authorKyle K <kylek389@gmail.com>2021-12-25 07:54:02 -0600
committerKyle K <kylek389@gmail.com>2021-12-25 07:54:02 -0600
commit4b08419de4d6a16fb74cafd381b496375076fa3c (patch)
treeedc61bd150f0c78de125bee14746f0959c844904
parent96dabba866508a3c87dd45b0857ddafc4a2b4c30 (diff)
add support for signing kernel and shimx64.efi
-rwxr-xr-xgentoox_build.sh24
-rwxr-xr-xinstall.sh14
-rwxr-xr-xsign-extra-modules.sh4
3 files changed, 40 insertions, 2 deletions
diff --git a/gentoox_build.sh b/gentoox_build.sh
index 3e0745d..19c7419 100755
--- a/gentoox_build.sh
+++ b/gentoox_build.sh
@@ -374,6 +374,17 @@ dd if=/dev/urandom of=/dev/stdout bs=1 count=4 > /etc/hostid
genkernel --kernel-config=/usr/src/linux/.config --compress-initramfs-type=zstd --microcode --luks --lvm --mdadm --btrfs --zfs initramfs
tar --zstd -cf /usr/src/kernel-gentoox.tar.zst /boot/*\${KERNELVERSION}* -C /lib/modules/ .
+kver=\$(uname -r)
+cd /usr/src/uefi/
+sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-\$kver --output vmlinuz-\$kver.signed
+mv vmlinuz-\$kver.signed /boot/vmlinuz-\$kver
+cp -r /lib/modules/\$kver/{kernel,extra,misc}/ .
+./mod-sign.sh MOK.priv MOK.der ./kernel/
+./mod-sign.sh MOK.priv MOK.der ./extra/
+./mod-sign.sh MOK.priv MOK.der ./misc/
+cp -r ./kernel/ ./extra/ ./misc/ /lib/modules/\$kver/
+rm -rf kernel extra misc
+
sed -i "s/#GRUB_CMDLINE_LINUX_DEFAULT=\"\"/GRUB_CMDLINE_LINUX_DEFAULT=\"zswap.enabled=1 zswap.compressor=lz4 zswap.max_pool_percent=20 zswap.zpool=z3fold dobtrfs\"/" /etc/default/grub
sed -i "s/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=auto/" /etc/default/grub
sed -i "s/#GRUB_GFXPAYLOAD_LINUX=/GRUB_GFXPAYLOAD_LINUX=keep/" /etc/default/grub
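Review bot: `cd /usr/src/uefi/` on the second added line is unchecked, and the `rm -rf kernel extra misc` at the end of the block then runs in whatever directory the script was already in if that cd failed; `cd /usr/src/uefi/ || exit 1` keeps the cleanup anchored to the signing directory. The block also takes the version from `uname -r`, while the tar line just above uses `${KERNELVERSION}`; if the build ever runs under a kernel other than the one it just built, `/boot/vmlinuz-$kver` is the wrong or a missing file, so `kver=\${KERNELVERSION}` is presumably what is intended (hedged, since the rest of the script is not visible). The surrounding script continues outside the hunk.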
@@ -413,7 +424,7 @@ FEATURES="-userpriv" emerge dev-lang/yasm # yasm fails to build otherwise
#sys-boot/plymouth gdm' > /etc/portage/package.use/gentoox
emerge -v --autounmask=y --autounmask-write=y --keep-going=y --deep --newuse xorg-server nvidia-firmware arandr elogind sudo vim weston wpa_supplicant ntp bind-tools telnet-bsd snapper \
-nfs-utils cifs-utils samba dhcpcd nss-mdns zsh zsh-completions powertop cpupower lm-sensors screenfetch gparted gdb strace atop dos2unix app-misc/screen app-text/tree openbsd-netcat laptop-mode-tools hdparm alsa-utils vulkan-tools mesa-progs tcpdump #plymouth-openrc-plugin
+nfs-utils cifs-utils samba dhcpcd nss-mdns zsh zsh-completions powertop cpupower lm-sensors screenfetch gparted gdb strace atop dos2unix app-misc/screen app-text/tree openbsd-netcat laptop-mode-tools hdparm alsa-utils vulkan-tools mesa-progs tcpdump shim mokutil #plymouth-openrc-plugin
#emerge -avuDN --with-bdeps=y @world
#emerge -v --depclean
groupadd weston-launch
@@ -895,6 +906,17 @@ tar -xOf kernel-gentoox.tar.zst --wildcards \*initramfs-\* | unzstd -d | gzip >
tar -xOf kernel-gentoox.tar.zst --wildcards \*System.map-\* > iso/boot/System-gentoo.map
sed -i "s@dokeymap@aufs scandelay=3@g" iso/isolinux/isolinux.cfg
sed -i "s@dokeymap@aufs scandelay=3@g" iso/grub/grub.cfg
+cd iso
+cp cp boot/EFI/BOOT/grubx64.efi .
+sbsign --key EFI/MOK.priv --cert EFI/MOK.pem grubx64.efi
+mv grubx64.efi.signed grubx64.efi
+cp grubx64.efi boot/EFI/BOOT/grubx64.efi
+cp grubx64.efi EFI/BOOT/grubx64.efi
+mkdir tmp && mount -o rw gentoo.efimg ./tmp
+cp grubx64.efi /mnt/EFI/BOOT/grubx64.efi
+umount ./tmp
+rm -f grubx64.efi && rm -rf ./tmp
+cd ..
xorriso -as mkisofs -iso-level 3 -r -J \
-joliet-long -l -cache-inodes \
-isohybrid-mbr /usr/share/syslinux/isohdpfx.bin \
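Review bot: `cp cp boot/EFI/BOOT/grubx64.efi .` on the second added line has a duplicated `cp`, so cp is asked to copy a file named `cp` as well and reports an error; it should read `cp boot/EFI/BOOT/grubx64.efi .`. Further down the image is mounted on `./tmp` but the signed loader is written to `/mnt/EFI/BOOT/grubx64.efi`, so gentoo.efimg is never updated and still carries the unsigned grub; that line should be `cp grubx64.efi ./tmp/EFI/BOOT/grubx64.efi`. Since the whole point of the step is that the EFI image boots under Secure Boot, a failed copy here would only surface at first boot on a Secure Boot machine. The xorriso invocation that consumes the image continues outside the hunk.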
diff --git a/install.sh b/install.sh
index 1f977f7..311d195 100755
--- a/install.sh
+++ b/install.sh
@@ -216,7 +216,19 @@ fi
yes $userpassword | passwd $username
if [[ ! -z "$UEFI_MODE" ]]; then
- grub-install --target=x86_64-efi
+ if [[ \$(mokutil --sb-state) == "SecureBoot enabled" ]]; then
+ esp=\$(lsblk -no pkname \$(findmnt --noheadings -o source /boot/efi))
+ esp_with_partum=\$(basename \$(findmnt --noheadings -o source /boot/efi))
+ esp_partnum=\$(echo \${esp_with_partum#\$esp} | tr -d 'p')
+ grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --no-nvram
+ sbsign --key /usr/src/uefi/MOK.priv --cert /usr/src/uefi/MOK.pem /boot/efi/EFI/gentoo/grubx64.efi --output grubx64.efi.signed
+ mv grubx64.efi.signed /boot/efi/EFI/gentoo/grubx64.efi
+ cp /usr/share/shim/* /boot/efi/EFI/gentoo/
+ mv /boot/efi/EFI/gentoo/BOOTX64.EFI /boot/efi/EFI/gentoo/shimx64.efi
+ efibootmgr -c -d \$esp -p \$esp_partnum -L "GentooX" -l "\EFI\gentoo\shimx64.efi"
+ else
+ grub-install --target=x86_64-efi
+ fi
else
grub-install --target=i386-pc $drive
fi
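Review bot: `lsblk -no pkname` prints the bare kernel device name (e.g. `nvme0n1`) without a `/dev/` prefix, so `efibootmgr -c -d \$esp` on the tenth added line is likely handed a path efibootmgr cannot open; `-d /dev/\$esp` matches what lsblk returns. The command substitutions and the `\$esp`/`\$esp_partnum` expansions in this branch are unquoted, which is harmless for device names but should be quoted for consistency with the rest of the script. Separately, sbsign reads `/usr/src/uefi/MOK.priv` on the installed system, which means the private key that the enrolled MOK's trust is rooted in ships inside every installation; anything able to read that file can produce binaries shim will accept, so the key is better kept only on the build host and, where on-target signing is needed, generated and enrolled per installation. Nothing in the hunk enrolls MOK.der with `mokutil --import`; presumably that happens elsewhere, otherwise shim will reject the MOK-signed grubx64.efi.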
diff --git a/sign-extra-modules.sh b/sign-extra-modules.sh
new file mode 100755
index 0000000..066a79a
--- /dev/null
+++ b/sign-extra-modules.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+find /lib/modules/$(uname -r)/{extra,misc}/ -name "*.ko" -exec /usr/src/linux/scripts/sign-file sha256 /usr/src/uefi/MOK.priv /usr/src/uefi/MOK.pem {} \;
+exit 0
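Review bot: The shebang is `#!/bin/sh` but the find path relies on brace expansion `{extra,misc}`, which POSIX sh (dash on many systems) does not perform, so find receives the literal string and fails; either switch the shebang to `#!/bin/bash` or list the directories explicitly: `find "/lib/modules/$(uname -r)/extra" "/lib/modules/$(uname -r)/misc" -name '*.ko' -exec /usr/src/linux/scripts/sign-file sha256 /usr/src/uefi/MOK.priv /usr/src/uefi/MOK.pem {} \;`. The trailing `exit 0` discards find's status, so a missing directory or a sign-file failure is invisible to whoever runs the script and unsigned modules can silently remain; drop the line so find's own exit status is returned. The `$(uname -r)` substitution should also be quoted.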