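#!/usr/bin/env bash
# Copyright (c) 2015 by Roderick W. Smith
# Copyright (c) 2020 Corey Hinshaw
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# sbkeys: generate a set of UEFI Secure Boot keys (PK, KEK, DB) in the
# current directory and, with -m, a signature-database update carrying
# the two Microsoft CA certificates.
#
# Usage:       sbkeys [-h] [-m]
# Environment: DEBUG  - non-empty enables command tracing (set -x)
# Tools:       openssl, uuidgen, cert-to-efi-sig-list, sign-efi-sig-list;
#              with -m also wget and sbsiglist.

[ -n "${DEBUG:-}" ] && set -x
set -euo pipefail

#######################################
# Print the command-line synopsis to stdout.
#######################################
usage() {
  cat <<EOF
Usage: sbkeys [OPTION]...
Generate secure boot keys

Options:
  -h  Print this help text
  -m  Generate signature database entries for Microsoft certificates
EOF
}

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'sbkeys: %s\n' "$*" >&2
  exit 1
}

#######################################
# Verify that every named tool is on PATH before anything is written.
# A tool missing halfway through would otherwise leave a partial key set
# behind, and generate_keys then refuses to run again because some of the
# files already exist.
# Arguments: tool names
# Returns:   0 if all are present; exits via die otherwise
#######################################
require_tools() {
  local tool
  for tool in "$@"; do
    command -v -- "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
  done
}

#######################################
# Generate the PK, KEK and DB key pairs, their EFI signature lists and the
# signed update files in the current directory.
# Outputs:   PK/KEK/DB .key .crt .cer .esl .auth, noPK.esl, noPK.auth,
#            myGUID.txt; prompts on stdout and reads the Common Name from stdin
# Returns:   0; returns early without writing anything if any of the
#            output files already exists
#######################################
generate_keys() {
  local -ra keys=(
    PK.key PK.crt PK.cer PK.esl PK.auth
    KEK.key KEK.crt KEK.cer KEK.esl KEK.auth
    DB.key DB.crt DB.cer DB.esl DB.auth
    noPK.esl noPK.auth myGUID.txt
  )
  local file name guid stamp

  # Do not create new keys if key files already exist
  for file in "${keys[@]}"; do
    if [[ -f "$file" ]]; then
      echo "Skipping key generation: keys already exist in $(pwd)"
      return
    fi
  done

  printf 'Enter a Common Name to embed in the keys: '
  read -r name
  # '/' separates RDNs in an openssl -subj string and '\' escapes there, so
  # either character in the name would alter the certificate subject
  # instead of being part of the CN.
  [[ -n "$name" ]] || die "Common Name must not be empty"
  [[ "$name" != *[/\\]* ]] || die "Common Name must not contain '/' or '\\'"

  # Create the private key files owner-only before openssl writes them.
  # openssl truncates an existing file in place, so the 0600 mode survives
  # and the keys are never readable by others, not even before the chmod
  # at the end.
  ( umask 077 && : > PK.key && : > KEK.key && : > DB.key )

  # Platform key
  openssl req -new -x509 \
    -subj "/CN=${name} PK/" -days 3650 -nodes \
    -newkey rsa:2048 -sha256 \
    -keyout PK.key -out PK.crt
  openssl x509 -in PK.crt -out PK.cer -outform DER

  # Key exchange key
  openssl req -new -x509 \
    -subj "/CN=${name} KEK/" -days 3650 -nodes \
    -newkey rsa:2048 -sha256 \
    -keyout KEK.key -out KEK.crt
  openssl x509 -in KEK.crt -out KEK.cer -outform DER

  # Signature database
  openssl req -new -x509 \
    -subj "/CN=${name} DB/" -days 3650 -nodes \
    -newkey rsa:2048 -sha256 \
    -keyout DB.key -out DB.crt
  openssl x509 -in DB.crt -out DB.cer -outform DER

  # Owner GUID recorded in every signature list; kept in myGUID.txt so
  # later updates can use the same value.
  guid="$(uuidgen -r)"
  printf '%s\n' "$guid" > myGUID.txt

  cert-to-efi-sig-list -g "$guid" PK.crt PK.esl
  cert-to-efi-sig-list -g "$guid" KEK.crt KEK.esl
  cert-to-efi-sig-list -g "$guid" DB.crt DB.esl
  # Empty list signed by the PK: enrolling it clears the PK.
  : > noPK.esl

  # One timestamp for all four signed updates (the original recomputed it
  # per call; a shared value keeps the .auth files consistent).
  stamp="$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')"
  sign-efi-sig-list -t "$stamp" -k PK.key -c PK.crt PK PK.esl PK.auth
  sign-efi-sig-list -t "$stamp" -k PK.key -c PK.crt PK noPK.esl noPK.auth
  sign-efi-sig-list -t "$stamp" -k PK.key -c PK.crt KEK KEK.esl KEK.auth
  sign-efi-sig-list -t "$stamp" -k KEK.key -c KEK.crt DB DB.esl DB.auth

  chmod 0600 -- *.key
}

#######################################
# Download Microsoft's Windows Production PCA 2011 and UEFI CA 2011
# certificates and build a DB signature list plus a KEK-signed append
# update from them.
# Globals:   reads KEK.key and KEK.crt from the current directory
# Outputs:   MS_db.esl, add_MS_db.auth; certificate fingerprints on stdout
# Returns:   0; returns early if the output files already exist
#######################################
generate_ms_db() {
  local -r msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b
  local -r win_crt=MicWinProPCA2011_2011-10-19.crt
  local -r uefi_crt=MicCorUEFCA2011_2011-06-27.crt
  local -ra msdb=(MS_db.esl add_MS_db.auth)
  local file

  for file in "${msdb[@]}"; do
    if [[ -f "$file" ]]; then
      echo "Microsoft signature lists already exist in $(pwd)"
      return
    fi
  done

  # -O pins the output name: without it a leftover copy makes wget write
  # "<name>.1" and the stale file would be the one added to the DB.
  # --https-only refuses to follow a redirect down to plain HTTP.
  wget --https-only --user-agent="Mozilla" -O "$win_crt" \
    "https://www.microsoft.com/pkiops/certs/$win_crt"
  wget --https-only --user-agent="Mozilla" -O "$uefi_crt" \
    "https://www.microsoft.com/pkiops/certs/$uefi_crt"

  # Fail here rather than in sbsiglist if a download is not a DER
  # certificate, and print the SHA-256 fingerprints: TLS is the only
  # authenticity check in this script, so compare them against the values
  # Microsoft publishes before enrolling add_MS_db.auth.
  openssl x509 -inform DER -in "$win_crt" -noout -fingerprint -sha256
  openssl x509 -inform DER -in "$uefi_crt" -noout -fingerprint -sha256

  sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl "$win_crt"
  sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl "$uefi_crt"
  cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
  # -a marks the update as an append, so existing DB entries are kept.
  sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth
  rm -f -- MS_Win_db.esl MS_UEFI_db.esl "$win_crt" "$uefi_crt"
}

#######################################
# Parse options, check for the needed tools and run the generation steps.
# Arguments: command-line arguments
#######################################
main() {
  local mskeys=0 opt
  while getopts ":hm" opt; do
    case "$opt" in
      h)
        usage
        cat <<EOF

For use with KeyTool, copy the *.auth and *.esl files to a FAT USB
flash drive or to your EFI System Partition (ESP).
For use with most UEFIs' built-in key managers, copy the *.cer files.
To add Microsoft's certificates use KeyTool or UEFI to append
add_MS_db.auth to the signature database.
EOF
        exit 0
        ;;
      m) mskeys=1 ;;
      \?)
        echo "Invalid option: -$OPTARG" >&2
        usage >&2
        exit 1
        ;;
    esac
  done
  shift $((OPTIND - 1))

  require_tools openssl uuidgen cert-to-efi-sig-list sign-efi-sig-list
  if (( mskeys == 1 )); then
    require_tools wget sbsiglist
  fi

  generate_keys
  if (( mskeys == 1 )); then
    generate_ms_db
  fi
}

main "$@"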