Add an .sbat section to systemd-boot

2022-11-19 00:59:19 +01:00 · 2022-11-19 00:59:19 +01:00 · 377ef4a83a
commit 377ef4a83a
parent ed75215e93
1 changed files with 11 additions and 1 deletions
--- a/scripts/PopOS/secure-boot/install.sh
+++ b/scripts/PopOS/secure-boot/install.sh
@ -31,14 +31,24 @@ else
    systemdDirName=/EFI/systemd
    systemdFullName=$esp$systemdDirName
    systemdFile=$systemdFullName/systemd-bootx64.efi
+    bootFile=$defaultBootDir/grubx64.efi

    # Set up files
-    cp $systemdFile $defaultBootDir/grubx64.efi
+    cp $systemdFile $bootFile
    cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
    cp "$src/mmx64.efi" $defaultBootDir
    cp /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi /boot/efi/EFI/systemd/
    wget https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi -O "$systemdFullName/Shell.efi"

+    {
+        echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
+        echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io"
+    } > sbat.csv
+
+    # No idea where the `10000000` comes from...
+    # Taken from https://github.com/rhboot/shim/issues/376#issuecomment-964137621
+    objcopy --set-section-alignment '.sbat=512' --add-section .sbat=sbat.csv --change-section-address .sbat+10000000 "$bootFile"
+
    # Add boot entries
    efibootmgr --unicode --disk /dev/nvme0n1 --part 0 --create --label "Shim" --loader /EFI/BOOT/BOOTx64.efi