initial commit
This commit is contained in:
		
							parent
							
								
									4038873690
								
							
						
					
					
						commit
						06f4fd7a9d
					
				
							
								
								
									
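--- /dev/null
+++ b/96-mksignkernels.hook
@@ -0,0 +1,15 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Operation = Remove
+Type = File
+Target = boot/intel-ucode.img
+Target = usr/lib/initcpio/*
+Target = usr/lib/modules/*/vmlinuz
+Target = usr/lib/systemd/boot/efi/linux*.efi.stub
+
+[Action]
+Description = Updating signed kernel images ...
+When = PostTransaction
+Exec = /root/secureboot/signkernels.sh
+NeedsTargets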
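Review bot: `Operation = Remove` fires the same `Exec = /root/secureboot/signkernels.sh` when one of the targets is uninstalled, yet the script added in this commit unconditionally rebuilds from `/boot/vmlinuz-linux` and does not check that its inputs still exist, so on a kernel removal it would try to bundle and sign a missing file. Either drop `Operation = Remove` from the trigger or make the script verify its input files before running `objcopy`. The `NeedsTargets` directive passes the changed paths on stdin, but the script never reads them, so a one-line comment above it such as `# targets are received on stdin but currently ignored by signkernels.sh` would save the next reader from expecting per-target behaviour.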
							
								
								
									
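--- /dev/null
+++ b/signkernels.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# make settings
+
+# required stub file
+EFISTUB="/usr/lib/systemd/boot/efi/linuxx64.efi.stub"
+
+# signing keys
+PKI="/root/secureboot"
+KEY="${PKI}/db.key"
+CERT="${PKI}/db.crt"
+
+# directories
+BOOT="/boot"
+ESP="${BOOT}/EFI"
+OUT="${ESP}/Linux"
+
+# what's needed for a single kernel
+MICROCODE="${BOOT}/intel-ucode.img"
+ACPI_OVERRIDE="${BOOT}/acpi_override"
+INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
+SIGNED="${OUT}/vmlinuz-linux.efi"
+CMDLINE="/proc/cmdline"
+#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
+
+OSREL="/etc/os-release"
+
+# dynamic osrelease info
+KERNEL="${BOOT}/vmlinuz-linux"
+KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
+
+# bundle and sign a kernel binary
+cd ${BOOT}/EFI/Linux
+	objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
+	  --add-section        .osrel=${OSREL} \
+	  --change-section-vma .osrel=0x0020000 \
+	  --add-section        .cmdline=${CMDLINE} \
+	  --change-section-vma .cmdline=0x0030000 \
+	  --add-section        .linux="${KERNEL}" \
+	  --change-section-vma .linux=0x2000000 \
+	  --add-section        .initrd=<(cat ${INITRAMFS}) \
+	  --change-section-vma .initrd=0x3000000
+	sbsign --key "${KEY}" --cert "${CERT}" \
+		--output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
+	mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
+
+sbverify --cert "${CERT}" "${SIGNED}"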
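Review bot: A failed `objcopy` or `sbsign` goes unnoticed, because the script sets no `set -e`, the `cd ${BOOT}/EFI/Linux` step is unchecked, and the closing `sbverify --cert "${CERT}" "${SIGNED}"` then validates whatever is already at `${SIGNED}`, which on failure is the previous, still correctly signed image, so the pacman hook exits 0 while the freshly installed kernel is left unsigned. Add `set -euo pipefail` after the shebang and replace the directory step with `cd "${OUT}" || exit 1`, which also removes the duplicated path. The `.initrd` payload comes from `<(cat ${INITRAMFS})`, so a missing `${ACPI_OVERRIDE}` or microcode file only produces a `cat` error on stderr and a silently truncated initrd; check each listed file with `[[ -f ... ]]` before bundling, and consider turning `INITRAMFS` into an array to avoid relying on word splitting. `CMDLINE="/proc/cmdline"` bakes the currently running kernel's command line into the signed image, so whatever was passed at the last boot becomes the embedded, trusted command line; the commented-out static `CMDLINE` is the more predictable choice for a Secure Boot build, or document the intent with `# NOTE: embeds the running kernel's cmdline, so boot-time overrides persist into the signed image`. `KERNELVER` is computed with `strings ${KERNEL}` but never read and can be removed.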