-rw-r--r-- | uefi/MOK.der | bin | 0 -> 779 bytes | |||
-rw-r--r-- | uefi/MOK.pem | 19 | ||||
-rw-r--r-- | uefi/MOK.priv | 28 | ||||
-rwxr-xr-x | uefi/mod-sign.sh | 19 | ||||
-rwxr-xr-x | uefi/setup.sh | 24 |
5 files changed, 90 insertions, 0 deletions
diff --git a/uefi/MOK.der b/uefi/MOK.der
Binary files differ
new file mode 100644
index 0000000..34b6861
--- /dev/null
+++ b/uefi/MOK.der
diff --git a/uefi/MOK.pem b/uefi/MOK.pem
new file mode 100644
index 0000000..caee12c
--- /dev/null
+++ b/uefi/MOK.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDBzCCAe+gAwIBAgIUFlByccURbtF7FMXdLeqX4Tm5UmAwDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHR0VOVE9PWDAgFw0yMTEyMTcyMjQxNDJaGA8yMTIxMTEy
+MzIyNDE0MlowEjEQMA4GA1UEAwwHR0VOVE9PWDCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAMq06sWICDaq2ov3qYqTIZaBEGXQLX8CmCPu0mFuAMqAJdzC
+r6oe6BNDBajCXFF10yeEUVURg/hAi5DCXzNHR8nSC7AfLoXtS8Khw0nv9SUPIFmD
+jxV9rllxOTpl2b3+NFXThriGAPfi88kucyq73c2X8dr92Z22QCpJgPeUSx/tq9/m
+lqVp/SBqkXMoWdjdnITXP3fINGnVyJThiSObkgBgeOGSPc7M/HL35LFF1l14Ht6f
+FSKs3CiARBTaU6wAZHdkwmwAduCnCMn2XGMSZq90vKTzWTacaNheW1Sf4v6B7JEP
+Z8+KXqq7mBmw1PskqCedWTJnRF2pslb8mXit26UCAwEAAaNTMFEwHQYDVR0OBBYE
+FBpF9BTtztp0d7TImSCapIns2AZ4MB8GA1UdIwQYMBaAFBpF9BTtztp0d7TImSCa
+pIns2AZ4MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBACTLolwa
+lcKa4HUED292PshZZTdSMVDBKx05Hx2dK6U3gJ15e5faDahUqv/V7ieXQcmsiDIN
+YjkdbN5YsFEZvrn3LtbOiuAjTbyl0jDo5MHz0D+lVrGlBfn8Z/euUoFqp5m0IZjb
+oVpTtXhlkSh64qQuTIN30/+Kq6znqBJ5ilLJGYRHML758BqVyMdsM68kYRGjNlIB
+oyzhFj2idDZRCeu6txGBSdbpxq2iP4bDDNF3lCJHavzvLR5ewQ2KbA1mi0iepnWg
+yR5QqUahccJSzKq1ZPXPktzafu7e7gk63Nkl6Kd00iRMwMi2STjea5d4VMyPPPQh
+NOhMLOj17OVOx7w=
+-----END CERTIFICATE-----
diff --git a/uefi/MOK.priv b/uefi/MOK.priv
new file mode 100644
index 0000000..c009d61
--- /dev/null
+++ b/uefi/MOK.priv
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKtOrFiAg2qtqL
+96mKkyGWgRBl0C1/Apgj7tJhbgDKgCXcwq+qHugTQwWowlxRddMnhFFVEYP4QIuQ
+wl8zR0fJ0guwHy6F7UvCocNJ7/UlDyBZg48Vfa5ZcTk6Zdm9/jRV04a4hgD34vPJ
+LnMqu93Nl/Ha/dmdtkAqSYD3lEsf7avf5palaf0gapFzKFnY3ZyE1z93yDRp1ciU
+4Ykjm5IAYHjhkj3OzPxy9+SxRdZdeB7enxUirNwogEQU2lOsAGR3ZMJsAHbgpwjJ
+9lxjEmavdLyk81k2nGjYXltUn+L+geyRD2fPil6qu5gZsNT7JKgnnVkyZ0RdqbJW
+/Jl4rdulAgMBAAECggEBAKuY4dGcKY/VrLKmUnDLwrg8w9vcklcdpBtvFcuCqsrC
+Fss+SCTUixObPhQxjKMtAjZGre88p6IlScCeuqaXJe90j45lpyWazvKRq9dQeg8I
+MhN06lCAF3MCBTcpd11972HkcfyM/A7cohFh7/5yEP71LLl9AZaf7Mufc7yiXcJF
+FxtCng/LrQJkENvikfnAAN9rHDHzxIEFkHD5ibOi9XpwZHXouWsF7yHGSgqeElyK
+W32nl2hkcRnTLSTLegCTyA2y2Gi+HeEiSkcsGGoQzg0ZB1MOUbT7hxQSs0AowQq5
+pM2THZ16vsV3w6LzrXBJR5ZALe6kgTmnVKfPNtWI0kECgYEA830taD+pOmp+EONr
+5MgW7+UvJaiGDG5fKLzUotleRI+XZ6UP3GSrhxnAd3rC8sCksk/rTPkn95n+8saK
+bxdsAb8Ep1gWWbfpvljIfjNVoBMf9kMolIM1nf3GjhgHCutLTxiOVXA5garQdpE1
+ZXIKpTbt6vxr5fGs5W9XaNH3KDUCgYEA1R9Lhi3bGHtmStwbPv9jpuQDim1m4mYS
+vWaqnX9oXPh9XCm1pQCTW8buH67TVy5WG26toXKiYrBdMSJ9w+H+57oVTBt04O5u
+fU8EcS5E3wVlJjsnL5KS61KFa9U2Wq/XB+ZfWDQKbuQQUU+/R19R5FcE3CKLUahk
+OafJqw62s7ECgYBu6pDqskVGpQg0bUTS/Qrl0QL/JpuZwhV7GznJzTcSCE8yGZD2
+Fq3EZ0izpKp1pqffymQntkAsnGv079hT7tl2mitmh8v2pr7FxO/f/UZ+GvguWD1+
+GZ8tD1OJmwxqPvEZYNhFt0+a79LykAdA5QhQZotOxhnor4TRJz0sNKlgGQKBgQDH
+zWQfsmPiauX2rq24fPPu5XtQTsqS3AEboeG4cFbmOmxEeDH8NDLyauiZuWwXIrDF
+XRjY8EC+5vsncl+XwgsZMkJ/LIqByea6Add3SFp2/3bZxcEx/2dPyPiepLAliw68
+MEUYywkw9w05PdtkzT9YJCDBRH16m7UCvIP7o3qzsQKBgFJZ4E8WV4rFzE2NXeSH
+Km30ME7voUgNf7b+wJNiJ3H+R6E4hi3Lmf/2/O47ZwWeoUidyiqu+eCvNhtfzHRB
+UFlvI8il8x3VKjwXU+/NolwM/xvRWIhC601sBV48Z6AZihslx7Z0xKt1owpztsb/
+VM2u0uXGe/HjOzPNcEQgXeLX
+-----END PRIVATE KEY-----
diff --git a/uefi/mod-sign.sh b/uefi/mod-sign.sh
new file mode 100755
index 0000000..f110b95
--- /dev/null
+++ b/uefi/mod-sign.sh
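Review bot: uefi/MOK.priv is the unencrypted private half of the Machine Owner Key (a bare PRIVATE KEY block, no passphrase wrapper) and it is committed next to uefi/MOK.der, the certificate that setup.sh enrolls with `mokutil --import MOK.der`; anyone who can read this repository can therefore sign kernels, GRUB images and modules that Secure Boot accepts on every host where that certificate is enrolled. The workflow does not even need the committed copy, since setup.sh regenerates the pair with `openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv ...` on each run. The key should be purged from history (a plain deletion leaves the bytes in earlier commits), treated as compromised and removed from the MOK list on hosts that imported it (`mokutil --delete MOK.der`), and `uefi/MOK.priv` added to .gitignore so a later run of setup.sh does not re-commit it.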
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+MODSECKEY=$1
+MODPUBKEY=$2
+moddir=$3
+
+modules=$(find "$moddir" -type f -name '*.ko')
+
+NPROC=$(nproc)
+[ -z "$NPROC" ] && NPROC=1
+
+echo "$modules" | xargs -r -n16 -P $NPROC sh -c "
+for mod; do
+ ./sign-file sha256 $MODSECKEY $MODPUBKEY \$mod
+ rm -f \$mod.sig \$mod.dig
+done
+" DUMMYARG0 # xargs appends ARG1 ARG2..., which go into $mod in for loop.
+
+exit 0
diff --git a/uefi/setup.sh b/uefi/setup.sh
new file mode 100755
index 0000000..910210e
--- /dev/null
+++ b/uefi/setup.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+kver=$(uname -r)
+esp=$(lsblk -no pkname $(findmnt --noheadings -o source /boot/efi))
+
+cp /usr/share/shim/* /boot/efi/EFI/gentoo/
+mv /boot/efi/EFI/gentoo/BOOTX64.EFI /boot/efi/EFI/gentoo/shimx64.efi
+ln -sf /usr/src/linux/scripts/sign-file /usr/src/uefi/
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=GENTOOX/"
+openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
+mokutil --import MOK.der
+
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --no-nvram
+sbsign --key MOK.priv --cert MOK.pem /boot/efi/EFI/gentoo/grubx64.efi --output grubx64.efi.signed
+sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-${kver} --output vmlinuz-${kver}.signed
+mv grubx64.efi.signed /boot/efi/EFI/gentoo/grubx64.efi
+mv vmlinuz-${kver}.signed /boot/vmlinuz-${kver}
+cp -r /lib/modules/$kver/kernel/ kernel
+./mod-sign.sh MOK.priv MOK.der ./kernel/
+cp -r ./kernel/ /lib/modules/$kver/
+rm -rf kernel
+
+genkernel --kernel-config=/usr/src/linux/.config --compress-initramfs-type=zstd --microcode --luks --lvm --mdadm --btrfs --zfs initramfs
+efibootmgr -B -b $(efibootmgr | grep gentoo | cut -c 5-8)
+efibootmgr -c -d $esp -p 1 -L "GentooX" -l "\EFI\gentoo\shimx64.efi" |
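Review bot: mod-sign.sh can never report a signing failure: inside the `sh -c` loop the status of a failed `./sign-file` is overwritten by the following `rm -f`, and whatever xargs returns is then replaced by the final `exit 0`, so a `.ko` that could not be signed stays unsigned while this script and the `./mod-sign.sh ... ./kernel/` step in setup.sh both succeed, and the problem first shows up as a module load failure under signature enforcement. The `echo "$modules" | xargs` hand-off also splits module paths on whitespace, and `$MODSECKEY`/`$MODPUBKEY` are pasted unquoted into the child script text by the outer double-quoted string, so a key path containing spaces or shell metacharacters is re-parsed as shell syntax by the inner `sh` rather than used as an argument. The rewrite below feeds NUL-terminated paths from find, passes the key paths as positional arguments instead of interpolating them, makes the signing step fatal, and drops `exit 0` so the pipeline's status becomes the script's. The `./sign-file` relative path presumably relies on setup.sh running from /usr/src/uefi, where it symlinks the tool; worth stating in a header comment.
```shell
# … unchanged: MODSECKEY/MODPUBKEY/moddir assignments and NPROC detection …
find "$moddir" -type f -name '*.ko' -print0 |
  xargs -0 -r -n16 -P "$NPROC" sh -c '
    seckey=$1; pubkey=$2; shift 2
    for mod; do
      ./sign-file sha256 "$seckey" "$pubkey" "$mod" || exit 1
      rm -f "$mod.sig" "$mod.dig"
    done
  ' DUMMYARG0 "$MODSECKEY" "$MODPUBKEY"
# no trailing "exit 0": the pipeline's status (xargs reports 123 if any batch failed) is the script's status
```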
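Review bot: setup.sh overwrites the bootloader, the kernel image and the firmware boot entry with no error handling at all (no `set -e`, no status checks on any line), so a failure partway through — `openssl req` not writing MOK.priv, `mokutil --import` declining the certificate, `sbsign` or `grub-install` failing — does not stop the later `mv` and `efibootmgr -B` steps, and the host can end up with its boot entry deleted or a kernel signed by a key that was never enrolled. Add `set -eu` after the shebang and quote the expansions that build command lines (`"$kver"`, `"$esp"`, `"$(findmnt --noheadings -o source /boot/efi)"`). The `efibootmgr -B -b $(efibootmgr | grep gentoo | cut -c 5-8)` line passes an empty bootnum when no entry matches and several words when more than one does, so it should verify that exactly one entry was found before deleting anything. The key pair is written by `openssl req ... -nodes` into the working directory under the caller's umask; placing `umask 077` before that line keeps MOK.priv from being created readable by other users (whether the installed openssl already restricts the mode on its own depends on the version — verify).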