
@andir
Last active December 24, 2018 14:23
Creating, installing and signing Secure Boot keys/images
# efitools: the EFI signature-list / authenticated-variable tooling
# (cert-to-efi-sig-list, sign-efi-sig-list, efi-readvar, efi-updatevar)
# used by the shell steps that follow this expression.
{ stdenv, fetchurl, gnu-efi, openssl, sbsigntool, perl, perlPackages, help2man }:

let
  version = "1.8.1";
in

stdenv.mkDerivation {
  name = "efitools-${version}";

  # Upstream release tarball, pinned by content hash.
  src = fetchurl {
    url = "https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/snapshot/efitools-${version}.tar.gz";
    sha256 = "0f1xkmlh8cn09kh7kl65x3q4xsx3bg5yvsgs9j6g74hv38xgbx34";
  };

  nativeBuildInputs = [ openssl sbsigntool perl help2man ];
  buildInputs = [ gnu-efi ];

  # xxdi.pl is executed during the build and imports File::Slurp.
  PERL5LIB = stdenv.lib.makePerlPath (with perlPackages; [ FileSlurp ]);

  # Make.rules hard-codes FHS locations: point the gnu-efi headers/libs at
  # the store path, drop the /usr prefix for everything else, and give the
  # perl helper an absolute interpreter.
  postPatch = ''
    substituteInPlace Make.rules \
      --replace '/usr/include/efi' '${gnu-efi}/include/efi' \
      --replace '/usr/lib/gnuefi' '${gnu-efi}/lib' \
      --replace "/usr/" "/"
    sed -e '1 s@/usr/bin/env perl@${perl}/bin/perl@' -i ./xxdi.pl
  '';

  # The install target honours DESTDIR rather than a prefix variable.
  preInstall = ''
    export DESTDIR=$out
  '';
}
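#!/usr/bin/env bash
# Generate a Secure Boot key hierarchy (PK -> KEK -> db), enrol it into the
# firmware's authenticated UEFI variables and sign the GRUB image with the db
# key.
#
# Requires: openssl, efitools (cert-to-efi-sig-list, sign-efi-sig-list,
# efi-readvar, efi-updatevar), sbsigntool and efivar. Must run as root with
# efivarfs mounted; the firmware should be in setup mode (PK cleared) so the
# first PK write is accepted.
set -euo pipefail

# All key material and backups live in this working directory.
mkdir -p secure_boot
cd secure_boot

# The private keys are written unencrypted (-nodes); make them unreadable to
# other users from the moment they are created.
umask 077

# One self-signed RSA-2048 certificate per variable: the Platform Key (PK),
# the Key Exchange Key (KEK) and the signature database (db).
# (The original paste had doubled/missing line continuations here, which
# split the openssl command into separate broken commands.)
for key in PK KEK db; do
  openssl req -new -x509 -newkey rsa:2048 \
    -subj "/CN=$key/" -keyout "$key.key" \
    -out "$key.crt" -days 7300 -nodes -sha256
done

# Snapshot the current firmware variables before touching anything, so the
# vendor PK/KEK/db/dbx can be restored later. The copy must go into the
# backup directory, not the working directory.
efivar -l
mkdir -p .original
cp -avr /sys/firmware/efi/efivars/* .original/

# Sign the bootloader with the db key. Without --output, sbsign writes
# grubx64.efi.signed next to the input and leaves the original untouched.
sbsign --key db.key --cert db.crt /boot/efi/EFI/grub/grubx64.efi

# Wrap each certificate in an EFI signature list and build the authenticated
# variable payload. Each payload is signed by the key one level up the
# hierarchy: PK signs itself, PK signs KEK, KEK signs db.
cert-to-efi-sig-list PK.crt PK.esl
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
cert-to-efi-sig-list KEK.crt KEK.esl
sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth
cert-to-efi-sig-list db.crt db.esl
sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth

# efivarfs marks authenticated variables immutable; clear the flag or the
# writes below fail with EPERM. A variable that does not exist yet (a cleared
# PK, or no dbx) makes chattr fail on the unexpanded glob, which is harmless.
chattr -i /sys/firmware/efi/efivars/{PK,KEK,db,dbx}-* || true

# Show what is currently enrolled, then enrol bottom-up: writing PK is what
# takes the platform out of setup mode, so db and KEK are written first.
efi-readvar PK
efi-updatevar -f db.auth db
efi-updatevar -f KEK.auth KEK
efi-updatevar -f PK.auth PK
efi-readvar

# NOTE(review): this copies a `grub` entry *inside* /boot/efi/EFI/grub to
# grub_signed; the intended backup source is unclear from the original —
# confirm before relying on it.
cd /boot/efi/EFI/grub
cp -rv grub grub_signed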