Add complete guide and all config variants

hackintosh-guide/Utilities/ShimUtils/shim-to-cert.tool

@@ -0,0 +1,93 @@
+#!/bin/bash
+
+# shim-to-cert.tool - Extract OEM signing certificate public key (and full db, dbx if present) from GRUB shim file.
+#
+# Copyright (c) 2021-2023, Michael Beaton. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+LIGHT_GREEN='\033[1;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Note: binutils can be placed last on path in macOS, to provide objcopy but avoid overwriting native tools.
+command -v "${BINUTILS_PREFIX}"objcopy >/dev/null 2>&1 || { echo >&2 "objcopy not found - please install binutils package or set BINUTILS_PREFIX environment variable."; exit 1; }
+command -v openssl >/dev/null 2>&1 || { echo >&2 "openssl not found - please install openssl package."; exit 1; }
+
+if [ -z "$1" ]; then
+    echo "Usage: $(basename "$0") <shimfile>"
+    exit 1
+fi
+
+sectfile=$(mktemp) || exit 1
+
+# make certain we have output file name, as objcopy will trash input file without it
+if [ "x$sectfile" = "x" ]; then
+    echo >&2 "Error creating tempfile!"
+    exit 1
+fi
+
+# extract .vendor_cert section
+"${BINUTILS_PREFIX}"objcopy -O binary -j .vendor_cert "$1" "$sectfile" || exit 1
+
+if [ ! -s "$sectfile" ] ; then
+    echo >&2 "No .vendor_cert section in $1."
+    rm "$sectfile"
+    exit 1
+fi
+
+# xargs trims white space
+vendor_authorized_size=$(dd if="$sectfile" ibs=1 skip=0 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+vendor_deauthorized_size=$(dd if="$sectfile" ibs=1 skip=4 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+vendor_authorized_offset=$(dd if="$sectfile" ibs=1 skip=8 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+vendor_deauthorized_offset=$(dd if="$sectfile" ibs=1 skip=12 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+
+# extract cert or db
+certfile=$(mktemp) || { rm "$sectfile"; exit 1; }
+
+# extract db
+if [ "$vendor_authorized_size" -ne "0" ]; then
+    dd if="$sectfile" ibs=1 skip="$vendor_authorized_offset" count="$vendor_authorized_size" 2>/dev/null > "$certfile" || { rm "$sectfile"; rm "$certfile"; exit 1; }
+fi
+
+# extract dbx
+if [ "$vendor_deauthorized_size" -ne "0" ]; then
+    dd if="$sectfile" ibs=1 skip="$vendor_deauthorized_offset" count="$vendor_deauthorized_size" 2>/dev/null > "vendor.dbx" || { rm "$sectfile"; rm "$certfile"; exit 1; }
+    echo -e " - Secure Boot revocation list saved as ${LIGHT_GREEN}vendor.dbx${NC}"
+else
+    echo " - No secure Boot revocation list"
+fi
+
+rm "$sectfile"
+
+if [ "$vendor_authorized_size" -eq "0" ]; then
+    echo "!!! Empty vendor_authorized section (no secure boot signing certificates present)."
+    rm "$certfile"
+    exit 1
+fi
+
+# valid as single cert?
+openssl x509 -noout -inform der -in "$certfile" 2>/dev/null
+
+if [ $? -ne 0 ]; then
+    cp "$certfile" vendor.db
+    echo -e " - Secure Boot signing list saved as ${LIGHT_GREEN}vendor.db${NC}"
+else
+    # outfile name from cert CN
+    certname=$(openssl x509 -noout -subject -inform der -in "$certfile" | sed 's/^subject=.*CN *=[ \"]*//' | sed 's/[,\/].*//' | sed 's/ *//g') || { rm "$certfile"; exit 1; }
+    outfile="${certname}.der"
+
+    cp "$certfile" "$outfile" || { rm "$certfile"; exit 1; }
+
+    echo -e " - Secure Boot certificate saved as ${LIGHT_GREEN}${outfile}${NC}"
+
+    if ! command -v cert-to-efi-sig-list >/dev/null ; then
+        echo -e "   o To convert certificate to vendor.db use:"
+        echo -e "    ${YELLOW}" 'cert-to-efi-sig-list <(openssl x509 -in' "'${outfile}'" '-outform PEM) vendor.db' "${NC}"
+    else
+        cert-to-efi-sig-list <(openssl x509 -in "${outfile}" -outform PEM) vendor.db || { rm "$certfile"; exit 1; }
+        echo -e "   o Certificate has also been saved as single cert signing list ${LIGHT_GREEN}vendor.db${NC}"
+    fi
+fi
+
+rm "$certfile"