Sign all modules during secure-boot

2022-11-18 11:41:12 +01:00 · 2022-11-18 11:41:12 +01:00 · 9d331249b9
commit 9d331249b9
parent 2920b5335b
4 changed files with 58 additions and 1 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -1,5 +1,6 @@
 {
    "files.associations": {
-        "*.service": "ini"
+        "*.service": "ini",
+        "*.cnf": "ini"
    }
 }
--- a/scripts/PopOS/secure-boot/install.sh.sh
+++ b/scripts/PopOS/secure-boot/install.sh.sh
@ -1,8 +1,11 @@
 #!/bin/bash
+scriptRoot=$(realpath "${BASH_SOURCE%/*}")
+
 # Elevate script
 if [ ! "$UID" -eq 0 ]
 then
    sudo bash "$BASH_SOURCE"
+    bash "$scriptRoot/sign-modules.sh"
 else
    # Create context directory
    workingDirectory="$(pwd)"
@ -30,6 +33,7 @@ else
    systemdFile=$systemdFullName/systemd-bootx64.efi

    # Set up files
+    cp $systemdFile $defaultBootDir/BOOTx64.efi
    mv $defaultBootDir/BOOTx64.efi $defaultBootDir/grubx64.efi
    cp "$src/shimx64.efi" $defaultBootDir/BOOTx64.efi
    cp "$src/mmx64.efi" $defaultBootDir
@ -50,6 +54,19 @@ else
    # Install surface MOK
    apt install -y linux-surface-secureboot-mok

+    # Install MOK Key
+    keyDir="/var/lib/shim-signed/mok"
+    mkdir -p "$keyDir"
+    cp "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"
+
+    openssl req -config "$keyDir/openssl.cnf" \
+        -new -x509 -newkey rsa:2048 \
+        -nodes -days 36500 -outform DER \
+        -keyout "$keyDir/MOK.priv" \
+        -out "$keyDir/MOK.der"
+
+    mokutil --import "$keyDir/MOK.der"
+
    # Remove context directory
    cd $workingDirectory
    rm -rf $contextRoot
--- a/scripts/PopOS/secure-boot/openssl.cnf
+++ b/scripts/PopOS/secure-boot/openssl.cnf
@ -0,0 +1,24 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+[ req ]
+distinguished_name      = req_distinguished_name
+x509_extensions         = v3
+string_mask             = utf8only
+prompt                  = no
+
+[ req_distinguished_name ]
+countryName             = CH
+stateOrProvinceName     = Zurich
+localityName            = Winterthur
+0.organizationName      = lordgizmo
+commonName              = Secure Boot Signing
+emailAddress            = m@nuth.ch
+
+[ v3 ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer
+basicConstraints        = critical,CA:FALSE
+extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
+nsComment               = "Secure Boot Signing"
--- a/scripts/PopOS/secure-boot/sign-modules.sh
+++ b/scripts/PopOS/secure-boot/sign-modules.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+# Elevate script
+if [ ! "$UID" -eq 0 ]
+then
+    sudo bash "$BASH_SOURCE"
+else
+    keyDir="/var/lib/shim-signed/mok"
+    keyFile="$keyDir/MOK.priv"
+    pubFile="$keyDir/MOK.der"
+
+    for file in $(find /lib/modules /var/lib/dkms -name *.ko);
+    do
+        kmodsign sha512 $keyFile $pubFile $file
+    done
+fi