add some information and a small correction on output

Signed-off-by: Kabbone <tobias@opel-online.de>
Kabbone 2021-02-02 21:58:16 +01:00
parent e1160d7cdb
commit 9fa8d772f3
GPG Key ID: 7487872DCAE44521
2 changed files with 22 additions and 8 deletions


@ -1,2 +1,16 @@
# securebootsign
# Create new keys for secureboot
https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Creating_keys
# Create new combined signed EFI image
./signkernels.sh
# Remount efivars writable
moutn -o remount,rw /sys/firmware/efi/efivars
# Create boot entry
efibootmgr --create /dev/sda --part 1 --label ArchLinux_combined --loader EFILinuxvmlinuz-linux.efi --verbose
# sign automatically after updates
cp 96-signkernels.hook /etc/pacman.d/hooks/


@ -20,9 +20,8 @@ MICROCODE="${BOOT}/intel-ucode.img"
ACPI_OVERRIDE="${BOOT}/acpi_override"
INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
SIGNED="${OUT}/vmlinuz-linux.efi"
CMDLINE="/proc/cmdline"
#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
#CMDLINE="/proc/cmdline"
CMDLINE="${PKI}/cmdline.txt"
OSREL="/etc/os-release"
# dynamic osrelease info
@ -33,15 +32,16 @@ KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
cd ${BOOT}/EFI/Linux
objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
--add-section .osrel=${OSREL} \
--change-section-vma .osrel=0x0020000 \
--change-section-vma .osrel=0x20000 \
--add-section .cmdline=${CMDLINE} \
--change-section-vma .cmdline=0x0030000 \
--change-section-vma .cmdline=0x30000 \
--add-section .linux="${KERNEL}" \
--change-section-vma .linux=0x2000000 \
--change-section-vma .linux=0x40000 \
--add-section .initrd=<(cat ${INITRAMFS}) \
--change-section-vma .initrd=0x3000000
sbsign --key "${KEY}" --cert "${CERT}" \
--output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
--output "vmlinuz-linux.efi.new-signed" "vmlinuz-linux.efi.new"
mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"
sbverify --cert "${CERT}" "${SIGNED}"
rm "vmlinuz-linux.efi.new"
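Review bot: The new sbverify call runs only after `mv -b` has already installed the freshly signed image at `${SIGNED}`, so a bad or missing signature is detected after the boot path has been replaced rather than before. Swapping the two lines verifies the temporary file first and leaves the previous image untouched on failure: `sbverify --cert "${CERT}" "vmlinuz-linux.efi.new-signed"` followed by `mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"`. Whether a failing sbsign or sbverify actually aborts the script depends on a `set -e` that would sit above this hunk; if it is not there, each of these steps wants an explicit `|| exit 1`. The `cd ${BOOT}/EFI/Linux` at the top of the hunk is likewise unquoted and unchecked, so a failed cd would let objcopy and the mv run in the wrong directory; the script's header and variable setup are outside this hunk.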