add support for signing kernel, modules, and grubx64.efi for Secure Boot

1 files changed, 24 insertions, 0 deletions

diff --git a/uefi/setup.sh b/uefi/setup.sh
new file mode 100755
index 0000000..910210e
--- /dev/null
+++ b/uefi/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+kver=$(uname -r)
+esp=$(lsblk -no pkname $(findmnt --noheadings -o source /boot/efi))
+
+cp /usr/share/shim/* /boot/efi/EFI/gentoo/
+mv /boot/efi/EFI/gentoo/BOOTX64.EFI /boot/efi/EFI/gentoo/shimx64.efi
+ln -sf /usr/src/linux/scripts/sign-file /usr/src/uefi/
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=GENTOOX/"
+openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
+mokutil --import MOK.der
+
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --no-nvram
+sbsign --key MOK.priv --cert MOK.pem /boot/efi/EFI/gentoo/grubx64.efi --output grubx64.efi.signed
+sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-${kver} --output vmlinuz-${kver}.signed
+mv grubx64.efi.signed /boot/efi/EFI/gentoo/grubx64.efi
+mv vmlinuz-${kver}.signed /boot/vmlinuz-${kver}
+cp -r /lib/modules/$kver/kernel/ kernel
+./mod-sign.sh MOK.priv MOK.der ./kernel/
+cp -r ./kernel/ /lib/modules/$kver/
+rm -rf kernel
+
+genkernel --kernel-config=/usr/src/linux/.config --compress-initramfs-type=zstd --microcode --luks --lvm --mdadm --btrfs --zfs initramfs
+efibootmgr -B -b $(efibootmgr | grep gentoo | cut -c 5-8)
+efibootmgr -c -d $esp -p 1 -L "GentooX" -l "\EFI\gentoo\shimx64.efi"