From 3fd9be3ac621ac01d98a291187d1a2c58f15ca64 Mon Sep 17 00:00:00 2001 From: Kevin Reeuwijk Date: Fri, 20 Sep 2024 15:57:51 +0200 Subject: [PATCH] Support extra KEK/db keys --- Earthfile | 6 ++++-- README.md | 13 +++++++++++++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/Earthfile b/Earthfile index 4db04ef..9fbbaf3 100644 --- a/Earthfile +++ b/Earthfile @@ -419,6 +419,8 @@ uki-byok: RUN apt-get update && apt-get install -y efitools curl COPY +download-sbctl/sbctl /usr/bin/sbctl COPY --if-exists secure-boot/exported-keys/ /exported-keys + COPY --if-exists secure-boot/extra-KEK-keys/ /usr/share/secureboot/keys/custom/KEK/ + COPY --if-exists secure-boot/extra-db-keys/ /usr/share/secureboot/keys/custom/db/ COPY secure-boot/private-keys/ secure-boot/public-keys /keys WORKDIR /keys RUN sbctl import-keys \ @@ -430,9 +432,9 @@ uki-byok: --db-cert /keys/db.pem RUN sbctl create-keys IF [ "$INCLUDE_MS_SECUREBOOT_KEYS" = "false" ] - RUN sbctl enroll-keys --export esl --yes-this-might-brick-my-machine + RUN sbctl enroll-keys --custom --export esl --yes-this-might-brick-my-machine ELSE - RUN sbctl enroll-keys --export esl --yes-this-might-brick-my-machine --microsoft + RUN sbctl enroll-keys --custom --export esl --yes-this-might-brick-my-machine --microsoft END RUN mkdir -p /output RUN cp PK.esl /output/PK.esl 2>/dev/null diff --git a/README.md b/README.md index 4664dbc..4a662fa 100644 --- a/README.md +++ b/README.md @@ -270,6 +270,19 @@ secure-boot/ | | PK.pem ``` +Optionally, you can add additional public keys to be added to the KEK and/or db database, by placing them in the following directories: +```shell +secure-boot/ +| extra-KEK-keys <-- extra KEK keys to include, can be any filename, supports PEM and DER certificates +| | key1.pem +| | key2.pem +| | ... +| extra-db-keys <-- extra db keys to include, can be any filename, supports PEM and DER certificates +| | key1.pem +| | key2.pem +| | ... +``` + 3. Generate keys for Trusted Boot ```shell