
man: Use sbsigntools for secure boot key generation example

This way, people do not need efitools installed to generate the signature lists and
signed variable updates, as sbsigntools has everything needed to produce signed EFI variables.
Jan Janssen 2023-02-01 14:43:59 +01:00
parent 951174e4fe
commit 6ba14371c7


@ -254,8 +254,8 @@
<programlisting>uuid=$(systemd-id128 new --uuid) <programlisting>uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt" openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer" openssl x509 -outform DER -in "${key}.crt" -out "${key}.der"
cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl" sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
done done
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
@ -266,7 +266,7 @@ done
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows). # Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
cat MicWinProPCA2011_2011-10-19.esl >> db.esl cat MicWinProPCA2011_2011-10-19.esl >> db.esl
# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs # Optionally add Microsoft Corporation UEFI CA 2011 for firmware drivers / option ROMs
# and third-party boot loaders (including shim). This is highly recommended on real # and third-party boot loaders (including shim). This is highly recommended on real
# hardware as not including this may soft-brick your device (see next paragraph). # hardware as not including this may soft-brick your device (see next paragraph).
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
@ -276,9 +276,10 @@ cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
# key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>. # key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output PK.auth PK PK.esl
sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl
sbvarsign --attr ${attr} --key KEK.key --cert KEK.crt --output db.auth db db.esl
</programlisting> </programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the <para>This feature is considered dangerous because even if all the required files are signed with the