Difference between revisions of "User:Pnoecker/sbkeygen"
(sb keygen with a set directory) |
(→Generating and Installing Secure Boot Certificates: 10 years not 30 lol) |
||
| Line 28: | Line 28: | ||
}} | }} | ||
Generate new certificates valid for | Generate new certificates valid for 10 years: | ||
{{console|body= | {{console|body= | ||
###i## openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days | ###i## openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256 | ||
###i## openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days | ###i## openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256 | ||
###i## openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout db.key -out db.crt -days | ###i## openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256 | ||
}} | }} | ||
Revision as of 03:20, January 20, 2023
Generating and Installing Secure Boot Certificates
Enter the firmware setup utility and put secure boot in setup mode.
Install efitools and sbsigntools:
root # emerge -av app-crypt/efitools app-crypt/sbsigntools
Decide where you want to keep your keys. You may keep them on the hard disk (not recommended), on another machine or on an external drive.
If you keep the keys on an external drive, be aware that gpg creates a socket for gpg-agent in its config directory, so it should reside on a filesystem that supports sockets (i.e., not FAT) and be mounted read-write for signing.
Create the directory in which you will keep the keys:
root # mkdir -p 700 /etc/kernel/sbkeys root # cd /etc/kernel/sbkeys
Save old secure boot certificates:
root # efi-readvar -v PK -o old_PK.esl root # efi-readvar -v KEK -o old_KEK.esl root # efi-readvar -v db -o old_db.esl root # efi-readvar -v dbx -o old_dbx.esl
Generate new certificates valid for 10 years:
root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256 root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256 root # openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout db.key -out db.crt -days 3650 -nodes -sha256
Prepare certificate lists:
root # cert-to-efi-sig-list PK.crt PK.esl root # cert-to-efi-sig-list KEK.crt KEK.esl root # cert-to-efi-sig-list db.crt db.esl
If you want to dual boot preinstalled OSes, add old KEK and db certificates to the new lists:
root # cat old_KEK.esl >>KEK.esl root # cat old_db.esl >>db.esl
Sign the certificate lists:
root # sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth root # sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth root # sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth root # sign-efi-sig-list -k KEK.key -c KEK.crt dbx old_dbx.esl old_dbx.auth
Remount the efivars partition read-write:
root # mount -o remount,rw /sys/firmware/efi/efivars
Install the certificates into EFI:
root # efi-updatevar -f old_dbx.auth dbx root # efi-updatevar -f db.auth db root # efi-updatevar -f KEK.auth KEK root # efi-updatevar -f PK.auth PK