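#!/bin/bash
# Opencore SecureBoot Tool 0.0.1
# Author: ryanamay, inspo: profzei
#
# Generates a Platform Key, Key Exchange Key and Image Signing Key under
# ./data/keys, builds the signed PK/KEK/db variable updates for KeyTool and
# signs the .efi files found under ./EFI with the ISK. All paths are
# relative to the script's own directory.

# Stop at the first failing command: a failed openssl / sign-efi-sig-list /
# cp step must not be followed by "Keys copied ... successfully" and a
# half-built key set on the KeyTool media.
set -euo pipefail

# Every path below is relative, and the prompts tell the user to put the
# EFI folder "in the same directory as this script", so run from there
# regardless of the caller's working directory.
cd "$(dirname "$0")" || exit 1

echo "============================================================="
echo "OpenCore SecureBoot Tool 0.0.1 by ryanamay, inspired by profzei"
echo "https://github.com/ryanamay/opencore-secureboot-tool"
echo "============================================================="
echo ""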
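#######################################
# Make sure a command is available, installing its package when it is not.
# Arguments:
#   $1 - package name handed to apt-get / dnf / pacman
#   $2 - command the package is expected to provide
# Outputs:   progress to stdout, errors to stderr
# Returns:   0 when the command is available afterwards; exits 1 when no
#            supported package manager exists or the package did not
#            provide the command.
#######################################
check_and_install() {
  local -r package=$1
  local -r cmd=$2
  # Nothing to do when the command is already on PATH.
  if command -v "$cmd" >/dev/null 2>&1; then
    return 0
  fi
  echo "INFO: $package not found, installing..."
  if command -v apt-get >/dev/null 2>&1; then
    sudo apt-get install -y "$package"
  elif command -v dnf >/dev/null 2>&1; then
    sudo dnf install -y "$package"
  elif command -v pacman >/dev/null 2>&1; then
    sudo pacman -S --noconfirm "$package"
  else
    echo "ERROR: Unable to install $package, please install manually!" >&2
    exit 1
  fi
  # Package names differ between distributions, so a successful install does
  # not guarantee the command exists; re-check instead of continuing blindly
  # into a later "command not found".
  if ! command -v "$cmd" >/dev/null 2>&1; then
    echo "ERROR: $package was installed but '$cmd' is still not available, please install it manually!" >&2
    exit 1
  fi
}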
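#######################################
# Print an error to stderr and stop the script. Used by generate_keys so a
# failing step cannot leave a partial key set that is later copied to
# KeyTool as if it were complete.
# Arguments: $* - message
#######################################
_abort() {
  echo "ERROR: $*" >&2
  exit 1
}

#######################################
# Create one self-signed RSA-2048 certificate and its EFI signature list.
# Globals:   NAME (read: common-name prefix), GUID (read: signature owner)
# Arguments: $1 - short name used for the output files (PK, KEK, ISK)
#            $2 - role label appended to the common name
# Outputs:   data/keys/$1.key, data/keys/$1.pem, data/keys/$1.esl
#######################################
_make_self_signed() {
  local -r name=$1
  local -r role=$2
  openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -subj "/CN=$NAME $role" \
    -keyout "data/keys/$name.key" -out "data/keys/$name.pem" \
    || _abort "could not create the $name certificate"
  cert-to-efi-sig-list -g "$GUID" "data/keys/$name.pem" "data/keys/$name.esl" \
    || _abort "could not convert $name.pem to an EFI signature list"
}

#######################################
# Convert a vendor DER certificate to PEM and to an EFI signature list.
# Globals:   GUID (read: signature owner)
# Arguments: $1 - path of the DER certificate
#            $2 - short name used for the output files
# Outputs:   data/keys/$2.pem, data/keys/$2.esl
#######################################
_import_vendor_cert() {
  local -r der=$1
  local -r name=$2
  openssl x509 -in "$der" -inform DER -out "data/keys/$name.pem" -outform PEM \
    || _abort "could not read $der (missing, or not a DER certificate?)"
  cert-to-efi-sig-list -g "$GUID" "data/keys/$name.pem" "data/keys/$name.esl" \
    || _abort "could not convert $name.pem to an EFI signature list"
}

#######################################
# Generate a fresh PK / KEK / ISK key set in data/keys plus the signed PK,
# KEK and db variable updates (.auth) that KeyTool enrols. Any existing key
# set is deleted first.
# Globals:   GUID (written: owner GUID, also saved to data/myGUID.txt)
#            NAME (written: common-name prefix read from stdin)
# Inputs:    data/certs/MicWinProPCA2011_2011-10-19.crt and
#            data/certs/MicCorUEFCA2011_2011-06-27.crt (DER)
# Exits:     1 on any failing step
#######################################
generate_keys() {
  local previous_umask
  echo "Generating new keys..."
  rm -rf data/keys
  rm -f data/myGUID.txt
  mkdir -p data/keys || _abort "could not create data/keys"
  # uuid1() embeds the host MAC address and a timestamp; only uniqueness is
  # needed here, but be aware the GUID is not random.
  GUID=$(python3 -c 'import uuid; print(str(uuid.uuid1()))') || _abort "could not generate a GUID"
  printf '%s\n' "$GUID" >data/myGUID.txt
  echo "Using Generated GUID: $GUID"
  printf 'Enter a common name to embed in the keys: '
  IFS= read -r NAME || _abort "no common name was entered"
  [ -n "$NAME" ] || _abort "the common name must not be empty"
  # '/' separates attributes in openssl's -subj syntax, so a name containing
  # it would add extra subject fields to every certificate.
  case $NAME in
    */*) _abort "the common name must not contain '/'" ;;
  esac
  # Create the private keys with mode 0600 from the start instead of relying
  # on a chmod after the fact.
  previous_umask=$(umask)
  umask 077
  _make_self_signed PK "Platform Key"
  _make_self_signed KEK "Key Exchange Key"
  _make_self_signed ISK "Image Signing Key"
  umask "$previous_umask"
  # db holds the ISK alongside the two Microsoft CA certificates.
  _import_vendor_cert data/certs/MicWinProPCA2011_2011-10-19.crt MsWin
  _import_vendor_cert data/certs/MicCorUEFCA2011_2011-06-27.crt UEFI
  cat data/keys/ISK.esl data/keys/MsWin.esl data/keys/UEFI.esl >data/keys/db.esl \
    || _abort "could not assemble db.esl"
  # Sign the lists: PK signs itself and KEK, KEK signs db.
  sign-efi-sig-list -k data/keys/PK.key -c data/keys/PK.pem PK data/keys/PK.esl data/keys/PK.auth \
    || _abort "could not sign PK.esl"
  sign-efi-sig-list -k data/keys/PK.key -c data/keys/PK.pem KEK data/keys/KEK.esl data/keys/KEK.auth \
    || _abort "could not sign KEK.esl"
  sign-efi-sig-list -k data/keys/KEK.key -c data/keys/KEK.pem db data/keys/db.esl data/keys/db.auth \
    || _abort "could not sign db.esl"
  chmod 0600 data/keys/*.key
  echo "INFO: Keys generated successfully!"
}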
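#######################################
# Fetch a DER certificate over HTTP(S) unless it already exists locally.
# Arguments:
#   $1 - URL to download
#   $2 - destination path
# Outputs:   progress to stdout, errors to stderr
# Returns:   0 when the file exists afterwards, 1 when the download failed
#            or did not yield a DER certificate (the bad file is removed so
#            the next run retries instead of feeding it to openssl).
#######################################
download_if_not_exists() {
  local -r url=$1
  local -r output=$2
  if [ -f "$output" ]; then
    return 0
  fi
  echo "INFO: Missing Certificate! Downloading $url..."
  # -f: an HTTP error must not be saved as the certificate; -L: follow
  # redirects; -S: still print the error despite -s.
  if ! curl -fsSL -o "$output" "$url"; then
    echo "ERROR: Download of $url failed!" >&2
    rm -f -- "$output"
    return 1
  fi
  # TODO(review): compare against the vendor's published fingerprint
  # (<EXPECTED_FINGERPRINT>) — a parse check only proves it is a
  # certificate, not that it is the expected one.
  if ! openssl x509 -in "$output" -inform DER -noout >/dev/null 2>&1; then
    echo "ERROR: $output is not a DER-encoded X.509 certificate!" >&2
    rm -f -- "$output"
    return 1
  fi
}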
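#######################################
# Sign every *.efi under ./EFI in place with the Image Signing Key.
# macOS resource-fork copies (._*.efi) are skipped. Files are signed one by
# one so a single failure does not stop the rest, and the summary reports
# failures instead of claiming success unconditionally.
# Inputs:    data/keys/ISK.key, data/keys/ISK.pem
# Outputs:   progress to stdout, per-file errors to stderr
# Returns:   0 when every file was signed (or ./EFI is absent, which only
#            warns), 1 when at least one file could not be signed
#######################################
sign_efi_files() {
  if [ ! -d "EFI" ]; then
    echo "WARN: EFI folder not found. Please place your EFI folder in the same directory as this script."
    echo "Unable to sign EFI files!"
    return 0
  fi
  local file
  local failed=0
  local signed=0
  # NUL-delimited so odd file names are safe; the process substitution keeps
  # the counters in this shell rather than in a pipeline subshell.
  while IFS= read -r -d '' file; do
    echo "Signing $file..."
    if sbsign --key data/keys/ISK.key --cert data/keys/ISK.pem --output "$file" "$file"; then
      signed=$((signed + 1))
    else
      echo "ERROR: Failed to sign $file" >&2
      failed=$((failed + 1))
    fi
  done < <(find EFI -name "*.efi" ! -name "._*.efi" -print0)
  if [ "$failed" -ne 0 ]; then
    echo "ERROR: $failed EFI file(s) could not be signed!" >&2
    return 1
  fi
  echo "EFI files signed successfully! ($signed file(s))"
}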
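echo "Checking dependencies..."
if [ "$(uname)" != "Linux" ]; then
  echo "ERROR: This script is only supported on Linux." >&2
  exit 1
fi
# efitools provides cert-to-efi-sig-list / sign-efi-sig-list, so probe for
# one of those. sbsign ships in a separate package on common distributions
# (e.g. sbsigntool on Debian/Ubuntu), so installing efitools because sbsign
# is missing would never make sbsign appear.
check_and_install efitools cert-to-efi-sig-list
if ! command -v sbsign >/dev/null 2>&1; then
  echo "ERROR: sbsign not found. Install your distribution's sbsigntool / sbsigntools package and rerun." >&2
  exit 1
fi
check_and_install curl curl
check_and_install wget wget
check_and_install openssl openssl
check_and_install unzip unzip
check_and_install python3 python3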
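mkdir -p data/keys data/certs
# generate_keys needs both Microsoft certificates, and it can also run when
# a key set already exists (the user chooses to regenerate), so make sure
# the certificates are present on every run, not only when keys are missing.
echo "Checking if certificates are present..."
download_if_not_exists "https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt" "data/certs/MicCorUEFCA2011_2011-06-27.crt" || exit 1
download_if_not_exists "https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt" "data/certs/MicWinProPCA2011_2011-10-19.crt" || exit 1

mkdir -p data/keytool
keytool_url="https://github.com/profzei/Matebook-X-Pro-2018/raw/master/Wiki/UEFI/KeyTool.zip"
if [ ! -f "data/keytool/EFI/BOOT/bootx64.efi" ]; then
  echo "INFO: Missing KeyTool! Downloading $keytool_url..."
  # NOTE(review): the archive comes from a third-party repository and is
  # extracted without any integrity check; pin a known-good digest
  # (<EXPECTED_SHA256>) and verify the zip before unpacking it.
  if ! wget -q "$keytool_url" -O data/keytool/KeyTool.zip; then
    echo "ERROR: Download of KeyTool failed!" >&2
    rm -f data/keytool/KeyTool.zip
    exit 1
  fi
  unzip -q -o data/keytool/KeyTool.zip -d data/keytool || {
    echo "ERROR: Could not extract KeyTool.zip!" >&2
    exit 1
  }
  rm -f data/keytool/KeyTool.zip
  # Fail here rather than at the cp into data/keytool/EFI later on.
  [ -f "data/keytool/EFI/BOOT/bootx64.efi" ] || {
    echo "ERROR: KeyTool.zip did not contain EFI/BOOT/bootx64.efi!" >&2
    exit 1
  }
fi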
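# A complete key set is the three ISK/GUID files plus the three signed
# variable updates; anything less is regenerated from scratch.
if [ -f "data/keys/ISK.key" ] && [ -f "data/keys/ISK.pem" ] && [ -f "data/myGUID.txt" ] && [ -f "data/keys/db.auth" ] && [ -f "data/keys/KEK.auth" ] && [ -f "data/keys/PK.auth" ]; then
  echo ""
  echo "Hey! It looks like you have keys ready to use!"
  echo "The current keys are located in the 'data/keys' folder."
  echo "GUID (Unique Identifier): $(cat data/myGUID.txt)"
  echo ""
  echo "Warning: Generating new keys will overwrite the existing ones in the 'data/keys' folder."
  printf 'Do you want to use the existing keys? (y/n) [default: y]: '
  # EOF on stdin counts as "no answer", i.e. the advertised default.
  IFS= read -r generate_new_keys || generate_new_keys=""
  # Only an explicit n / N / no regenerates; anything else keeps the keys.
  case "$generate_new_keys" in
    [nN] | [nN][oO]) generate_keys ;;
    *) echo "Keeping existing keys. Skipping key generation." ;;
  esac
else
  echo "INFO: No existing keys found in data/keys."
  generate_keys
fi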
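echo "Copying keys to keytool..."
# KeyTool looks for the .auth files in the EFI folder of the media it boots
# from; a failed copy must not be reported as success.
mkdir -p data/keytool/EFI
for auth_name in db KEK PK; do
  cp -- "data/keys/$auth_name.auth" "data/keytool/EFI/$auth_name.auth" || {
    echo "ERROR: Could not copy $auth_name.auth to data/keytool/EFI!" >&2
    exit 1
  }
done
echo "Keys copied to keytool successfully!"
sign_efi_files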
# Closing summary: where the keys are and the enrolment order for KeyTool.
generated_guid=$(cat data/myGUID.txt)
cat <<EOF

=============================================================
Script completed!
GUID (Unique Identifier): $generated_guid
=============================================================
KeyTool is ready to use!
- To use, copy the contents of the 'data/keytool' folder to a usb drive.
- Your keys can be found in something like: PciRoot(0)/Pci(0x14,0x0)/Usb ... (depends on your system)
- Start with db.auth, then KEK.auth, then PK.auth
=============================================================
Your keys are located in the 'data/keys' folder.
EOF
if [ -d "EFI" ]; then
  echo "Your EFI folder has been signed and ready to use."
else
  echo "Your EFI folder has not been signed. Please place your EFI folder in the same directory as this script and rerun."
fi
echo "============================================================="