diff --git a/96-mksignkernels.hook b/96-mksignkernels.hook
new file mode 100644
index 0000000..bd1692c
--- /dev/null
+++ b/96-mksignkernels.hook
@@ -0,0 +1,15 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = boot/intel-ucode.img
+Target = usr/lib/initcpio/*
+Target = usr/lib/modules/*/vmlinuz
+Target = usr/lib/systemd/boot/efi/linux*.efi.stub
+
+[Action]
+Description = Updating signed kernel images ...
+When = PostTransaction
+Exec = /root/secureboot/signkernels.sh
+NeedsTargets
diff --git a/signkernels.sh b/signkernels.sh
new file mode 100755
index 0000000..53ea413
--- /dev/null
+++ b/signkernels.sh
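Review bot: `NeedsTargets` makes pacman feed the matched paths to the script on stdin, but `signkernels.sh` as added in this same commit never reads stdin and always rebuilds the one fixed `/boot/vmlinuz-linux`, so the directive is inert and should be dropped (or the script should consume the list). `Operation = Remove` is also questionable: when the kernel package or the systemd-boot stub is being removed, the hook runs after the transaction and the script will try to bundle inputs that no longer exist, with the current script reporting success regardless. Unless a Remove-time re-sign is actually wanted, limit the trigger to `Operation = Install` and `Operation = Upgrade`. The `96-` prefix presumably sorts this after the distribution's mkinitcpio hooks so the initramfs is fresh when it runs; a one-line comment stating that ordering dependency would keep a future rename from silently breaking it.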
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# make settings
+
+# required stub file
+EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+
+# signing keys
+PKI="/root/secureboot"
+KEY="${PKI}/db.key"
+CERT="${PKI}/db.crt"
+
+# directories
+BOOT="/boot"
+ESP="${BOOT}/EFI"
+OUT="${ESP}/Linux"
+
+# what's needed for a single kernel
+MICROCODE="${BOOT}/intel-ucode.img"
+ACPI_OVERRIDE="${BOOT}/acpi_override"
+INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
+SIGNED="${OUT}/vmlinuz-linux.efi"
+CMDLINE="/proc/cmdline"
+#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
+
+OSREL="/etc/os-release"
+
+# dynamic osrelease info
+KERNEL="${BOOT}/vmlinuz-linux"
+KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
+
+# bundle and sign a kernel binary
+cd ${BOOT}/EFI/Linux
+ objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
+ --add-section .osrel=${OSREL} \
+ --change-section-vma .osrel=0x0020000 \
+ --add-section .cmdline=${CMDLINE} \
+ --change-section-vma .cmdline=0x0030000 \
+ --add-section .linux="${KERNEL}" \
+ --change-section-vma .linux=0x2000000 \
+ --add-section .initrd=<(cat ${INITRAMFS}) \
+ --change-section-vma .initrd=0x3000000
+ sbsign --key "${KEY}" --cert "${CERT}" \
+ --output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
+ mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
+
+sbverify --cert "${CERT}" "${SIGNED}"
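Review bot: `CMDLINE="/proc/cmdline"` bakes whatever command line the *current* boot happened to use into the signed image, so a one-off change (an entry edited in the bootloader, a rescue boot, a `BOOT_IMAGE=`/`initrd=` argument the loader appended) becomes the permanent, signed kernel command line — and the command line is precisely what a unified Secure Boot image is meant to pin; the commented-out static `CMDLINE=` string is the right source and belongs in a file the script owns, e.g. `CMDLINE="${PKI}/cmdline"`. The script also has no error handling: without `set -euo pipefail` a failed `cd` leaves objcopy writing into the caller's working directory, a missing `${ACPI_OVERRIDE}` or `${MICROCODE}` is silently dropped from the `<(cat …)` initrd (process-substitution status is never checked, so `pipefail` alone would not catch it), and `sbverify` runs only after `mv -b` has already installed the new image and its result is ignored. `KERNELVER` is computed via `strings` but never used. The `.linux` section at 0x2000000 and `.initrd` at 0x3000000 leave 16 MiB for the kernel image; whether that is enough depends on the kernel build on this machine, but nothing here checks it.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: EFISTUB / PKI / KEY / CERT / directory settings …

# The signed-in command line is a file we control, never the live /proc/cmdline.
CMDLINE="${PKI}/cmdline"

# … unchanged: OSREL / KERNEL …

# Refuse to build an image from missing inputs rather than silently omitting them.
# INITRAMFS is deliberately unquoted: it is a space-separated list.
for f in "${EFISTUB}" "${KEY}" "${CERT}" "${OSREL}" "${CMDLINE}" "${KERNEL}" ${INITRAMFS}; do
  [[ -r "${f}" ]] || { printf 'signkernels: missing input %s\n' "${f}" >&2; exit 1; }
done

cd "${OUT}" || exit 1
# … unchanged: objcopy bundling …
sbsign --key "${KEY}" --cert "${CERT}" \
  --output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
# Verify the candidate before it replaces the image that is known to boot.
sbverify --cert "${CERT}" "vmlinuz-linux.efi.new" \
  || { printf 'signkernels: signature check failed, not installing\n' >&2; rm -f -- "vmlinuz-linux.efi.new"; exit 1; }
mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
```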