securebootsign/signkernels.sh

48 lines
1.3 KiB
Bash
Raw Permalink Normal View History

2020-05-01 16:22:20 +02:00
#!/bin/bash
# make settings
# required stub file
EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
# signing keys
PKI="/root/secureboot"
KEY="${PKI}/db.key"
CERT="${PKI}/db.crt"
# directories
BOOT="/boot"
ESP="${BOOT}/EFI"
OUT="${ESP}/Linux"
# what's needed for a single kernel
MICROCODE="${BOOT}/intel-ucode.img"
ACPI_OVERRIDE="${BOOT}/acpi_override"
INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
SIGNED="${OUT}/vmlinuz-linux.efi"
#CMDLINE="/proc/cmdline"
CMDLINE="${PKI}/cmdline.txt"
2020-05-01 16:22:20 +02:00
OSREL="/etc/os-release"
# dynamic osrelease info
KERNEL="${BOOT}/vmlinuz-linux"
KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
# bundle and sign a kernel binary
cd ${BOOT}/EFI/Linux
objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
--add-section .osrel=${OSREL} \
--change-section-vma .osrel=0x20000 \
2020-05-01 16:22:20 +02:00
--add-section .cmdline=${CMDLINE} \
--change-section-vma .cmdline=0x30000 \
2020-05-01 16:22:20 +02:00
--add-section .linux="${KERNEL}" \
--change-section-vma .linux=0x40000 \
2020-05-01 16:22:20 +02:00
--add-section .initrd=<(cat ${INITRAMFS}) \
--change-section-vma .initrd=0x3000000
sbsign --key "${KEY}" --cert "${CERT}" \
--output "vmlinuz-linux.efi.new-signed" "vmlinuz-linux.efi.new"
mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"
2020-05-01 16:22:20 +02:00
sbverify --cert "${CERT}" "${SIGNED}"
rm "vmlinuz-linux.efi.new"