sb-setup: add script for secure boot setup
parent
f708397560
commit
d57c8817b1
6
Makefile
6
Makefile
@ -1,5 +1,5 @@
# Makefile for desktop-base-openmamba package
# Copyright (C) 2004-2022 by Silvan Calarco <silvan.calarco@mambasoft.it>
# Copyright (C) 2004-2024 by Silvan Calarco <silvan.calarco@mambasoft.it>
# Copyright (C) 2005-2007 by Davide Madrisan <davide.madrisan@gmail.com>
include VERSION
@ -119,6 +119,9 @@ install-kde-distro-addons: dist-update
install-os-makereport:
$(INSTALL_SCRIPT) os-makereport/os-makereport $(DESTDIR)$(bindir)
install-sb-setup:
$(INSTALL_SCRIPT) sb-setup/sb-setup $(DESTDIR)$(bindir)
install-desktop:
@$(INSTALL_DIR) $(DESTDIR)$(distrodesktopdir)
$(INSTALL_DATA) $(pck_desktop) $(DESTDIR)$(distrodesktopdir)
@ -133,6 +136,7 @@ install: $(pck_infiles:.in=) \
install-desktop \
install-openmamba-update \
install-os-makereport \
install-sb-setup \
install-locales
dist: clean
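--- /dev/null
+++ b/sb-setup/sb-setup
@@ -0,0 +1,81 @@
+#!/bin/bash
+#
+# openmamba secure boot setup script
+#
+# Copyright (c) 2024 by Silvan Calarco <silvan.calarco@mambasoft.it>
+# Released under the terms of the GNU GPL License v3
+
+# Requires: sbsigntools shim-signed efibootmgr
+
+# Sample chroot mount:
+# sudo mount -o bind /dev /mnt/sda2/dev
+# sudo mount -o bind /sys /mnt/sda2/sys
+# sudo mount -o bind /proc /mnt/sda2/proc
+# sudo mount -o bind /run /mnt/sda2/run
+# sudo mount -o bind /mnt/sda1 /mnt/sda2/boot/efi
+# sudo mount -o bind /sys/firmware/efi/efivars /mnt/sda2/sys/firmware/efi/efivars/
+
+SECUREBOOT_ENABLED=`xxd -p -l4 -s1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null`
+
+QUIET=
+
+[ "$1" = "-q" ] && QUIET=1
+
+[ "$QUIET" ] || echo "Secure boot setup script for openmamba"
+
+[ "$SECUREBOOT_ENABLED" == "00000001" ] || {
+[ "$QUIET" ] || echo "Secure Boot is not enabled; exiting."
+exit 0
+}
+
+EFIDIR=/boot/efi/
+EFILABEL="openmamba"
+CERTDIR="/var/lib/sb-setup/mok"
+BOOTDEV=`findmnt -fno SOURCE /boot/efi`
+
+# Setup MAchine Owner Key folder
+[ -e ${CERTDIR} ] || mkdir -p ${CERTDIR}
+
+# Sign EFI image for secure boot
+[ -e ${CERTDIR}/MOK.cer ] || {
+[ "$QUIET" ] || echo "Creating Machine Owner Key and certificates"
+openssl req -newkey rsa:2048 -nodes -keyout ${CERTDIR}/MOK.key -new -x509 -sha256 \
+-days 3650 -subj "/CN=${EFILABEL} Machine Owner Key/" -out ${CERTDIR}/MOK.crt
+openssl x509 -outform DER -in ${CERTDIR}/MOK.crt -out ${CERTDIR}/MOK.cer
+}
+
+#grub-mkimage -o ${EFIDIR}/grubx64.efi -O x86_64-efi -p /boot/grub \
+
+[ "$QUIET" ] || echo "Create EFI grub image"
+grub-install --target=x86_64-efi --efi-directory=${EFIDIR} --bootloader-id="${EFILABEL}" \
+--sbat /usr/share/grub/sbat.csv --recheck \
+--modules="all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
+fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
+iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
+memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
+play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
+smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo"
+
+[ "$QUIET" ] || echo "Signing EFI grub image for Secure Boot"
+sbsign --key ${CERTDIR}/MOK.key --cert ${CERTDIR}/MOK.crt --output ${EFIDIR}/EFI/${EFILABEL}/grubx64.efi ${EFIDIR}//EFI/${EFILABEL}/grubx64.efi
+
+for k in /boot/vmlinuz-*; do
+echo "Signing $k for Secure Boot"
+# Remove a previous signature if present
+sbattach --remove ${k} 2>/dev/null
+sbsign --key ${CERTDIR}/MOK.key --cert ${CERTDIR}/MOK.crt --output ${k} ${k}
+done
+
+[ "$QUIET" ] || echo "Copying MOK.cer into ${EFIDIR}/EFI/${EFILABEL}/"
+cp ${CERTDIR}/MOK.cer ${EFIDIR}/EFI/${EFILABEL}/
+
+# Install shim-signed
+[ "$QUIET" ] || echo "Installing shim images on ${EFIDIR}/EFI/${EFILABEL}"
+cp /usr/share/shim-signed/shimx64.efi ${EFIDIR}/EFI/${EFILABEL}/
+cp /usr/share/shim-signed/mmx64.efi ${EFIDIR}/EFI/${EFILABEL}/
+
+# Create EFI bootmanager entry for shimx64
+[ "$QUIET" ] || echo "Configuring /EFI/${EFILABEL}/shimx64.efi for boot"
+efibootmgr -q -c -d ${BOOTDEV} -L "${EFILABEL}" -l "/EFI/${EFILABEL}/shimx64.efi"
+
+[ "$QUIET" ] || echo "Done."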
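Review bot: Nothing in the script stops on failure, so if `openssl req`, `grub-install` or `sbsign` fails the run continues and `efibootmgr -c` still registers a boot entry for shimx64.efi beside an unsigned or missing grubx64.efi; adding `set -eu` after the shebang (or checking each step's exit status) would abort before the boot entry is touched. The MOK private key is written unencrypted (`-nodes`) into `${CERTDIR}`, which `mkdir -p` creates under the caller's default umask; I would put `umask 077` before the `openssl req` line and `chmod 700 "${CERTDIR}"` after the `mkdir -p`, since whether openssl itself restricts the key file's mode depends on the version and is worth confirming. The per-kernel `echo "Signing $k for Secure Boot"` is the only message not gated by `[ "$QUIET" ] ||`, and the loop would also benefit from `shopt -s nullglob` so a system with no `/boot/vmlinuz-*` does not hand the literal glob to sbsign. The `xxd -p -l4 -s1` read of the SecureBoot efivar appears to return the last three bytes of the 4-byte attribute word plus the first data byte, which is why `00000001` is the expected value; a comment such as `# efivars: 4-byte attributes then data; skip 1 byte so the output is 000000 followed by the data byte` would save the next reader from re-deriving it.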