secure boot

build.sh

@@ -42,11 +42,15 @@ MEMDISK_ARCHIVE="${MEMDISK_ROOT}.tar"
 UEFI_ROOT="${ROOT}/efi"
 UEFI_DIRECTORY="${UEFI_ROOT}/boot"
 UEFI_FILE="${UEFI_DIRECTORY}/bootx64.efi"
+UEFI_GRUB="${UEFI_DIRECTORY}/grubx64.efi"
+SIGNED_GRUB='/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed'
+SIGNED_SHIM='/usr/lib/shim/shimx64.efi.signed'
 BIOS_DIRECTORY="${ROOT}/bios"
 BIOS_FILE="${BIOS_DIRECTORY}/core.img"
 BIOS_SETUP="${BIOS_DIRECTORY}/setup.sh"
 COMPRESSION='xz'
-GRUB_ROOT="${ROOT}/grub"
+GRUB_ROOT="${ROOT}/boot/grub"
+GRUB_CFG="${GRUB_ROOT}/grub.cfg"
 GRUB_ENV="${ROOT}/grub.env"
 GRUB_PUB="${GRUB_ROOT}/grub.pub"
 
@@ -112,6 +116,13 @@ grub-mkimage \
 --pubkey "${MEMDISK_PUB}" \
 "${MODULES[@]}"
 # gpg --detach-sign "${UEFI_FILE}"
+if [ -f "${SIGNED_SHIM}" ] ; then
+    mv "${UEFI_FILE}" "${UEFI_GRUB}"
+    cp "${SIGNED_SHIM}" "${UEFI_FILE}"
+fi
+if [ -f "${SIGNED_GRUB}" ] ; then
+    cp "${SIGNED_GRUB}" "${UEFI_GRUB}"
+fi
 
 # bios ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
 
@@ -144,6 +155,66 @@ DIRECTORY="$(dirname "${FILE}")"
 rm --force --recursive "${GRUB_ROOT}"
 mkdir --parents "${GRUB_ROOT}"
 
+# grub / cfg ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
+
+echo -n "\
+echo '
+grub.cfg ↓
+'
+ls
+echo -n \"\\
+cmdpath: \${cmdpath}
+   root:  \${root}
+\"
+for f in '/.disk/info' '/.disk/mini-info' ; do
+    if [ -f \"\${f}\" ] ; then
+        echo \"         (\${root})\${f}\"
+    fi
+done
+unset f
+echo \"\\
+ prefix: \${prefix}
+\"
+
+function set_init {
+    data_uuid='${DATA}'
+    search --no-floppy --set data \\
+    --fs-uuid \"\${data_uuid}\"
+    #
+    search --no-floppy --set esp \\
+    --fs-uuid '${ESP}'
+    if [ \"\${esp}\" ] ; then
+        env=\"(\${esp})/grub.env\"
+        live=\"(\${esp})/${PROJECT}/live\"
+        #
+        for file in \${live}/source/*.sh ; do
+            source \"\${file}\"
+        done
+        unset file
+    fi
+}
+
+function normal_init {
+    check_signatures='no'
+    #
+    set_init
+    if [ \"\${esp}\" ] ; then
+        prefix=\"(\${esp})/boot/grub\"
+        root=\"\${esp}\"
+    fi
+}
+
+normal_init
+
+echo 'main.sh ↓'
+source \"\${live}/main.sh\"
+echo 'main.sh ↑'
+
+echo -n '
+grub.cfg ↑ '
+sleep --interruptible --verbose 60
+" > "${GRUB_CFG}"
+
 # grub / env ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅
 
 echo -n "\

grubx64.sh

@@ -0,0 +1,13 @@
+if [ -z "$prefix" -o ! -e "$prefix" ]; then
+	if ! search --file --set=root /.disk/info; then
+		search --file --set=root /.disk/mini-info
+	fi
+	set prefix=($root)/boot/grub
+fi
+if [ -e $prefix/x86_64-efi/grub.cfg ]; then
+	source $prefix/x86_64-efi/grub.cfg
+elif [ -e $prefix/grub.cfg ]; then
+	source $prefix/grub.cfg
+else
+	source $cmdpath/grub.cfg
+fi

live/source/boot.sh

@@ -1,5 +1,4 @@
 function debsquash {
-    boot_toram='true'
     lmp="${1}"
     sfs="filesystem.squashfs"
     if [ -f "(${data})${lmp}/vmlinuz" ]; then
@@ -10,16 +9,13 @@ function debsquash {
         initrd_path="(squash)/initrd.img"
         loopback "squash" "${lmp}/${sfs}"
     fi
-    boot_linux="linux \
-\"${linux_path}\" \
-boot=\"live\" \
-elevator=\"deadline\" \
-ip=\"frommedia\" \
-live-media-path=\"${lmp}\" \
-toram"
-    if [ "${boot_toram}" == "true" ]; then
-        boot_linux="${boot_linux}=\"${sfs}\""
-    fi
-    echo_eval "${boot_linux}"
+    linux \
+"${linux_path}" \
+boot="live" \
+elevator="deadline" \
+ip="frommedia" \
+live-media-path="${lmp}" \
+live-media-uuid="${data_uuid}" \
+toram="${sfs}"
     initrd "${initrd_path}"
 }

readme.md

@@ -58,10 +58,22 @@ Build an ESP File System including:
 
 ## Tasks
 
+* live-media
+  * -mount-opts
 * build
   * layouts
 * grub.env
 * variablize
   * pgp
+* secure boot
+  * /efi/boot
+    * bootx64.efi ← /usr/lib/shim/shimx64.efi.signed
+    * grubx64.efi ← /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
+  * root
+    * /.disk/info
+    * /.disk/mini-info
+  * grub.cfg
+    * prefix → /boot/grub
+    * cmdpath → /efi/boot
 
 ![Graph](todo.svg)