From FedoraProject

< User:Pjones
Revision as of 15:45, 9 October 2012 by Pjones (Talk | contribs)

Jump to: navigation, search

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

  • Install the following packages:
    • pesign
    • pcsc-lite-ccid
    • pcsc-tools
    • pcsc-lite
    • opensc
  • Use pesign-keygen (tbd) to generate two keys:
    • CA Key
    • Signing Key (This is signed with the CA key)
  • Initialize two smart cards
    • Make sure pcscd is running
# CDW Part #1537376.
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
  • Import the signing key to each of the smart cards
# Import a PKCS12 bundle.
pkcs15-init --store-private-key $P12FILE --format pkcs12 --auth-id 01 --pin $PIN

# List the contents.
pkcs11-tool --module -l --pin $PIN -O