PortValhalla/scripts/Devices/SurfaceBook2/SecureBoot/install.sh


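#!/bin/bash
#
# Sets up a Secure Boot chain on the Surface Book 2:
#   shim (taken from the Fedora shim RPM) -> systemd-boot (copied to the name
#   shim chainloads, grubx64.efi) with MokManager, KeyTool and the UEFI Shell
#   registered as systemd-boot entries, then generates and enrols a Machine
#   Owner Key (MOK) under /var/lib/shim-signed/mok.
#
# Must run as root. When started as a regular user it re-executes itself via
# sudo and afterwards runs sign-modules.sh from the same directory (as the
# invoking user, as before).
#
# Requirements: apt, an ESP mounted at /boot/efi with systemd-boot already
# installed, network access to kojipkgs.fedoraproject.org and github.com, and
# an openssl.cnf next to this script.
set -euo pipefail;

scriptRoot="$(realpath "${BASH_SOURCE%/*}")";

# Elevate script
if (( EUID != 0 ))
then
  sudo bash "$BASH_SOURCE";
  bash "$scriptRoot/sign-modules.sh";
else
  # Create context directory; remove it on every exit path, not only on success.
  contextRoot="$(mktemp -d)";
  cleanup() {
    # cd out first so the directory is not our cwd while it is deleted;
    # ":?" refuses to run "rm -rf" on an empty path.
    cd / && rm -rf -- "${contextRoot:?}";
  }
  trap cleanup EXIT;
  packageName="shim.rpm";
  pushd "$contextRoot";

  # Install Prerequisites
  # NOTE(review): rpm2archive below is shipped by the "rpm" package on Debian
  # derivatives, not by "rpm2cpio" — confirm it is pulled in on the target.
  apt install -y wget rpm2cpio efitools;

  # Download and Extract Package
  # NOTE(review): the RPM is fetched over HTTPS but its package signature /
  # checksum is not verified before it becomes the first-stage boot loader;
  # consider checking it against the Fedora signing key (rpm --checksig)
  # before extracting.
  shimPackageUrl="https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm";
  wget "$shimPackageUrl" -O "$packageName";
  rpm2archive "$packageName";
  tar -xvzf "$packageName.tgz";
  rm -f -- "$packageName" "$packageName.tgz";

  # Initialize variables
  # *DirName / *FileName are ESP-relative (what the firmware and loader.conf
  # see); *Path are the same locations under the mount point "$espPath".
  src="./boot/efi/EFI/fedora";

  efiDirName="/EFI";
  bootDirName="$efiDirName/BOOT";
  microsoftDirName="$efiDirName/Microsoft/Boot";
  systemdDirName="$efiDirName/systemd";
  shimBaseName="shimx64.efi";
  mokManagerBaseName="mmx64.efi";
  keyToolBaseName="KeyTool.efi";
  shellBaseName="Shell.efi";
  defaultFileName="$bootDirName/BOOTx64.efi";
  systemdFileName="$systemdDirName/systemd-bootx64.efi";
  grubFileName="$bootDirName/grubx64.efi";
  mokManagerFileName="$bootDirName/$mokManagerBaseName";
  keyToolFileName="$systemdDirName/$keyToolBaseName";
  shellFileName="$systemdDirName/$shellBaseName";
  espPath=/boot/efi;
  bootPath="$espPath$bootDirName";
  # Was "$esp$defaultFileName" — "$esp" is never set, so shim was copied to
  # /EFI/BOOT/BOOTx64.efi outside the ESP.
  defaultPath="$espPath$defaultFileName";
  microsoftPath="$espPath$microsoftDirName";
  systemdPath="$espPath$systemdFileName";
  mokManagerPath="$espPath$mokManagerFileName";
  keyToolPath="$espPath$keyToolFileName";
  shellPath="$espPath$shellFileName";
  grubPath="$espPath$grubFileName";
  loaderConfPath="$espPath/loader/loader.conf";
  entriesPath="$espPath/loader/entries";

  # Set up files
  # shim looks for grubx64.efi next to itself; that copy of systemd-boot is
  # what actually gets chainloaded.
  cp "$systemdPath" "$grubPath";
  cp "$src/$shimBaseName" "$defaultPath";
  cp "$src/$mokManagerBaseName" "$mokManagerPath";
  cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi "$keyToolPath";

  # NOTE(review): downloaded without integrity verification, like the RPM above.
  wget https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi -O "$shellPath";

  # shim refuses to hand over to a second stage that carries no .sbat section,
  # so one is added to the systemd-boot copy.
  {
    echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md";
    echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io";
  } > sbat.csv;
  # No idea where the `10000000` comes from...
  # Taken from https://github.com/rhboot/shim/issues/376#issuecomment-964137621
  objcopy --set-section-alignment '.sbat=512' --add-section .sbat=sbat.csv --change-section-address .sbat+10000000 "$grubPath";

  # Add boot entries
  # NOTE(review): disk and partition are hard-coded; confirm they match the
  # ESP on the target machine before running.
  efibootmgr --unicode --disk /dev/nvme0n1 --part 0 --create --label "Shim" --loader "$defaultFileName";

  # Configure systemd-boot
  # Only append the timeout once so re-running the script does not pile up
  # duplicate lines.
  if ! grep -qx "timeout 4" "$loaderConfPath" 2>/dev/null
  then
    echo "timeout 4" >> "$loaderConfPath";
  fi

  {
    echo "title MokManager";
    echo "efi $mokManagerFileName";
  } > "$entriesPath/MokManager.conf";

  {
    echo "title KeyTool";
    echo "efi $keyToolFileName";
  } > "$entriesPath/KeyTool.conf";

  # Was written to "Shell.conf:" (trailing colon instead of semicolon), so the
  # entry was never picked up.
  {
    echo "title UEFI Shell";
    echo "efi $shellFileName";
  } > "$entriesPath/Shell.conf";

  # Install surface MOK
  apt install -y linux-surface-secureboot-mok;

  # Install MOK Key
  keyDir="/var/lib/shim-signed/mok";
  mkdir -p "$keyDir";
  chmod 0700 "$keyDir";
  cp "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf";

  # The private key is unencrypted (-nodes) so it can be used non-interactively
  # for signing; keep it readable by root only, since anyone who can read it
  # can sign modules/binaries that this machine will trust once the key is
  # enrolled.
  (
    umask 077;
    openssl req -config "$keyDir/openssl.cnf" \
      -new -x509 -newkey rsa:2048 \
      -nodes -days 36500 -outform DER \
      -keyout "$keyDir/MOK.priv" \
      -out "$keyDir/MOK.der";
  )
  chmod 0600 "$keyDir/MOK.priv";

  # Enrolment is completed by MokManager on the next boot.
  mokutil --import "$keyDir/MOK.der";

  # Remove context directory (the EXIT trap deletes it)
  popd;
fi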