feat: implement uki signing

Adrian Wannenmacher 2021-02-12 17:45:15 +01:00
parent 473c2e9a61
commit 6b1db28923
Signed by: tfld
GPG Key ID: 19D986ECB1E492D5


@ -9,6 +9,8 @@ function check_deps -d "checks if all dependencies are available"
set -l dependencies \ set -l dependencies \
"efibootmgr" \ "efibootmgr" \
"jq" \ "jq" \
"rg" \
"sbsign" \
"sed" \ "sed" \
"snapper" \ "snapper" \
@ -31,6 +33,9 @@ function config -d "sets some configuration variables"
set -g CFG_SNAPSHOT_PATH "/.snapshots" set -g CFG_SNAPSHOT_PATH "/.snapshots"
set -g CFG_SNAPSHOT_SUBVOL "@snapshots" set -g CFG_SNAPSHOT_SUBVOL "@snapshots"
set -g CFG_UKI_DIR "/efi/EFI/Linux" set -g CFG_UKI_DIR "/efi/EFI/Linux"
set -g CFG_SECUREBOOT "yes"
set -g CFG_SECUREBOOT_KEY "/etc/secureboot/keys/db/db.key"
set -g CFG_SECUREBOOT_CERT "/etc/secureboot/keys/db/db.crt"
end end
function find_tasks -d "finds out what the program needs to do" function find_tasks -d "finds out what the program needs to do"
@ -70,7 +75,17 @@ function create_uki -d "creates a new uki" -a variant id
--add-section .splash="$prefix/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \ --add-section .splash="$prefix/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
--add-section .linux="$prefix/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \ --add-section .linux="$prefix/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
--add-section .initrd="$prefix/boot/initramfs-linux$fallback.img" --change-section-vma .initrd=0x3000000 \ --add-section .initrd="$prefix/boot/initramfs-linux$fallback.img" --change-section-vma .initrd=0x3000000 \
"$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi" "$prefix/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "$bd/arch-linux$fallback$snid.efi.unsigned"
# sign
if test "$CFG_SECUREBOOT" = "yes"
sbsign --key $CFG_SECUREBOOT_KEY \
--cert $CFG_SECUREBOOT_CERT \
--output "$bd/arch-linux$fallback$snid.efi" \
"$bd/arch-linux$fallback$snid.efi.unsigned"
else # otherwise move unsigned efi to location
mv "$bd/arch-linux$fallback$snid.efi.unsigned" "$bd/arch-linux$fallback$snid.efi"
end
end end
function create_snapshot_uki -d "creates an uki for a snapshot" -a id function create_snapshot_uki -d "creates an uki for a snapshot" -a id