#!/bin/bash
# sbtool-genkey: create an x509 signing key and a self-signed certificate for
# kernel/module signing and UEFI Secure Boot validation (see help()).
#
# Abort on the first failing command; steps whose failure needs a message are
# still checked explicitly further down.
set -e
# Script name as shown in usage/help output.
progname=$(basename -- "$0")
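#######################################
# EXIT trap: remove the temporary OpenSSL config file, if one was created.
# Globals:   genkey (read) - path of the temp file, empty/unset until mktemp ran
# Returns:   0 always; written as if/then rather than `test && rm` so the
#            function does not return non-zero merely because $genkey is
#            still empty (e.g. when mktemp itself failed before assigning it).
#######################################
cleanup() {
  if [[ -n "${genkey:-}" ]]; then
    rm -f -- "$genkey"
  fi
}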
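#######################################
# Build the default certificate Common Name from the invoking user's GECOS
# full name, falling back to the login name.
# Globals:   USER (read)
# Outputs:   "<name>'s Secure Boot Signkey" on stdout
# Returns:   0
#######################################
default_common_name() {
  local user name
  # Resolve the login name up front. The original passed $USER unquoted:
  # unset or empty, `getent passwd` with no key dumps every passwd entry and
  # the first entry's GECOS field would have been used as the name.
  user=${USER:-$(id -un)}
  name=$(getent passwd "$user" | cut -d : -f 5 | cut -d , -f 1)
  if [[ -z "$name" ]]; then
    name=$user
  fi
  printf '%s\n' "${name}'s Secure Boot Signkey"
}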
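# Defaults for the certificate subject and digest; each can be overridden by
# an option (see _usage) and is validated after argument parsing.
CN=$(default_common_name)
# Prefer the FQDN for the e-mail domain, but fall back to the short hostname:
# a failing `hostname -f` (unresolvable host) inside this assignment would
# otherwise abort the whole script under set -e with no message of our own.
EMAIL="${USER}@$(hostname -f 2>/dev/null || hostname)"
# Passed to openssl as a digest option, i.e. "-sha256".
HASH=sha256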
#######################################
# Print the option summary, one line per entry.
# Shared by help() (to stdout) and usage() (to stderr).
# Globals:   progname, EMAIL, CN (read) - current values shown as defaults
# Outputs:   option summary on stdout
#######################################
_usage() {
  printf '%s\n' \
    "$progname [options ...] /path/to/certificate" \
    "options:" \
    "-h|--help: This message" \
    "-H|--hash <hash>: Specify which hash to use in the key (default: sha256)" \
    "-f|--force: Force overwrite of existing certificate and ignore warnings" \
    "about mismatched hashes." \
    "-e|--email: Email address to associate with the key" \
    "(default: $EMAIL)" \
    "-c|--common-name: Common Name to associate with the key." \
    "(default: $CN)"
}
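#######################################
# Print a diagnostic line on stderr.
# Arguments: message words, joined by single spaces
# Outputs:   the message on stderr
# Returns:   0
#######################################
warn() {
  # printf rather than echo: a message starting with "-n" or "-e" (e.g. a
  # user-supplied file name) would otherwise be swallowed as an echo option.
  printf '%s\n' "$*" >&2
}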
#######################################
# Report a fatal error and terminate the script.
# Arguments: message words (passed to warn)
# Outputs:   the message on stderr
# Returns:   does not return; exits with status 1
#######################################
error() {
  warn "$*"
  exit 1
}
#######################################
# --help handler: long description plus option summary on stdout.
# Globals:   progname (read)
# Returns:   does not return; exits with status 0
#######################################
help() {
  printf '%s\n' \
    "$progname will generate an x509 key suitable for use in signing kernel" \
    "binaries and modules. It will also generate a certificate suitable for" \
    "use by UEFI Secure Boot to validate the kernel and modules at boot time."
  _usage
  exit 0
}
#######################################
# Invalid-invocation handler: option summary on stderr.
# Returns:   does not return; exits with status 1
#######################################
usage() {
  _usage >&2
  exit 1
}
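# --- argument parsing -------------------------------------------------------
# `|| usage` instead of a separate `test $? -ne 0`: under set -e a failing
# getopt inside a plain assignment aborted the script before the status check
# could run, so invalid options never reached usage().
options=$(getopt -o H:hfc:e: --long hash:,help,force,email:,common-name: -- "$@") || usage
# getopt emits a shell-quoted word list; keep the variable quoted so the shell
# does not word-split or glob it before eval re-parses it.
eval set -- "$options"
FORCE=false
while true; do
  case "$1" in
    -H|--hash)
      HASH=$2
      shift
      ;;
    -f|--force)
      FORCE=true
      ;;
    -h|--help)
      help
      ;;
    -c|--common-name)
      CN=$2
      shift
      ;;
    -e|--email)
      EMAIL=$2
      shift
      ;;
    --)
      shift
      break
      ;;
    *)
      usage
      ;;
  esac
  shift
done
if (( $# == 0 )); then
  # Diagnostics belong on stderr (usage() also writes there).
  warn "missing output file"
  usage
fi
OUTPUT=$1

# --- validation -------------------------------------------------------------
if [[ -e "$OUTPUT" && "$FORCE" == "false" ]]; then
  error "$OUTPUT already exists. Overwrite with --force"
fi
[[ -n "$CN" ]]    || error "Empty CN is not valid."
[[ -n "$EMAIL" ]] || error "Empty email is not valid."
[[ -n "$HASH" ]]  || error "Empty hash is not valid."

#######################################
# Write the OpenSSL req(1) configuration for the self-signed signing cert.
# Globals:   CN, EMAIL (read)
# Arguments: $1 - path of the config file to write
# Returns:   0, or non-zero if the file cannot be written
#######################################
write_req_config() {
  local path=$1
  # Notes on key usage:
  #   module signing requires digitalSignature
  #   Secure Boot requires codeSigning
  cat <<END > "$path"
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
CN = "${CN}"
emailAddress = "${EMAIL}"
[ myexts ]
basicConstraints=critical,CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
keyUsage=critical, digitalSignature
extendedKeyUsage=codeSigning
END
}

# --- key and certificate generation -----------------------------------------
# Register the trap before creating the temp file so that a failing mktemp
# still runs cleanup (which tolerates an empty $genkey).
trap cleanup EXIT
genkey=$(mktemp "${TMPDIR:-/tmp}/genkey.XXXXXX")
write_req_config "$genkey"
# -"$HASH" is the digest option (e.g. -sha256); -nodes leaves the private key
# unencrypted; -out and -keyout name the same file, so $OUTPUT is expected to
# end up holding both key and certificate (confirm against the openssl
# version in use).
if ! openssl req -new -nodes -utf8 -"$HASH" -days 36500 -batch -x509 \
    -config "$genkey" -outform PEM -out "$OUTPUT" \
    -keyout "$OUTPUT"; then
  error "Failed to generate signing key and certificate."
fi
# $OUTPUT contains an unencrypted private key: make it owner-only regardless
# of the caller's umask or of what this openssl version does for -keyout.
chmod 0600 -- "$OUTPUT"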