add some informations and small correction on output
Signed-off-by: Kabbone <tobias@opel-online.de>
parent
e1160d7cdb
commit
9fa8d772f3
14
README.md
14
README.md
|
@ -1,2 +1,16 @@
|
||||||
# securebootsign
|
# securebootsign
|
||||||
|
|
||||||
|
# Create new keys for secureboot
|
||||||
|
https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/Secure_Boot#Creating_keys
|
||||||
|
|
||||||
|
# Create new combined signed EFI image
|
||||||
|
./signkernels.sh
|
||||||
|
|
||||||
|
# Remount efivars writable
|
||||||
|
moutn -o remount,rw /sys/firmware/efi/efivars
|
||||||
|
|
||||||
|
# Create boot entry
|
||||||
|
efibootmgr --create /dev/sda --part 1 --label ArchLinux_combined --loader EFILinuxvmlinuz-linux.efi --verbose
|
||||||
|
|
||||||
|
# sign automatically after updates
|
||||||
|
cp 96-signkernels.hook /etc/pacman.d/hooks/
|
||||||
|
|
|
@ -20,9 +20,8 @@ MICROCODE="${BOOT}/intel-ucode.img"
|
||||||
ACPI_OVERRIDE="${BOOT}/acpi_override"
|
ACPI_OVERRIDE="${BOOT}/acpi_override"
|
||||||
INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
|
INITRAMFS="${MICROCODE} ${ACPI_OVERRIDE} ${BOOT}/initramfs-linux.img"
|
||||||
SIGNED="${OUT}/vmlinuz-linux.efi"
|
SIGNED="${OUT}/vmlinuz-linux.efi"
|
||||||
CMDLINE="/proc/cmdline"
|
#CMDLINE="/proc/cmdline"
|
||||||
#CMDLINE="cryptdevice=/dev/disk/by-uuid/85dd7503-920c-44dc-a1a9-d0062752f7b5:main:allow-discards root=/dev/mapper/main-root resume=/dev/mapper/main-swap pcie_aspm=force pcie_aspm.policy=powersave rw audit=0 quiet"
|
CMDLINE="${PKI}/cmdline.txt"
|
||||||
|
|
||||||
OSREL="/etc/os-release"
|
OSREL="/etc/os-release"
|
||||||
|
|
||||||
# dynamic osrelease info
|
# dynamic osrelease info
|
||||||
|
@ -33,15 +32,16 @@ KERNELVER="$(strings ${KERNEL} | sed -n '/gcc version/s/^\([^ ]\+\).*/\1/p')"
|
||||||
cd ${BOOT}/EFI/Linux
|
cd ${BOOT}/EFI/Linux
|
||||||
objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
|
objcopy "${EFISTUB}" "vmlinuz-linux.efi.new" \
|
||||||
--add-section .osrel=${OSREL} \
|
--add-section .osrel=${OSREL} \
|
||||||
--change-section-vma .osrel=0x0020000 \
|
--change-section-vma .osrel=0x20000 \
|
||||||
--add-section .cmdline=${CMDLINE} \
|
--add-section .cmdline=${CMDLINE} \
|
||||||
--change-section-vma .cmdline=0x0030000 \
|
--change-section-vma .cmdline=0x30000 \
|
||||||
--add-section .linux="${KERNEL}" \
|
--add-section .linux="${KERNEL}" \
|
||||||
--change-section-vma .linux=0x2000000 \
|
--change-section-vma .linux=0x40000 \
|
||||||
--add-section .initrd=<(cat ${INITRAMFS}) \
|
--add-section .initrd=<(cat ${INITRAMFS}) \
|
||||||
--change-section-vma .initrd=0x3000000
|
--change-section-vma .initrd=0x3000000
|
||||||
sbsign --key "${KEY}" --cert "${CERT}" \
|
sbsign --key "${KEY}" --cert "${CERT}" \
|
||||||
--output "vmlinuz-linux.efi.new" "vmlinuz-linux.efi.new"
|
--output "vmlinuz-linux.efi.new-signed" "vmlinuz-linux.efi.new"
|
||||||
mv -b "vmlinuz-linux.efi.new" "vmlinuz-linux.efi"
|
mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"
|
||||||
|
|
||||||
sbverify --cert "${CERT}" "${SIGNED}"
|
sbverify --cert "${CERT}" "${SIGNED}"
|
||||||
|
rm "vmlinuz-linux.efi.new"
|
||||||
|
|
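Review bot: On the new side the signed image is moved over `${SIGNED}` with `mv -b` before `sbverify` runs, so a bad or missing signature is only noticed after the boot image has already been replaced. If `sbsign` fails, the `mv` fails as well and `sbverify` then checks the previous image that is still in place, so the run can look successful although nothing was updated; whether the script sets `set -e` is not visible in these hunks. Verify the freshly signed file first and install it only on success, for example `sbverify --cert "${CERT}" "vmlinuz-linux.efi.new-signed" && mv -b "vmlinuz-linux.efi.new-signed" "${SIGNED}"`. A short comment above `CMDLINE="${PKI}/cmdline.txt"` would also help, stating that the file's contents are embedded in the signed image and that it should therefore be writable by root only.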