PortValhalla/scripts/PopOS/secure-boot/install.sh


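#!/bin/bash
# Install a Secure Boot chain on Pop!_OS:
#   firmware -> shim (Microsoft-signed, taken from Fedora's koji build)
#            -> systemd-boot (copied to grubx64.efi, the name shim chain-loads)
#            -> kernel
# On top of that it gives the systemd-boot copy a .sbat section so shim's SBAT
# check accepts it, generates a Machine Owner Key (MOK) for signing, and adds
# boot-menu entries for MokManager, KeyTool and the UEFI shell.
#
# Run as a normal user: the script re-executes itself under sudo and, when the
# privileged half succeeded, runs sign-modules.sh (next to this file) as the
# invoking user. openssl.cnf must also sit next to this file.
#
# Optional environment (forwarded through sudo):
#   ESP_DISK / ESP_PART  disk and partition for the efibootmgr entry
#                        (default /dev/nvme0n1 / 0, the values this script
#                        originally hard-coded)
#   SHIM_SHA256          expected sha256 of the shim RPM; when set, the
#                        download is checked against it before extraction.
set -euo pipefail

# Directory of this script. `realpath` on the whole path first, then dirname:
# stripping "/*" from a bare "install.sh" (invoked from its own directory)
# yields the file itself, not its directory.
scriptRoot=$(dirname "$(realpath "${BASH_SOURCE[0]}")")

if [ "$UID" -ne 0 ]; then
  # Elevate. sudo's env_reset drops our optional variables, so pass them
  # explicitly. `set -e` stops here if the privileged run fails, so a broken
  # ESP is never followed by a signing pass.
  sudo env SHIM_SHA256="${SHIM_SHA256:-}" ESP_DISK="${ESP_DISK:-}" ESP_PART="${ESP_PART:-}" \
    bash "${BASH_SOURCE[0]}"
  bash "$scriptRoot/sign-modules.sh"
  exit 0
fi

# Scratch directory for the RPM; removed on every exit path.
workingDirectory="$(pwd)"
contextRoot="$(mktemp -d)"
cleanup() {
  cd "$workingDirectory" || true
  rm -rf -- "${contextRoot:?}"
}
trap cleanup EXIT
cd "$contextRoot"

packageName="shim.rpm"
shimUrl="https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm"
shimSha256="${SHIM_SHA256:-}"

# Prerequisites. binutils provides the objcopy used for the .sbat section.
apt install -y wget rpm2cpio efitools binutils

# Download and extract shim. The binary carries a Microsoft signature that the
# firmware verifies under Secure Boot, but that does not protect a truncated
# or swapped download from being written to the ESP, so verify here when a
# hash was supplied. The version is pinned; older shim releases get revoked
# via SBAT updates over time, so confirm 15.6 is still acceptable before use.
wget "$shimUrl" -O "$packageName"
if [ -n "$shimSha256" ]; then
  printf '%s  %s\n' "$shimSha256" "$packageName" | sha256sum -c -
fi
rpm2archive "$packageName"
tar -xvzf "$packageName.tgz"
rm -f -- "$packageName" "$packageName.tgz"

# Paths
src="./boot/efi/EFI/fedora"
esp=/boot/efi
defaultBootDir="$esp/EFI/BOOT"
systemdDirName=/EFI/systemd
systemdFullName="$esp$systemdDirName"
systemdFile="$systemdFullName/systemd-bootx64.efi"
bootFile="$defaultBootDir/grubx64.efi"

# Lay out the ESP. shim loads grubx64.efi from its own directory, so
# systemd-boot is installed under that name. Unlike shim it is not
# Microsoft-signed: it must be signed with the MOK generated below (the job of
# sign-modules.sh) or shim will refuse to start it.
mkdir -p "$defaultBootDir" "$systemdFullName" "$esp/loader/entries"
cp -- "$systemdFile" "$bootFile"
cp -- "$src/shimx64.efi" "$defaultBootDir/BOOTx64.efi"
cp -- "$src/mmx64.efi" "$defaultBootDir/"
cp -- /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi "$systemdFullName/"
# NOTE(review): the UEFI shell is fetched unsigned and exposed as a boot-menu
# entry. Under Secure Boot shim only launches it once it is signed with an
# enrolled key - and a signed interactive shell lets anyone at the console run
# arbitrary EFI code. Leave it unsigned, or drop the entry on machines that
# must resist physical access.
wget https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi -O "$systemdFullName/Shell.efi"

# shim's SBAT check rejects a second-stage binary without a .sbat section, so
# add one to the systemd-boot copy. The "+10000000" relocates the new section
# past the existing ones; the value comes from the linked shim issue rather
# than from this binary, so confirm with `objdump -h "$bootFile"` that .sbat
# does not overlap another section.
# https://github.com/rhboot/shim/issues/376#issuecomment-964137621
{
  echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
  echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io"
} > sbat.csv
objcopy --set-section-alignment '.sbat=512' --add-section .sbat=sbat.csv \
  --change-section-address .sbat+10000000 "$bootFile"

# Firmware boot entry pointing at shim.
# NOTE(review): `--create` adds a fresh entry on every run, so reruns leave
# duplicates (check `efibootmgr -v`). A partition of 0 also looks suspicious -
# EFI partition numbers are 1-based (efibootmgr defaults to 1) - so verify the
# entry actually resolves to the ESP after the first run.
espDisk="${ESP_DISK:-/dev/nvme0n1}"
espPart="${ESP_PART:-0}"
efibootmgr --unicode --disk "$espDisk" --part "$espPart" --create --label "Shim" --loader /EFI/BOOT/BOOTx64.efi

# systemd-boot menu. The timeout is appended only if not already present so
# reruns do not stack duplicate lines.
loaderConf="$esp/loader/loader.conf"
grep -qx "timeout 4" "$loaderConf" 2>/dev/null || echo "timeout 4" >> "$loaderConf"
printf 'title MokManager\nefi /EFI/BOOT/mmx64.efi\n' > "$esp/loader/entries/MokManager.conf"
printf 'title KeyTool\nefi /EFI/systemd/KeyTool.efi\n' > "$esp/loader/entries/KeyTool.conf"
printf 'title UEFI Shell\nefi /EFI/systemd/Shell.efi\n' > "$esp/loader/entries/Shell.conf"

# Surface kernel MOK (linux-surface packaging).
apt install -y linux-surface-secureboot-mok

# Machine Owner Key used to sign systemd-boot and out-of-tree modules.
# Reuse an existing pair: regenerating would orphan everything already signed
# and the MOK already enrolled. The private key is stored unencrypted (-nodes)
# because signing is scripted, so it is created under umask 077 (0600, root
# only). 36500 days (~100 years) means it never expires in practice; shorten
# it if key rotation is wanted.
keyDir="/var/lib/shim-signed/mok"
mkdir -p "$keyDir"
cp -- "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"
if [ -s "$keyDir/MOK.priv" ] && [ -s "$keyDir/MOK.der" ]; then
  echo "Reusing existing MOK in $keyDir" >&2
else
  (
    umask 077
    openssl req -config "$keyDir/openssl.cnf" \
      -new -x509 -newkey rsa:2048 \
      -nodes -days 36500 -outform DER \
      -keyout "$keyDir/MOK.priv" \
      -out "$keyDir/MOK.der"
  )
fi
# Queues the enrollment (prompts for a one-time password); it is completed
# interactively in MokManager on the next boot.
mokutil --import "$keyDir/MOK.der"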