authortleydxdy2021-08-19 15:37:04 -0400
committertleydxdy2021-08-19 15:37:04 -0400
commit5bba56f143242d02a2c8134c243c475bd386b277 (patch)
tree06c858301c5396e152b40deb632e7ff886a83c83
downloadaur-5bba56f143242d02a2c8134c243c475bd386b277.tar.gz
first commit
-rw-r--r--.SRCINFO30
-rw-r--r--.gitignore5
-rw-r--r--55-efi-key.hook12
-rw-r--r--60-dracut-remove.hook10
-rw-r--r--90-dracut-install.hook12
-rw-r--r--99-secureboot.conf2
-rw-r--r--PKGBUILD43
-rwxr-xr-xdracut-install51
-rwxr-xr-xdracut-remove8
-rwxr-xr-xefi-key8
-rw-r--r--efi-key.conf6
-rwxr-xr-xlinuxx64.efi.stubbin0 -> 57218 bytes
12 files changed, 187 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..40b7dbfd2520
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,30 @@
+pkgbase = dracut-sb
+ pkgdesc = dracut secure boot setup using efistub
+ pkgver = 1.0.0
+ pkgrel = 1
+ arch = any
+ depends = dracut
+ depends = efitools
+ depends = efibootmgr
+ depends = sbsigntools
+ backup = etc/pacman.d/hooks/efi-key.conf
+ source = 55-efi-key.hook
+ source = 60-dracut-remove.hook
+ source = 90-dracut-install.hook
+ source = 99-secureboot.conf
+ source = dracut-install
+ source = dracut-remove
+ source = efi-key
+ source = efi-key.conf
+ source = linuxx64.efi.stub
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
+
+pkgname = dracut-sb
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..1df499f4267a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*.tar.zst
+*.tar.xz
+*.tar.gz
+/pkg
+/src
diff --git a/55-efi-key.hook b/55-efi-key.hook
new file mode 100644
index 000000000000..1670bbdddeb2
--- /dev/null
+++ b/55-efi-key.hook
@@ -0,0 +1,12 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Target = usr/lib/modules/*/pkgbase
+Target = usr/lib/dracut/*
+
+[Action]
+Description = Waiting for EFI signing key...
+When = PreTransaction
+Exec = /usr/local/share/libalpm/scripts/efi-key
+NeedsTargets
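Review bot: `Type = File` on the second line of this hook differs from the `Type = Path` used by 60-dracut-remove.hook and 90-dracut-install.hook; `File` is the older spelling that the alpm-hooks documentation lists as deprecated, so the three hooks should agree on `Type = Path`. Because this hook runs PreTransaction and its script waits with no upper bound, every dracut or kernel transaction blocks until the key device or skip file appears; the Description already hints at that, but the wording `Waiting for EFI signing key (touch the skip file to continue)...` would tell the user what to do without reading the script.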
diff --git a/60-dracut-remove.hook b/60-dracut-remove.hook
new file mode 100644
index 000000000000..f88ee0cae581
--- /dev/null
+++ b/60-dracut-remove.hook
@@ -0,0 +1,10 @@
+[Trigger]
+Type = Path
+Operation = Remove
+Target = usr/lib/modules/*/pkgbase
+
+[Action]
+Description = Removing dracut modules...
+When = PreTransaction
+Exec = /usr/local/share/libalpm/scripts/dracut-remove
+NeedsTargets
diff --git a/90-dracut-install.hook b/90-dracut-install.hook
new file mode 100644
index 000000000000..46daea1d7c47
--- /dev/null
+++ b/90-dracut-install.hook
@@ -0,0 +1,12 @@
+[Trigger]
+Type = Path
+Operation = Install
+Operation = Upgrade
+Target = usr/lib/modules/*/pkgbase
+Target = usr/lib/dracut/*
+
+[Action]
+Description = Updating dracut modules...
+When = PostTransaction
+Exec = /usr/local/share/libalpm/scripts/dracut-install
+NeedsTargets
diff --git a/99-secureboot.conf b/99-secureboot.conf
new file mode 100644
index 000000000000..a94be6b9ff14
--- /dev/null
+++ b/99-secureboot.conf
@@ -0,0 +1,2 @@
+uefi_secureboot_cert="/dev/shm/efikeys/db.crt"
+uefi_secureboot_key="/dev/shm/efikeys/db.key"
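Review bot: Both paths hard-code `/dev/shm/efikeys`, the same directory that efi-key.conf defines as `efikey_dir`; editing one file without the other leaves dracut signing with a key path that no longer exists, and because this file is not listed in `backup=` in the PKGBUILD, a package upgrade overwrites a local edit here. A comment such as `# must match efikey_dir in /etc/pacman.d/hooks/efi-key.conf` would make the coupling visible to whoever changes either file.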
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..c9b53979574f
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,43 @@
+# Maintainer: tleydxdy <shironeko(at)waifu(dot)club>
+
+pkgname=dracut-sb
+pkgver=1.0.0
+pkgrel=1
+pkgdesc='dracut secure boot setup using efistub'
+arch=('any')
+depends=('dracut' 'efitools' 'efibootmgr' 'sbsigntools')
+backup=('etc/pacman.d/hooks/efi-key.conf')
+source=('55-efi-key.hook'
+'60-dracut-remove.hook'
+'90-dracut-install.hook'
+'99-secureboot.conf'
+'dracut-install'
+'dracut-remove'
+'efi-key'
+'efi-key.conf'
+'linuxx64.efi.stub')
+sha256sums=('SKIP'
+'SKIP'
+'SKIP'
+'SKIP'
+'SKIP'
+'SKIP'
+'SKIP'
+'SKIP'
+'SKIP')
+
+package() {
+ install -Dm644 "${srcdir}"/55-efi-key.hook "${pkgdir}"/etc/pacman.d/hooks/55-efi-key.hook
+ install -Dm644 "${srcdir}"/60-dracut-remove.hook "${pkgdir}"/etc/pacman.d/hooks/60-dracut-remove.hook
+ install -Dm644 "${srcdir}"/90-dracut-install.hook "${pkgdir}"/etc/pacman.d/hooks/90-dracut-install.hook
+
+ install -Dm644 "${srcdir}"/99-secureboot.conf "${pkgdir}"/etc/dracut.conf.d/99-secureboot.conf
+
+ install -Dm755 "${srcdir}"/dracut-install "${pkgdir}"/usr/local/share/libalpm/scripts/dracut-install
+ install -Dm755 "${srcdir}"/dracut-remove "${pkgdir}"/usr/local/share/libalpm/scripts/dracut-remove
+
+ install -Dm755 "${srcdir}"/efi-key "${pkgdir}"/usr/local/share/libalpm/scripts/efi-key
+ install -Dm644 "${srcdir}"/efi-key.conf "${pkgdir}"/etc/pacman.d/hooks/efi-key.conf
+
+ install -Dm755 "${srcdir}"/linuxx64.efi.stub "${pkgdir}"/usr/bin/gummiboot/linuxx64.efi.stub
+}
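Review bot: `linuxx64.efi.stub` is a 57 KB binary committed to the repository with `sha256sums=('SKIP')` and no statement of where it was built from, so a user of this secure-boot package cannot verify the stub that every signed kernel image will embed; a pinned checksum plus a comment naming its origin (or fetching it from the upstream source package instead of vendoring it) would give the chain a verifiable root. Line 179 installs it to `/usr/bin/gummiboot/linuxx64.efi.stub`, a data file under /usr/bin; unless a local dracut configuration points there, I would expect dracut to look under `/usr/lib/gummiboot/` or `/usr/lib/systemd/boot/efi/` — confirm against the dracut version in use. The hook scripts go under `/usr/local/share/libalpm/scripts/` (lines 173–176), whereas packaged files conventionally stay out of /usr/local; `/usr/share/libalpm/scripts/` is the usual location, with the three hooks' `Exec` lines updated to match.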
diff --git a/dracut-install b/dracut-install
new file mode 100755
index 000000000000..6ac373480300
--- /dev/null
+++ b/dracut-install
@@ -0,0 +1,51 @@
+#!/bin/bash -e
+
+. /etc/pacman.d/hooks/efi-key.conf
+
+kernels=()
+dracut_update=0
+
+while read -r line; do
+ if [[ $line != 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then
+ dracut_update=1 # Dracut files have been updated
+ continue
+ fi
+
+ read -r pkgbase < "/${line}"
+ kernels+=("${pkgbase}")
+done
+
+if (( dracut_update )); then
+ kernels=()
+ for file in /lib/modules/*/pkgbase; do
+ if read -r pkgbase &> /dev/null < "$file"; then
+ kernels+=("${pkgbase}")
+ fi
+ done
+fi
+
+if [ -b "${efikey}" ]; then
+ mount ${efikey_opt} "${efikey}" "${efikey_dir}"
+fi
+
+for kernel in "${kernels[@]}"; do
+ path="$(grep -lE "^${kernel}\$" /usr/lib/modules/*/pkgbase)"
+ version=$(basename "${path%/pkgbase}")
+ read -r pkgbase < "$path"
+
+ echo ":: Building initramfs for $kernel-$version"
+ dracut -fMqH --uefi "/boot/${kernel}.efi" "${version}"
+ echo ":: Building fallback initramfs for $kernel-$version"
+ dracut -fMq --uefi "/boot/${kernel}-fallback.efi" "${version}"
+ if [ ! -b "${efikey}" ]; then
+ echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'
+ echo '!!!! WE DID NOT SIGN THE KERNEL !!!!'
+ echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'
+ echo 'sign manually with:'
+ echo "sbsign --key \"${efikey_dir}/db.key\" --cert \"${efikey_dir}/db.crt\" --output \"${args[2]}\" \"${args[2]}\""
+ fi
+done
+
+if [ -b "${efikey}" ]; then
+ umount "${efikey_dir}"
+fi
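Review bot: `${args[2]}` on line 231 is never assigned anywhere in this script, so the manual-signing hint prints an empty `--output` and input path exactly when the user needs it; it should name the images just built, e.g. `echo "sbsign --key \"${efikey_dir}/db.key\" --cert \"${efikey_dir}/db.crt\" --output \"/boot/${kernel}.efi\" \"/boot/${kernel}.efi\""` plus the same line for `/boot/${kernel}-fallback.efi`. The key device mounted on line 214 is only released by the final `umount` on line 236, so under `-e` any dracut failure inside the loop exits with the private signing key still mounted on /dev/shm; registering `trap 'umount "${efikey_dir}"' EXIT` right after the mount (and dropping the trailing `umount`) closes that gap. Two smaller points: `read -r pkgbase < "$path"` on line 220 assigns a variable that is never used, and `grep -lE "^${kernel}\$"` on line 218 treats the pkgbase value as a regex and may return several paths; `grep -lxF -- "$kernel"` is the literal whole-line match intended.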
diff --git a/dracut-remove b/dracut-remove
new file mode 100755
index 000000000000..106987b3f490
--- /dev/null
+++ b/dracut-remove
@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+while read -r line; do
+ if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then
+ read -r pkgbase < "/${line}"
+ rm -f "/boot/vmlinuz-${pkgbase}" "/boot/${pkgbase}.efi" "/boot/${pkgbase}-fallback.efi"
+ fi
+done
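Review bot: `rm -f "/boot/vmlinuz-${pkgbase}"` on line 249 deletes a file that nothing in this package creates — dracut-install writes only `/boot/${kernel}.efi` and `/boot/${kernel}-fallback.efi` — so it is either a leftover from a template or silently removes a file owned by another initramfs hook; a comment saying which, or dropping that first argument, would keep the remove hook symmetric with the install hook. `#!/bin/bash -e` here, in dracut-install and in efi-key relies on the shebang for `-e`, which is lost if the scripts are ever invoked as `bash dracut-remove`; `set -e` as the first line of the body is the robust form.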
diff --git a/efi-key b/efi-key
new file mode 100755
index 000000000000..3a19e025b8cf
--- /dev/null
+++ b/efi-key
@@ -0,0 +1,8 @@
+#!/bin/bash -e
+
+. /etc/pacman.d/hooks/efi-key.conf
+
+mkdir -p "${efikey_dir}"
+echo "To skip signing run \"touch ${skip_file}\""
+while [ ! -b "${efikey}" -a ! -e "${skip_file}" ]; do sleep 5; done
+if [ -e "${skip_file}" ]; then rm "${skip_file}"; fi
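Review bot: `mkdir -p "${efikey_dir}"` on line 262 succeeds silently when `/dev/shm/efikeys` already exists, and since /dev/shm is a world-writable tmpfs, a directory pre-created there by another local user would be accepted as the mount point for the signing key and as the place where `skip_file` is honoured; checking ownership after creation, `[[ -O "${efikey_dir}" ]] || exit 1`, or keeping the directory under a root-owned tmpfs such as /run, removes that dependency on whoever created it first (the same path is hard-coded in 99-secureboot.conf). The wait on line 264 uses the deprecated `-a` inside `[ ]`; `while [[ ! -b "${efikey}" && ! -e "${skip_file}" ]]; do sleep 5; done` is the equivalent bash test. The loop has no upper bound, so a pacman transaction blocks indefinitely until the device or skip file appears — consistent with the hook's description, but worth a one-line comment above line 264 so the next reader does not take it for a hang.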
diff --git a/efi-key.conf b/efi-key.conf
new file mode 100644
index 000000000000..2ba488b16af5
--- /dev/null
+++ b/efi-key.conf
@@ -0,0 +1,6 @@
+#efikey=/dev/disk/by-uuid/11111111-2222-3333-4444-555555555555
+if [ -z "${efikey}" ]; do
+ echo "please configure the efikey in $( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd)" && exit 1
+efikey_opt="-o subvol=dickeys"
+efikey_dir=/dev/shm/efikeys
+skip_file=${efikey_dir}/skip-boot-signing
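Review bot: The guard on line 273 is not valid shell — `if [ -z "${efikey}" ]; do` needs `then`, and no `fi` closes the block — so sourcing this file from dracut-install and efi-key fails with a syntax error before any variable below it is set; it should read `if [ -z "${efikey}" ]; then`, then the echo/exit line, then `fi`. With `efikey` commented out on line 272 the guard, once it parses, always fires, which is presumably the intended "please configure" behaviour, though the `exit 1` terminates the sourcing pacman hook rather than just this file. The message names the directory this file lives in rather than the file itself; `${BASH_SOURCE[0]}` alone points at the exact path to edit.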
diff --git a/linuxx64.efi.stub b/linuxx64.efi.stub
new file mode 100755
index 000000000000..e911f624f27b
--- /dev/null
+++ b/linuxx64.efi.stub
Binary files differ