From 4b08419de4d6a16fb74cafd381b496375076fa3c Mon Sep 17 00:00:00 2001
From: Kyle K
Date: Sat, 25 Dec 2021 07:54:02 -0600
Subject: add support for signing kernel and shimx64.efi

---
 gentoox_build.sh | 24 +++++++++++++++++++++++-
 install.sh | 14 +++++++++++++-
 sign-extra-modules.sh | 4 ++++
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100755 sign-extra-modules.sh

diff --git a/gentoox_build.sh b/gentoox_build.sh
index 3e0745d..19c7419 100755
--- a/gentoox_build.sh
+++ b/gentoox_build.sh
@@ -374,6 +374,17 @@ dd if=/dev/urandom of=/dev/stdout bs=1 count=4 > /etc/hostid
 
 genkernel --kernel-config=/usr/src/linux/.config --compress-initramfs-type=zstd --microcode --luks --lvm --mdadm --btrfs --zfs initramfs
 tar --zstd -cf /usr/src/kernel-gentoox.tar.zst /boot/*\${KERNELVERSION}* -C /lib/modules/ .
+kver=\$(uname -r)
+cd /usr/src/uefi/
+sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-\$kver --output vmlinuz-\$kver.signed
+mv vmlinuz-\$kver.signed /boot/vmlinuz-\$kver
+cp -r /lib/modules/\$kver/{kernel,extra,misc}/ .
+./mod-sign.sh MOK.priv MOK.der ./kernel/
+./mod-sign.sh MOK.priv MOK.der ./extra/
+./mod-sign.sh MOK.priv MOK.der ./misc/
+cp -r ./kernel/ ./extra/ ./misc/ /lib/modules/\$kver/
+rm -rf kernel extra misc
+
 sed -i "s/#GRUB_CMDLINE_LINUX_DEFAULT=\"\"/GRUB_CMDLINE_LINUX_DEFAULT=\"zswap.enabled=1 zswap.compressor=lz4 zswap.max_pool_percent=20 zswap.zpool=z3fold dobtrfs\"/" /etc/default/grub
 sed -i "s/#GRUB_GFXMODE=640x480/GRUB_GFXMODE=auto/" /etc/default/grub
 sed -i "s/#GRUB_GFXPAYLOAD_LINUX=/GRUB_GFXPAYLOAD_LINUX=keep/" /etc/default/grub
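Review bot: `kver=\$(uname -r)` on the first added line takes the kernel of whatever host executes this chroot step, not the kernel that was just built, whereas the `tar` context line right above identifies the built kernel as `\${KERNELVERSION}`; when the two differ, `sbsign` is pointed at a `/boot/vmlinuz-…` that is missing or stale and the module copy/sign round-trip touches the wrong `/lib/modules/` tree. Using the same variable keeps the block consistent: `kver=\${KERNELVERSION}`. The following `cd /usr/src/uefi/` is unguarded, so if the directory is absent the relative `MOK.priv`/`MOK.pem` paths and the closing `rm -rf kernel extra misc` operate in the previous working directory; `cd /usr/src/uefi/ || exit 1` bounds that. The private signing key stays in the image at /usr/src/uefi/MOK.priv after this step (the install.sh hunk and the new sign-extra-modules.sh read it from the same path on the installed system, and the ISO hunk reads `EFI/MOK.priv` from inside the iso/ tree), so anyone with access to an installed system or the ISO can sign kernels, modules and loaders that the enrolled MOK trusts; keeping the key on the build host and shipping only MOK.der/MOK.pem would preserve what Secure Boot is meant to guarantee. The enclosing script run continues outside the hunk.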
@@ -413,7 +424,7 @@ FEATURES="-userpriv" emerge dev-lang/yasm # yasm fails to build otherwise
 
 #sys-boot/plymouth gdm' > /etc/portage/package.use/gentoox
 emerge -v --autounmask=y --autounmask-write=y --keep-going=y --deep --newuse xorg-server nvidia-firmware arandr elogind sudo vim weston wpa_supplicant ntp bind-tools telnet-bsd snapper \
-nfs-utils cifs-utils samba dhcpcd nss-mdns zsh zsh-completions powertop cpupower lm-sensors screenfetch gparted gdb strace atop dos2unix app-misc/screen app-text/tree openbsd-netcat laptop-mode-tools hdparm alsa-utils vulkan-tools mesa-progs tcpdump #plymouth-openrc-plugin
+nfs-utils cifs-utils samba dhcpcd nss-mdns zsh zsh-completions powertop cpupower lm-sensors screenfetch gparted gdb strace atop dos2unix app-misc/screen app-text/tree openbsd-netcat laptop-mode-tools hdparm alsa-utils vulkan-tools mesa-progs tcpdump shim mokutil #plymouth-openrc-plugin
 #emerge -avuDN --with-bdeps=y @world
 #emerge -v --depclean
 groupadd weston-launch
@@ -895,6 +906,17 @@ tar -xOf kernel-gentoox.tar.zst --wildcards \*initramfs-\* | unzstd -d | gzip >
 tar -xOf kernel-gentoox.tar.zst --wildcards \*System.map-\* > iso/boot/System-gentoo.map
 sed -i "s@dokeymap@aufs scandelay=3@g" iso/isolinux/isolinux.cfg
 sed -i "s@dokeymap@aufs scandelay=3@g" iso/grub/grub.cfg
+cd iso
+cp cp boot/EFI/BOOT/grubx64.efi .
+sbsign --key EFI/MOK.priv --cert EFI/MOK.pem grubx64.efi
+mv grubx64.efi.signed grubx64.efi
+cp grubx64.efi boot/EFI/BOOT/grubx64.efi
+cp grubx64.efi EFI/BOOT/grubx64.efi
+mkdir tmp && mount -o rw gentoo.efimg ./tmp
+cp grubx64.efi /mnt/EFI/BOOT/grubx64.efi
+umount ./tmp
+rm -f grubx64.efi && rm -rf ./tmp
+cd ..
 xorriso -as mkisofs -iso-level 3 -r -J \
 -joliet-long -l -cache-inodes \
 -isohybrid-mbr /usr/share/syslinux/isohdpfx.bin \
diff --git a/install.sh b/install.sh
index 1f977f7..311d195 100755
--- a/install.sh
+++ b/install.sh
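Review bot: The package list gains `shim mokutil` but not the package that provides `sbsign`, which the kernel-signing block added earlier in this file and the install-time signing in install.sh both invoke; unless it is already pulled in elsewhere in the build, those steps fail with a missing command and the unsigned binaries are left in place. Adding `app-crypt/sbsigntools` next to `shim mokutil` on this line would close that gap. The emerge command this line belongs to starts on the preceding context line.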
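Review bot: `cp cp boot/EFI/BOOT/grubx64.efi .` on the second added line has a doubled `cp`, so the first operand is a file named `cp` and the copy fails (or copies the wrong file if something called `cp` exists in iso/); it should read `cp boot/EFI/BOOT/grubx64.efi .`. Three lines further on, `gentoo.efimg` is mounted at `./tmp` but the signed loader is written to `/mnt/EFI/BOOT/grubx64.efi`, so the EFI image inside the ISO keeps the unsigned grub and the copy lands on the host's /mnt; the destination should be `./tmp/EFI/BOOT/grubx64.efi`. None of the new lines checks a return value, so a failed `mount` is followed by copying into an ordinary directory, an `umount` of nothing and `rm -rf ./tmp` of the stray copy, with the whole sequence reporting success. The `sbsign` call also reads `EFI/MOK.priv` from inside the iso/ tree, which suggests the private key is packed into the ISO; that exposure is covered in the note on the kernel-signing hunk.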
@@ -216,7 +216,19 @@ fi
 yes $userpassword | passwd $username
 if [[ ! -z "$UEFI_MODE" ]]; then
-grub-install --target=x86_64-efi
+if [[ \$(mokutil --sb-state) == "SecureBoot enabled" ]]; then
+esp=\$(lsblk -no pkname \$(findmnt --noheadings -o source /boot/efi))
+esp_with_partum=\$(basename \$(findmnt --noheadings -o source /boot/efi))
+esp_partnum=\$(echo \${esp_with_partum#\$esp} | tr -d 'p')
+grub-install --target=x86_64-efi --efi-directory=/boot/efi --modules="tpm" --no-nvram
+sbsign --key /usr/src/uefi/MOK.priv --cert /usr/src/uefi/MOK.pem /boot/efi/EFI/gentoo/grubx64.efi --output grubx64.efi.signed
+mv grubx64.efi.signed /boot/efi/EFI/gentoo/grubx64.efi
+cp /usr/share/shim/* /boot/efi/EFI/gentoo/
+mv /boot/efi/EFI/gentoo/BOOTX64.EFI /boot/efi/EFI/gentoo/shimx64.efi
+efibootmgr -c -d \$esp -p \$esp_partnum -L "GentooX" -l "\EFI\gentoo\shimx64.efi"
+else
+grub-install --target=x86_64-efi
+fi
 else
 grub-install --target=i386-pc $drive
 fi
diff --git a/sign-extra-modules.sh b/sign-extra-modules.sh
new file mode 100755
index 0000000..066a79a
--- /dev/null
+++ b/sign-extra-modules.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+find /lib/modules/$(uname -r)/{extra,misc}/ -name "*.ko" -exec /usr/src/linux/scripts/sign-file sha256 /usr/src/uefi/MOK.priv /usr/src/uefi/MOK.pem {} \;
+exit 0
-- 
cgit v1.2.3
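Review bot: `efibootmgr -c -d \$esp` receives the bare disk name that `lsblk -no pkname` prints (e.g. `sda` rather than `/dev/sda`), and as far as I can tell efibootmgr opens the `-d` argument as a path, so from a normal working directory the boot entry is never created and the machine falls back to whatever was in NVRAM before; `esp=\$(lsblk -pno pkname \$(findmnt --noheadings -o source /boot/efi))` on the `esp=` line yields the full device path. Nothing in the branch enrolls the MOK certificate on the installed system (there is no `mokutil --import /usr/src/uefi/MOK.der`), and shim only launches a grubx64.efi whose signer is in db or the enrolled MOK list, so unless enrollment happens in a part of the installer outside this hunk the first Secure Boot start ends in a security violation. The nested `\$(findmnt …)` substitutions on the `esp=` and `esp_with_partum=` lines are unquoted and would split on a source path containing whitespace; wrapping each in double quotes is cheap. The `\$`-escaped expansions next to the unescaped `$UEFI_MODE`/`$drive` read as a heredoc body evaluated inside the target, which is worth a one-line comment above the `if` so that a reader of the raw file does not take `\$(` for a typo; the key left at /usr/src/uefi/MOK.priv on the installed system is covered in the note on the kernel-signing hunk.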
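Review bot: `find /lib/modules/$(uname -r)/{extra,misc}/` depends on brace expansion, which `#!/bin/sh` does not guarantee; on a system where /bin/sh is dash the literal path `…/{extra,misc}/` is searched, no module is signed, and the trailing `exit 0` converts find's error into a success exit, so a caller cannot tell that nothing happened. Listing the two directories explicitly and letting the exit status through fixes both: `find "/lib/modules/$(uname -r)/extra" "/lib/modules/$(uname -r)/misc" -name '*.ko' -exec /usr/src/linux/scripts/sign-file sha256 /usr/src/uefi/MOK.priv /usr/src/uefi/MOK.pem {} \;` with the `exit 0` line removed (or the shebang changed to bash if brace expansion is wanted). A short header comment stating that the script must run after the out-of-tree modules are installed and before they are loaded, and that it expects the matching certificate to already be enrolled, would help the next reader.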