From ce4025f7cf55fe9bccc49f13fe32ef25a1e488b8 Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Sat, 2 Nov 2024 10:55:52 +0100
Subject: [PATCH] platforms/livecd: implemented Secure Boot support via shim

---
 platforms/livecd-root/Makefile | 2 +-
 platforms/livecd/Makefile | 3 ++-
 platforms/livecd/post.inc.sh | 48 ++++++++++++++++++++++------------
 3 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/platforms/livecd-root/Makefile b/platforms/livecd-root/Makefile
index b6bbb78..2871f8f 100644
--- a/platforms/livecd-root/Makefile
+++ b/platforms/livecd-root/Makefile
@@ -13,7 +13,7 @@ $(MAKEDIST_TARGET)-livecd-root: \
 NetworkManager ModemManager \
 firefox livecd-tools \
 parted samba-server sddm \
- mambatray dnf \
+ mambatray dnf sbsigntools shim-signed \
 $(MAKEDIST_TARGET)-livecd-kde
 
 $(MAKEDIST_TARGET)-livecd-root-x86_64: VirtualBox-guest
diff --git a/platforms/livecd/Makefile b/platforms/livecd/Makefile
index aaabe05..7c0bc5d 100644
--- a/platforms/livecd/Makefile
+++ b/platforms/livecd/Makefile
@@ -1,4 +1,5 @@
-$(MAKEDIST_TARGET)-livecd: openmamba-release breeze-grub-theme memtest86+ memtest86+-efi dracut grub-efi-x86_64
+$(MAKEDIST_TARGET)-livecd: openmamba-release breeze-grub-theme memtest86+ \
+ memtest86+-efi dracut grub-efi-x86_64 shim-signed sbsigntools
 # Localized targets
 $(MAKEDIST_TARGET)-livecd-en:
 $(MAKEDIST_TARGET)-livecd-it:
diff --git a/platforms/livecd/post.inc.sh b/platforms/livecd/post.inc.sh
index b4010d4..b888d98 100644
--- a/platforms/livecd/post.inc.sh
+++ b/platforms/livecd/post.inc.sh
@@ -155,29 +155,43 @@ fi
 #
 # create EFI grub 32 and 64 bit images
-mkdir -p $MOUNTDIR2/EFI/BOOT/
-grub-mkimage -o $MOUNTDIR2/EFI/BOOT/bootx64.efi -O x86_64-efi -p /EFI/BOOT \
- part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot linux echo \
- help gfxterm gettext png efi_gop efi_uga search search_label search_fs_uuid \
- iso9660 configfile || {
- errorAndExit $"Error: unable to create GRUB x86_64-efi image"
+mkdir -p $MOUNTDIR/boot/efi/EFI/openmamba/
+chroot $MOUNTDIR grub-mkimage -o /boot/efi/EFI/openmamba/grubx64.efi -O x86_64-efi \
+ -p /boot/grub --sbat /usr/share/grub/sbat.csv \
+ all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
+ fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
+ iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
+ memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
+ play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
+ smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo || {
+ echo $"Error: unable to create GRUB x86_64-efi image"
+ exit 1
 }
+# Sign EFI image for secure boot
+chroot $MOUNTDIR openssl req -newkey rsa:2048 -nodes -keyout /root/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=openmamba Machine Owner Key/" -out /root/MOK.crt
+chroot $MOUNTDIR openssl x509 -outform DER -in /root/MOK.crt -out /root/MOK.cer
+chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/efi/EFI/openmamba/grubx64.efi /boot/efi/EFI/openmamba/grubx64.efi
+ISOID=
+for K in $KERNEL_EXTRAVER $KERNEL_MORE_EXTRAVER; do
+ chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/vmlinuz-${KERNEL_MAJVER}${K} /boot/vmlinuz-${KERNEL_MAJVER}${K}
+ cp $MOUNTDIR/boot/vmlinuz-${KERNEL_MAJVER}${K} \
+ $MOUNTDIR2/boot/vmlinuz${ISOID}
+ ISOID=$(($ISOID + 1))
+done
+
+mkdir -p $MOUNTDIR2/EFI/BOOT/
+cp $MOUNTDIR/root/MOK.cer $MOUNTDIR2/EFI/
+cp $MOUNTDIR/boot/efi/EFI/openmamba/grubx64.efi $MOUNTDIR2/EFI/BOOT/grubx64.efi
+
+# Install shim-signed
+cp $MOUNTDIR/usr/share/shim-signed/shimx64.efi $MOUNTDIR2/EFI/BOOT/bootx64.efi
+cp $MOUNTDIR/usr/share/shim-signed/mmx64.efi $MOUNTDIR2/EFI/BOOT/
+
 #
 # EFI support section END
 #
-#echo "Adding binary packages from pkggroups.db..."
-#. $LOCALSTATEDIR/.${MEDIA_NAMES[0]}.distinfo
-#LANG=${LANGUAGE:0:2} . $MOUNTDIR/usr/share/openmamba/pkggroups.db
-#
-#add_binary_packages_to_repository $MOUNTDIR2/openmamba "$ALL_PKGS $EXTRA_PKGS" "$INSTALLED"
-
-#echo "Generating APT database..."
-#ln -s RPMS/$arch $MOUNTDIR2/openmamba/RPMS.$arch
-#genbasedir $MOUNTDIR2/openmamba
-#mkdir $MOUNTDIR2/.disk
-#cat $MOUNTDIR/etc/openmamba-release > $MOUNTDIR2/.disk/info
 # Finally produce the medium
 MOUNTDIR=$MOUNTDIR2 produce_media $MEDIA_NAME
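Review bot: The Machine Owner Key created by the `openssl req` line is written unencrypted (`-nodes`) to `/root/MOK.key` inside `$MOUNTDIR` and is never removed after the `sbsign` calls, so if that root filesystem is packed into the medium (the hunk only shows boot files being copied out of it), every copy of the ISO carries the private key whose certificate users are asked to enrol via `/EFI/MOK.cer` and MokManager, and anyone holding the ISO can sign binaries those machines will then trust. Deleting the key once signing is done, `rm -f $MOUNTDIR/root/MOK.key`, closes that gap; generating it in a build-only directory outside the chroot would be cleaner still. A second gap is that none of the `openssl` and `sbsign` lines checks its exit status, unlike the `grub-mkimage` call just above them, so a failed signature leaves an unsigned `grubx64.efi` or kernel that shim will reject at boot with no build-time error. Note also that the key is regenerated on every build, so a certificate enrolled from one ISO will not validate the next one; that may be intended for a live medium but deserves a comment such as `# A fresh per-build MOK: users must re-enrol MOK.cer for each release`. The rewritten signing section below adds the exit-status checks and the key removal; the enclosing script continues outside the hunk.
```shell
# Sign EFI image for secure boot
chroot $MOUNTDIR openssl req -newkey rsa:2048 -nodes -keyout /root/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=openmamba Machine Owner Key/" -out /root/MOK.crt || {
	echo $"Error: unable to generate the Machine Owner Key"
	exit 1
}
chroot $MOUNTDIR openssl x509 -outform DER -in /root/MOK.crt -out /root/MOK.cer || {
	echo $"Error: unable to export the Machine Owner Key certificate"
	exit 1
}
chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/efi/EFI/openmamba/grubx64.efi /boot/efi/EFI/openmamba/grubx64.efi || {
	echo $"Error: unable to sign GRUB x86_64-efi image"
	exit 1
}
ISOID=
for K in $KERNEL_EXTRAVER $KERNEL_MORE_EXTRAVER; do
	chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/vmlinuz-${KERNEL_MAJVER}${K} /boot/vmlinuz-${KERNEL_MAJVER}${K} || {
		echo $"Error: unable to sign kernel vmlinuz-${KERNEL_MAJVER}${K}"
		exit 1
	}
	# … unchanged: copy of the signed kernel to $MOUNTDIR2/boot and ISOID increment …
done
# The private key must not ship inside the live root; only the DER certificate is needed from here on
rm -f $MOUNTDIR/root/MOK.key
# … unchanged: copy of MOK.cer, grubx64.efi and shim into $MOUNTDIR2/EFI …
```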