patos/scripts/sbkeys

#!/usr/bin/env bash
# Copyright (c) 2015 by Roderick W. Smith
# Copyright (c) 2020 Corey Hinshaw
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

[ -n "${DEBUG}" ] && set -x
set -e

usage() {
  cat <<EOF
Usage: sbkeys [OPTION]...
Generate secure boot keys

Options:
  -h      Print this help text
  -m      Generate signature database entries for Microsoft certificates
EOF
}

generate_keys() {
  # Do not create new keys if key files already exist
  KEYS=(
    PK.key PK.crt PK.cer PK.esl PK.auth
    KEK.key KEK.crt KEK.cer KEK.esl KEK.auth
    DB.key DB.crt DB.cer DB.esl DB.auth
    noPK.esl noPK.auth
    myGUID.txt
  )
  for file in ${KEYS[@]}; do
    if [ -f ${file} ]; then
      echo "Skipping key generation: keys already exist in $(pwd)"
      return
    fi
  done

  echo -n "Enter a Common Name to embed in the keys: "
  read NAME

  # Platform key
  openssl req -new -x509 \
      -subj "/CN=${NAME} PK/" -days 3650 -nodes \
      -newkey rsa:2048 -sha256 \
      -keyout PK.key -out PK.crt
  openssl x509 -in PK.crt -out PK.cer -outform DER

  # Key exchange key
  openssl req -new -x509 \
      -subj "/CN=${NAME} KEK/" -days 3650 -nodes \
      -newkey rsa:2048 -sha256 \
      -keyout KEK.key -out KEK.crt
  openssl x509 -in KEK.crt -out KEK.cer -outform DER

  # Signature database
  openssl req -new -x509 \
      -subj "/CN=${NAME} DB/" -days 3650 -nodes \
      -newkey rsa:2048 -sha256 \
      -keyout DB.key -out DB.crt
  openssl x509 -in DB.crt -out DB.cer -outform DER

  GUID="$(uuidgen -r)"
  echo ${GUID} > myGUID.txt

  cert-to-efi-sig-list -g ${GUID} PK.crt PK.esl
  cert-to-efi-sig-list -g ${GUID} KEK.crt KEK.esl
  cert-to-efi-sig-list -g ${GUID} DB.crt DB.esl
  rm -f noPK.esl
  touch noPK.esl

  sign-efi-sig-list \
      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
      -k PK.key -c PK.crt \
      PK PK.esl PK.auth
  sign-efi-sig-list \
      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
      -k PK.key -c PK.crt \
      PK noPK.esl noPK.auth
  sign-efi-sig-list \
      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
      -k PK.key -c PK.crt \
      KEK KEK.esl KEK.auth
  sign-efi-sig-list \
      -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
      -k KEK.key -c KEK.crt \
      DB DB.esl DB.auth

  chmod 0600 *.key
}

generate_ms_db() {
  msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b

  msdb="MS_db.esl add_MS_db.auth"
  for file in $msdb; do
    if [ -f $file ]; then
      echo "Microsoft signature lists already exist in $(pwd)"
      return
    fi
  done

  wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
  wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt

  sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
  sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
  cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
  sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth

  rm MS_Win_db.esl MS_UEFI_db.esl MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt
}

mskeys=0

while getopts ":hm" opt; do
  case $opt in
    h)
      usage
      cat <<EOF

For use with KeyTool, copy the *.auth and *.esl files to a FAT USB
flash drive or to your EFI System Partition (ESP).
For use with most UEFIs' built-in key managers, copy the *.cer files.

To add Microsoft's certificates use KeyTool or UEFI to append
add_MS_db.auth to the signature database.
EOF
      exit 0
      ;;
    m)
      mskeys=1
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      usage >&2
      exit 1
      ;;
   esac
done

generate_keys
if [ $mskeys -eq 1 ]; then
  generate_ms_db
fi
feat: initial secure boot 2025-01-23 12:11:57 +01:00			`#!/usr/bin/env bash`
			`# Copyright (c) 2015 by Roderick W. Smith`
			`# Copyright (c) 2020 Corey Hinshaw`
			`#`
			`# This program is free software: you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`[ -n "${DEBUG}" ] && set -x`
			`set -e`

			`usage() {`
			`cat <<EOF`
			`Usage: sbkeys [OPTION]...`
			`Generate secure boot keys`

			`Options:`
			`-h Print this help text`
			`-m Generate signature database entries for Microsoft certificates`
			`EOF`
			`}`

			`generate_keys() {`
			`# Do not create new keys if key files already exist`
			`KEYS=(`
			`PK.key PK.crt PK.cer PK.esl PK.auth`
			`KEK.key KEK.crt KEK.cer KEK.esl KEK.auth`
			`DB.key DB.crt DB.cer DB.esl DB.auth`
			`noPK.esl noPK.auth`
			`myGUID.txt`
			`)`
			`for file in ${KEYS[@]}; do`
			`if [ -f ${file} ]; then`
			`echo "Skipping key generation: keys already exist in $(pwd)"`
			`return`
			`fi`
			`done`

			`echo -n "Enter a Common Name to embed in the keys: "`
			`read NAME`

			`# Platform key`
			`openssl req -new -x509 \`
			`-subj "/CN=${NAME} PK/" -days 3650 -nodes \`
			`-newkey rsa:2048 -sha256 \`
			`-keyout PK.key -out PK.crt`
			`openssl x509 -in PK.crt -out PK.cer -outform DER`

			`# Key exchange key`
			`openssl req -new -x509 \`
			`-subj "/CN=${NAME} KEK/" -days 3650 -nodes \`
			`-newkey rsa:2048 -sha256 \`
			`-keyout KEK.key -out KEK.crt`
			`openssl x509 -in KEK.crt -out KEK.cer -outform DER`

			`# Signature database`
			`openssl req -new -x509 \`
			`-subj "/CN=${NAME} DB/" -days 3650 -nodes \`
			`-newkey rsa:2048 -sha256 \`
			`-keyout DB.key -out DB.crt`
			`openssl x509 -in DB.crt -out DB.cer -outform DER`

			`GUID="$(uuidgen -r)"`
			`echo ${GUID} > myGUID.txt`

			`cert-to-efi-sig-list -g ${GUID} PK.crt PK.esl`
			`cert-to-efi-sig-list -g ${GUID} KEK.crt KEK.esl`
			`cert-to-efi-sig-list -g ${GUID} DB.crt DB.esl`
			`rm -f noPK.esl`
			`touch noPK.esl`

			`sign-efi-sig-list \`
			`-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \`
			`-k PK.key -c PK.crt \`
			`PK PK.esl PK.auth`
			`sign-efi-sig-list \`
			`-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \`
			`-k PK.key -c PK.crt \`
			`PK noPK.esl noPK.auth`
			`sign-efi-sig-list \`
			`-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \`
			`-k PK.key -c PK.crt \`
			`KEK KEK.esl KEK.auth`
			`sign-efi-sig-list \`
			`-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \`
			`-k KEK.key -c KEK.crt \`
			`DB DB.esl DB.auth`

			`chmod 0600 *.key`
			`}`

			`generate_ms_db() {`
			`msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b`

			`msdb="MS_db.esl add_MS_db.auth"`
			`for file in $msdb; do`
			`if [ -f $file ]; then`
			`echo "Microsoft signature lists already exist in $(pwd)"`
			`return`
			`fi`
			`done`

			`wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt`
			`wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt`

			`sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt`
			`sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt`
			`cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl`
			`sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth`

			`rm MS_Win_db.esl MS_UEFI_db.esl MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt`
			`}`

			`mskeys=0`

			`while getopts ":hm" opt; do`
			`case $opt in`
			`h)`
			`usage`
			`cat <<EOF`

			`For use with KeyTool, copy the .auth and .esl files to a FAT USB`
			`flash drive or to your EFI System Partition (ESP).`
			`For use with most UEFIs' built-in key managers, copy the *.cer files.`

			`To add Microsoft's certificates use KeyTool or UEFI to append`
			`add_MS_db.auth to the signature database.`
			`EOF`
			`exit 0`
			`;;`
			`m)`
			`mskeys=1`
			`;;`
			`\?)`
			`echo "Invalid option: -$OPTARG" >&2`
			`usage >&2`
			`exit 1`
			`;;`
			`esac`
			`done`

			`generate_keys`
			`if [ $mskeys -eq 1 ]; then`
			`generate_ms_db`
			`fi`