54 lines
1.5 KiB
Bash
Executable File
54 lines
1.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
if [ -z "$BUILDDIR" ]; then
|
|
echo "BUILDDIR is not defined"
|
|
exit 1
|
|
fi
|
|
|
|
KEYDIR="${BUILDDIR}/keys"
|
|
|
|
if [ -d "${KEYDIR}" ]; then
|
|
echo "${KEYDIR} directory already is exist"
|
|
echo "Skipping generating keys"
|
|
exit 1
|
|
fi
|
|
|
|
mkdir "${KEYDIR}"
|
|
cd "${KEYDIR}"
|
|
|
|
echo "Generating private/public keys in .key/.crt format for PK, KEK et db"
|
|
|
|
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_PK/ \
|
|
-keyout PK.key -out PK.crt -nodes -days 365
|
|
|
|
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_KEK/ \
|
|
-keyout KEK.key -out KEK.crt -nodes -days 365
|
|
|
|
openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_db/ \
|
|
-keyout db.key -out db.crt -nodes -days 365
|
|
|
|
|
|
echo "Generatic EFI signature list file with PK, KEK et db public key"
|
|
|
|
cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
|
|
PK.crt PK.esl;
|
|
|
|
cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
|
|
KEK.crt KEK.esl
|
|
|
|
cert-to-efi-sig-list -g 11111111-2222-3333-4444-123456789abc \
|
|
db.crt db.esl
|
|
|
|
echo "Generatic EFI AUTH file with PK, KEK et db public key"
|
|
|
|
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
|
|
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
|
|
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
|
|
|
|
echo "Generatic DER files with PK, KEK et db public key"
|
|
|
|
# der certificate are need for OVMF based firmware (virtual machine)
|
|
openssl x509 -in PK.crt -outform der -out PK.der
|
|
openssl x509 -in KEK.crt -outform der -out KEK.der
|
|
openssl x509 -in db.crt -outform der -out db.der
|