From 9fa8d772f34c66524310b201c61a3dbf146c1f71 Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Tue, 2 Feb 2021 21:58:16 +0100
Subject: [PATCH] add some informations and small correction on output

Signed-off-by: Kabbone
---
 README.md | 14 ++++++++++++++
 signkernels.sh | 16 ++++++++--------
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index a248737..4218872 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,16 @@
 # securebootsign
+# Create new keys for secureboot
+https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Creating_keys
+
+# Create new combined signed EFI image
+./signkernels.sh
+
+# Remount efivars writable
+moutn -o remount,rw /sys/firmware/efi/efivars
+
+# Create boot entry
+efibootmgr --create /dev/sda --part 1 --label ArchLinux_combined --loader EFILinuxvmlinuz-linux.efi --verbose
+
+# sign automatically after updates
+cp 96-signkernels.hook /etc/pacman.d/hooks/
diff --git a/signkernels.sh b/signkernels.sh
index 53ea413..c4dc45b 100755
--- a/signkernels.sh
+++ b/signkernels.sh
@@ -20,9 +20,8 @@ MICROCODE="${BOOT}/intel-ucode.img"
 ACPI_OVERRIDE="${BOOT}/acpi_override"
 INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
 SIGNED="${OUT}/vmlinuz-linux.efi"
-CMDLINE="/proc/cmdline"
-#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
-
+#CMDLINE="/proc/cmdline"
+CMDLINE="${PKI}/cmdline.txt"
 OSREL="/etc/os-release" # dynamic osrelease info
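Review bot: `CMDLINE="${PKI}/cmdline.txt"` turns the kernel command line into a file consumed later by `--add-section .cmdline=${CMDLINE}`, but the hunk adds no check that the file exists and is non-empty, so a missing or empty file would presumably surface only as an objcopy error (or an image carrying an empty cmdline) after all other variables are set. Because whatever that file contains is baked into the image that sbsign then signs, it is a trust input on par with `${KEY}` and `${CERT}`; a guard next to the assignment such as `[[ -r "${CMDLINE}" && -s "${CMDLINE}" ]] || { printf 'cmdline file missing or empty: %s\n' "${CMDLINE}" >&2; exit 1; }`, ideally together with a check that it is not writable by other users, would be appropriate. `${PKI}` is not defined within the hunk, so I assume it is set earlier in the script. The commented-out `#CMDLINE="/proc/cmdline"` alternative deserves a one-line comment explaining why a static file is now preferred, e.g. `# static cmdline file: /proc/cmdline reflects the currently running boot, not necessarily what the signed image should carry`.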
@@ -33,15 +32,16 @@ KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
 cd ${BOOT}/EFI/Linux
 objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
 --add-section .osrel=${OSREL} \
- --change-section-vma .osrel=0x0020000 \
+ --change-section-vma .osrel=0x20000 \
 --add-section .cmdline=${CMDLINE} \
- --change-section-vma .cmdline=0x0030000 \
+ --change-section-vma .cmdline=0x30000 \
 --add-section .linux="${KERNEL}" \
- --change-section-vma .linux=0x2000000 \
+ --change-section-vma .linux=0x40000 \
 --add-section .initrd=<(cat ${INITRAMFS}) \
 --change-section-vma .initrd=0x3000000
 sbsign --key "${KEY}" --cert "${CERT}" \
- --output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
- mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
+ --output "vmlinuz-linux.efi.new-signed" "vmlinuz-linux.efi.new"
+ mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"
 sbverify --cert "${CERT}" "${SIGNED}"
+rm "vmlinuz-linux.efi.new"
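Review bot: The new `mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"` installs the image at the boot path before `sbverify --cert "${CERT}" "${SIGNED}"` has checked it, so a sbsign failure or a key/cert mismatch leaves an unverified image in place with only a printed error behind it; no `set -e` or explicit status check is visible in the hunk. Verify the staging file first and move it only on success: `sbverify --cert "${CERT}" "vmlinuz-linux.efi.new-signed" || { printf 'signature verification failed\n' >&2; exit 1; }` followed by `mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"`, keeping the final `rm "vmlinuz-linux.efi.new"`. The VMA change to `.linux=0x40000` leaves 64 KiB between `.cmdline=0x30000` and the kernel and roughly 47 MiB for the kernel before `.initrd=0x3000000`; objcopy does not appear to reject sections that overrun into the next one, so a short comment stating these size limits would help whoever next bumps the offsets. The surrounding code is top-level script, so the enclosing block begins before this hunk.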