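#!/bin/bash
# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

# Converts the UEFI certs (pk, kek, db, dbx) found in a keys directory from
# PEM to DER and writes them under EFI/Google/GSetup in the given ESP
# directory. PROG, info, error and die are not defined here; they are
# presumably provided by common.sh.

. "$(dirname "$0")/common.sh"

set -e

# Prints the usage text to stdout. When called with arguments, reports them
# through error and exits 1; when called with none, exits 0.
# Args: [ERROR_MESSAGE...]
usage() {
  cat <<EOF
Usage: $PROG /path/to/esp/dir /path/to/keys/dir

Install UEFI certs in GSetup directory in ESP.
EOF
  if [[ $# -gt 0 ]]; then
    error "$*"
    exit 1
  fi
  exit 0
}

# Installs the specified UEFI cert in GSetup directory, if the cert exists.
# A missing cert is only logged; callers that require the cert must check for
# it themselves before calling.
# Args: KEY_TYPE CERT GSETUP_DIR
#   KEY_TYPE   - subdirectory name under GSETUP_DIR (pk, kek, db or dbx).
#   CERT       - path to the PEM-encoded certificate.
#   GSETUP_DIR - destination root; created on demand.
install_gsetup_cert() {
  local key_type="$1"
  local cert="$2"
  local gsetup_dir="$3"
  if [[ -f "${cert}" ]]; then
    info "Putting ${key_type} cert: ${cert}"
    # Declare and assign separately so that a failing command substitution is
    # not masked by the exit status of 'local'.
    local cert_basename
    cert_basename="$(basename "${cert}")"
    # Same file name as the source, with the last extension swapped for .der.
    local der_filename="${cert_basename%.*}.der"
    # Both writes go through sudo; the ESP is presumably root-owned.
    sudo mkdir -p "${gsetup_dir}/${key_type}"
    # NOTE(review): 'openssl x509' converts only the first certificate in its
    # input. A PEM file holding several certs would lose the rest without any
    # error, which matters most for dbx - confirm each .pem holds one cert.
    sudo openssl x509 -in "${cert}" -inform PEM \
      -out "${gsetup_dir}/${key_type}/${der_filename}" -outform DER
  else
    info "No ${key_type} cert: ${cert}"
  fi
}

# Entry point.
# Args: ESP_DIR KEY_DIR
#   ESP_DIR - directory of the mounted ESP.
#   KEY_DIR - directory holding pk/pk.pem, db/db.pem, and optionally
#             kek/kek.pem and dbx/*.pem.
# Dies if the PK or DB cert is missing; KEK and dbx certs are optional.
main() {
  # Validate the argument count before touching the positional parameters.
  if [[ $# -ne 2 ]]; then
    usage "command takes exactly 2 args"
  fi

  local esp_dir="$1"
  local key_dir="$2"

  local gsetup_dir="${esp_dir}/EFI/Google/GSetup"

  # PK is mandatory.
  local pk_cert="${key_dir}/pk/pk.pem"
  if [[ ! -f "${pk_cert}" ]]; then
    die "No PK cert: ${pk_cert}"
  fi
  install_gsetup_cert pk "${pk_cert}" "${gsetup_dir}"

  # DB is mandatory.
  local db_cert="${key_dir}/db/db.pem"
  if [[ ! -f "${db_cert}" ]]; then
    die "No DB cert: ${db_cert}"
  fi
  install_gsetup_cert db "${db_cert}" "${gsetup_dir}"

  # KEK is optional: install_gsetup_cert just logs when the file is absent.
  local kek_cert="${key_dir}/kek/kek.pem"
  install_gsetup_cert kek "${kek_cert}" "${gsetup_dir}"

  # dbx is optional. When nothing matches (and nullglob is off) the literal
  # pattern is passed through and install_gsetup_cert logs it as missing, so
  # an absent or empty dbx directory is not treated as an error.
  local dbx_cert
  for dbx_cert in "${key_dir}"/dbx/*.pem; do
    install_gsetup_cert dbx "${dbx_cert}" "${gsetup_dir}"
  done
}

main "$@"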