platforms/livecd: implemented Secure Boot support via shim

Silvan Calarco 2024-11-02 10:55:52 +01:00
parent 1c44ea001e
commit ce4025f7cf
3 changed files with 34 additions and 19 deletions


@ -13,7 +13,7 @@ $(MAKEDIST_TARGET)-livecd-root: \
NetworkManager ModemManager \ NetworkManager ModemManager \
firefox livecd-tools \ firefox livecd-tools \
parted samba-server sddm \ parted samba-server sddm \
mambatray dnf \ mambatray dnf sbsigntools shim-signed \
$(MAKEDIST_TARGET)-livecd-kde $(MAKEDIST_TARGET)-livecd-kde
$(MAKEDIST_TARGET)-livecd-root-x86_64: VirtualBox-guest $(MAKEDIST_TARGET)-livecd-root-x86_64: VirtualBox-guest


@ -1,4 +1,5 @@
$(MAKEDIST_TARGET)-livecd: openmamba-release breeze-grub-theme memtest86+ memtest86+-efi dracut grub-efi-x86_64 $(MAKEDIST_TARGET)-livecd: openmamba-release breeze-grub-theme memtest86+ \
memtest86+-efi dracut grub-efi-x86_64 shim-signed sbsigntools
# Localized targets # Localized targets
$(MAKEDIST_TARGET)-livecd-en: $(MAKEDIST_TARGET)-livecd-en:
$(MAKEDIST_TARGET)-livecd-it: $(MAKEDIST_TARGET)-livecd-it:


@ -155,29 +155,43 @@ fi
# #
# create EFI grub 32 and 64 bit images # create EFI grub 32 and 64 bit images
mkdir -p $MOUNTDIR2/EFI/BOOT/ mkdir -p $MOUNTDIR/boot/efi/EFI/openmamba/
grub-mkimage -o $MOUNTDIR2/EFI/BOOT/bootx64.efi -O x86_64-efi -p /EFI/BOOT \ chroot $MOUNTDIR grub-mkimage -o /boot/efi/EFI/openmamba/grubx64.efi -O x86_64-efi \
part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot linux echo \ -p /boot/grub --sbat /usr/share/grub/sbat.csv \
help gfxterm gettext png efi_gop efi_uga search search_label search_fs_uuid \ all_video bli boot chain configfile cpuid echo efifwsetup efi_gop efi_uga efinet ext2 \
iso9660 configfile || { fat font gettext gfxmenu gfxterm gfxterm gfxterm_background gzio halt help hfsplus \
errorAndExit $"Error: unable to create GRUB x86_64-efi image" iso9660 jpeg keystatus linux loadenv loopback ls lsefi lsefimmap lsefisystab lssal \
memdisk minicmd normal ntfs ntfscomp part_apple part_gpt part_msdos password_pbkdf2 \
play png probe reboot regexp search search_fs_file search_fs_uuid search_label sleep \
smbios squash4 test tpm true video video_bochs video_cirrus xfs zfs zfscrypt zfsinfo || {
echo $"Error: unable to create GRUB x86_64-efi image"
exit 1
} }
# Sign EFI image for secure boot
chroot $MOUNTDIR openssl req -newkey rsa:2048 -nodes -keyout /root/MOK.key -new -x509 -sha256 -days 3650 -subj "/CN=openmamba Machine Owner Key/" -out /root/MOK.crt
chroot $MOUNTDIR openssl x509 -outform DER -in /root/MOK.crt -out /root/MOK.cer
chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/efi/EFI/openmamba/grubx64.efi /boot/efi/EFI/openmamba/grubx64.efi
ISOID=
for K in $KERNEL_EXTRAVER $KERNEL_MORE_EXTRAVER; do
chroot $MOUNTDIR sbsign --key /root/MOK.key --cert /root/MOK.crt --output /boot/vmlinuz-${KERNEL_MAJVER}${K} /boot/vmlinuz-${KERNEL_MAJVER}${K}
cp $MOUNTDIR/boot/vmlinuz-${KERNEL_MAJVER}${K} \
$MOUNTDIR2/boot/vmlinuz${ISOID}
ISOID=$(($ISOID + 1))
done
mkdir -p $MOUNTDIR2/EFI/BOOT/
cp $MOUNTDIR/root/MOK.cer $MOUNTDIR2/EFI/
cp $MOUNTDIR/boot/efi/EFI/openmamba/grubx64.efi $MOUNTDIR2/EFI/BOOT/grubx64.efi
# Install shim-signed
cp $MOUNTDIR/usr/share/shim-signed/shimx64.efi $MOUNTDIR2/EFI/BOOT/bootx64.efi
cp $MOUNTDIR/usr/share/shim-signed/mmx64.efi $MOUNTDIR2/EFI/BOOT/
# #
# EFI support section END # EFI support section END
# #
#echo "Adding binary packages from pkggroups.db..."
#. $LOCALSTATEDIR/.${MEDIA_NAMES[0]}.distinfo
#LANG=${LANGUAGE:0:2} . $MOUNTDIR/usr/share/openmamba/pkggroups.db
#
#add_binary_packages_to_repository $MOUNTDIR2/openmamba "$ALL_PKGS $EXTRA_PKGS" "$INSTALLED"
#echo "Generating APT database..."
#ln -s RPMS/$arch $MOUNTDIR2/openmamba/RPMS.$arch
#genbasedir $MOUNTDIR2/openmamba
#mkdir $MOUNTDIR2/.disk
#cat $MOUNTDIR/etc/openmamba-release > $MOUNTDIR2/.disk/info
# Finally produce the medium # Finally produce the medium
MOUNTDIR=$MOUNTDIR2 produce_media $MEDIA_NAME MOUNTDIR=$MOUNTDIR2 produce_media $MEDIA_NAME