So you're stuck with Secure Boot and you want to use Smart Cards
Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.
Install the following packages:
Use pesign-keygen (tbd) to generate a signing key:
- Signing Key - signed with the CA key ("fedora.p12" from here on out)
Initialize two smart cards
- Make sure pcscd is running
service pcscd start
- Insert your Smart Card
- Initialize each card as a pkcs15 card
# CDW Part #1537376. PIN=12345678 CARDLABEL="Fedora Signing Card" # Format (wipe) the card. # opensc-tool --list-algorithms cardos-tool -f # Create the PKCS#15 structures, set the security officer PIN and unlock code. pkcs15-init -CT # Create a user PIN and unlock code. pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
- Import the signing key to each of the smart cards
# Import a PKCS12 bundle. pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN # List the contents. pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
- Destroy fedora.p12