Add BMOK installer, add uefi key generator.
This commit is contained in:
parent
a14a9436c0
commit
e303ba23a1
22
BMOK-cert-install-generate.sh
Executable file
22
BMOK-cert-install-generate.sh
Executable file
@ -0,0 +1,22 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
if [ -d /cert ]; then
|
||||||
|
echo "[-] Already installed!";
|
||||||
|
exit;
|
||||||
|
fi
|
||||||
|
echo "[+] Creating cert folder root...";
|
||||||
|
sudo mkdir -p /cert/mok;
|
||||||
|
sudo chown root:root /cert -Rf;
|
||||||
|
sudo chmod u=rw,g=r,o= /cert -Rf;
|
||||||
|
echo "[+] Obtaining and processing MOK key from /var/lib/shim-signed/mok...";
|
||||||
|
sudo openssl x509 -inform der -in /var/lib/shim-signed/mok/MOK.der -out /cert/mok/MOK.pem;
|
||||||
|
sudo cat /var/lib/shim-signed/mok/MOK.priv | sudo tee /cert/mok/signing_key.pem > /dev/null;
|
||||||
|
sudo cat /cert/mok/MOK.pem | sudo tee -a /cert/mok/signing_key.pem > /dev/null;
|
||||||
|
echo "[+] Creating BMOK cert...";
|
||||||
|
sudo openssl req -config BMOK-openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 --outform der -keyout /cert/BMOK.priv -out /cert/BMOK.der;
|
||||||
|
sudo openssl x509 -inform der -in /cert/BMOK.der -out /cert/BMOK.pem;
|
||||||
|
echo "[*] Ensuring permissions...";
|
||||||
|
sudo chown root:root /cert -Rf;
|
||||||
|
sudo chmod u=rw,g=r,o= /cert -Rf;
|
||||||
|
echo "[?] Enroling cert (MOK Manager on next reboot):";
|
||||||
|
sudo mokutil --import /cert/BMOK.der;
|
||||||
|
echo "[+] Done, now use the kernel-build command from bash_aliases after a reboot and the enrole ...";
|
17
uefi_db-openssl.cnf
Normal file
17
uefi_db-openssl.cnf
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# This definition stops the following lines choking if HOME isn't
|
||||||
|
# defined.
|
||||||
|
HOME = .
|
||||||
|
RANDFILE = $ENV::HOME/.rnd
|
||||||
|
[ req ]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
string_mask = utf8only
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = UK
|
||||||
|
stateOrProvinceName = Kent
|
||||||
|
localityName = Herne Bay
|
||||||
|
0.organizationName = Captain ALM
|
||||||
|
commonName = Secure Boot Signature Database
|
||||||
|
emailAddress = alfred@captainalm.com
|
||||||
|
|
17
uefi_kek-openssl.cnf
Normal file
17
uefi_kek-openssl.cnf
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# This definition stops the following lines choking if HOME isn't
|
||||||
|
# defined.
|
||||||
|
HOME = .
|
||||||
|
RANDFILE = $ENV::HOME/.rnd
|
||||||
|
[ req ]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
string_mask = utf8only
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = UK
|
||||||
|
stateOrProvinceName = Kent
|
||||||
|
localityName = Herne Bay
|
||||||
|
0.organizationName = Captain ALM
|
||||||
|
commonName = Secure Boot Key Exchange
|
||||||
|
emailAddress = alfred@captainalm.com
|
||||||
|
|
34
uefi_keys_generate_pk.sh
Executable file
34
uefi_keys_generate_pk.sh
Executable file
@ -0,0 +1,34 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
echo "[+] Generating..."
|
||||||
|
if [ -f PK-GUID ] && [ -f PK-vmpriv.key ] && [ -f PK-vm.crt ] && [ -f PK-vm.der ] && [ -f PK-vm.esl ] && [ -f PK-vm.auth ] &&
|
||||||
|
[ -f KEK-vmpriv.key ] && [ -f KEK-vm.crt ] && [ -f KEK-vm.der ] && [ -f KEK-vm.esl ] && [ -f KEK-vm.auth ] &&
|
||||||
|
[ -f db-vmpriv.key ] && [ -f db-vm.crt ] && [ -f db-vm.der ] && [ -f db-vm.esl ] && [ -f db-vm.auth ]; then
|
||||||
|
echo "[*] Keys already generated as {PK,KEK,db}-vm{priv.key,.crt,.der,.esl,.auth}";
|
||||||
|
else
|
||||||
|
rm -f PK-GUID;
|
||||||
|
rm -f PK-vm.der;
|
||||||
|
rm -f PK-vm.crt;
|
||||||
|
rm -f PK-vmpriv.key;
|
||||||
|
rm -f PK-vm.esl;
|
||||||
|
rm -f PK-vm.auth;
|
||||||
|
rm -f KEK-vm.der;
|
||||||
|
rm -f KEK-vm.crt;
|
||||||
|
rm -f KEK-vmpriv.key;
|
||||||
|
rm -f KEK-vm.esl;
|
||||||
|
rm -f KEK-vm.auth;
|
||||||
|
uuidgen --random > PK-GUID;
|
||||||
|
openssl req -config uefi_pk-openssl.cnf -newkey rsa:2048 -nodes -keyout PK-vmpriv.key -x509 -days 36500 -out PK-vm.crt;
|
||||||
|
openssl x509 -in PK-vm.crt -outform der -out PK-vm.der;
|
||||||
|
cert-to-efi-sig-list -g "$(< PK-GUID)" PK-vm.crt PK-vm.esl;
|
||||||
|
sign-efi-sig-list -g "$(< PK-GUID)" -k PK-vmpriv.key -c PK-vm.crt PK PK-vm.esl PK-vm.auth;
|
||||||
|
openssl req -config uefi_kek-openssl.cnf -newkey rsa:2048 -nodes -keyout KEK-vmpriv.key -x509 -days 36500 -out KEK-vm.crt;
|
||||||
|
openssl x509 -in KEK-vm.crt -outform der -out KEK-vm.der;
|
||||||
|
cert-to-efi-sig-list -g "$(< PK-GUID)" KEK-vm.crt KEK-vm.esl;
|
||||||
|
sign-efi-sig-list -g "$(< PK-GUID)" -k PK-vmpriv.key -c PK-vm.crt KEK KEK-vm.esl KEK-vm.auth;
|
||||||
|
openssl req -config uefi_db-openssl.cnf -newkey rsa:2048 -nodes -keyout db-vmpriv.key -x509 -days 36500 -out db-vm.crt;
|
||||||
|
openssl x509 -in db-vm.crt -outform der -out db-vm.der;
|
||||||
|
cert-to-efi-sig-list -g "$(< PK-GUID)" db-vm.crt db-vm.esl;
|
||||||
|
sign-efi-sig-list -g "$(< PK-GUID)" -k KEK-vmpriv.key -c KEK-vm.crt db db-vm.esl db-vm.auth;
|
||||||
|
echo "[+] Completed key generation as {PK,KEK,db}-vm{priv.key,.crt,.der,.esl,.auth}";
|
||||||
|
fi
|
||||||
|
echo "[i] Sign via 'sbsign --key db-vmpriv.key --cert db-vm.crt --output <file 1> ... <file n>'";
|
17
uefi_pk-openssl.cnf
Normal file
17
uefi_pk-openssl.cnf
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
# This definition stops the following lines choking if HOME isn't
|
||||||
|
# defined.
|
||||||
|
HOME = .
|
||||||
|
RANDFILE = $ENV::HOME/.rnd
|
||||||
|
[ req ]
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
string_mask = utf8only
|
||||||
|
prompt = no
|
||||||
|
|
||||||
|
[ req_distinguished_name ]
|
||||||
|
countryName = UK
|
||||||
|
stateOrProvinceName = Kent
|
||||||
|
localityName = Herne Bay
|
||||||
|
0.organizationName = Captain ALM
|
||||||
|
commonName = Secure Boot Platform
|
||||||
|
emailAddress = alfred@captainalm.com
|
||||||
|
|
Loading…
Reference in New Issue
Block a user