<programlisting>uuid=$(systemd-id128 new --uuid)
for key in PK KEK db; do
openssl req -new -x509 -subj "/CN=${key}/" -keyout "${key}.key" -out "${key}.crt"
- openssl x509 -outform DER -in "${key}.crt" -out "${key}.cer"
- cert-to-efi-sig-list -g "${uuid}" "${key}.crt" "${key}.esl"
+ openssl x509 -outform DER -in "${key}.crt" -out "${key}.der"
+ sbsiglist --owner "${uuid}" --type x509 --output "${key}.esl" "${key}.der"
done
for key in MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt MicCorKEKCA2011_2011-06-24.crt; do
# Optionally add Microsoft Windows Production CA 2011 (needed to boot into Windows).
cat MicWinProPCA2011_2011-10-19.esl >> db.esl
-# Optionally add Microsoft Corporation UEFI CA 2011 (for firmware drivers / option ROMs
+# Optionally add Microsoft Corporation UEFI CA 2011 for firmware drivers / option ROMs
# and third-party boot loaders (including shim). This is highly recommended on real
# hardware as not including this may soft-brick your device (see next paragraph).
cat MicCorUEFCA2011_2011-06-27.esl >> db.esl
# key. The revocation database can be updated with <citerefentry><refentrytitle>fwupdmgr</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
cat MicCorKEKCA2011_2011-06-24.esl >> KEK.esl
-sign-efi-sig-list -c PK.crt -k PK.key PK PK.esl PK.auth
-sign-efi-sig-list -c PK.crt -k PK.key KEK KEK.esl KEK.auth
-sign-efi-sig-list -c KEK.crt -k KEK.key db db.esl db.auth
+attr=NON_VOLATILE,RUNTIME_ACCESS,BOOTSERVICE_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS
+sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output PK.auth PK PK.esl
+sbvarsign --attr ${attr} --key PK.key --cert PK.crt --output KEK.auth KEK KEK.esl
+sbvarsign --attr ${attr} --key KEK.key --cert KEK.crt --output db.auth db db.esl
</programlisting>
<para>This feature is considered dangerous because even if all the required files are signed with the
projects / thirdparty / systemd.git / commitdiff
