From d57c8817b1158842f21de3f0a4c17e5cc9e265ec Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Fri, 1 Nov 2024 20:22:28 +0100
Subject: [PATCH] sb-setup: add script for secure boot setup
---
 Makefile | 6 +++-
 sb-setup/sb-setup | 81 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100755 sb-setup/sb-setup
diff --git a/Makefile b/Makefile
index e75b823..3788263 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
 # Makefile for desktop-base-openmamba package
-# Copyright (C) 2004-2022 by Silvan Calarco
+# Copyright (C) 2004-2024 by Silvan Calarco
 # Copyright (C) 2005-2007 by Davide Madrisan
 
 include VERSION
@@ -119,6 +119,9 @@ install-kde-distro-addons: dist-update
 install-os-makereport:
 $(INSTALL_SCRIPT) os-makereport/os-makereport $(DESTDIR)$(bindir)
 
+install-sb-setup:
+ $(INSTALL_SCRIPT) sb-setup/sb-setup $(DESTDIR)$(bindir)
+
 install-desktop:
 @$(INSTALL_DIR) $(DESTDIR)$(distrodesktopdir)
 $(INSTALL_DATA) $(pck_desktop) $(DESTDIR)$(distrodesktopdir)
@@ -133,6 +136,7 @@ install: $(pck_infiles:.in=) \
 install-desktop \
 install-openmamba-update \
 install-os-makereport \
+ install-sb-setup \
 install-locales
 
 dist: clean
diff --git a/sb-setup/sb-setup b/sb-setup/sb-setup
new file mode 100755
index 0000000..10b748a
--- /dev/null
+++ b/sb-setup/sb-setup
@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# openmamba secure boot setup script
+#
+# Copyright (c) 2024 by Silvan Calarco
+# Released under the terms of the GNU GPL License v3
+
+# Requires: sbsigntools shim-signed efibootmgr
+
+# Sample chroot mount:
+# sudo mount -o bind /dev /mnt/sda2/dev
+# sudo mount -o bind /sys /mnt/sda2/sys
+# sudo mount -o bind /proc /mnt/sda2/proc
+# sudo mount -o bind /run /mnt/sda2/run
+# sudo mount -o bind /mnt/sda1 /mnt/sda2/boot/efi
+# sudo mount -o bind /sys/firmware/efi/efivars /mnt/sda2/sys/firmware/efi/efivars/
+
+SECUREBOOT_ENABLED=`xxd -p -l4 -s1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null`
+
+QUIET=
+
+[ "$1" = "-q" ] && QUIET=1
+
+[ "$QUIET" ] || echo "Secure boot setup script for openmamba"
+
+[ "$SECUREBOOT_ENABLED" == "00000001" ] || {
+ [ "$QUIET" ] || echo "Secure Boot is not enabled; exiting."
+ exit 0
+ }
+
+EFIDIR=/boot/efi/
+EFILABEL="openmamba"
+CERTDIR="/var/lib/sb-setup/mok"
+BOOTDEV=`findmnt -fno SOURCE /boot/efi`
+
+# Setup MAchine Owner Key folder
+[ -e ${CERTDIR} ] || mkdir -p ${CERTDIR}
+
+# Sign EFI image for secure boot
+[ -e ${CERTDIR}/MOK.cer ] || {
+ [ "$QUIET" ] || echo "Creating Machine Owner Key and certificates"
+ openssl req -newkey rsa:2048 -nodes -keyout ${CERTDIR}/MOK.key -new -x509 -sha256 \
+ -days 3650 -subj "/CN=${EFILABEL} Machine Owner Key/" -out ${CERTDIR}/MOK.crt
+ openssl x509 -outform DER -in ${CERTDIR}/MOK.crt -out ${CERTDIR}/MOK.cer
+ }
+
+#grub-mkimage -o ${EFIDIR}/grubx64.efi -O x86_64-efi -p /boot/grub \
+
+[ "$QUIET" ] || echo "Create EFI grub image"
+grub-install --target=x86_64-efi --efi-directory=${EFIDIR} --bootloader-id="${EFILABEL}" \
+ --sbat /usr/share/grub/sbat.csv --recheck \
+ --modules="all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
+ fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
+ iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
+ memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
+ play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
+ smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo"
+
+[ "$QUIET" ] || echo "Signing EFI grub image for Secure Boot"
+sbsign --key ${CERTDIR}/MOK.key --cert ${CERTDIR}/MOK.crt --output ${EFIDIR}/EFI/${EFILABEL}/grubx64.efi ${EFIDIR}//EFI/${EFILABEL}/grubx64.efi
+
+for k in /boot/vmlinuz-*; do
+ echo "Signing $k for Secure Boot"
+ # Remove a previous signature if present
+ sbattach --remove ${k} 2>/dev/null
+ sbsign --key ${CERTDIR}/MOK.key --cert ${CERTDIR}/MOK.crt --output ${k} ${k}
+done
+
+[ "$QUIET" ] || echo "Copying MOK.cer into ${EFIDIR}/EFI/${EFILABEL}/"
+cp ${CERTDIR}/MOK.cer ${EFIDIR}/EFI/${EFILABEL}/
+
+# Install shim-signed
+[ "$QUIET" ] || echo "Installing shim images on ${EFIDIR}/EFI/${EFILABEL}"
+cp /usr/share/shim-signed/shimx64.efi ${EFIDIR}/EFI/${EFILABEL}/
+cp /usr/share/shim-signed/mmx64.efi ${EFIDIR}/EFI/${EFILABEL}/
+
+# Create EFI bootmanager entry for shimx64
+[ "$QUIET" ] || echo "Configuring /EFI/${EFILABEL}/shimx64.efi for boot"
+efibootmgr -q -c -d ${BOOTDEV} -L "${EFILABEL}" -l "/EFI/${EFILABEL}/shimx64.efi"
+
+[ "$QUIET" ] || echo "Done."
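Review bot: The Machine Owner Key private key written by the `openssl req ... -keyout ${CERTDIR}/MOK.key` line inside the `[ -e ${CERTDIR}/MOK.cer ] || {` block is created under the caller's default umask in a directory made with a plain `mkdir -p`, so MOK.key can end up readable by unprivileged users; once MOK.cer is enrolled, anyone who can read that key can sign images the firmware will accept. Create the directory with `mkdir -p -m 0700 ${CERTDIR}` and restrict the key, e.g. `chmod 0600 ${CERTDIR}/MOK.key` directly after the `openssl req` call (or run the key generation under `umask 077`). Separately, the script has no `set -e` and checks no exit status, so a failed `sbsign` on grubx64.efi still reaches the shim `cp` lines and the `efibootmgr -c` call, leaving a boot entry whose grub image shim will refuse; `set -e` near the top, or `|| exit 1` on the signing lines, would avoid that. The `efibootmgr -q -c` line also runs on every invocation, which appears to add a fresh "openmamba" NVRAM entry each time the script is run, so checking for an existing entry with that label before creating one would keep the script idempotent. Finally, MOK.cer is copied to the ESP but never enrolled (e.g. `mokutil --import ${CERTDIR}/MOK.cer`), so a comment or final message telling the user to enroll it through MokManager (mmx64.efi) on the next boot would save a confusing verification failure.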