feat: ✨ implement uki signing
This commit is contained in:
parent
473c2e9a61
commit
6b1db28923
@ -9,6 +9,8 @@ function check_deps -d "checks if all dependencies are available"
|
|||||||
set -l dependencies \
|
set -l dependencies \
|
||||||
"efibootmgr" \
|
"efibootmgr" \
|
||||||
"jq" \
|
"jq" \
|
||||||
|
"rg" \
|
||||||
|
"sbsign" \
|
||||||
"sed" \
|
"sed" \
|
||||||
"snapper" \
|
"snapper" \
|
||||||
|
|
||||||
@ -31,6 +33,9 @@ function config -d "sets some configuration variables"
|
|||||||
set -g CFG_SNAPSHOT_PATH "/.snapshots"
|
set -g CFG_SNAPSHOT_PATH "/.snapshots"
|
||||||
set -g CFG_SNAPSHOT_SUBVOL "@snapshots"
|
set -g CFG_SNAPSHOT_SUBVOL "@snapshots"
|
||||||
set -g CFG_UKI_DIR "/efi/EFI/Linux"
|
set -g CFG_UKI_DIR "/efi/EFI/Linux"
|
||||||
|
set -g CFG_SECUREBOOT "yes"
|
||||||
|
set -g CFG_SECUREBOOT_KEY "/etc/secureboot/keys/db/db.key"
|
||||||
|
set -g CFG_SECUREBOOT_CERT "/etc/secureboot/keys/db/db.crt"
|
||||||
end
|
end
|
||||||
|
|
||||||
function find_tasks -d "finds out what the program needs to do"
|
function find_tasks -d "finds out what the program needs to do"
|
||||||
@ -70,7 +75,17 @@ function create_uki -d "creates a new uki" -a variant id
|
|||||||
--add-section .splash="$prefix/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
|
--add-section .splash="$prefix/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
|
||||||
--add-section .linux="$prefix/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
|
--add-section .linux="$prefix/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
|
||||||
--add-section .initrd="$prefix/boot/initramfs-linux$fallback.img" --change-section-vma .initrd=0x3000000 \
|
--add-section .initrd="$prefix/boot/initramfs-linux$fallback.img" --change-section-vma .initrd=0x3000000 \
|
||||||
"$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi"
|
"$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi.unsigned"
|
||||||
|
|
||||||
|
# sign
|
||||||
|
if test "$CFG_SECUREBOOT" = "yes"
|
||||||
|
sbsign --key $CFG_SECUREBOOT_KEY \
|
||||||
|
--cert $CFG_SECUREBOOT_CERT \
|
||||||
|
--output "$bd/arch-linux$fallback$snid.efi" \
|
||||||
|
"$bd/arch-linux$fallback$snid.efi.unsigned"
|
||||||
|
else # otherwise move unsigned efi to location
|
||||||
|
mv "$bd/arch-linux$fallback$snid.efi.unsigned" "$bd/arch-linux$fallback$snid.efi"
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
function create_snapshot_uki -d "creates an uki for a snapshot" -a id
|
function create_snapshot_uki -d "creates an uki for a snapshot" -a id
|
||||||
|
Loading…
Reference in New Issue
Block a user