initial commit

2020-05-01 16:22:20 +02:00 · 2020-05-01 16:22:20 +02:00 · 06f4fd7a9d
parent 4038873690
commit 06f4fd7a9d
2 changed files with 62 additions and 0 deletions
--- a/96-mksignkernels.hook
+++ b/96-mksignkernels.hook
@ -0,0 +1,15 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = boot/intel-ucode.img
+Target = usr/lib/initcpio/*
+Target = usr/lib/modules/*/vmlinuz
+Target = usr/lib/systemd/boot/efi/linux*.efi.stub
+
+[Action]
+Description = Updating signed kernel images ...
+When = PostTransaction
+Exec = /root/secureboot/signkernels.sh
+NeedsTargets
--- a/signkernels.sh
+++ b/signkernels.sh
@ -0,0 +1,47 @@
+#!/bin/bash
+
+# make settings
+
+# required stub file
+EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+
+# signing keys
+PKI="/root/secureboot"
+KEY="${PKI}/db.key"
+CERT="${PKI}/db.crt"
+
+# directories
+BOOT="/boot"
+ESP="${BOOT}/EFI"
+OUT="${ESP}/Linux"
+
+# what's needed for a single kernel
+MICROCODE="${BOOT}/intel-ucode.img"
+ACPI_OVERRIDE="${BOOT}/acpi_override"
+INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
+SIGNED="${OUT}/vmlinuz-linux.efi"
+CMDLINE="/proc/cmdline"
+#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
+
+OSREL="/etc/os-release"
+
+# dynamic osrelease info
+KERNEL="${BOOT}/vmlinuz-linux"
+KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
+
+# bundle and sign a kernel binary
+cd ${BOOT}/EFI/Linux
+	objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
+	  --add-section        .osrel=${OSREL} \
+	  --change-section-vma .osrel=0x0020000 \
+	  --add-section        .cmdline=${CMDLINE} \
+	  --change-section-vma .cmdline=0x0030000 \
+	  --add-section        .linux="${KERNEL}" \
+	  --change-section-vma .linux=0x2000000 \
+	  --add-section        .initrd=<(cat ${INITRAMFS}) \
+	  --change-section-vma .initrd=0x3000000
+	sbsign --key "${KEY}" --cert "${CERT}" \
+		--output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
+	mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
+
+sbverify --cert "${CERT}" "${SIGNED}"