From e303ba23a103fcb7fb78fa7e28cb76d5d4a063a5 Mon Sep 17 00:00:00 2001
From: Captain ALM
Date: Sat, 3 Aug 2024 01:59:01 +0100
Subject: [PATCH] Add BMOK installer, add uefi key generator.
---
 BMOK-cert-install-generate.sh | 22 ++++++++++++++++++++++
 uefi_db-openssl.cnf | 17 +++++++++++++++++
 uefi_kek-openssl.cnf | 17 +++++++++++++++++
 uefi_keys_generate_pk.sh | 34 ++++++++++++++++++++++++++++++++++
 uefi_pk-openssl.cnf | 17 +++++++++++++++++
 5 files changed, 107 insertions(+)
 create mode 100755 BMOK-cert-install-generate.sh
 create mode 100644 uefi_db-openssl.cnf
 create mode 100644 uefi_kek-openssl.cnf
 create mode 100755 uefi_keys_generate_pk.sh
 create mode 100644 uefi_pk-openssl.cnf
diff --git a/BMOK-cert-install-generate.sh b/BMOK-cert-install-generate.sh
new file mode 100755
index 0000000..0a703a6
--- /dev/null
+++ b/BMOK-cert-install-generate.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+if [ -d /cert ]; then
+ echo "[-] Already installed!";
+ exit;
+fi
+echo "[+] Creating cert folder root...";
+sudo mkdir -p /cert/mok;
+sudo chown root:root /cert -Rf;
+sudo chmod u=rw,g=r,o= /cert -Rf;
+echo "[+] Obtaining and processing MOK key from /var/lib/shim-signed/mok...";
+sudo openssl x509 -inform der -in /var/lib/shim-signed/mok/MOK.der -out /cert/mok/MOK.pem;
+sudo cat /var/lib/shim-signed/mok/MOK.priv | sudo tee /cert/mok/signing_key.pem > /dev/null;
+sudo cat /cert/mok/MOK.pem | sudo tee -a /cert/mok/signing_key.pem > /dev/null;
+echo "[+] Creating BMOK cert...";
+sudo openssl req -config BMOK-openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 --outform der -keyout /cert/BMOK.priv -out /cert/BMOK.der;
+sudo openssl x509 -inform der -in /cert/BMOK.der -out /cert/BMOK.pem;
+echo "[*] Ensuring permissions...";
+sudo chown root:root /cert -Rf;
+sudo chmod u=rw,g=r,o= /cert -Rf;
+echo "[?] Enroling cert (MOK Manager on next reboot):";
+sudo mokutil --import /cert/BMOK.der;
+echo "[+] Done, now use the kernel-build command from bash_aliases after a reboot and the enrole ...";
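Review bot: The script runs without `set -e` and never checks a command's status, so if `openssl req -config BMOK-openssl.cnf ...` fails (the config is resolved relative to the current directory and is not part of this commit) the script still runs `sudo mokutil --import /cert/BMOK.der` on a missing file and prints the `[+] Done` message. Adding `set -euo pipefail` after the shebang, or at least `|| exit 1` on the two `openssl` calls and the `mokutil` call, would stop at the first failure. The `sudo cat ... | sudo tee /cert/mok/signing_key.pem` line creates the private-key file under the default umask and it stays that way until the `[*] Ensuring permissions` chmod several lines later; the earlier `o=` on `/cert` keeps other users from traversing the directory, so the exposure is limited, but a `umask 077` at the top closes the window entirely. Note also that `chmod u=rw,g=r,o= /cert -Rf` strips the execute bit from `/cert` and `/cert/mok`, so only root can traverse them afterwards — presumably intended, but a one-line comment saying so would save the next reader a puzzle.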
diff --git a/uefi_db-openssl.cnf b/uefi_db-openssl.cnf
new file mode 100644
index 0000000..465bf55
--- /dev/null
+++ b/uefi_db-openssl.cnf
@@ -0,0 +1,17 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = UK
+stateOrProvinceName = Kent
+localityName = Herne Bay
+0.organizationName = Captain ALM
+commonName = Secure Boot Signature Database
+emailAddress = alfred@captainalm.com
+
diff --git a/uefi_kek-openssl.cnf b/uefi_kek-openssl.cnf
new file mode 100644
index 0000000..9b34a9b
--- /dev/null
+++ b/uefi_kek-openssl.cnf
@@ -0,0 +1,17 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = UK
+stateOrProvinceName = Kent
+localityName = Herne Bay
+0.organizationName = Captain ALM
+commonName = Secure Boot Key Exchange
+emailAddress = alfred@captainalm.com
+
diff --git a/uefi_keys_generate_pk.sh b/uefi_keys_generate_pk.sh
new file mode 100755
index 0000000..4cabdbc
--- /dev/null
+++ b/uefi_keys_generate_pk.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+echo "[+] Generating..."
+if [ -f PK-GUID ] && [ -f PK-vmpriv.key ] && [ -f PK-vm.crt ] && [ -f PK-vm.der ] && [ -f PK-vm.esl ] && [ -f PK-vm.auth ] &&
+[ -f KEK-vmpriv.key ] && [ -f KEK-vm.crt ] && [ -f KEK-vm.der ] && [ -f KEK-vm.esl ] && [ -f KEK-vm.auth ] &&
+[ -f db-vmpriv.key ] && [ -f db-vm.crt ] && [ -f db-vm.der ] && [ -f db-vm.esl ] && [ -f db-vm.auth ]; then
+ echo "[*] Keys already generated as {PK,KEK,db}-vm{priv.key,.crt,.der,.esl,.auth}";
+else
+ rm -f PK-GUID;
+ rm -f PK-vm.der;
+ rm -f PK-vm.crt;
+ rm -f PK-vmpriv.key;
+ rm -f PK-vm.esl;
+ rm -f PK-vm.auth;
+ rm -f KEK-vm.der;
+ rm -f KEK-vm.crt;
+ rm -f KEK-vmpriv.key;
+ rm -f KEK-vm.esl;
+ rm -f KEK-vm.auth;
+ uuidgen --random > PK-GUID;
+ openssl req -config uefi_pk-openssl.cnf -newkey rsa:2048 -nodes -keyout PK-vmpriv.key -x509 -days 36500 -out PK-vm.crt;
+ openssl x509 -in PK-vm.crt -outform der -out PK-vm.der;
+ cert-to-efi-sig-list -g "$(< PK-GUID)" PK-vm.crt PK-vm.esl;
+ sign-efi-sig-list -g "$(< PK-GUID)" -k PK-vmpriv.key -c PK-vm.crt PK PK-vm.esl PK-vm.auth;
+ openssl req -config uefi_kek-openssl.cnf -newkey rsa:2048 -nodes -keyout KEK-vmpriv.key -x509 -days 36500 -out KEK-vm.crt;
+ openssl x509 -in KEK-vm.crt -outform der -out KEK-vm.der;
+ cert-to-efi-sig-list -g "$(< PK-GUID)" KEK-vm.crt KEK-vm.esl;
+ sign-efi-sig-list -g "$(< PK-GUID)" -k PK-vmpriv.key -c PK-vm.crt KEK KEK-vm.esl KEK-vm.auth;
+ openssl req -config uefi_db-openssl.cnf -newkey rsa:2048 -nodes -keyout db-vmpriv.key -x509 -days 36500 -out db-vm.crt;
+ openssl x509 -in db-vm.crt -outform der -out db-vm.der;
+ cert-to-efi-sig-list -g "$(< PK-GUID)" db-vm.crt db-vm.esl;
+ sign-efi-sig-list -g "$(< PK-GUID)" -k KEK-vmpriv.key -c KEK-vm.crt db db-vm.esl db-vm.auth;
+ echo "[+] Completed key generation as {PK,KEK,db}-vm{priv.key,.crt,.der,.esl,.auth}";
+fi
+echo "[i] Sign via 'sbsign --key db-vmpriv.key --cert db-vm.crt --output ... '";
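Review bot: The presence test on the `if` line uses `[ -f ... ]`, which is also true for an empty file, and the script has no `set -e`, so a run in which `uuidgen`, `cert-to-efi-sig-list` or `sign-efi-sig-list` is missing or fails can leave zero-byte outputs that every later run treats as a complete key set while the `[+] Completed key generation` message is still printed. Using `[ -s ... ]` in the test and `set -euo pipefail` after the shebang would make a failed run visible and re-runnable. The `rm -f` list in the `else` branch also omits the `db-vm*` files, so it does not match the check above it (the `openssl` and `sign-efi-sig-list` calls overwrite their outputs, so this is cosmetic rather than a bug). Separately, any single missing file regenerates everything including `PK-vmpriv.key`; if the previous PK has already been enrolled in firmware, the newly signed KEK/db `.auth` files will presumably not be accepted by it, so regenerating only the missing tier, or at least warning before replacing the PK, seems worth considering.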
diff --git a/uefi_pk-openssl.cnf b/uefi_pk-openssl.cnf
new file mode 100644
index 0000000..7bc900b
--- /dev/null
+++ b/uefi_pk-openssl.cnf
@@ -0,0 +1,17 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = UK
+stateOrProvinceName = Kent
+localityName = Herne Bay
+0.organizationName = Captain ALM
+commonName = Secure Boot Platform
+emailAddress = alfred@captainalm.com
+