Sign all modules during secure-boot
This commit is contained in:
parent
2920b5335b
commit
9d331249b9
4 changed files with 58 additions and 1 deletions
3
.vscode/settings.json
vendored
3
.vscode/settings.json
vendored
|
@ -1,5 +1,6 @@
|
||||||
{
|
{
|
||||||
"files.associations": {
|
"files.associations": {
|
||||||
"*.service": "ini"
|
"*.service": "ini",
|
||||||
|
"*.cnf": "ini"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,8 +1,11 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
scriptRoot=$(realpath "${BASH_SOURCE%/*}")
|
||||||
|
|
||||||
# Elevate script
|
# Elevate script
|
||||||
if [ ! "$UID" -eq 0 ]
|
if [ ! "$UID" -eq 0 ]
|
||||||
then
|
then
|
||||||
sudo bash "$BASH_SOURCE"
|
sudo bash "$BASH_SOURCE"
|
||||||
|
bash "$scriptRoot/sign-modules.sh"
|
||||||
else
|
else
|
||||||
# Create context directory
|
# Create context directory
|
||||||
workingDirectory="$(pwd)"
|
workingDirectory="$(pwd)"
|
||||||
|
@ -30,6 +33,7 @@ else
|
||||||
systemdFile=$systemdFullName/systemd-bootx64.efi
|
systemdFile=$systemdFullName/systemd-bootx64.efi
|
||||||
|
|
||||||
# Set up files
|
# Set up files
|
||||||
|
cp $systemdFile $defaultBootDir/BOOTx64.efi
|
||||||
mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi
|
mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi
|
||||||
cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
|
cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
|
||||||
cp "$src/mmx64.efi" $defaultBootDir
|
cp "$src/mmx64.efi" $defaultBootDir
|
||||||
|
@ -50,6 +54,19 @@ else
|
||||||
# Install surface MOK
|
# Install surface MOK
|
||||||
apt install -y linux-surface-secureboot-mok
|
apt install -y linux-surface-secureboot-mok
|
||||||
|
|
||||||
|
# Install MOK Key
|
||||||
|
keyDir="/var/lib/shim-signed/mok"
|
||||||
|
mkdir -p "$keyDir"
|
||||||
|
cp "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"
|
||||||
|
|
||||||
|
openssl req -config "$keyDir/openssl.cnf" \
|
||||||
|
-new -x509 -newkey rsa:2048 \
|
||||||
|
-nodes -days 36500 -outform DER \
|
||||||
|
-keyout "$keyDir/MOK.priv" \
|
||||||
|
-out "$keyDir/MOK.der"
|
||||||
|
|
||||||
|
mokutil --import "$keyDir/MOK.der"
|
||||||
|
|
||||||
# Remove context directory
|
# Remove context directory
|
||||||
cd $workingDirectory
|
cd $workingDirectory
|
||||||
rm -rf $contextRoot
|
rm -rf $contextRoot
|
||||||
|
|
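Review bot: The MOK generation in the third hunk (`openssl req … -nodes -keyout "$keyDir/MOK.priv"`) runs unconditionally, so every re-run of the script replaces the private key, leaving modules signed with the previous key unverifiable and queueing another `mokutil --import` enrolment; guarding it with `if [[ ! -f "$keyDir/MOK.priv" ]]; then … fi` makes re-runs idempotent. The key is written unencrypted (`-nodes`, which sign-modules.sh needs in order to run non-interactively) and the script never sets its mode itself, so an explicit `chmod 600 "$keyDir/MOK.priv"` after generation (or `umask 077` around the call) states that intent rather than relying on openssl's defaults. The line added in the second hunk, `cp $systemdFile $defaultBootDir/BOOTx64.efi`, leaves both expansions unquoted, unlike the quoted `cp "$src/…"` lines beside it. The enclosing `if … else` block starts in the first hunk and closes outside the visible hunks.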
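--- a/scripts/PopOS/secure-boot/openssl.cnf
+++ b/scripts/PopOS/secure-boot/openssl.cnf
@@ -0,0 +1,24 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3
+string_mask = utf8only
+prompt = no
+
+[ req_distinguished_name ]
+countryName = CH
+stateOrProvinceName = Zurich
+localityName = Winterthur
+0.organizationName = lordgizmo
+commonName = Secure Boot Signing
+emailAddress = m@nuth.ch
+
+[ v3 ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:FALSE
+extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
+nsComment = "Secure Boot Signing"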
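Review bot: The `extendedKeyUsage` line mixes the named `codeSigning` purpose with two bare numeric OIDs, and nothing in the file says what each one grants or why the MOK needs all three; a one-line comment above it naming the purpose of each OID would let a maintainer judge whether the set is still the minimum required. `RANDFILE = $ENV::HOME/.rnd` combined with `HOME = .` points openssl's seed file at whatever directory the tool is invoked from rather than the user's home; if that setting is only kept for older OpenSSL releases, a comment saying so would stop it being read as a deliberate choice.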
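--- a/scripts/PopOS/secure-boot/sign-modules.sh
+++ b/scripts/PopOS/secure-boot/sign-modules.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Elevate script
+if [ ! "$UID" -eq 0 ]
+then
+sudo bash "$BASH_SOURCE"
+else
+keyDir="/var/lib/shim-signed/mok"
+keyFile="$keyDir/MOK.priv"
+pubFile="$keyDir/MOK.der"
+
+for file in $(find /lib/modules /var/lib/dkms -name *.ko);
+do
+kmodsign sha512 $keyFile $pubFile $file
+done
+fi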
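Review bot: The loop header `for file in $(find /lib/modules /var/lib/dkms -name *.ko);` leaves `*.ko` unquoted, so the shell globs it against the current directory first: if any `.ko` file sits there, find receives that literal name (or several names and errors out) and the script silently signs only the matching modules; the command substitution also word-splits on whitespace in paths. Reading NUL-delimited paths from `find -print0` fixes both, and the `kmodsign` arguments in the loop body should be quoted for the same reason. Nothing checks that `$keyFile` and `$pubFile` exist before the loop, so a missing key pair currently fails once per module instead of once up front. If the target kernel ships compressed modules (`.ko.xz`/`.ko.zst`), the `*.ko` pattern will skip them — worth confirming for the release this is meant for.
```shell
pubFile="$keyDir/MOK.der"
[[ -r "$keyFile" && -r "$pubFile" ]] || { printf '%s\n' "MOK key pair not found in $keyDir" >&2; exit 1; }

while IFS= read -r -d '' file; do
  kmodsign sha512 "$keyFile" "$pubFile" "$file"
done < <(find /lib/modules /var/lib/dkms -name '*.ko' -print0)
# … unchanged: fi …
```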