Dual boot with Secure Boot enabled. Requires app-crypt/efitools (step1.sh generates and stages the keys, step2.sh enrols them).
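#!/usr/bin/env bash
# step1.sh — generate a private Secure Boot key hierarchy (PK, KEK, db) with
# app-crypt/efitools, back up the firmware's current variables, and stage the
# signed .auth lists under /etc/secureboot for step2.sh.
#
# Requires: efi-readvar, cert-to-efi-sig-list, sign-efi-sig-list (efitools),
#           openssl, uuidgen. Writes to /etc/secureboot, so it must run as
#           root; when started via sudo, "~" is root's home, and step2.sh
#           reads ~/keystuff again, so run both the same way.
set -euo pipefail

# The private keys are written with -nodes (unencrypted). Create every file
# and directory below owner-only from the start instead of relying solely on
# the chmod further down; the caller's umask is restored before the /etc
# staging so the public .auth files keep their usual permissions.
orig_umask=$(umask)
umask 077

keydir=~/keystuff

# Re-running wipes the previously generated keys. The :? guard turns an
# empty expansion into a hard error instead of "rm -fR /{esl,...}".
rm -fR -- "${keydir:?}"/{esl,key,crt,auth,der}
mkdir -p -- "${keydir}"/{esl,key,crt,auth,der}
cd -- "${keydir}"

# Back up what the firmware currently holds. old_dbx.esl is re-signed as-is
# below; old_KEK/old_db are prepended to the new lists (compound_*.esl).
for i in PK KEK db dbx; do
  efi-readvar -v "$i" -o "esl/old_${i}.esl"
done

# One self-signed RSA-2048 certificate per role, 100-year validity.
host=$(hostname)
gen_cert() {
  # $1 = variable name (PK/KEK/db), $2 = human-readable CN suffix
  openssl req -new -x509 -newkey rsa:2048 \
    -subj "/CN=${host} $2/" \
    -keyout "key/$1.key" -out "crt/$1.crt" \
    -days 36500 -nodes -sha256
}
gen_cert PK "platform key"
gen_cert KEK "key-exchange-key"
gen_cert db "kernel signing key"
chmod -v 0400 key/*.key

# Wrap each certificate in an EFI signature list and sign it with the key
# that is allowed to authorise that variable: PK signs PK and KEK, KEK signs
# db and dbx. -a produces append-style updates for KEK and db.
cert-to-efi-sig-list -g "$(uuidgen)" crt/PK.crt esl/PK.esl
sign-efi-sig-list -k key/PK.key -c crt/PK.crt PK esl/PK.esl auth/PK.auth
cert-to-efi-sig-list -g "$(uuidgen)" crt/KEK.crt esl/KEK.esl
sign-efi-sig-list -a -k key/PK.key -c crt/PK.crt KEK esl/KEK.esl auth/KEK.auth
cert-to-efi-sig-list -g "$(uuidgen)" crt/db.crt esl/db.esl
sign-efi-sig-list -a -k key/KEK.key -c crt/KEK.crt db esl/db.esl auth/db.auth
sign-efi-sig-list -k key/KEK.key -c crt/KEK.crt dbx esl/old_dbx.esl auth/old_dbx.auth

# DER copies of the certificates (handy for firmware menus that enrol files
# by hand).
for i in PK KEK db; do
  openssl x509 -outform DER -in "crt/${i}.crt" -out "der/${i}.der"
done

# Compound lists keep whatever was already enrolled in KEK/db alongside the
# new self-generated entries — this is what lets the other OS keep booting
# in the dual-boot setup this gist is for.
for i in KEK db; do
  cat "esl/old_${i}.esl" "esl/${i}.esl" > "esl/compound_${i}.esl"
done
sign-efi-sig-list -k key/PK.key -c crt/PK.crt KEK esl/compound_KEK.esl auth/compound_KEK.auth
sign-efi-sig-list -k key/KEK.key -c crt/KEK.crt db esl/compound_db.esl auth/compound_db.auth

# Stage the signed lists under /etc/secureboot. The PK copy previously went
# to /etc/secureboot/PK/, a directory that was never created (the mkdir
# below only makes keys/PK), so the script aborted under set -e right
# before its final message; PK.auth belongs under keys/ like the others.
umask "$orig_umask"
mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
cp auth/compound_KEK.auth /etc/secureboot/keys/KEK/
cp auth/compound_db.auth /etc/secureboot/keys/db/
cp auth/old_dbx.auth /etc/secureboot/keys/dbx/
cp auth/PK.auth /etc/secureboot/keys/PK/
printf '%s\n' "Enter BIOS and clear the keystore, then run step2.sh"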
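#!/usr/bin/env bash
# step2.sh — enrol the key lists staged by step1.sh into the firmware while
# it is in setup mode (keystore cleared from the BIOS), snapshot the result,
# and rebuild/sign the kernel.
#
# Order matters: dbx, db and KEK are written first with -e (raw .esl, which
# efi-updatevar only accepts in setup mode); PK goes last because enrolling
# it leaves setup mode, after which every write must be a signed .auth
# update. Must run as root (EFI variable writes, /etc/efikeys); use the same
# sudo/non-sudo invocation as step1.sh so "~/keystuff" resolves to the same
# directory.
set -euo pipefail

keydir=~/keystuff
cd -- "${keydir}"

# Refuse to start if step1.sh did not produce everything; a half-enrolled
# keystore (e.g. PK set but no db) is worse than a clean failure here.
for f in esl/old_dbx.esl esl/compound_db.esl esl/compound_KEK.esl \
         auth/PK.auth key/db.key crt/db.crt; do
  [[ -r "$f" ]] || { printf 'missing %s: run step1.sh first\n' "$f" >&2; exit 1; }
done

efi-updatevar -e -f esl/old_dbx.esl dbx
for i in db KEK; do
  efi-updatevar -e -f "esl/compound_${i}.esl" "$i"
done
efi-updatevar -f auth/PK.auth PK

# The db signing key/cert pair is installed to /etc/efikeys for the kernel
# build. The private key is installed owner-only so it is not world-readable
# under /etc (a plain cp would inherit the caller's umask); the cert is public.
mkdir -p /etc/efikeys
install -m 0400 key/db.key /etc/efikeys/db.key
install -m 0644 crt/db.crt /etc/efikeys/db.crt

# Snapshot what the firmware now reports, for comparison against esl/old_*.
# -p keeps a re-run from failing on the existing directory under set -e.
mkdir -p esl/post-step2
for i in PK KEK db dbx; do
  efi-readvar -v "$i" -o "esl/post-step2/new_${i}.esl"
done

# rebuild-kernel is not part of efitools; presumably a local helper that
# rebuilds and signs the kernel with /etc/efikeys — confirm before relying on it.
rebuild-kernel
printf '%s\n' "Enter BIOS and enable (Windows) Secure Boot"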