authorJan Janssen <medhefgo@web.de>2023-02-01 14:43:59 +0100
committerJan Janssen <medhefgo@web.de>2023-02-01 16:52:28 +0100
commit6ba14371c7fbab2e40c6d1d6329cd1fafacd070e (patch)
tree7a66117d00973da446dc17594affb897e5c08b5f /man/loader.conf.xml
parent951174e4fe3a704e385547a875811723ba00ef7c (diff)
downloadsystemd-6ba14371c7fbab2e40c6d1d6329cd1fafacd070e.tar.gz
man: Use sbsigntools for secure boot key generation example
This way, people do not need efitools installed to generate these, as sbsigntools has everything needed to produce signed EFI variables.
Diffstat (limited to 'man/loader.conf.xml')
-rw-r--r--man/loader.conf.xml13
1 files changed, 7 insertions, 6 deletions
diff --git a/man/loader.conf.xml b/man/loader.conf.xml
index 80122177e5..8808461ceb 100644
--- a/man/loader.conf.xml
+++ b/man/loader.conf.xml
@@ -254,8 +254,8 @@
<programlisting>uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
- openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
- cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
+ openssl x509 -outform DER -in "${key}.crt" -out "${key}.der"
+ sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
done
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
@@ -266,7 +266,7 @@ done
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
cat MicWinProPCA2011_2011-10-19.esl >> db.esl
-# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
+# Optionally add Microsoft Corporation UEFI CA 2011 for firmware drivers / option ROMs
# and third-party boot loaders (including shim). This is highly recommended on real
# hardware as not including this may soft-brick your device (see next paragraph).
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
@@ -276,9 +276,10 @@ cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
# key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output PK.auth PK PK.esl
+sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl
+sbvarsign --attr ${attr} --key KEK.key --cert KEK.crt --output db.auth db db.esl
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the
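Review bot: The three new `sbvarsign` lines pass `${attr}` unquoted, while every other expansion in the listing is quoted (`"${uuid}"`, `"${key}.esl"`); the value holds no whitespace today, but `--attr "${attr}"` keeps the example consistent and safe to copy verbatim. Separately, the key-generation line kept as context in the first hunk, `openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"`, relies on OpenSSL defaults: `-x509` without `-days` produces a certificate valid for only 30 days, and the key type and size come from the installed OpenSSL configuration, so an example whose certificates are enrolled into firmware and reused for years should spell out something like `-newkey rsa:2048 -days 3650` (firmware support for larger RSA keys varies, so the text should advise staying at 2048 unless the platform is known to accept more). Firmware generally does not enforce certificate expiry when checking Secure Boot signatures, but that is implementation-dependent, so a one-line comment above the loop stating the chosen validity and why would help readers who adapt the snippet. The `<programlisting>` spans all three hunks, so the lines between them are not visible here.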