So you're stuck with Secure Boot and you want to use Smart Cards
- Install the following packages:
- Use pesign-keygen (tbd) to generate two keys:
  - CA Key
  - Signing Key (This is signed with the CA key)
- Initialize two smart cards
- Make sure pcscd is running
# CDW Part #1537376.
CARDLABEL="Fedora Signing Card"
# Format (wipe) the card.
# opensc-tool --list-algorithms
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin "$PIN" --label "$CARDLABEL"
- Import the signing key to each of the smart cards
# Import a PKCS12 bundle.
pkcs15-init --store-private-key "$P12FILE" --format pkcs12 --auth-id 01 --pin "$PIN"
# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin "$PIN" -O
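
An added check for the listing step above (not part of the original page): it reads the `pkcs11-tool ... -O` output and confirms the card holds a private key with sign usage and a certificate under the same ID. `check_card_listing` is a hypothetical helper name, the sample listings are constructed to resemble pkcs11-tool's object output, and the check assumes the PKCS#12 bundle carries the signing certificate along with the key.

```shell
# Added example, not from the original page. check_card_listing is a
# hypothetical helper; both sample listings below are constructed. Real use:
#   pkcs11-tool --module opensc-pkcs11.so -l --pin "$PIN" -O | check_card_listing

# Reads an object listing on stdin. Prints each ID that has both a private key
# with "sign" usage and a certificate; returns 1 if there is no such ID.
check_card_listing() {
    awk '
        function commit_obj() {          # record the object just finished
            if (kind == "key" && oid != "" && can_sign) signer[oid] = 1
            if (kind == "cert" && oid != "") cert[oid] = 1
            kind = ""; oid = ""; can_sign = 0
        }
        / Object;/ {                     # header line starts a new object
            commit_obj()
            if ($0 ~ /^Private Key Object/) kind = "key"
            else if ($0 ~ /^Certificate Object/) kind = "cert"
            next
        }
        $1 == "ID:"              { oid = $2 }
        $1 == "Usage:" && /sign/ { can_sign = 1 }
        END {
            commit_obj()
            n = 0
            for (i in signer) if (i in cert) { print i; n++ }
            exit (n ? 0 : 1)
        }'
}

# Constructed listing: key, certificate and public key all under ID 45.
SAMPLE_OK='Private Key Object; RSA
  label:      Signing Key
  ID:         45
  Usage:      decrypt, sign, unwrap
Certificate Object; type = X.509 cert
  label:      Signing Cert
  ID:         45
Public Key Object; RSA 2048 bits
  ID:         45
  Usage:      encrypt, verify, wrap'

# Constructed listing: the key was stored but no certificate came with it.
SAMPLE_NO_CERT='Private Key Object; RSA
  label:      Signing Key
  ID:         45
  Usage:      decrypt, sign, unwrap'

printf '%s\n' "$SAMPLE_OK" | check_card_listing    # prints 45
```

Run it against each of the two cards; leaving off `--pin` makes pkcs11-tool prompt for the PIN, which keeps it out of the process list.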