meta-secure-core: initial commit

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
author: Lans Zhang <jia.zhang@windriver.com> 2017-06-22 15:22:01 +0800
committer: Lans Zhang <jia.zhang@windriver.com> 2017-06-22 15:24:04 +0800
commit: 1b3e5944491c315ca99b832bc3afdb6a19d81430 (patch)
tree: ffb3469d58e8e203e4bc8a37adc9fe81a48558fb /meta-signing-key/scripts/create-user-key-store.sh
download: meta-secure-core-1b3e5944491c315ca99b832bc3afdb6a19d81430.tar.gz
1 files changed, 144 insertions, 0 deletions
diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh
new file mode 100755
index 0000000..1d0803c
--- /dev/null
+++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -0,0 +1,144 @@
+#!/bin/bash
+KEYS_DIR="`pwd`/user-keys"
+function show_help()
+{
+    cat <<EOF
+$1 - creation tool for user key store
+(C)Copyright 2017, Jia Zhang <lans.zhang2008@gmail.com>
+Usage: $1 options...
+Options:
+ -d <dir>
+    Set the path to save the generated user keys.
+    Default: `pwd`/user-keys
+ -h|--help
+    Show this help information.
+EOF
+}
+while [ $# -gt 0 ]; do
+    opt=$1
+    case $opt in
+        -d)
+            shift && KEYS_DIR="$1"
+            ;;
+        -h|--help)
+            show_help `basename $0`
+            exit 0
+            ;;
+        *)
+            echo "Unsupported option $opt"
+            exit 1
+            ;;
+    esac
+    shift
+done
+echo "KEYS_DIR: $KEYS_DIR"
+UEFI_SB_KEYS_DIR="$KEYS_DIR/uefi_sb_keys"
+MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
+SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
+IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
+create_uefi_sb_user_keys() {
+    local key_dir="$UEFI_SB_KEYS_DIR"
+    [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
+    # PK is self-signed.
+    openssl req -new -x509 -newkey rsa:2048 \
+        -sha256 -nodes -days 3650 \
+        -subj "/CN=PK Certificate for $USER@`hostname`/" \
+        -keyout "$key_dir/PK.key" \
+        -out "$key_dir/PK.pem"
+    # KEK is signed by PK. 
+    openssl req -new -newkey rsa:2048 \
+        -sha256 -nodes \
+        -subj "/CN=KEK Certificate for $USER@`hostname`" \
+        -keyout "$key_dir/KEK.key" \
+        -out "$key_dir/KEK.csr"
+    openssl x509 -req -in "$key_dir/KEK.csr" \
+        -CA "$key_dir/PK.pem" -CAkey "$key_dir/PK.key" \
+        -set_serial 1 -days 3650 -out "$key_dir/KEK.pem"
+    rm -f "$key_dir/KEK.csr"
+    # DB is signed by KEK.
+    openssl req -new -newkey rsa:2048 \
+        -sha256 -nodes \
+        -subj "/CN=DB Certificate for $USER@`hostname`" \
+        -keyout "$key_dir/DB.key" \
+        -out "$key_dir/DB.csr"
+    openssl x509 -req -in "key_dir/DB.csr" \
+        -CA "$key_dir/KEK.pem" -CAkey "$key_dir/KEK.key" \
+        -set_serial 1 -days 3650 -out "$key_dir/DB.pem"
+    rm -f "$key_dir/DB.csr"
+}
+create_mok_sb_user_keys() {
+    local key_dir="$MOK_SB_KEYS_DIR"
+    [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
+    openssl req -new -x509 -newkey rsa:2048 \
+        -sha256 -nodes -days 3650 \
+        -subj "/CN=Shim Certificate for $USER@`hostname`/" \
+        -keyout "$key_dir/shim_cert.key" -out "$key_dir/shim_cert.pem"
+    openssl req -new -x509 -newkey rsa:2048 \
+        -sha256 -nodes -days 3650 \
+        -subj "/CN=Vendor Certificate for $USER@`hostname`/" \
+        -keyout "$key_dir/vendor_cert.key" -out "$key_dir/vendor_cert.pem"
+}
+create_system_trusted_keys() {
+    local key_dir="$SYSTEM_KEYS_DIR"
+    [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
+    openssl req -new -x509 -newkey rsa:2048 \
+        -sha256 -nodes -days 3650 \
+        -subj "/CN=System Trusted Certificate/" \
+        -keyout "$key_dir/system_trusted_key.key" \
+        -out "$key_dir/system_trusted_key.pem"
+}
+create_ima_user_keys() {
+    local key_dir="$IMA_KEYS_DIR"
+    [ ! -d "$key_dir" ] && mkdir -p "$key_dir"
+    openssl req -new -x509 -newkey rsa:2048 \
+        -sha256 -nodes -days 3650 \
+        -subj "/CN=IMA Trusted Certificate/" \
+        -keyout "$key_dir/x509_ima.key" \
+        -outform DER -out "$key_dir/x509_ima.der"
+}
+create_user_keys() {
+    echo "Creating the user keys for UEFI Secure Boot"
+    create_uefi_sb_user_keys
+    echo "Creating the user keys for MOK Secure Boot"
+    create_mok_sb_user_keys
+    echo "Creating the system trusted keys"
+    create_system_trusted_keys
+    echo "Creating the user keys for IMA appraisal"
+    create_ima_user_keys
+}
+create_user_keys
author	Lans Zhang <jia.zhang@windriver.com>	2017-06-22 15:22:01 +0800
committer	Lans Zhang <jia.zhang@windriver.com>	2017-06-22 15:24:04 +0800
commit	1b3e5944491c315ca99b832bc3afdb6a19d81430 (patch)
tree	ffb3469d58e8e203e4bc8a37adc9fe81a48558fb /meta-signing-key/scripts/create-user-key-store.sh
download	meta-secure-core-1b3e5944491c315ca99b832bc3afdb6a19d81430.tar.gz

diff --git a/meta-signing-key/scripts/create-user-key-store.sh b/meta-signing-key/scripts/create-user-key-store.sh new file mode 100755 index 0000000..1d0803c --- /dev/null +++ b/meta-signing-key/scripts/create-user-key-store.sh
@@ -0,0 +1,144 @@
	1	#!/bin/bash
	2
	3	KEYS_DIR="`pwd`/user-keys"
	4
	5	function show_help()
	6	{
	7	cat <<EOF
	8	$1 - creation tool for user key store
	9
	10	(C)Copyright 2017, Jia Zhang <lans.zhang2008@gmail.com>
	11
	12	Usage: $1 options...
	13
	14	Options:
	15	-d <dir>
	16	Set the path to save the generated user keys.
	17	Default: `pwd`/user-keys
	18
	19	-h\|--help
	20	Show this help information.
	21
	22	EOF
	23	}
	24
	25	while [ $# -gt 0 ]; do
	26	opt=$1
	27	case $opt in
	28	-d)
	29	shift && KEYS_DIR="$1"
	30	;;
	31	-h\|--help)
	32	show_help `basename $0`
	33	exit 0
	34	;;
	35	*)
	36	echo "Unsupported option $opt"
	37	exit 1
	38	;;
	39	esac
	40	shift
	41	done
	42
	43	echo "KEYS_DIR: $KEYS_DIR"
	44
	45	UEFI_SB_KEYS_DIR="$KEYS_DIR/uefi_sb_keys"
	46	MOK_SB_KEYS_DIR="$KEYS_DIR/mok_sb_keys"
	47	SYSTEM_KEYS_DIR="$KEYS_DIR/system_trusted_keys"
	48	IMA_KEYS_DIR="$KEYS_DIR/ima_keys"
	49
	50	create_uefi_sb_user_keys() {
	51	local key_dir="$UEFI_SB_KEYS_DIR"
	52
	53	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
	54
	55	# PK is self-signed.
	56	openssl req -new -x509 -newkey rsa:2048 \
	57	-sha256 -nodes -days 3650 \
	58	-subj "/CN=PK Certificate for $USER@`hostname`/" \
	59	-keyout "$key_dir/PK.key" \
	60	-out "$key_dir/PK.pem"
	61
	62	# KEK is signed by PK.
	63	openssl req -new -newkey rsa:2048 \
	64	-sha256 -nodes \
	65	-subj "/CN=KEK Certificate for $USER@`hostname`" \
	66	-keyout "$key_dir/KEK.key" \
	67	-out "$key_dir/KEK.csr"
	68
	69	openssl x509 -req -in "$key_dir/KEK.csr" \
	70	-CA "$key_dir/PK.pem" -CAkey "$key_dir/PK.key" \
	71	-set_serial 1 -days 3650 -out "$key_dir/KEK.pem"
	72
	73	rm -f "$key_dir/KEK.csr"
	74
	75	# DB is signed by KEK.
	76	openssl req -new -newkey rsa:2048 \
	77	-sha256 -nodes \
	78	-subj "/CN=DB Certificate for $USER@`hostname`" \
	79	-keyout "$key_dir/DB.key" \
	80	-out "$key_dir/DB.csr"
	81
	82	openssl x509 -req -in "key_dir/DB.csr" \
	83	-CA "$key_dir/KEK.pem" -CAkey "$key_dir/KEK.key" \
	84	-set_serial 1 -days 3650 -out "$key_dir/DB.pem"
	85
	86	rm -f "$key_dir/DB.csr"
	87	}
	88
	89	create_mok_sb_user_keys() {
	90	local key_dir="$MOK_SB_KEYS_DIR"
	91
	92	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
	93
	94	openssl req -new -x509 -newkey rsa:2048 \
	95	-sha256 -nodes -days 3650 \
	96	-subj "/CN=Shim Certificate for $USER@`hostname`/" \
	97	-keyout "$key_dir/shim_cert.key" -out "$key_dir/shim_cert.pem"
	98
	99	openssl req -new -x509 -newkey rsa:2048 \
	100	-sha256 -nodes -days 3650 \
	101	-subj "/CN=Vendor Certificate for $USER@`hostname`/" \
	102	-keyout "$key_dir/vendor_cert.key" -out "$key_dir/vendor_cert.pem"
	103	}
	104
	105	create_system_trusted_keys() {
	106	local key_dir="$SYSTEM_KEYS_DIR"
	107
	108	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
	109
	110	openssl req -new -x509 -newkey rsa:2048 \
	111	-sha256 -nodes -days 3650 \
	112	-subj "/CN=System Trusted Certificate/" \
	113	-keyout "$key_dir/system_trusted_key.key" \
	114	-out "$key_dir/system_trusted_key.pem"
	115	}
	116
	117	create_ima_user_keys() {
	118	local key_dir="$IMA_KEYS_DIR"
	119
	120	[ ! -d "$key_dir" ] && mkdir -p "$key_dir"
	121
	122	openssl req -new -x509 -newkey rsa:2048 \
	123	-sha256 -nodes -days 3650 \
	124	-subj "/CN=IMA Trusted Certificate/" \
	125	-keyout "$key_dir/x509_ima.key" \
	126	-outform DER -out "$key_dir/x509_ima.der"
	127	}
	128
	129	create_user_keys() {
	130	echo "Creating the user keys for UEFI Secure Boot"
	131	create_uefi_sb_user_keys
	132
	133	echo "Creating the user keys for MOK Secure Boot"
	134	create_mok_sb_user_keys
	135
	136	echo "Creating the system trusted keys"
	137	create_system_trusted_keys
	138
	139	echo "Creating the user keys for IMA appraisal"
	140	create_ima_user_keys
	141	}
	142
	143	create_user_keys
	144