From Fedora Project Wiki

So you're stuck with Secure Boot and you want to use Smart Cards

Initial card setup

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc
  • nss-tools

Create the CA

  1. Turn off shell history for some commands.
export HISTCONTROL=$HISTCONTROL:ignorespace
  1. Use nss-tools' certutil to generate a CA key ("fedora-ca.p12")
eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ certutil -d $PWD -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: <just hit enter here>
Re-enter password: <just hit enter here>
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot CA" -n Fedora\ CA -x --keyUsage certSigning,crlSigning --nsCertType objectSigningCA -t ,,c -k rsa -g 2048

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type a bunch of crap until OMG IT'S FULL OF STARS|

Finished.  Press enter to continue: <just hit enter here>


Generating key.  This may take a few moments...

eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.'''
eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer
eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  1. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora CA                                                    u,u,cu
  1. Initialize smart cards
# Make sure pcscd is running
service pcscd start
  1. Insert your Smart Card
  2. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  3. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$  PIN=12345678 # your numbers here 
eddie:~/db$  PUK=43218765 
eddie:~/db$  SOPIN=87654321
eddie:~/db$  SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signing CA"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$  pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$  pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  1. Import the CA key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$  pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot CA

# List the contents.
eddie:~/db$  pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      encrypt, verify

  1. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: <hit enter here>

Module "opensc-pkcs11" added to database.
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA    u,u,u

  1. Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
  1. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora-ca.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
  1. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 

Create the signing cards

  1. Add the opensc-pkcs11 module to the local database
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc-pkcs11" added to database.
  1. Create a signing key
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA"
 
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here>
eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  1. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora                                                       u,u,u
  1. Insert your Smart Card
  2. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  3. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$ PIN=12345678 # your numbers here 
eddie:~/db$ PUK=43218765 
eddie:~/db$ SOPIN=87654321
eddie:~/db$ SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signer"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  1. Import the CA key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$ pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot Signer

# List the contents.
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      encrypt, verify
  1. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer    u,u,u
  1. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora"
  1. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 
  1. Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force
Enter Password or Pin for "OpenSC Card (Fedora Signing Card": <type the PIN and hit enter>
eddie:~/db$ 
  1. Repeat for a second card