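#!/bin/bash
# Bundle the kernel, initramfs, os-release and command line into one EFI
# executable (systemd's linuxx64 stub) and sign it with the Secure Boot db key,
# so everything the firmware loads -- including the baked-in command line and
# the early microcode -- is covered by a single signature.
#
# Requires: root, binutils (objcopy) and sbsigntools (sbsign/sbverify).
# The previous image is kept as "${SIGNED}~" by mv -b.
set -euo pipefail

# make settings

# required stub file
EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"

# signing keys
PKI="/root/secureboot"
KEY="${PKI}/db.key"
CERT="${PKI}/db.crt"

# directories
BOOT="/boot"
ESP="${BOOT}/EFI"
OUT="${ESP}/Linux"

# what's needed for a single kernel
MICROCODE="${BOOT}/intel-ucode.img"
ACPI_OVERRIDE="${BOOT}/acpi_override"
# concatenated in this order into the .initrd section (early cpio archives
# such as microcode are expected ahead of the main initramfs)
INITRAMFS=("${MICROCODE}" "${ACPI_OVERRIDE}" "${BOOT}/initramfs-linux.img")
SIGNED="${OUT}/vmlinuz-linux.efi"
#CMDLINE="/proc/cmdline"
# a fixed file is what gets signed; /proc/cmdline would bake in whatever the
# currently running kernel happened to be booted with
CMDLINE="${PKI}/cmdline.txt"
OSREL="/etc/os-release"

# dynamic osrelease info
KERNEL="${BOOT}/vmlinuz-linux"
# version string extracted from the kernel image; not used further down
# shellcheck disable=SC2034
KERNELVER="$(strings "${KERNEL}" | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"

# print a message to stderr and abort
die() { printf '%s\n' "$*" >&2; exit 1; }

# fail early, before touching the ESP, if any input, key or tool is missing
for f in "${EFISTUB}" "${KEY}" "${CERT}" "${CMDLINE}" "${OSREL}" "${KERNEL}"; do
  [[ -r "${f}" ]] || die "missing or unreadable: ${f}"
done
[[ -d "${OUT}" ]] || die "output directory does not exist: ${OUT}"
for tool in objcopy sbsign sbverify; do
  command -v "${tool}" >/dev/null || die "required tool not found: ${tool}"
done

# work files live next to the target so the final mv is a rename within the
# ESP, never a partial cross-filesystem copy; all of them are removed on exit
UNSIGNED="${OUT}/vmlinuz-linux.efi.new"
NEWSIGNED="${OUT}/vmlinuz-linux.efi.new-signed"
INITRD_TMP="$(mktemp)" || die "mktemp failed"
cleanup() { rm -f -- "${UNSIGNED}" "${NEWSIGNED}" "${INITRD_TMP}"; }
trap cleanup EXIT

# objcopy expects a regular file for --add-section (it sizes the input with
# stat), so a process-substitution pipe is not reliable here: concatenate into
# a real file first. Missing optional components are skipped with a warning.
for img in "${INITRAMFS[@]}"; do
  if [[ -r "${img}" ]]; then
    cat -- "${img}" >>"${INITRD_TMP}"
  else
    printf 'warning: skipping missing initrd component %s\n' "${img}" >&2
  fi
done
[[ -s "${INITRD_TMP}" ]] || die "no initrd content assembled"

# bundle and sign a kernel binary
objcopy "${EFISTUB}" "${UNSIGNED}" \
  --add-section .osrel="${OSREL}" \
  --change-section-vma .osrel=0x20000 \
  --add-section .cmdline="${CMDLINE}" \
  --change-section-vma .cmdline=0x30000 \
  --add-section .linux="${KERNEL}" \
  --change-section-vma .linux=0x40000 \
  --add-section .initrd="${INITRD_TMP}" \
  --change-section-vma .initrd=0x3000000

sbsign --key "${KEY}" --cert "${CERT}" \
  --output "${NEWSIGNED}" "${UNSIGNED}"

# verify BEFORE installing: an image whose signature does not check out must
# never replace the previously good one (set -e aborts here, trap cleans up)
sbverify --cert "${CERT}" "${NEWSIGNED}"

# rename into place; -b keeps the previous image as a backup
mv -b -- "${NEWSIGNED}" "${SIGNED}"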