From Fedora Project Wiki
So you're stuck with Secure Boot and you want to use Smart Cards
Initial card setup
Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.
Install the following packages:
- pesign
- pcsc-lite-ccid
- pcsc-tools
- pcsc-lite
- opensc
- nss-tools
Create the CA
- Turn off shell history for some commands.
export HISTCONTROL=$HISTCONTROL:ignorespace
- Use certutil from nss-utils and efikeygen from pesign to generate a CA key ("fedora-ca.p12")
eddie:~$ mkdir db eddie:~$ cd db eddie:~/db$ certutil -d $PWD -N Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, and should contain at least one non-alphabetic character. Enter new password: <just hit enter here> Re-enter password: <just hit enter here> eddie:~/db$ efikeygen -d $PWD -C -S -n "Fedora CA" -c "CN=Fedora Secure Boot CA" -u "https://fedoraproject.org/w/index.php?title=User:Pjones/SecureBootSmartCardDeployment" eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.''' eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA" Enter password for PKCS12 file: <just hit enter here> Re-enter password: <just hit enter here> pk12util: PKCS12 EXPORT SUCCESSFUL
- List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Fedora CA u,u,cu
- Initialize smart cards
# Make sure pcscd is running service pcscd start
- Insert your Smart Card
- Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
- Initialize each card as a pkcs15 card
# CDW Part #1537376. eddie:~/db$ PIN=12345678 # your numbers here eddie:~/db$ PUK=43218765 eddie:~/db$ SOPIN=87654321 eddie:~/db$ SOPUK=56781234 eddie:~/db$ CARDLABEL="Fedora Signing CA" # Format (wipe) the card. # opensc-tool --list-algorithms eddie:~/db$ cardos-tool -f Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00 card in administrative state, ok # Create the PKCS#15 structures, set the security officer PIN and unlock code. eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00 # Create a user PIN and unlock code. eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL" Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
- Import the CA key to the smart card
# Import a PKCS12 bundle. eddie:~/db$ pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00 Importing 1 certificates: 0: /CN=Fedora Secure Boot CA # List the contents. eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O Using slot 1 with a present token (0x1) Private Key Object; RSA label: Private Key ID: de6dfac87e0315352e7b9a487377ace2f6354d9b Usage: sign Certificate Object, type = X.509 cert label: /CN=Fedora Secure Boot CA ID: de6dfac87e0315352e7b9a487377ace2f6354d9b Public Key Object; RSA 2048 bits label: /CN=Fedora Secure Boot CA ID: de6dfac87e0315352e7b9a487377ace2f6354d9b Usage: encrypt, verify
- Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue: <hit enter here>
Module "opensc-pkcs11" added to database.
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. opensc-pkcs11
library name: /usr/lib64/pkcs11/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
slot: Virtual hotplug slot
token:
slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA u,u,u
- Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
- Remove stuff we don't want the world to see
eddie:~/db$ rm fedora-ca.p12 eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
- Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
eddie:~/db$
Create the signing cards
- Add the opensc-pkcs11 module to the local database
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: Module "opensc-pkcs11" added to database.
- Turn off shell history for some commands
export HISTCONTROL=$HISTCONTROL:ignorespace
- Create a signing key
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA" A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard. To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD! Continue typing until the progress meter is full: |************************************************************| Finished. Press enter to continue: Generating key. This may take a few moments... Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here> eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora" Enter password for PKCS12 file: <just hit enter here> Re-enter password: <just hit enter here> pk12util: PKCS12 EXPORT SUCCESSFUL
- List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Fedora u,u,u
- Insert your Smart Card
- Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
- Initialize each card as a pkcs15 card
# CDW Part #1537376. eddie:~/db$ PIN=12345678 # your numbers here eddie:~/db$ PUK=43218765 eddie:~/db$ SOPIN=87654321 eddie:~/db$ SOPUK=56781234 eddie:~/db$ CARDLABEL="Fedora Signer" # Format (wipe) the card. # opensc-tool --list-algorithms eddie:~/db$ cardos-tool -f Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00 card in administrative state, ok # Create the PKCS#15 structures, set the security officer PIN and unlock code. eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00 # Create a user PIN and unlock code. eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL" Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
- Import the signing into the smart card
# Import a PKCS12 bundle. eddie:~/db$ pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00 Importing 1 certificates: 0: /CN=Fedora Secure Boot Signer # List the contents. eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O Using slot 1 with a present token (0x1) Private Key Object; RSA label: Private Key ID: 4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2 Usage: sign Certificate Object, type = X.509 cert label: /CN=Fedora Secure Boot Signer ID: 4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2 Public Key Object; RSA 2048 bits label: /CN=Fedora Secure Boot Signer ID: 4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2 Usage: encrypt, verify
- Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. opensc-pkcs11
library name: /usr/lib64/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
slot: Virtual hotplug slot
token:
slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer u,u,u
- Remove stuff we don't want the world to see
eddie:~/db$ rm fedora.p12 eddie:~/db$ certutil -d $PWD -D -n "Fedora"
- Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
eddie:~/db$
- Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force Enter Password or Pin for "OpenSC Card (Fedora Signing Card": <type the PIN and hit enter> eddie:~/db$
- Repeat for a second card