Makefile to Create UEFI SecureBoot Keys

If you are unfamiliar with signing executables for UEFI SecureBoot, see "How to Sign UEFI Drivers & Applications" on the TianoCore EDK2 website.

Here is a simple Makefile which can be used to create the necessary keys:

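# Make all keys for UEFI SecureBoot

TOPDIR := $(shell pwd)/

.PHONY: all clean

all: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key

# Static pattern rule, so $* expands to PK, KEK or DB. Each recipe writes the
# self-signed certificate and its private key; -nodes leaves the key unencrypted.
PK.crt KEK.crt DB.crt: %.crt:
	openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$*/" -keyout $*.key -out $@ -days 3650 -nodes

# The .key files are a side effect of the .crt rule above.
PK.key KEK.key DB.key: %.key: %.crt ;

# .KEEP is not a GNU make special target; .PRECIOUS keeps these files if make is interrupted.
.PRECIOUS: PK.crt PK.key KEK.crt KEK.key DB.crt DB.key

%.cer: %.crt
	openssl x509 -in $< -out $@ -outform DER

%-subkey.csr:
	openssl req -new -newkey rsa:2048 -keyout $*-subkey.key -subj "/CN=Subkey $* of KEK/" -out $@ -nodes

# Signed with the DB key, so DB.crt (and with it DB.key) must exist first.
%-subkey.crt: %-subkey.csr DB.crt
	openssl x509 -req -in $< -CA DB.crt -CAkey DB.key -set_serial 1 -out $@ -days 365

clean:
	rm -f PK.* KEK.* DB.*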

Naturally, you may have to modify it to suit your own particular setup, but the above should give you a good starting point.
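
Because the Makefile writes its private keys unencrypted (-nodes), it is worth checking what it produced before enrolling anything. The shell functions below are an added example, not part of the original post; check_pair and check_all are hypothetical names, and the script assumes the PK, KEK and DB file names used by the Makefile.

```shell
#!/bin/sh
# Added example (not from the original post): check the PEM files the Makefile creates.
# check_pair and check_all are hypothetical helper names.

check_pair() {   # usage: check_pair NAME [DIR]; returns 0 only if every check passes
    name=$1; dir=${2:-.}; crt=$dir/$name.crt; key=$dir/$name.key; rc=0
    [ -f "$crt" ] && [ -f "$key" ] || { echo "$name: missing $crt or $key"; return 1; }

    # The certificate must contain the public half of the private key.
    pub=$(openssl x509 -in "$crt" -noout -pubkey)
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "$name: certificate and key do not match"; rc=1; }

    # The Makefile issues self-signed certificates, so subject and issuer are equal.
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issr" ] || { echo "$name: not self-signed"; rc=1; }

    # The Makefile asks for rsa:2048; flag anything smaller.
    bits=$(openssl x509 -in "$crt" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "$name: key is ${bits:-unknown} bits"; rc=1; }

    # -nodes leaves the key unencrypted, so file permissions are its only protection.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")   # GNU, then BSD stat
    case $mode in
        0|*00) ;;
        *) echo "$name: $key has mode $mode, group/other access should be removed"; rc=1 ;;
    esac
    return $rc
}

check_all() {    # usage: check_all [DIR]; checks PK, KEK and DB
    all_rc=0
    for n in PK KEK DB; do check_pair "$n" "${1:-.}" || all_rc=1; done
    return $all_rc
}

# When run as a script with a directory argument, check that directory.
[ "$#" -eq 0 ] || check_all "$1"
```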
