From 6b80fe6bfcfa046fa55f919bfe32093825f6c452 Mon Sep 17 00:00:00 2001 From: Marc Beninca Date: Sat, 4 Nov 2023 00:30:39 +0100 Subject: [PATCH] secure boot --- build.sh | 73 ++++++++++++++++++++++++++++++++++++- grubx64.sh | 13 +++++++ live/{normal.sh => main.sh} | 0 live/source/boot.sh | 20 ++++------ readme.md | 12 ++++++ 5 files changed, 105 insertions(+), 13 deletions(-) create mode 100644 grubx64.sh rename live/{normal.sh => main.sh} (100%) diff --git a/build.sh b/build.sh index 5258a8c..082a021 100644 --- a/build.sh +++ b/build.sh @@ -42,11 +42,15 @@ MEMDISK_ARCHIVE="${MEMDISK_ROOT}.tar" UEFI_ROOT="${ROOT}/efi" UEFI_DIRECTORY="${UEFI_ROOT}/boot" UEFI_FILE="${UEFI_DIRECTORY}/bootx64.efi" +UEFI_GRUB="${UEFI_DIRECTORY}/grubx64.efi" +SIGNED_GRUB='/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed' +SIGNED_SHIM='/usr/lib/shim/shimx64.efi.signed' BIOS_DIRECTORY="${ROOT}/bios" BIOS_FILE="${BIOS_DIRECTORY}/core.img" BIOS_SETUP="${BIOS_DIRECTORY}/setup.sh" COMPRESSION='xz' -GRUB_ROOT="${ROOT}/grub" +GRUB_ROOT="${ROOT}/boot/grub" +GRUB_CFG="${GRUB_ROOT}/grub.cfg" GRUB_ENV="${ROOT}/grub.env" GRUB_PUB="${GRUB_ROOT}/grub.pub" @@ -112,6 +116,13 @@ grub-mkimage \ --pubkey "${MEMDISK_PUB}" \ "${MODULES[@]}" # gpg --detach-sign "${UEFI_FILE}" +if [ -f "${SIGNED_SHIM}" ] ; then + mv "${UEFI_FILE}" "${UEFI_GRUB}" + cp "${SIGNED_SHIM}" "${UEFI_FILE}" +fi +if [ -f "${SIGNED_GRUB}" ] ; then + cp "${SIGNED_GRUB}" "${UEFI_GRUB}" +fi # bios ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ 
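Review bot: The two added `if` blocks after the `# gpg --detach-sign "${UEFI_FILE}"` line are independent, so when only `${SIGNED_SHIM}` exists the locally built image is moved to `grubx64.efi` behind a shim that, with Secure Boot enforced, will typically refuse to chainload an unsigned second stage, and when only `${SIGNED_GRUB}` exists the signed GRUB is copied next to a `bootx64.efi` that never loads it. Gating both copies on one condition keeps the layout consistent: `if [ -f "${SIGNED_SHIM}" ] && [ -f "${SIGNED_GRUB}" ] ; then`. The distro-signed `grubx64.efi` also does not carry the `--pubkey "${MEMDISK_PUB}"` or the memdisk that the `grub-mkimage` call just above embeds, so on the Secure Boot path the project's own GPG verification of what GRUB loads no longer applies; a short comment next to the copies recording that trade-off would help the next reader. Whether a rebuild without the signed files leaves a stale `grubx64.efi` behind depends on cleanup of `${UEFI_DIRECTORY}` outside this hunk, so that is worth checking too.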
@@ -144,6 +155,66 @@ DIRECTORY="$(dirname "${FILE}")" rm --force --recursive "${GRUB_ROOT}" mkdir --parents "${GRUB_ROOT}" +# grub / cfg ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ + +echo -n "\ +echo ' +grub.cfg ↓ +' +ls +echo -n \"\\ +cmdpath: \${cmdpath} + root: \${root} +\" +for f in '/.disk/info' '/.disk/mini-info' ; do + if [ -f \"\${f}\" ] ; then + echo \" (\${root})\${f}\" + fi +done +unset f +echo \"\\ + prefix: \${prefix} +\" + +function set_init { + data_uuid='${DATA}' + search --no-floppy --set data \\ + --fs-uuid \"\${data_uuid}\" + # + search --no-floppy --set esp \\ + --fs-uuid '${ESP}' + if [ \"\${esp}\" ] ; then + env=\"(\${esp})/grub.env\" + live=\"(\${esp})/${PROJECT}/live\" + # + for file in \${live}/source/*.sh ; do + source \"\${file}\" + done + unset file + fi +} + +function normal_init { + check_signatures='no' + # + set_init + if [ \"\${esp}\" ] ; then + prefix=\"(\${esp})/boot/grub\" + root=\"\${esp}\" + fi +} + +normal_init + +echo 'main.sh ↓' +source \"\${live}/main.sh\" +echo 'main.sh ↑' + +echo -n ' +grub.cfg ↑ ' +sleep --interruptible --verbose 60 +" > "${GRUB_CFG}" + # grub / env ⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅⋅ echo -n "\ diff --git a/grubx64.sh b/grubx64.sh new file mode 100644 index 0000000..a07587e --- /dev/null +++ b/grubx64.sh @@ -0,0 +1,13 @@ +if [ -z "$prefix" -o ! -e "$prefix" ]; then + if ! search --file --set=root /.disk/info; then + search --file --set=root /.disk/mini-info + fi + set prefix=($root)/boot/grub +fi +if [ -e $prefix/x86_64-efi/grub.cfg ]; then + source $prefix/x86_64-efi/grub.cfg +elif [ -e $prefix/grub.cfg ]; then + source $prefix/grub.cfg +else + source $cmdpath/grub.cfg +fi diff --git a/live/normal.sh b/live/main.sh similarity index 100% rename from live/normal.sh rename to live/main.sh diff --git a/live/source/boot.sh b/live/source/boot.sh index 7a2230d..31ee22c 100644 --- a/live/source/boot.sh +++ b/live/source/boot.sh 
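Review bot: `check_signatures='no'` in `normal_init` switches off the GPG verifier that the image built with `--pubkey "${MEMDISK_PUB}"` relies on, and `set_init` then sources every `${live}/source/*.sh` plus `main.sh` unverified, so the scripts on the ESP become the trust boundary for what gets booted; where the signed shim/GRUB pair from the earlier hunk is in use, shim still verifies the kernel, but not these scripts. That looks intentional, so a comment on that line, `# GPG verifier off: shim/signed GRUB check the kernel; ESP scripts are trusted as-is`, would record the decision. Two style points: the build-time values `${DATA}`, `${ESP}` and `${PROJECT}` are spliced into the config as literal single-quoted text, so a value containing `'` would produce a broken grub.cfg, and a heredoc (`cat > "${GRUB_CFG}" <<EOF` with `\$` for the GRUB-side variables) would remove most of the `\"`/`\\` escaping that makes the block hard to read.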
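Review bot: `grubx64.sh` has no header comment saying what it is or who consumes it; nothing in the build.sh hunks of this patch references it, and its contents read like the config embedded in a distro-signed `grubx64.efi` (the `/.disk/info` search and the `$prefix/x86_64-efi/grub.cfg` fallback chain), presumably kept to document why `GRUB_ROOT` moved to `/boot/grub`. A header such as `# Reference copy of the config embedded in the signed grubx64.efi (not run by build.sh):` followed by `# explains the /boot/grub prefix and the /.disk/info, /.disk/mini-info markers.` would make that explicit — adjust if the file is actually consumed somewhere. It is also worth noting in that header that this config picks `$root` by the first filesystem carrying a marker file rather than by UUID, unlike `set_init` in the generated grub.cfg which uses `--fs-uuid`, so the two paths do not select media the same way.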
@@ -1,5 +1,4 @@ function debsquash { - boot_toram='true' lmp="${1}" sfs="filesystem.squashfs" if [ -f "(${data})${lmp}/vmlinuz" ]; then @@ -10,16 +9,13 @@ function debsquash { initrd_path="(squash)/initrd.img" loopback "squash" "${lmp}/${sfs}" fi - boot_linux="linux \ -\"${linux_path}\" \ -boot=\"live\" \ -elevator=\"deadline\" \ -ip=\"frommedia\" \ -live-media-path=\"${lmp}\" \ -toram" - if [ "${boot_toram}" == "true" ]; then - boot_linux="${boot_linux}=\"${sfs}\"" - fi - echo_eval "${boot_linux}" + linux \ +"${linux_path}" \ +boot="live" \ +elevator="deadline" \ +ip="frommedia" \ +live-media-path="${lmp}" \ +live-media-uuid="${data_uuid}" \ +toram="${sfs}" initrd "${initrd_path}" } diff --git a/readme.md b/readme.md index ab168d9..e723276 100644 --- a/readme.md +++ b/readme.md @@ -58,10 +58,22 @@ Build an ESP File System including: ## Tasks +* live-media + * -mount-opts * build * layouts * grub.env * variablize * pgp +* secure boot + * /efi/boot + * bootx64.efi ← /usr/lib/shim/shimx64.efi.signed + * grubx64.efi ← /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed + * root + * /.disk/info + * /.disk/mini-info + * grub.cfg + * prefix → /boot/grub + * cmdpath → /efi/boot ![Graph](todo.svg)
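Review bot: The new `linux` line in `debsquash` reads `data_uuid`, which is not defined in this file; it is set by `set_init` in the grub.cfg that build.sh now generates, so a comment on that line, `# data_uuid: set by set_init in the generated grub.cfg before this file is sourced`, would make the cross-file dependency visible. `toram="${sfs}"` is now unconditional where the removed `boot_toram` switch used to gate it, which the commit message does not mention; if that is intended, a one-line comment saying so is worth adding. `elevator="deadline"` is presumably carried over; on multiqueue kernels the `elevator=` parameter is no longer honoured and may only be logged as unknown, so verify it against the kernel shipped in the image. `debsquash` opens in the earlier hunk of this file, outside this one.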