@Tatsh
Last active May 24, 2022 02:49
Dual boot with Secure Boot enabled: generate your own PK/KEK/db, but keep the firmware's existing KEK, db and dbx entries (e.g. the vendor/Microsoft ones) so the other OS keeps booting. Requires the efitools package (app-crypt/efitools on Gentoo). Run step1, clear the keystore from the firmware setup menu, then run step2.
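#!/usr/bin/env bash
# step1.sh — generate a personal Secure Boot key hierarchy (PK, KEK, db) and
# build the signed variable payloads that step2.sh enrols.  The firmware's
# current KEK, db and dbx contents are captured first and re-emitted together
# with the new certificates ("compound" lists), so loaders already trusted by
# the vendor entries keep booting after the switch.
#
# Run as root (writes under /etc/secureboot).  Everything lands in ~/keystuff:
#   key/  private keys (unencrypted, mode 0400 — treat as highly sensitive)
#   crt/  PEM certificates      der/  DER copies of the same certificates
#   esl/  EFI signature lists   auth/ signed variable payloads for enrolment
#
# Re-running regenerates the keys.  If the previous PK is already enrolled in
# firmware, discarding key/PK.key means this hierarchy can no longer be updated
# without clearing the keystore again, so an existing key/PK.key aborts the run
# unless KEYSTUFF_FORCE=1 is set.
set -euo pipefail

die() { printf 'step1: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root (writes /etc/secureboot)"
for tool in efi-readvar cert-to-efi-sig-list sign-efi-sig-list openssl uuidgen hostname; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

workdir=~/keystuff
if [[ -e "$workdir/key/PK.key" && "${KEYSTUFF_FORCE:-0}" != 1 ]]; then
  die "$workdir/key/PK.key already exists; set KEYSTUFF_FORCE=1 to regenerate (the old PK will be lost)"
fi
rm -fR "$workdir"/{esl,key,crt,auth,der}
mkdir -p "$workdir"/{esl,key,crt,auth,der}
cd "$workdir"

# Snapshot what the firmware currently holds.  old_KEK/old_db are merged back
# in below; old_dbx (the revocation list) is re-signed so step2 can restore it.
for var in PK KEK db dbx; do
  efi-readvar -v "$var" -o "esl/old_${var}.esl"
done

# One self-signed RSA-2048 certificate per role.  -nodes leaves the private
# keys unencrypted because db.key is later used for unattended kernel signing;
# keep this directory off shared or backed-up storage, and consider moving
# PK.key and KEK.key offline once step2 has enrolled them — anyone holding
# them can sign arbitrary boot components for this machine.
gen_key() {
  local role=$1 label=$2
  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname) ${label}/" \
    -keyout "key/${role}.key" -out "crt/${role}.crt" -days 36500 -nodes -sha256
}
gen_key PK  "platform key"
gen_key KEK "key-exchange-key"
gen_key db  "kernel signing key"
chmod -v 0400 key/*.key

# Wrap each certificate in an EFI signature list and sign it for its variable
# following the chain the firmware enforces: PK is self-signed, KEK is signed
# by PK, db by KEK.  -a marks the payload as an append-write.
cert-to-efi-sig-list -g "$(uuidgen)" crt/PK.crt esl/PK.esl
sign-efi-sig-list -k key/PK.key -c crt/PK.crt PK esl/PK.esl auth/PK.auth
cert-to-efi-sig-list -g "$(uuidgen)" crt/KEK.crt esl/KEK.esl
sign-efi-sig-list -a -k key/PK.key -c crt/PK.crt KEK esl/KEK.esl auth/KEK.auth
cert-to-efi-sig-list -g "$(uuidgen)" crt/db.crt esl/db.esl
sign-efi-sig-list -a -k key/KEK.key -c crt/KEK.crt db esl/db.esl auth/db.auth
# The existing revocation list is re-signed under our KEK so it can be put back
# (as a full replace, not an append) after the keystore has been cleared.
sign-efi-sig-list -k key/KEK.key -c crt/KEK.crt dbx esl/old_dbx.esl auth/old_dbx.auth

# DER copies for firmware setup menus that import certificates directly.
for role in PK KEK db; do
  openssl x509 -outform DER -in "crt/${role}.crt" -out "der/${role}.der"
done

# Compound lists: vendor entries first, ours appended.  These replace the
# variable wholesale, so nothing the firmware previously trusted is dropped.
for var in KEK db; do
  cat "esl/old_${var}.esl" "esl/${var}.esl" > "esl/compound_${var}.esl"
done
sign-efi-sig-list -k key/PK.key -c crt/PK.crt KEK esl/compound_KEK.esl auth/compound_KEK.auth
sign-efi-sig-list -k key/KEK.key -c crt/KEK.crt db esl/compound_db.esl auth/compound_db.auth

# Stage the signed payloads under /etc/secureboot/keys/<variable>/.
# PK.auth is staged under keys/PK/ like the others — the earlier target
# /etc/secureboot/PK/ was never created, so that copy failed under set -e.
mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
cp auth/compound_KEK.auth /etc/secureboot/keys/KEK/
cp auth/compound_db.auth /etc/secureboot/keys/db/
cp auth/old_dbx.auth /etc/secureboot/keys/dbx/
cp auth/PK.auth /etc/secureboot/keys/PK/
echo "Enter BIOS and clear the keystore, then run step2.sh"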
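#!/usr/bin/env bash
# step2.sh — enrol the payloads built by step1.sh.  Must run as root with the
# firmware in Setup Mode (keystore cleared from the BIOS menu); efi-updatevar
# writes the variables through efivarfs.
#
# Order matters: dbx, db and KEK are written as raw signature lists (-e, which
# the firmware only accepts while no PK is present), and PK goes last because
# enrolling a PK ends Setup Mode — from then on only PK/KEK-signed payloads
# are accepted.
set -euo pipefail

die() { printf 'step2: %s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "must run as root"
for tool in efi-updatevar efi-readvar; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool (install efitools)"
done
cd ~/keystuff || die "~/keystuff missing; run step1.sh first"
# Check all inputs before touching any firmware variable, so a missing file
# cannot leave the keystore half-written.
for f in esl/old_dbx.esl esl/compound_db.esl esl/compound_KEK.esl auth/PK.auth key/db.key crt/db.crt; do
  [[ -r "$f" ]] || die "missing $f; run step1.sh first"
done

# SetupMode lives in EFI_GLOBAL_VARIABLE (8be4df61-...); efivarfs prefixes the
# value with 4 attribute bytes, so the flag is byte 5.  Refuse to start if the
# keystore was not cleared — the raw-list writes below would fail part-way.
setupmode=/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
[[ -r "$setupmode" ]] || die "efivarfs not mounted or not an EFI boot"
[[ "$(od -An -tu1 -j4 -N1 "$setupmode" | tr -d ' ')" == 1 ]] \
  || die "firmware is not in Setup Mode; clear the keystore in the BIOS first"

# Raw-list writes (Setup Mode only): restore the vendor revocation list, then
# replace db and KEK with the vendor+own compound lists.
efi-updatevar -e -f esl/old_dbx.esl dbx
for var in db KEK; do
  efi-updatevar -e -f "esl/compound_${var}.esl" "$var"
done
# Enrolling PK leaves Setup Mode; nothing after this is changeable without a
# PK/KEK-signed payload.
efi-updatevar -f auth/PK.auth PK

# Kernel-signing material for rebuild-kernel.  The directory was previously
# assumed to exist, and a plain cp keeps whatever mode an existing destination
# had, so create it and pin the private key to root-only read explicitly.
install -d -m 0700 /etc/efikeys
install -m 0400 key/db.key /etc/efikeys/db.key
install -m 0644 crt/db.crt /etc/efikeys/db.crt

# Read back what the firmware now holds, and make sure a PK actually landed
# before signing a kernel against the new hierarchy.
mkdir -p esl/post-step2
for var in PK KEK db dbx; do
  efi-readvar -v "$var" -o "esl/post-step2/new_${var}.esl"
done
[[ -s esl/post-step2/new_PK.esl ]] || die "PK is still empty after enrolment; check efi-updatevar output"
rebuild-kernel
echo "Enter BIOS and enable (Windows) Secure Boot"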