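#!/bin/bash
# https://gist.github.com/Garoe/74a0040f50ae7987885a0bebe5eda1aa
#
# Create a Machine Owner Key (MOK) pair in ~/.ssl plus a helper script that
# signs every DKMS-built kernel module with it, then enroll the public half
# with mokutil so Secure Boot accepts the signed modules after a reboot.
#
# VERY IMPORTANT! After each kernel update or dkms rebuild the modules must be
# signed again with the script ~/.ssl/sign-all-modules.sh
#
# All files are placed in the ~/.ssl folder:
#   MOK.priv             - RSA private key, unencrypted (mode 600)
#   MOK.der              - matching self-signed certificate, DER encoded
#   sign-all-modules.sh  - the re-signing helper
set -euo pipefail

readonly ssl_dir="$HOME/.ssl"

# -p so that re-running the script does not fail when the folder already
# exists; 700 because the folder holds private key material.
mkdir -p -- "$ssl_dir"
chmod 700 -- "$ssl_dir"
cd -- "$ssl_dir" || exit 1

# Generate custom keys with openssl.
# The umask makes MOK.priv private from the moment it is written instead of
# relying on a chmod that runs after the key is already on disk.
# -nodes leaves the private key unencrypted because sign-all-modules.sh has to
# use it non-interactively, so file permissions are its only protection.
# An existing key pair is kept: overwriting it would silently invalidate the
# key already enrolled in the MOK list and every module signed with it.
if [[ ! -e MOK.priv ]]; then
  (umask 077 && openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -subj "/CN=Owner/")
fi
# Set more restrictive permissions as these are private keys
chmod 600 -- MOK.*

# Add the sign-all-modules script to the .ssl folder.
# Quoted delimiter: nothing in the here-doc is expanded now, so the generated
# script reads exactly as written below.
cat <<'EOT' > sign-all-modules.sh
#!/bin/bash
# Sign every DKMS-built module of the running kernel with the MOK in ~/.ssl.
# Run again after every kernel update or dkms rebuild.
set -euo pipefail
# nullglob: an empty updates/dkms directory loops zero times instead of
# passing the literal "*.ko" pattern to sign-file.
shopt -s nullglob
kver=$(uname -r)
sign_file="/usr/src/linux-headers-${kver}/scripts/sign-file"
sudo -v
echo "Signing the following modules"
for filename in "/lib/modules/${kver}/updates/dkms/"*.ko; do
  sudo "$sign_file" sha256 "$HOME/.ssl/MOK.priv" "$HOME/.ssl/MOK.der" "$filename"
  echo "$filename"
done
EOT
chmod +x -- "$ssl_dir/sign-all-modules.sh"

# Run the script once now so the currently installed modules are signed.
"$ssl_dir/sign-all-modules.sh"

# Add the key to the trusted keys database. mokutil asks for a one-time
# password that the boot-time enrollment screen will request again.
sudo apt-get install mokutil
sudo mokutil --import "$ssl_dir/MOK.der"
cd -- "$HOME"
# Reboot and in the boot screen select add/import key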