Add BMOK installer, add uefi key generator.

2024-08-03 01:59:01 +01:00 · 2024-08-03 01:59:01 +01:00 · e303ba23a1
commit e303ba23a1
parent a14a9436c0
5 changed files with 107 additions and 0 deletions
--- a/BMOK-cert-install-generate.sh
+++ b/BMOK-cert-install-generate.sh
@ -0,0 +1,22 @@
+#!/bin/bash
+if [ -d  /cert ]; then
+    echo "[-] Already installed!";
+    exit;
+fi
+echo "[+] Creating cert folder root...";
+sudo mkdir -p /cert/mok;
+sudo chown root:root /cert -Rf;
+sudo chmod u=rw,g=r,o= /cert -Rf;
+echo "[+] Obtaining and processing MOK key from /var/lib/shim-signed/mok...";
+sudo openssl x509 -inform der -in /var/lib/shim-signed/mok/MOK.der -out /cert/mok/MOK.pem;
+sudo cat /var/lib/shim-signed/mok/MOK.priv | sudo tee /cert/mok/signing_key.pem > /dev/null;
+sudo cat /cert/mok/MOK.pem | sudo tee -a /cert/mok/signing_key.pem > /dev/null;
+echo "[+] Creating BMOK cert...";
+sudo openssl req -config BMOK-openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 --outform der -keyout /cert/BMOK.priv -out /cert/BMOK.der;
+sudo openssl x509 -inform der -in /cert/BMOK.der -out /cert/BMOK.pem;
+echo "[*] Ensuring permissions...";
+sudo chown root:root /cert -Rf;
+sudo chmod u=rw,g=r,o= /cert -Rf;
+echo "[?] Enroling cert (MOK Manager on next reboot):";
+sudo mokutil --import /cert/BMOK.der;
+echo "[+] Done, now use the kernel-build command from bash_aliases after a reboot and the enrole ...";
--- a/uefi_db-openssl.cnf
+++ b/uefi_db-openssl.cnf
@ -0,0 +1,17 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+[ req ]
+distinguished_name      = req_distinguished_name
+string_mask             = utf8only
+prompt                  = no
+
+[ req_distinguished_name ]
+countryName             = UK
+stateOrProvinceName     = Kent
+localityName            = Herne Bay
+0.organizationName      = Captain ALM
+commonName              = Secure Boot Signature Database
+emailAddress            = alfred@captainalm.com
+
--- a/uefi_kek-openssl.cnf
+++ b/uefi_kek-openssl.cnf
@ -0,0 +1,17 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+[ req ]
+distinguished_name      = req_distinguished_name
+string_mask             = utf8only
+prompt                  = no
+
+[ req_distinguished_name ]
+countryName             = UK
+stateOrProvinceName     = Kent
+localityName            = Herne Bay
+0.organizationName      = Captain ALM
+commonName              = Secure Boot Key Exchange
+emailAddress            = alfred@captainalm.com
+
--- a/uefi_keys_generate_pk.sh
+++ b/uefi_keys_generate_pk.sh
@ -0,0 +1,34 @@
+#!/bin/bash
+echo "[+] Generating..."
+if [ -f PK-GUID ] && [ -f PK-vmpriv.key ] && [ -f PK-vm.crt ] && [ -f PK-vm.der ] && [ -f PK-vm.esl ] && [ -f PK-vm.auth ] &&
+[ -f KEK-vmpriv.key ] && [ -f KEK-vm.crt ] && [ -f KEK-vm.der ] && [ -f KEK-vm.esl ] && [ -f KEK-vm.auth ] &&
+[ -f db-vmpriv.key ] && [ -f db-vm.crt ] && [ -f db-vm.der ] && [ -f db-vm.esl ] && [ -f db-vm.auth ]; then
+    echo "[*] Keys already generated as {PK,KEK,db}-vm{priv.key,.crt,.der,.esl,.auth}";
+else
+    rm -f PK-GUID;
+    rm -f PK-vm.der;
+    rm -f PK-vm.crt;
+    rm -f PK-vmpriv.key;
+    rm -f PK-vm.esl;
+    rm -f PK-vm.auth;
+    rm -f KEK-vm.der;
+    rm -f KEK-vm.crt;
+    rm -f KEK-vmpriv.key;
+    rm -f KEK-vm.esl;
+    rm -f KEK-vm.auth;
+    uuidgen --random > PK-GUID;
+    openssl req -config uefi_pk-openssl.cnf -newkey rsa:2048 -nodes -keyout PK-vmpriv.key -x509 -days 36500 -out PK-vm.crt;
+    openssl x509 -in PK-vm.crt -outform der -out PK-vm.der;
+    cert-to-efi-sig-list -g "$(< PK-GUID)" PK-vm.crt PK-vm.esl;
+    sign-efi-sig-list -g "$(< PK-GUID)" -k PK-vmpriv.key -c PK-vm.crt PK PK-vm.esl PK-vm.auth;
+    openssl req -config uefi_kek-openssl.cnf -newkey rsa:2048 -nodes -keyout KEK-vmpriv.key -x509 -days 36500 -out KEK-vm.crt;
+    openssl x509 -in KEK-vm.crt -outform der -out KEK-vm.der;
+    cert-to-efi-sig-list -g "$(< PK-GUID)" KEK-vm.crt KEK-vm.esl;
+    sign-efi-sig-list -g "$(< PK-GUID)" -k PK-vmpriv.key -c PK-vm.crt KEK KEK-vm.esl KEK-vm.auth;
+    openssl req -config uefi_db-openssl.cnf -newkey rsa:2048 -nodes -keyout db-vmpriv.key -x509 -days 36500 -out db-vm.crt;
+    openssl x509 -in db-vm.crt -outform der -out db-vm.der;
+    cert-to-efi-sig-list -g "$(< PK-GUID)" db-vm.crt db-vm.esl;
+    sign-efi-sig-list -g "$(< PK-GUID)" -k KEK-vmpriv.key -c KEK-vm.crt db db-vm.esl db-vm.auth;
+    echo "[+] Completed key generation as {PK,KEK,db}-vm{priv.key,.crt,.der,.esl,.auth}";
+fi
+echo "[i] Sign via 'sbsign --key db-vmpriv.key --cert db-vm.crt --output <file 1> ... <file n>'";
--- a/uefi_pk-openssl.cnf
+++ b/uefi_pk-openssl.cnf
@ -0,0 +1,17 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+[ req ]
+distinguished_name      = req_distinguished_name
+string_mask             = utf8only
+prompt                  = no
+
+[ req_distinguished_name ]
+countryName             = UK
+stateOrProvinceName     = Kent
+localityName            = Herne Bay
+0.organizationName      = Captain ALM
+commonName              = Secure Boot Platform
+emailAddress            = alfred@captainalm.com
+