diff --git a/build.sh b/build.sh
index 9783829..3672890 100755
--- a/build.sh
+++ b/build.sh
@@ -66,9 +66,10 @@ SIGNED_SHIM='/usr/lib/shim/shimx64.efi.signed'
 # variables ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
 MEMDISK_ROOT="${ESP_ROOT}/memdisk"
-MEMDISK_DIRECTORY="${MEMDISK_ROOT}/boot/grub"
+MEMDISK_DIRECTORY="${MEMDISK_ROOT}/grub"
 MEMDISK_FILE="${MEMDISK_DIRECTORY}/grub.cfg"
-MEMDISK_ARCHIVE="${MEMDISK_ROOT}/boot.tar"
+MEMDISK_FONTS="${MEMDISK_DIRECTORY}/fonts"
+MEMDISK_ARCHIVE="${MEMDISK_ROOT}/grub.tar"
 UEFI_ROOT="${ESP_ROOT}/efi"
 UEFI_DIRECTORY="${UEFI_ROOT}/boot"
@@ -111,14 +112,14 @@ rm --force --recursive \
 # memdisk ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
 echo -n "
-→ ${MEMDISK_DIRECTORY}
+→ ${MEMDISK_FONTS}
 "
-mkdir --parents "${MEMDISK_DIRECTORY}"
+mkdir --parents "${MEMDISK_FONTS}"
 echo -n "
 → ${MEMDISK_FILE}
 "
-echo -n "\
+echo "\
 echo \"prefix | \${prefix}\"
 search --no-floppy --set root --fs-uuid '${ESP}'
 prefix=\"(\${root})/boot/grub\"
@@ -131,12 +132,12 @@ echo -n "
 cat "${GRUB_SHIGNED}" >> "${MEMDISK_FILE}"
 echo -n "
-↙ ${MEMDISK_ROOT}
+↙ ${MEMDISK_DIRECTORY}
 ↘ ${MEMDISK_ARCHIVE}
 "
-cd "${MEMDISK_ROOT}"
+cd "${MEMDISK_DIRECTORY}"
 tar --create --auto-compress \
---file "${MEMDISK_ARCHIVE}" 'boot'
+--file "${MEMDISK_ARCHIVE}" 'grub.cfg'
 cd -
 # uefi ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
@@ -155,6 +156,7 @@ grub-mkimage \
 --memdisk "${MEMDISK_ARCHIVE}" \
 --format 'x86_64-efi' \
 --output "${UEFI_FILE}" \
+--prefix '(memdisk)/' \
 "${MODULES[@]}"
 if [ -f "${SIGNED_SHIM}" ] ; then
 echo -n "
@@ -203,6 +205,7 @@ grub-mkimage \
 --memdisk "${MEMDISK_ARCHIVE}" \
 --format 'i386-pc' \
 --output "${BIOS_FILE}" \
+--prefix '(memdisk)/' \
 "${MODULES[@]}" "${MODULES_BIOS[@]}"
 echo -n "
diff --git a/live/main.sh b/live/main.sh
index a03a63c..2785aed 100644
--- a/live/main.sh
+++ b/live/main.sh
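Review bot: `cd "${MEMDISK_DIRECTORY}"` before `tar --create` is unchecked; if the directory is missing or the cd fails, tar runs from the previous working directory and either aborts or packs some other `grub.cfg` into `${MEMDISK_ARCHIVE}`, which grub-mkimage then embeds and trusts as `(memdisk)/grub.cfg` via the new `--prefix '(memdisk)/'`. Write `cd "${MEMDISK_DIRECTORY}" || exit 1` (and `cd - >/dev/null` so the directory echo stays out of the build log); whether `set -e` is active is outside these hunks. Separately, `${MEMDISK_FONTS}` is created with `mkdir --parents` but the archive lists only `'grub.cfg'`, so the fonts directory never reaches the memdisk; either add `'fonts'` to the tar arguments or drop the mkdir until fonts are actually populated.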
@@ -8,9 +8,10 @@ menuentry '↑ env →' { menu 'env' }
 menuentry '↑ set →' { menu 'set' }
 menuentry '↑ cmd →' { menu 'cmd' }
 menu_split
+menuentry 'check_squashfs = enforce' { check_squashfs='enforce' }
+menuentry 'check_squashfs = no' { check_squashfs='no' }
+menu_split
 menuentry 'bash / stable / tui' { debsquash '/boot/bash/stable/tui' }
 menuentry 'bash / stable / gui' { debsquash '/boot/bash/stable/gui' }
 menuentry 'bash / latest / tui' { debsquash '/boot/bash/latest/tui' }
-menuentry 'check_signatures = enforce' { check_signatures='enforce' }
-menuentry 'check_signatures = no' { check_signatures='no' }
 menuentry 'bash / latest / gui' { debsquash '/boot/bash/latest/gui' }
diff --git a/live/menu/set.sh b/live/menu/set.sh
index b1fcb10..0fc6696 100644
--- a/live/menu/set.sh
+++ b/live/menu/set.sh
@@ -11,3 +11,5 @@ menu_split 'split'
 menuentry "esp: ${esp} → data: ${data}" { nop }
 menuentry "env: ${env} → env_mod: ${env_mod}" { nop }
 menuentry "live: ${live}" { nop }
+menu_split
+menuentry "check_squashfs: ${check_squashfs}" { nop }
diff --git a/live/source/boot.sh b/live/source/boot.sh
index 49ca5df..0a78ded 100644
--- a/live/source/boot.sh
+++ b/live/source/boot.sh
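Review bot: The new `check_squashfs = no` entry is a one-keypress downgrade of the only integrity check on the live root image, placed among the boot entries with no confirmation and no privilege gate. If it is meant for development, restrict it rather than ship it open: once a `superusers` list is configured (not visible here), GRUB makes entries superuser-only unless marked `--unrestricted`, so tag the `debsquash` boot entries `menuentry --unrestricted ...` and leave this toggle restricted, or drop it from the released menu. Removing the `check_signatures = no` toggle is the safer direction and should be kept.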
@@ -1,24 +1,29 @@
 function debsquash {
 lmp="${1}"
 sfs="filesystem.squashfs"
- chk="(${data})${lmp}/${sfs}"
 #
- echo 'verify_detached'
- echo "${chk}"
- if verify_detached "${chk}" "${chk}.sig" ; then
- if [ -f "(${data})${lmp}/vmlinuz" ]; then
- linux_path="(${data})${lmp}/vmlinuz"
- initrd_path="(${data})${lmp}/initrd.img"
- else
- linux_path="(squash)/vmlinuz"
- initrd_path="(squash)/initrd.img"
- loopback "squash" "${lmp}/${sfs}"
+ if [ "${check_squashfs}" == 'enforce' ] ; then
+ chk="(${data})${lmp}/${sfs}"
+ echo 'verify_detached'
+ echo "${chk}"
+ if ! verify_detached "${chk}" "${chk}.sig" ; then
+ grub_pause
+ return 1
 fi
- #
- echo
- echo 'linux'
- echo "${linux_path}"
- linux \
+ fi
+ if [ -f "(${data})${lmp}/vmlinuz" ] ; then
+ linux_path="(${data})${lmp}/vmlinuz"
+ initrd_path="(${data})${lmp}/initrd.img"
+ else
+ linux_path="(squash)/vmlinuz"
+ initrd_path="(squash)/initrd.img"
+ loopback "squash" "${lmp}/${sfs}"
+ fi
+ #
+ echo
+ echo 'linux'
+ echo "${linux_path}"
+ linux \
 "${linux_path}" \
 boot="live" \
 elevator="deadline" \
@@ -26,10 +31,9 @@ ip="frommedia" \
 live-media-path="${lmp}" \
 live-media-uuid="${data_uuid}" \
 toram="${sfs}"
- #
- echo
- echo 'initrd'
- echo "${initrd_path}"
- initrd "${initrd_path}"
- fi
+ #
+ echo
+ echo 'initrd'
+ echo "${initrd_path}"
+ initrd "${initrd_path}"
 }
diff --git a/live/source/env.sh b/live/source/env.sh
index 5e776c4..edc7e01 100644
--- a/live/source/env.sh
+++ b/live/source/env.sh
@@ -1,7 +1,7 @@
 function env {
 action="${1}"
 setparams \
- 'time_out'
+ 'check_squashfs' 'time_out'
 if [ "${action}" == 'load' ] ; then
 load_env \
 --skip-sig \
@@ -48,5 +48,6 @@ function env_mod {
 }
 function env_set {
+ check_squashfs='enforce'
 time_out=10
 }
diff --git a/readme.md b/readme.md
index fa3bc48..0ca2f40 100644
--- a/readme.md
+++ b/readme.md
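Review bot: The guard `if [ "${check_squashfs}" == 'enforce' ]` fails open: any value other than the exact string `enforce` — including an unset or empty variable when `env_set` has not run or the value did not survive the environment load — silently skips `verify_detached` and boots an unverified `filesystem.squashfs`. Invert it so that only an explicit opt-out disables the check: `if [ "${check_squashfs}" != 'no' ] ; then`. Note also that when `(${data})${lmp}/vmlinuz` exists the kernel and initrd are taken from outside the squashfs, so the detached signature on the squashfs says nothing about them; whether GRUB's own `check_signatures` covers that path is not visible in this hunk. `debsquash` continues past the end of the hunk.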
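Review bot: `check_squashfs` is added to the parameter list right above a `load_env` call that uses `--skip-sig`, so the value would be read from the on-disk environment file without any signature check; anyone who can write that file on the ESP can set `check_squashfs=no` and turn off squashfs verification regardless of the `enforce` default in `env_set`. Either keep `check_squashfs` out of the variables loaded from the unsigned file (leave the loaded list at `'time_out'` and let the menu toggle it per session), or load it only through a signature-checked `load_env` without `--skip-sig`. This assumes the `setparams` list feeds the variable list of `load_env`, which is past the end of the hunk; `env` continues outside this hunk.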
@@ -58,22 +58,82 @@ Build an ESP File System including:
 ## Tasks
-* bash
- * mimic grubx64.efi.signed
- * efi
- * bios
- * auto setup bios device
- * --prefix '(memdisk)'
-* live
- * check squashfs option
-* python
+- [x] comply with secure boot
+- [x] choose to check squashfs or not
+
+- [ ] bash
+ - [ ] mimic grubx64.efi.signed ←
+ - [ ] efi
+ - [ ] include fonts/unicode
+ - [ ] bios
+ - [ ] find & setup bios device
+
+- [ ] rewrite in python
 ![Graph](todo.svg)
 ### Later
-* arm
-* keyboard layouts
-* custom fonts
-* live-media
- * -mount-opts
+- [ ] target arm
+- [ ] make keyboard layouts
+- [ ] make custom fonts
+- [ ] target specific live-media
+ - [ ] -mount-opts?
+
+```
+/esp
+├── bios
+│ ├── boot.img
+│ ├── core.img
+│ └── setup.sh
+├── boot
+│ ├── grub
+│ │ ├── fonts
+│ │ │ └── *.pf2
+│ │ ├── grub.cfg
+│ │ ├── grub.pgp
+│ │ ├── grubenv
+│ │ ├── i386-pc
+│ │ │ ├── *.lst
+│ │ │ └── *.mod
+│ │ ├── locale
+│ │ │ └── *.mo
+│ │ ├── themes
+│ │ │ ├── breeze
+│ │ │ │ ├── theme.txt
+│ │ │ │ ├── *.pf2
+│ │ │ │ ├── *.pf2.license
+│ │ │ │ ├── *.png
+│ │ │ │ └── *.png.license
+│ │ │ └── starfield
+│ │ │ ├── README
+│ │ │ ├── theme.txt
+│ │ │ ├── *.pf2
+│ │ │ ├── *.pf2.license
+│ │ │ ├── *.png
+│ │ │ └── *.png.license
+│ │ └── x86_64-efi
+│ │ ├── *.lst
+│ │ └── *.mod
+│ └── lsgm
+│ ├── main.sh
+│ ├── menu
+│ │ ├── cmd.sh
+│ │ ├── env.sh
+│ │ ├── gfx.sh
+│ │ ├── scan.sh
+│ │ └── set.sh
+│ └── source
+│ ├── boot.sh
+│ ├── env.sh
+│ ├── menu.sh
+│ ├── probe.sh
+│ ├── scan.sh
+│ └── util.sh
+├── efi
+│ └── boot
+│ ├── bootx64.efi
+│ ├── core.efi
+│ └── grubx64.efi
+└── grub.env
+```