From Fedora Project Wiki

Revision as of 18:22, 9 October 2012 by Pjones

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

Procure some PKCS#15 smart cards. Do not get Java Cards. Get "eToken" cards (CardOS-based, which is what the cardos-tool step below expects). They're CDW Part #1537376. I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc

Use openssl to generate a 2048-bit RSA signing key and a self-signed certificate, then bundle them into a PKCS#12 file ("fedora.p12" from here on out). The key is generated on the host rather than on the card so that the same key can be loaded onto both cards; that is also why every host copy has to be destroyed at the end.

eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ openssl genrsa -out fedora.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................
..........................................................................+++
...........+++
e is 65537 (0x10001)
eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Fedora Project
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Fedora Signing Key
Email Address []:pjones@fedoraproject.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:fooo
An optional company name []:
eddie:~/db$ openssl x509 -req -days 365 -in fedora.csr -signkey fedora.key -out fedora.crt
Signature ok
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org
Getting Private key
eddie:~/db$ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes
Enter Export Password:
Verifying - Enter Export Password:
eddie:~/db$

Initialize two smart cards

  • Make sure pcscd is running
service pcscd start
  • Insert your Smart Card
  • Initialize each card as a PKCS#15 card
# CDW Part #1537376.
PIN=12345678                          # placeholder: pick your own user PIN
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card. This step is specific to CardOS-based tokens.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures (-C) using the card's default transport keys (-T).
# You will be prompted for the security officer PIN and its unlock code (PUK).
pkcs15-init -CT

# Create the user PIN under auth id 1 (you will be prompted for its unlock code).
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
  • Import the signing key to each of the smart cards
# Import the PKCS#12 bundle (private key and certificate), protected by the user PIN (auth id 01).
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN

# List the objects on the card after logging in; the private key and the certificate should both appear.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
  • For the love of god remove every file that was generated. Note that rm only unlinks the files; where the filesystem overwrites in place, shred -u the key and the .p12 first, since a surviving host copy of the private key defeats the point of keeping it on the card.
eddie:~/db$ cd ..
eddie:~$ rm -rf db
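The whole procedure above (key generation, card initialization, import, cleanup) as one script, with the checks a practitioner would want before trusting a card: that a card is actually in the reader, that both the private key and the certificate landed on it, and that a signature made by the card-resident key verifies against the certificate that will go into db. This is an added example, not code from the page or from the Fedora Project; it assumes the same tools the page installs (openssl, opensc-tool, cardos-tool, pkcs15-init, pkcs11-tool), a CardOS-based eToken in the reader, a pkcs11-tool new enough to select keys by --label and to offer the SHA256-RSA-PKCS mechanism, and GNU shred. The PIN, labels and module path are placeholders; the security officer PIN, PUK and PKCS#12 export password prompts stay interactive. The sample pkcs11-tool listing used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the page): the card-initialization procedure as one
# script with sanity checks. Assumes openssl, opensc-tool, cardos-tool,
# pkcs15-init and pkcs11-tool, a CardOS-based eToken in the reader, and GNU
# shred. PIN, labels and module path are placeholders.
set -eu

PIN="${PIN:-12345678}"                # placeholder, as on the page; choose your own
CARDLABEL="Fedora Signing Card"
KEYLABEL="Fedora Signing Key"
MODULE="${MODULE:-opensc-pkcs11.so}"  # assumed to be on the PKCS#11 module search path
WORK="$(pwd)/db"

# Fail early if no card is in the reader (opensc-tool -n prints the card name
# and exits non-zero when it cannot connect to one).
card_present() {
    opensc-tool -n >/dev/null
}

# Host-side key generation, as on the page: 2048-bit RSA, self-signed cert
# valid one year, bundled as a PKCS#12 with an unencrypted key (wiped later).
make_key() {
    mkdir -p "$WORK" && cd "$WORK"
    openssl genrsa -out fedora.key 2048
    openssl req -new -x509 -days 365 -key fedora.key \
        -subj "/O=Fedora Project/CN=$KEYLABEL" -out fedora.crt
    openssl pkcs12 -export -nodes -inkey fedora.key -in fedora.crt \
        -name "$KEYLABEL" -out fedora.p12
}

# Wipe the card, lay down the PKCS#15 structures, create the user PIN under
# auth id 01 and import the bundle under that PIN (same commands as the page).
init_card() {
    cardos-tool -f
    pkcs15-init -CT
    pkcs15-init -P -a 1 --pin "$PIN" --label "$CARDLABEL"
    pkcs15-init --store-private-key fedora.p12 --format pkcs12 \
        --auth-id 01 --pin "$PIN"
}

# Parse a `pkcs11-tool -O` listing on stdin; succeed only if BOTH a private key
# object and a certificate object carry the label given as $1.
card_has_key() {
    awk -v want="$1" '
        /^Private Key Object/ { kind = "key" }
        /^Public Key Object/  { kind = "pub" }
        /^Certificate Object/ { kind = "cert" }
        /^[ \t]*label:/ {
            sub(/^[ \t]*label:[ \t]*/, ""); sub(/[ \t]+$/, "")
            if ($0 == want) seen[kind] = 1
        }
        END { exit !(seen["key"] && seen["cert"]) }'
}

# Round trip: sign a test blob with the card-resident key and verify it with
# the public key from the certificate that will be enrolled in db. Assumes a
# pkcs11-tool that selects the key by --label and knows SHA256-RSA-PKCS.
verify_signing() {
    printf 'secure boot signing test' > test.bin
    pkcs11-tool --module "$MODULE" -l --pin "$PIN" --sign -m SHA256-RSA-PKCS \
        --label "$KEYLABEL" -i test.bin -o test.sig
    openssl x509 -in fedora.crt -pubkey -noout > fedora.pub
    openssl dgst -sha256 -verify fedora.pub -signature test.sig test.bin
}

# The certificate can be read back from the card later (certificates are
# public objects, no login needed), so nothing on the host has to survive.
# Assumes a pkcs11-tool that selects the object by --label for -r.
read_cert_from_card() {
    pkcs11-tool --module "$MODULE" -r -y cert --label "$KEYLABEL" -o "$1"
}

# rm only unlinks; overwrite the key material first where the filesystem
# overwrites in place (GNU shred assumed).
cleanup() {
    cd "$WORK" && shred -u fedora.key fedora.p12
    cd .. && rm -rf "$WORK"
}

main() {
    card_present
    make_key
    init_card
    pkcs11-tool --module "$MODULE" -l --pin "$PIN" -O | card_has_key "$KEYLABEL"
    verify_signing
    read_cert_from_card /tmp/fedora-card.der   # DER copy for enrolling in db later
    cleanup
}

# Run with: sh initcard.sh run
# (does nothing without the argument, so the helpers can be sourced and
# exercised without a card in the reader)
if [ "${1:-}" = run ]; then main; fi
```

Run it once per card; the listing check and the signing round trip are what tell you the import really succeeded rather than merely not erroring, and the DER copy read back from the card is what you feed into your db enrollment, so the host-side key directory can be shredded with nothing lost.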