Sign all modules during secure-boot

This commit is contained in:
Manuel Thalmann 2022-11-18 11:41:12 +01:00
parent 2920b5335b
commit 9d331249b9
4 changed files with 58 additions and 1 deletions


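--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1,5 +1,6 @@
 {
 "files.associations": {
-"*.service": "ini"
+"*.service": "ini",
+"*.cnf": "ini"
 }
 }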


@ -1,8 +1,11 @@
#!/bin/bash #!/bin/bash
scriptRoot=$(realpath "${BASH_SOURCE%/*}")
# Elevate script # Elevate script
if [ ! "$UID" -eq 0 ] if [ ! "$UID" -eq 0 ]
then then
sudo bash "$BASH_SOURCE" sudo bash "$BASH_SOURCE"
bash "$scriptRoot/sign-modules.sh"
else else
# Create context directory # Create context directory
workingDirectory="$(pwd)" workingDirectory="$(pwd)"
@ -30,6 +33,7 @@ else
systemdFile=$systemdFullName/systemd-bootx64.efi systemdFile=$systemdFullName/systemd-bootx64.efi
# Set up files # Set up files
cp $systemdFile $defaultBootDir/BOOTx64.efi
mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi
cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
cp "$src/mmx64.efi" $defaultBootDir cp "$src/mmx64.efi" $defaultBootDir
@ -50,6 +54,19 @@ else
# Install surface MOK # Install surface MOK
apt install -y linux-surface-secureboot-mok apt install -y linux-surface-secureboot-mok
# Install MOK Key
keyDir="/var/lib/shim-signed/mok"
mkdir -p "$keyDir"
cp "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"
openssl req -config "$keyDir/openssl.cnf" \
-new -x509 -newkey rsa:2048 \
-nodes -days 36500 -outform DER \
-keyout "$keyDir/MOK.priv" \
-out "$keyDir/MOK.der"
mokutil --import "$keyDir/MOK.der"
# Remove context directory # Remove context directory
cd $workingDirectory cd $workingDirectory
rm -rf $contextRoot rm -rf $contextRoot
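Review bot: The MOK generation at the `openssl req … -keyout "$keyDir/MOK.priv"` line runs unconditionally, so re-running the installer silently replaces an existing MOK.priv/MOK.der: modules signed earlier verify only against the key already enrolled through MokManager, and the replacement gets enrolled as a second, different key. Guard the block with `if [[ ! -e "$keyDir/MOK.priv" ]]; then` … `fi` (or bail out with a message) so an enrolled key is never overwritten by accident. The `-days 36500` validity and the unencrypted `-nodes` key also deserve a one-line comment stating that this key is meant to stay on this machine only, since anyone who can read it can sign modules the kernel will load. The enclosing `else` branch starts before and ends after this hunk.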


@ -0,0 +1,24 @@
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = CH
stateOrProvinceName = Zurich
localityName = Winterthur
0.organizationName = lordgizmo
commonName = Secure Boot Signing
emailAddress = m@nuth.ch
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
nsComment = "Secure Boot Signing"
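Review bot: The `extendedKeyUsage` line carries two bare OIDs with no comment, so a maintainer cannot tell what they grant or whether both are needed. As far as I know, 1.3.6.1.4.1.2312.16.1.2 is the usage shim treats as "module signing only", which keeps this MOK from being accepted for EFI binaries, and 1.3.6.1.4.1.311.10.3.6 is Microsoft's Windows System Component Verification usage; a comment such as `# 1.3.6.1.4.1.2312.16.1.2: shim module-signing-only EKU - this MOK must not validate EFI binaries` above the line would record that intent. The `HOME = .` / `RANDFILE` pair also deserves a note that `.rnd` lands in whatever directory openssl is run from, presumably the installer's temporary context directory.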


@ -0,0 +1,15 @@
#!/bin/bash
# Elevate script
if [ ! "$UID" -eq 0 ]
then
sudo bash "$BASH_SOURCE"
else
keyDir="/var/lib/shim-signed/mok"
keyFile="$keyDir/MOK.priv"
pubFile="$keyDir/MOK.der"
for file in $(find /lib/modules /var/lib/dkms -name *.ko);
do
kmodsign sha512 $keyFile $pubFile $file
done
fi
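Review bot: The `for file in $(find /lib/modules /var/lib/dkms -name *.ko)` loop is fragile: `*.ko` is unquoted, so the shell expands it against the current directory before find ever sees it, and the `$(…)` output is word-split on whitespace. Replace it with a NUL-delimited walk: `find /lib/modules /var/lib/dkms -name '*.ko' -print0 | while IFS= read -r -d '' file; do` / `kmodsign sha512 "$keyFile" "$pubFile" "$file"` / `done`. kmodsign, like sign-file, appends a signature, so each run adds another signature to modules that are already signed, including the distribution's own; if the aim is only the out-of-tree (dkms/surface) modules, consider restricting the search path or skipping modules that already carry a signature. Modules shipped compressed (`.ko.xz`, `.ko.zst`) would not match the pattern at all, which is worth checking against what the installed kernels ship.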