From Fedora Project Wiki

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc

Use openssl to generate a signing key ("fedora.p12" from here on out)

eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ openssl genrsa -out fedora.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................
..........................................................................+++
...........+++
e is 65537 (0x10001)
eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Fedora Project
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Fedora Signing Key
Email Address []:pjones@fedoraproject.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:fooo
An optional company name []:   
eddie:~/db$ openssl x509 -req -days 365 -in fedora.csr -signkey fedora.key -out fedora.crt -extensions extendedKeyUsage=1.3.6.1.4.1.311.10.3.1
Signature ok
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org
Getting Private key
eddie:~/db/ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes
Enter Export Password:
Verifying - Enter Export Password:
eddie:~/db$

Initialize two smart cards

  • Make sure pcscd is running
service pcscd start
  • Insert your Smart Card
  • Initialize each card as a pkcs15 card
# CDW Part #1537376.
PIN=12345678
PUK=43218765
SOPIN=87654321
SOPUK=56781234
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
  • Import the signing key to each of the smart cards
# Import a PKCS12 bundle.
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK

# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
  • Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signing Card
-----------------------------------------------------------
eddie:~/db$ 
  • Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signing Card" -c "/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org" --sign -i unsigned.efi -o signed.efi
Enter Password or Pin for "OpenSC Card (Fedora Signing Card":
eddie:~/db$ 
  • For the love of god remove every file that was generated
eddie:~/db$ cd ..
eddie:~$ rm -rf db