User:Pjones/SecureBootSmartCardDeployment

From FedoraProject

< User:Pjones
Revision as of 17:05, 9 October 2012 by Pjones (Talk | contribs)

Jump to: navigation, search

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc

Use pesign-keygen (tbd) to generate a signing key:

  • Signing Key - signed with the CA key ("fedora.p12" from here on out)

Initialize two smart cards

  • Make sure pcscd is running
service pcscd start
  • Insert your Smart Card
  • Initialize each card as a pkcs15 card
# CDW Part #1537376.
PIN=12345678
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
  • Import the signing key to each of the smart cards
# Import a PKCS12 bundle.
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN

# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
  • Destroy fedora.p12