authorKyle K <kylek389@gmail.com>2021-12-18 03:11:36 -0600
committerKyle K <kylek389@gmail.com>2021-12-18 03:11:36 -0600
commit772056893a23bada6d56ceb235d3e8ceaa663799 (patch)
treed1a2b218834303de11bcac80923a5fdaa7fdd63a
parente7b53ae9170c3e007302cf6375ae04ed39e6edde (diff)
add support for signing kernel, modules, and grubx64.efi for Secure Boot
-rw-r--r--uefi/MOK.derbin0 -> 779 bytes
-rw-r--r--uefi/MOK.pem19
-rw-r--r--uefi/MOK.priv28
-rwxr-xr-xuefi/mod-sign.sh19
-rwxr-xr-xuefi/setup.sh24
5 files changed, 90 insertions, 0 deletions
diff --git a/uefi/MOK.der b/uefi/MOK.der
new file mode 100644
index 0000000..34b6861
--- /dev/null
+++ b/uefi/MOK.der
Binary files differ
diff --git a/uefi/MOK.pem b/uefi/MOK.pem
new file mode 100644
index 0000000..caee12c
--- /dev/null
+++ b/uefi/MOK.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/uefi/MOK.priv b/uefi/MOK.priv
new file mode 100644
index 0000000..c009d61
--- /dev/null
+++ b/uefi/MOK.priv
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKtOrFiAg2qtqL
+96mKkyGWgRBl0C1/Apgj7tJhbgDKgCXcwq+qHugTQwWowlxRddMnhFFVEYP4QIuQ
+wl8zR0fJ0guwHy6F7UvCocNJ7/UlDyBZg48Vfa5ZcTk6Zdm9/jRV04a4hgD34vPJ
+LnMqu93Nl/Ha/dmdtkAqSYD3lEsf7avf5palaf0gapFzKFnY3ZyE1z93yDRp1ciU
+4Ykjm5IAYHjhkj3OzPxy9+SxRdZdeB7enxUirNwogEQU2lOsAGR3ZMJsAHbgpwjJ
+9lxjEmavdLyk81k2nGjYXltUn+L+geyRD2fPil6qu5gZsNT7JKgnnVkyZ0RdqbJW
+/Jl4rdulAgMBAAECggEBAKuY4dGcKY/VrLKmUnDLwrg8w9vcklcdpBtvFcuCqsrC
+Fss+SCTUixObPhQxjKMtAjZGre88p6IlScCeuqaXJe90j45lpyWazvKRq9dQeg8I
+MhN06lCAF3MCBTcpd11972HkcfyM/A7cohFh7/5yEP71LLl9AZaf7Mufc7yiXcJF
+FxtCng/LrQJkENvikfnAAN9rHDHzxIEFkHD5ibOi9XpwZHXouWsF7yHGSgqeElyK
+W32nl2hkcRnTLSTLegCTyA2y2Gi+HeEiSkcsGGoQzg0ZB1MOUbT7hxQSs0AowQq5
+pM2THZ16vsV3w6LzrXBJR5ZALe6kgTmnVKfPNtWI0kECgYEA830taD+pOmp+EONr
+5MgW7+UvJaiGDG5fKLzUotleRI+XZ6UP3GSrhxnAd3rC8sCksk/rTPkn95n+8saK
+bxdsAb8Ep1gWWbfpvljIfjNVoBMf9kMolIM1nf3GjhgHCutLTxiOVXA5garQdpE1
+ZXIKpTbt6vxr5fGs5W9XaNH3KDUCgYEA1R9Lhi3bGHtmStwbPv9jpuQDim1m4mYS
+vWaqnX9oXPh9XCm1pQCTW8buH67TVy5WG26toXKiYrBdMSJ9w+H+57oVTBt04O5u
+fU8EcS5E3wVlJjsnL5KS61KFa9U2Wq/XB+ZfWDQKbuQQUU+/R19R5FcE3CKLUahk
+OafJqw62s7ECgYBu6pDqskVGpQg0bUTS/Qrl0QL/JpuZwhV7GznJzTcSCE8yGZD2
+Fq3EZ0izpKp1pqffymQntkAsnGv079hT7tl2mitmh8v2pr7FxO/f/UZ+GvguWD1+
+GZ8tD1OJmwxqPvEZYNhFt0+a79LykAdA5QhQZotOxhnor4TRJz0sNKlgGQKBgQDH
+zWQfsmPiauX2rq24fPPu5XtQTsqS3AEboeG4cFbmOmxEeDH8NDLyauiZuWwXIrDF
+XRjY8EC+5vsncl+XwgsZMkJ/LIqByea6Add3SFp2/3bZxcEx/2dPyPiepLAliw68
+MEUYywkw9w05PdtkzT9YJCDBRH16m7UCvIP7o3qzsQKBgFJZ4E8WV4rFzE2NXeSH
+Km30ME7voUgNf7b+wJNiJ3H+R6E4hi3Lmf/2/O47ZwWeoUidyiqu+eCvNhtfzHRB
+UFlvI8il8x3VKjwXU+/NolwM/xvRWIhC601sBV48Z6AZihslx7Z0xKt1owpztsb/
+VM2u0uXGe/HjOzPNcEQgXeLX
+-----END PRIVATE KEY-----
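Review bot: uefi/MOK.priv is the unencrypted RSA private key for the MOK certificate added in the same commit (MOK.der / MOK.pem), so every holder of a checkout of this repository can produce kernels, modules and bootloaders that any machine with this MOK enrolled will trust, which is the trust anchor Secure Boot is supposed to protect. The key should be dropped from this commit and from history, the certificate regenerated and re-enrolled (setup.sh already creates a fresh pair with `openssl req ... -keyout MOK.priv`), and `MOK.priv` listed in a `.gitignore` so a later run of setup.sh cannot re-add it. MOK.der and MOK.pem are public material and can stay if they are kept in sync with whatever key replaces this one; an `uefi/README` line noting that the private key is generated locally and never committed would make the intent clear.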
diff --git a/uefi/mod-sign.sh b/uefi/mod-sign.sh
new file mode 100755
index 0000000..f110b95
--- /dev/null
+++ b/uefi/mod-sign.sh
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+modules=$(find "$moddir" -type f -name '*.ko')
+
+NPROC=$(nproc)
+[ -z "$NPROC" ] && NPROC=1
+
+echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
+for mod; do
+ ./sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+ rm -f \$mod.sig \$mod.dig
+done
+" DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+exit 0
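Review bot: The final `exit 0` discards the status of the xargs pipeline, so a failing `./sign-file` (wrong key path, unreadable module, missing sign-file in the current directory) leaves unsigned modules in place while the caller sees success, and `echo "$modules" | xargs` splits the find output on whitespace, so any module path containing a space or newline is passed to sign-file in pieces. Feeding xargs NUL-delimited paths, exporting the key paths instead of interpolating them into the `sh -c` string, failing a batch on the first sign-file error and letting xargs' status (123 when any batch fails) propagate fixes both; `./sign-file` is still resolved relative to the working directory, which a comment such as `# sign-file is expected in the cwd (setup.sh links it into /usr/src/uefi/)` should say.
```shell
export MODSECKEY MODPUBKEY

# NUL-delimited so module paths with whitespace survive; sign-file must be in the cwd.
find "$moddir" -type f -name '*.ko' -print0 |
  xargs -0 -r -n16 -P "$NPROC" sh -c '
for mod; do
  ./sign-file sha256 "$MODSECKEY" "$MODPUBKEY" "$mod" || exit 1
  rm -f "$mod.sig" "$mod.dig"
done
' DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
# No explicit exit: the script's status is now that of the pipeline (123 if any batch failed).
```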
diff --git a/uefi/setup.sh b/uefi/setup.sh
new file mode 100755
index 0000000..910210e
--- /dev/null
+++ b/uefi/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+kver=$(uname -r)
+esp=$(lsblk -no pkname $(findmnt --noheadings -o source /boot/efi))
+
+cp /usr/share/shim/* /boot/efi/EFI/gentoo/
+mv /boot/efi/EFI/gentoo/BOOTX64.EFI /boot/efi/EFI/gentoo/shimx64.efi
+ln -sf /usr/src/linux/scripts/sign-file /usr/src/uefi/
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=GENTOOX/"
+openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
+mokutil --import MOK.der
+
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --no-nvram
+sbsign --key MOK.priv --cert MOK.pem /boot/efi/EFI/gentoo/grubx64.efi --output grubx64.efi.signed
+sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-${kver} --output vmlinuz-${kver}.signed
+mv grubx64.efi.signed /boot/efi/EFI/gentoo/grubx64.efi
+mv vmlinuz-${kver}.signed /boot/vmlinuz-${kver}
+cp -r /lib/modules/$kver/kernel/ kernel
+./mod-sign.sh MOK.priv MOK.der ./kernel/
+cp -r ./kernel/ /lib/modules/$kver/
+rm -rf kernel
+
+genkernel --kernel-config=/usr/src/linux/.config --compress-initramfs-type=zstd --microcode --luks --lvm --mdadm --btrfs --zfs initramfs
+efibootmgr -B -b $(efibootmgr | grep gentoo | cut -c 5-8)
+efibootmgr -c -d $esp -p 1 -L "GentooX" -l "\EFI\gentoo\shimx64.efi"
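Review bot: The script runs without `set -e`, so if `sbsign` on grubx64.efi or vmlinuz, or `./mod-sign.sh`, fails, the following `mv`/`cp` steps and the `efibootmgr -c` registration still run and the machine is left booting whatever unsigned or partially signed files remain; `set -eu` after the shebang, or `|| exit 1` on each signing line, makes a signing failure stop before the boot entry is changed. The `openssl req ... -nodes -keyout MOK.priv` line writes an unencrypted private key into the current directory under the default umask, which is how a key can end up world-readable or in the working tree; a `umask 077` before it (and generating into a dedicated directory rather than the checkout) limits that. `$(findmnt ...)` on the `esp=` line and `$esp` in the last `efibootmgr` call are unquoted, and `efibootmgr -B -b $(efibootmgr | grep gentoo | cut -c 5-8)` passes an empty or multi-valued argument when zero or several entries match `gentoo`, so the old-entry cleanup should be guarded, e.g. `[ -n "$old" ] && efibootmgr -B -b "$old"` after capturing the match into `old`.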