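#!/bin/bash
#
# openmamba secure boot setup script
#
# Copyright (c) 2024 by Silvan Calarco <silvan.calarco@mambasoft.it>
# Released under the terms of the GNU GPL License v3
#
# Usage: sb-setup.sh [-q]
#   -q   quiet: suppress progress messages on stdout (errors still go to stderr)
#
# Exit status: 0 when Secure Boot is disabled (nothing to do) or on success;
# non-zero as soon as any signing/installation step fails (set -e).
#
# Requires: sbsigntools shim-signed efibootmgr
# Also used here: xxd, openssl, findmnt (util-linux), grub-install
#
# Sample chroot mount:
# sudo mount -o bind /dev /mnt/sda2/dev
# sudo mount -o bind /sys /mnt/sda2/sys
# sudo mount -o bind /proc /mnt/sda2/proc
# sudo mount -o bind /run /mnt/sda2/run
# sudo mount -o bind /mnt/sda1 /mnt/sda2/boot/efi
# sudo mount -o bind /sys/firmware/efi/efivars /mnt/sda2/sys/firmware/efi/efivars/

set -euo pipefail

# ESP mount point (no trailing slash, so "${EFIDIR}/EFI" does not produce "//EFI").
readonly EFIDIR=/boot/efi
readonly EFILABEL="openmamba"
# Machine Owner Key material stays outside the ESP; only the public MOK.cer is
# copied to the ESP (presumably for enrollment through MokManager / mmx64.efi).
readonly CERTDIR="/var/lib/sb-setup/mok"

QUIET=

# Print a progress message on stdout unless -q was given.
info() {
  [ "$QUIET" ] || printf '%s\n' "$*"
}

# Print an error on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Return 0 when the firmware reports Secure Boot as enabled.
# efivarfs prefixes the variable data with 4 attribute bytes; reading 4 bytes
# from offset 1 skips the first attribute byte and ends on the first data byte,
# so an enabled Secure Boot reads as "00000001".
# NOTE(review): this relies on the three remaining attribute bytes being zero —
# confirm on the target firmware.
secureboot_enabled() {
  local state
  # A missing efivarfs (no UEFI, not mounted in the chroot) must read as "disabled".
  state=$(xxd -p -l4 -s1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null) || state=
  [ "$state" == "00000001" ]
}

# Create the MOK key pair and its DER certificate when MOK.cer does not exist yet.
# Globals: CERTDIR (read), EFILABEL (read)
create_mok() {
  if [ -e "${CERTDIR}/MOK.cer" ]; then
    return 0
  fi
  info "Creating Machine Owner Key and certificates"
  openssl req -newkey rsa:2048 -nodes -keyout "${CERTDIR}/MOK.key" -new -x509 -sha256 \
    -days 3650 -subj "/CN=${EFILABEL} Machine Owner Key/" -out "${CERTDIR}/MOK.crt"
  # Whoever holds this key can sign binaries the firmware will trust: keep it root-only.
  chmod 600 "${CERTDIR}/MOK.key"
  openssl x509 -outform DER -in "${CERTDIR}/MOK.crt" -out "${CERTDIR}/MOK.cer"
}

# Install the GRUB EFI image into the ESP with the SBAT data and module set below.
# (Earlier variant: grub-mkimage -o ${EFIDIR}/grubx64.efi -O x86_64-efi -p /boot/grub)
# Globals: EFIDIR (read), EFILABEL (read)
install_grub_image() {
  info "Create EFI grub image"
  grub-install --target=x86_64-efi --efi-directory="${EFIDIR}" --bootloader-id="${EFILABEL}" \
    --sbat /usr/share/grub/sbat.csv --recheck \
    --modules="all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
    fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
    iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
    memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
    play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
    smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo"
}

# Sign one EFI binary in place with the MOK.
# Arguments: $1 - path of the image to sign
# Globals: CERTDIR (read)
sign_image() {
  local image=$1
  sbsign --key "${CERTDIR}/MOK.key" --cert "${CERTDIR}/MOK.crt" --output "$image" "$image"
}

# Re-sign every installed kernel image, dropping a previous signature first.
sign_kernels() {
  local k
  for k in /boot/vmlinuz-*; do
    # An unmatched glob is left literal by bash; skip it rather than "signing" it.
    [ -e "$k" ] || continue
    info "Signing $k for Secure Boot"
    # sbattach fails when there is nothing to remove; that is expected for a fresh kernel.
    sbattach --remove "$k" 2>/dev/null || true
    sign_image "$k"
  done
}

# Copy the public MOK certificate and the signed shim/MokManager images into the ESP.
# Globals: EFIDIR (read), EFILABEL (read), CERTDIR (read)
install_shim() {
  local dest="${EFIDIR}/EFI/${EFILABEL}"
  info "Copying MOK.cer into ${dest}/"
  cp "${CERTDIR}/MOK.cer" "${dest}/"
  info "Installing shim images on ${dest}"
  cp /usr/share/shim-signed/shimx64.efi "${dest}/"
  cp /usr/share/shim-signed/mmx64.efi "${dest}/"
}

# Create the EFI boot manager entry pointing at shimx64.efi.
# NOTE(review): -c adds a new entry on every run; duplicates may accumulate — confirm.
# Globals: EFIDIR (read), EFILABEL (read)
register_boot_entry() {
  local bootdev
  bootdev=$(findmnt -fno SOURCE "${EFIDIR}") || bootdev=
  [ -n "$bootdev" ] || die "cannot determine the device mounted on ${EFIDIR}"
  info "Configuring /EFI/${EFILABEL}/shimx64.efi for boot"
  efibootmgr -q -c -d "$bootdev" -L "${EFILABEL}" -l "/EFI/${EFILABEL}/shimx64.efi"
}

# Entry point: parse -q, bail out when Secure Boot is off, then run every step in order.
main() {
  if [ "${1-}" = "-q" ]; then
    QUIET=1
  fi
  info "Secure boot setup script for openmamba"
  if ! secureboot_enabled; then
    info "Secure Boot is not enabled; exiting."
    exit 0
  fi

  # Machine Owner Key folder; created root-only because it holds the private key.
  [ -e "${CERTDIR}" ] || mkdir -p -m 0700 "${CERTDIR}"
  create_mok

  install_grub_image
  info "Signing EFI grub image for Secure Boot"
  sign_image "${EFIDIR}/EFI/${EFILABEL}/grubx64.efi"

  sign_kernels
  install_shim
  register_boot_entry
  info "Done."
}

main "$@"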