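#!/bin/bash
#
# Install a Fedora-built shim as the default EFI loader, chain-load
# systemd-boot through it, add MokManager / KeyTool / UEFI Shell entries,
# install the linux-surface MOK and generate a local MOK for module signing.
#
# Expects next to this script:
#   openssl.cnf     - request config for the generated MOK certificate
#   sign-modules.sh - run as the invoking (non-root) user once the root
#                     part has finished
#
# Optional environment:
#   ESP_DISK, ESP_PART  - passed to efibootmgr --disk / --part
#                         (default /dev/nvme0n1 / 0, the former hard-coded values)
#   SHIM_RPM_SHA256     - expected SHA-256 of the downloaded shim RPM
#   UEFI_SHELL_SHA256   - expected SHA-256 of the downloaded Shell.efi
# When a digest is set the download is rejected on mismatch; when unset the
# file is used as fetched (TLS only, no content pinning).
set -euo pipefail

# dirname rather than ${BASH_SOURCE%/*}: the latter yields the script's own
# name (not its directory) when invoked without a slash in the path.
scriptRoot="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"

#######################################
# Verify a downloaded file against an expected SHA-256, if one was given.
# Arguments: $1 - file, $2 - expected hex digest (empty = skip the check)
# Returns:   0 when the digest matches or no digest was supplied;
#            sha256sum's non-zero status otherwise (aborts under set -e)
#######################################
verify_sha256() {
  local file=$1 expected=$2
  [ -n "$expected" ] || return 0
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null
}

#######################################
# Write a systemd-boot loader entry.
# Arguments: $1 - entry file path, $2 - title, $3 - EFI path on the ESP
# Outputs:   overwrites $1 with "title ..." / "efi ..." lines
#######################################
write_entry() {
  local file=$1 title=$2 efi=$3
  printf '%s\n' "title $title" "efi $efi" > "$file"
}

# Elevate script: the root run performs the installation; module signing
# afterwards runs as the invoking user. Under set -e a failed root run aborts
# here instead of signing modules against a half-configured ESP. sudo resets
# the environment, so the optional settings are handed over explicitly.
if [ "$UID" -ne 0 ]; then
  sudo env \
    ESP_DISK="${ESP_DISK:-}" ESP_PART="${ESP_PART:-}" \
    SHIM_RPM_SHA256="${SHIM_RPM_SHA256:-}" \
    UEFI_SHELL_SHA256="${UEFI_SHELL_SHA256:-}" \
    bash "${BASH_SOURCE[0]}"
  bash "$scriptRoot/sign-modules.sh"
else
  # Create context directory; the trap removes it on every exit path,
  # including failures part-way through.
  contextRoot="$(mktemp -d)"
  trap 'rm -rf -- "${contextRoot:?}"' EXIT
  packageName="shim.rpm"
  pushd "$contextRoot"

  # Install Prerequisites
  apt install -y wget rpm2cpio efitools

  # Download and Extract Package
  shimRpmUrl="https://kojipkgs.fedoraproject.org/packages/shim/15.6/2/x86_64/shim-x64-15.6-2.x86_64.rpm"
  wget "$shimRpmUrl" -O "$packageName"
  verify_sha256 "$packageName" "${SHIM_RPM_SHA256:-}"
  rpm2archive "$packageName"
  tar -xvzf "$packageName.tgz"
  rm -f -- "$packageName" "$packageName.tgz"

  # Initialize variables
  src="./boot/efi/EFI/fedora"
  esp=/boot/efi
  defaultBootDir="$esp/EFI/BOOT"
  entriesDir="$esp/loader/entries"

  systemdDirName=/EFI/systemd
  systemdFullName="$esp$systemdDirName"
  systemdFile="$systemdFullName/systemd-bootx64.efi"
  bootFile="$defaultBootDir/grubx64.efi"

  # Set up files. systemd-boot is copied under the name grubx64.efi,
  # presumably because that is the second-stage loader shim looks for.
  mkdir -p -- "$defaultBootDir" "$systemdFullName" "$entriesDir"
  cp -- "$systemdFile" "$bootFile"
  cp -- "$src/shimx64.efi" "$defaultBootDir/BOOTx64.efi"
  cp -- "$src/mmx64.efi" "$defaultBootDir"
  cp -- /usr/lib/efitools/x86_64-linux-gnu/KeyTool.efi "$systemdFullName/"
  uefiShellUrl="https://github.com/tianocore/edk2-archive/raw/master/ShellBinPkg/UefiShell/X64/Shell.efi"
  wget "$uefiShellUrl" -O "$systemdFullName/Shell.efi"
  verify_sha256 "$systemdFullName/Shell.efi" "${UEFI_SHELL_SHA256:-}"

  # Graft an SBAT section onto the renamed loader (see the linked issue).
  {
    echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"
    echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io"
  } > sbat.csv

  # No idea where the `10000000` comes from...
  # Taken from https://github.com/rhboot/shim/issues/376#issuecomment-964137621
  objcopy --set-section-alignment '.sbat=512' --add-section .sbat=sbat.csv \
    --change-section-address .sbat+10000000 "$bootFile"

  # Add boot entries
  # NOTE(review): --disk/--part used to be hard-coded to /dev/nvme0n1 / 0.
  # efibootmgr appears to number partitions from 1; confirm that 0 is
  # really the intended ESP partition before relying on the default.
  efibootmgr --unicode --disk "${ESP_DISK:-/dev/nvme0n1}" \
    --part "${ESP_PART:-0}" --create --label "Shim" \
    --loader /EFI/BOOT/BOOTx64.efi

  # Configure systemd-boot
  echo "timeout 4" >> "$esp/loader/loader.conf"

  # The Shell entry previously ended in ':' instead of ';', which created a
  # file literally named "Shell.conf:" that systemd-boot never picked up.
  write_entry "$entriesDir/MokManager.conf" "MokManager" /EFI/BOOT/mmx64.efi
  write_entry "$entriesDir/KeyTool.conf" "KeyTool" /EFI/systemd/KeyTool.efi
  write_entry "$entriesDir/Shell.conf" "UEFI Shell" /EFI/systemd/Shell.efi

  # Install surface MOK
  apt install -y linux-surface-secureboot-mok

  # Install MOK Key
  keyDir="/var/lib/shim-signed/mok"
  mkdir -p -- "$keyDir"
  cp -- "$scriptRoot/openssl.cnf" "$keyDir/openssl.cnf"

  openssl req -config "$keyDir/openssl.cnf" \
    -new -x509 -newkey rsa:2048 \
    -nodes -days 36500 -outform DER \
    -keyout "$keyDir/MOK.priv" \
    -out "$keyDir/MOK.der"
  # -nodes leaves the signing key unencrypted on disk; restrict it to root.
  # NOTE(review): sign-modules.sh must then read it with root privileges —
  # confirm against that script.
  chmod 0600 -- "$keyDir/MOK.priv"

  mokutil --import "$keyDir/MOK.der"

  # Leave the context directory; the EXIT trap deletes it.
  popd
fi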