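#!/bin/bash
#
# One-time setup of the Secure Boot signing material under /cert:
#   1. converts the existing shim MOK certificate (DER) to PEM and builds a
#      combined private-key + certificate file, /cert/mok/signing_key.pem;
#   2. generates a new self-signed "BMOK" key pair from BMOK-openssl.cnf;
#   3. queues the BMOK certificate for enrolment with mokutil (the enrolment
#      itself is confirmed in MOK Manager on the next reboot).
#
# Usage: run from the directory that contains BMOK-openssl.cnf.
# Requires: sudo, openssl, mokutil, and an existing MOK under
#           /var/lib/shim-signed/mok.
#
# Security notes:
#   - /cert/BMOK.priv is written unencrypted (-nodes) and the certificate is
#     valid for 36500 days. Once the certificate is enrolled, whoever can read
#     that key can sign code this machine's Secure Boot chain will accept, so
#     the directory is kept root-only and the key should be treated as a
#     long-lived secret (backups, disk images and snapshots included).
#   - /cert is locked down before any key material is written into it, so the
#     key files are never reachable by other users, whatever sudo's umask is.

set -euo pipefail

readonly CERT_ROOT=/cert
readonly MOK_DIR="${CERT_ROOT}/mok"
readonly MOK_SRC=/var/lib/shim-signed/mok
readonly BMOK_CONFIG=BMOK-openssl.cnf

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Root-only tree: directories get the search bit (X), files stay rw for root,
# nothing for group or others. The original "u=rw,g=r,o=" left directories
# without a search bit and gave the group read access to private keys.
lock_down() {
  sudo chown -R root:root "${CERT_ROOT}"
  sudo chmod -R u=rwX,go= "${CERT_ROOT}"
}

if [[ -d "${CERT_ROOT}" ]]; then
  echo "[-] Already installed!"
  exit 0
fi

# Pre-flight checks run before anything is created: a failure half-way through
# would leave /cert behind and make the next run report "Already installed!".
for tool in sudo openssl mokutil; do
  command -v "${tool}" >/dev/null || die "[-] Required command not found: ${tool}"
done
[[ -f "${BMOK_CONFIG}" ]] \
  || die "[-] ${BMOK_CONFIG} not found in $(pwd); run this script from its own directory"
sudo test -f "${MOK_SRC}/MOK.der" || die "[-] Missing ${MOK_SRC}/MOK.der"
sudo test -f "${MOK_SRC}/MOK.priv" || die "[-] Missing ${MOK_SRC}/MOK.priv"

# From here on a failure leaves a partial /cert; say so instead of failing
# silently, and leave the removal to the operator.
trap 'printf "%s\n" "[-] Failed at line ${LINENO}; ${CERT_ROOT} is incomplete and must be removed before re-running." >&2' ERR

echo "[+] Creating cert folder root..."
sudo mkdir -p "${MOK_DIR}"
lock_down

echo "[+] Obtaining and processing MOK key from /var/lib/shim-signed/mok..."
sudo openssl x509 -inform der -in "${MOK_SRC}/MOK.der" -out "${MOK_DIR}/MOK.pem"
# signing_key.pem = private key followed by its certificate.
sudo cat -- "${MOK_SRC}/MOK.priv" "${MOK_DIR}/MOK.pem" \
  | sudo tee -- "${MOK_DIR}/signing_key.pem" >/dev/null

echo "[+] Creating BMOK cert..."
sudo openssl req -config "${BMOK_CONFIG}" -new -x509 -newkey rsa:2048 -nodes \
  -days 36500 -outform der \
  -keyout "${CERT_ROOT}/BMOK.priv" -out "${CERT_ROOT}/BMOK.der"
sudo openssl x509 -inform der -in "${CERT_ROOT}/BMOK.der" -out "${CERT_ROOT}/BMOK.pem"

echo "[*] Ensuring permissions..."
lock_down

echo "[?] Enroling cert (MOK Manager on next reboot):"
sudo mokutil --import "${CERT_ROOT}/BMOK.der"

echo "[+] Done, now use the kernel-build command from bash_aliases after a reboot and the enrole ..."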