" "${user_input}/new_KEK.auth"
262+
# db
263+
cert-to-efi-sig-list -g "$(uuidgen)" "${user_input}/new_db.crt" "${user_input}/new_db.esl"
264+
sign-efi-sig-list -a -k "${user_input}/new_KEK.key" -c "${user_input}/new_KEK.crt" db "${user_input}/new_db.esl" "${user_input}/new_db.auth"
265+
# dbx
266+
sign-efi-sig-list -k "${user_input}/new_KEK.key" -c "${user_input}/new_KEK.crt" dbx "${user_input}/old_dbx.esl" "${user_input}/old_dbx.auth"
267+
# (continue)
261268
read -n 1 -s -r -p "Update files successfully generated, press any key to continue.."
262269

263270
# Create DER (Distinguished Encoding Rules) files, needed for some BIOSes
264-
openssl x509 -outform DER -in "${user_input}/PK.crt" -out "${user_input}/PK.cer"
265-
openssl x509 -outform DER -in "${user_input}/KEK.crt" -out "${user_input}/KEK.cer"
266-
openssl x509 -outform DER -in "${user_input}/db.crt" -out "${user_input}/db.cer"
267-
read -n 1 -s -r -p "DER versions successfully generated, press any key to continue"
271+
openssl x509 -outform DER -in "${user_input}/new_PK.crt" -out "${user_input}/new_PK.cer"
272+
openssl x509 -outform DER -in "${user_input}/new_KEK.crt" -out "${user_input}/new_KEK.cer"
273+
openssl x509 -outform DER -in "${user_input}/new_db.crt" -out "${user_input}/new_db.cer"
274+
# (continue)
275+
read -n 1 -s -r -p "\nDER versions successfully generated, press any key to continue"
268276

269277
# Create compound esl files & auth counterparts
270-
cat "${user_input}/old_KEK.esl" "${user_input}/KEK.esl" > "${user_input}/compound_KEK.esl"
271-
cat "${user_input}/old_db.esl" "${user_input}/db.esl" > "${user_input}/compound_db.esl"
272-
sign-efi-sig-list -k "${user_input}/PK.key" -c "${user_input}/PK.crt" KEK "${user_input}/compound_KEK.esl" "${user_input}/compound_KEK.auth"
273-
sign-efi-sig-list -k "${user_input}/KEK.key" -c "${user_input}/KEK.crt" db "${user_input}/compound_db.esl" "${user_input}/compound_db.auth"
274-
read -n 1 -s -r -p "New esl & auth files successfully generated! See Sakaki's guide (https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot#Installing_New_Keys_into_the_Keystore) to update your keystore! (press any key to continue)"
278+
cat "${user_input}/old_KEK.esl" "${user_input}/new_KEK.esl" > "${user_input}/compound_KEK.esl"
279+
cat "${user_input}/old_db.esl" "${user_input}/new_db.esl" > "${user_input}/compound_db.esl"
280+
sign-efi-sig-list -k "${user_input}/new_PK.key" -c "${user_input}/new_PK.crt" KEK "${user_input}/compound_KEK.esl" "${user_input}/compound_KEK.auth"
281+
sign-efi-sig-list -k "${user_input}/new_KEK.key" -c "${user_input}/new_KEK.crt" db "${user_input}/compound_db.esl" "${user_input}/compound_db.auth"
282+
# (continue)
283+
echo "New esl & auth files successfully generated!"
284+
echo "Add /etc/efikeys/db.key abd /etc/efikeys/db.crt to config file!"
285+
echo "See Sakaki's guide (https://wiki.gentoo.org/wiki/User:Sakaki/Sakaki's_EFI_Install_Guide/Configuring_Secure_Boot#Installing_New_Keys_into_the_Keystore) on how to update your keystore!"
286+
read -n 1 -s -r -p "(press any key to continue)"
275287
else
276288
ERROR_MSG="invalid directory, please exit and create new directory (check permissions!).."
277289
return 1

0 commit comments

Comments
 (0)