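#!/usr/bin/env bash
# Generate the key material needed by the UEFI Secure Boot implementation,
# under $BUILDDIR/keys:
#   db.auth db.der db.key KEK.crt KEK.esl PK.auth PK.der PK.key
#   db.crt  db.esl KEK.auth KEK.der KEK.key PK.crt PK.esl
# plus swupdate.key / swupdate.crt used to sign and verify SWUpdate images.
#
# This script is run every time the CoreOS build environment is sourced, so
# every step is idempotent: a file is only created when it is missing and an
# existing file is never overwritten.
#
# Note: in the build environment stdout is redirected to /dev/null but not
# stderr, so anything the user must see is written to stderr.
#
# The subjects (CN=TEST_PK/TEST_KEK/TEST_db), the fixed signature-owner GUID
# and the 365-day validity mark these as development keys. Private keys are
# written unencrypted (-nodes) with whatever umask the caller has.

set -e

# Terminal colours used by the logging below.
RED='\033[0;31m'
GREEN='\033[0;32m'
BOLD='\033[1m'
RESET='\033[0m'

# Ensure that BUILDDIR is defined
# ==============================================================================
# This is usually done inside the coreos-init-build-env script.
# The messages go to stderr: the original used `2>&1`, which sent them to
# stdout, i.e. to /dev/null in the build environment, so the failure was silent.
if [ -z "$BUILDDIR" ]; then
  echo -e "${RED}BUILDDIR is not defined${RESET}" >&2
  echo -e "Have you run the coreos-init-buildenv script?" >&2
  exit 1
fi

# We need the KEYDIR directory to exist
# ==============================================================================
# All generated files are relative to KEYDIR, so the rest of the script runs
# from inside it.
KEYDIR="${BUILDDIR}/keys"
mkdir -p "${KEYDIR}"
cd "${KEYDIR}"

# We need openssl, cert-to-efi-sig-list and sign-efi-sig-list
# ==============================================================================

#######################################
# Abort the script if a required command is not in PATH.
# Arguments: $1 - command name
# Outputs:   success line on stdout; failure lines on stderr
# Returns:   0 when found, exits 1 otherwise
#######################################
assert_command_in_path() {
  if command -v "$1" >/dev/null 2>&1; then
    echo -e "✓ Command ${GREEN}${1}${RESET} was found"
  else
    echo -e "✗ ${RED}Command ${BOLD}${1}${RESET}${RED} was not found in your path${RESET}" >&2
    echo -e "Please check the coreos-documentation for the list of required packages" >&2
    exit 1
  fi
}

assert_command_in_path openssl
assert_command_in_path cert-to-efi-sig-list
assert_command_in_path sign-efi-sig-list

# Generate all the keys, as needed
# ==============================================================================
# Only generate a file if it is missing and don't fail if it already exists.

#######################################
# Check that every given path exists.
# Arguments: $@ - file names, relative to KEYDIR
# Outputs:   one "already exist" line on stdout per file that is present
# Returns:   0 when all files exist, 1 at the first missing file
#######################################
check_files_exist() {
  local file
  for file in "$@"; do
    # Test before reporting: the original printed "already exist" for every
    # argument, including the missing one that made it return 1.
    if [ ! -e "$file" ]; then
      return 1
    fi
    echo -e "✓ File ${GREEN}${file}${RESET} already exist"
  done
  return 0
}

echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
# Self-signed RSA-2048 certificates; the private key is left unencrypted
# (-nodes) because the build needs to use it non-interactively.
check_files_exist PK.key PK.crt || \
  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
    -keyout PK.key -out PK.crt -nodes -days 365
check_files_exist KEK.key KEK.crt || \
  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
    -keyout KEK.key -out KEK.crt -nodes -days 365
check_files_exist db.key db.crt || \
  openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
    -keyout db.key -out db.crt -nodes -days 365

echo "Generatic EFI signature list file with PK, KEK et db public key"
# The -g value is the signature-owner GUID recorded in the EFI_SIGNATURE_LIST;
# the same placeholder is used for all three lists.
check_files_exist PK.esl || \
  cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
    PK.crt PK.esl
check_files_exist KEK.esl || \
  cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
    KEK.crt KEK.esl
check_files_exist db.esl || \
  cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
    db.crt db.esl

echo "Generatic EFI AUTH file with PK, KEK et db public key"
# Signing hierarchy: PK signs itself and the KEK; the KEK signs db.
check_files_exist PK.auth || sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
check_files_exist KEK.auth || sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
check_files_exist db.auth || sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth

echo "Generatic DER files with PK, KEK et db public key"
# DER certificates are needed for OVMF based firmware (virtual machine).
check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der

# Keys needed to sign and verify SWUpdate (RSA-4096, default validity).
check_files_exist swupdate.key swupdate.crt || \
  openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
    -out swupdate.crt -subj "/O=SWUpdate /CN=target"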