diff options
authordakkar <>2019-07-13 15:20:02 +0100
committerdakkar <>2019-07-13 15:20:02 +0100
commit50ad642fd3199fe97d522d91411ce9d1ef573766 (patch)
parentadd portage-scan (diff)
add make-efi-keys
1 files changed, 47 insertions, 0 deletions
diff --git a/bin/make-efi-keys b/bin/make-efi-keys
new file mode 100755
index 0000000..f6b424e
--- /dev/null
+++ b/bin/make-efi-keys
@@ -0,0 +1,47 @@
+# Copyright (c) 2015 by Roderick W. Smith
+# see
+# modified by Dakkar 2019
+# Licensed under the terms of the GPL v3
+mkdir -p "keys-for-$NAME"
+cd "keys-for-$NAME"
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
+ -out PK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
+ -out KEK.crt -days 3650 -nodes -sha256
+openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
+ -out DB.crt -days 3650 -nodes -sha256
+openssl x509 -in PK.crt -out PK.cer -outform DER
+openssl x509 -in KEK.crt -out KEK.cer -outform DER
+openssl x509 -in DB.crt -out DB.cer -outform DER
+echo $GUID > myGUID.txt
+cert-to-efi-sig-list -g $GUID PK.crt PK.esl
+cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
+cert-to-efi-sig-list -g $GUID DB.crt DB.esl
+rm -f noPK.esl
+touch noPK.esl
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k PK.key -c PK.crt PK PK.esl PK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k PK.key -c PK.crt PK noPK.esl noPK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k PK.key -c PK.crt KEK KEK.esl KEK.auth
+sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
+ -k KEK.key -c KEK.crt db DB.esl DB.auth
+chmod 0600 *.key
+echo ""
+echo ""
+echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
+echo "flash drive or to your EFI System Partition (ESP)."
+echo "For use with most UEFIs' built-in key managers, copy the *.cer files."
+echo ""