
Linux: Secure Boot

3 bytes added, 07:01, 6 June 2018
/* Secure Boot setup */
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$CN db, O=$O/" -keyout db.key -out db.crt -days 7300 -nodes -sha256
* Convert open part of the keys to the ESL format understood for UEFI
UUID=$(uuidgen --random)
cert-to-efi-sig-list -g $UUID db.crt db.esl
* Sign ESL files
sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth
sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth
* At this stage your are ready to sign GRUB EFI binary and add it to the list of binaries allowed by Secure Boot
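
Review bot: In the openssl req line, the subject "/CN=$CN db, O=$O/" mixes comma and slash separators. The -subj option takes slash-separated components, so the whole string "$CN db, O=$O" becomes the CN value and no separate O field is set; `-subj "/CN=$CN db/O=$O/"` gives the intended subject. The same line passes -nodes, so db.key is written to disk unencrypted, and the step should say to restrict its permissions or keep it offline. In the cert-to-efi-sig-list line, $UUID should be quoted, and only db.esl is created in the lines shown while the next step signs PK.esl too, so unless that happens in lines not shown here, the step should state that the same conversion is run for PK and KEK with the same GUID. The last bullet has a typo: "your are ready" should be "you are ready".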