authorДамјан Георгиевски2020-09-17 00:13:34 +0200
committerДамјан Георгиевски2020-09-17 00:13:34 +0200
commit7ae38f9c9d287f0b85bec5a8f6df38454c5172c9 (patch)
tree04c6734778b02ecbee9c131670636e5f5010c2fd
parente904c3de8c222e48e74d076c621f17391724d883 (diff)
downloadaur-secure-boot.tar.gz
update to 1.5.0
with this commit, the program is installed from a github tarball.
-rw-r--r--.SRCINFO12
-rw-r--r--95-secure-boot.install18
-rw-r--r--PKGBUILD11
-rw-r--r--README.md89
-rw-r--r--fwupd.hook11
-rw-r--r--secure-boot115
-rw-r--r--secure-boot.hook14
7 files changed, 7 insertions, 263 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 5c49bfa75249..f49797e2951b 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = secure-boot
pkgdesc = secure-boot tool
- pkgver = 1.4.1
+ pkgver = 1.5.0
pkgrel = 1
url = https://github.com/gdamjan/secure-boot
arch = any
@@ -12,14 +12,8 @@ pkgbase = secure-boot
depends = util-linux
depends = binutils
depends = systemd
- source = secure-boot
- source = secure-boot.hook
- source = fwupd.hook
- source = 95-secure-boot.install
- sha256sums = d1dcbc4fcc42bfe2e506d87ee383174c59b8f5d34786ee90169a7b3e1682cf72
- sha256sums = dbf3eb8f6424a44022ee5e8962388f6f73db9176ac0857d43ef4c95015c3d88b
- sha256sums = 70466aa19cb38aedb210fb16a893f317412c9fc6f15169958583709d2954c67b
- sha256sums = 62da3ec34fa9370d6877fe371e3536bab6255b2fb5353ef6c0e1adf4c555adcf
+ source = https://github.com/gdamjan/secure-boot/archive/v1.5.0.tar.gz
+ sha256sums = 156ca6399263b7df3feae69e90a12c06cb8552d732c43560b23e214a13c0cded
pkgname = secure-boot
diff --git a/95-secure-boot.install b/95-secure-boot.install
deleted file mode 100644
index ab921d12c764..000000000000
--- a/95-secure-boot.install
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-# kernel-install hook
-# https://www.freedesktop.org/software/systemd/man/kernel-install.html
-
-# note: this hook must run after 50-mkinitcpio.install because it creates "$3"/initrd
-
-case "$1" in
- add)
- secure-boot KERNEL="$2" INITRAMFS="$3"/initrd install
- ;;
- remove)
- # this is not implemented yet
- # secure-boot KERNEL="$2" INITRAMFS="$3"/initrd remove
- ;;
-esac
-
-
-# vim: set ft=sh ts=4 sw=4 et:
diff --git a/PKGBUILD b/PKGBUILD
index 8887229c6cb8..6742d3edccf6 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,6 +1,6 @@
# Maintainer: Damjan Georgievski <gdamjan@gmail.com>
pkgname=secure-boot
-pkgver=1.4.1
+pkgver=1.5.0
pkgrel=1
epoch=
pkgdesc="secure-boot tool"
@@ -19,11 +19,11 @@ backup=()
options=()
install=
changelog=
-source=("secure-boot" "secure-boot.hook" "fwupd.hook" "95-secure-boot.install" )
+source=("${url}/archive/v${pkgver}.tar.gz")
noextract=()
package() {
- cd "${srcdir}"
+ cd ${pkgname}-${pkgver}
install -dm700 "${pkgdir}"/etc/secure-boot
install -Dm755 secure-boot "${pkgdir}"/usr/bin/secure-boot
install -Dm644 secure-boot.hook "${pkgdir}"/usr/share/libalpm/hooks/99-secure-boot.hook
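Review bot: The new `cd ${pkgname}-${pkgver}` is unquoted and relative, where the line it replaces quoted `"${srcdir}"`; `cd "${srcdir}/${pkgname}-${pkgver}"` keeps package() independent of the caller's working directory and of word splitting. The new source entry is also saved under the bare name `v1.5.0.tar.gz`, which can clash with other packages' downloads in a shared `SRCDEST`; giving it a unique local name, `source=("${pkgname}-${pkgver}.tar.gz::${url}/archive/v${pkgver}.tar.gz")`, avoids that, and `.SRCINFO` would need regenerating to match. package() continues past the end of this hunk.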
@@ -31,7 +31,4 @@ package() {
install -Dm644 95-secure-boot.install "${pkgdir}"/usr/lib/kernel/install.d/95-secure-boot.install
}
-sha256sums=('d1dcbc4fcc42bfe2e506d87ee383174c59b8f5d34786ee90169a7b3e1682cf72'
- 'dbf3eb8f6424a44022ee5e8962388f6f73db9176ac0857d43ef4c95015c3d88b'
- '70466aa19cb38aedb210fb16a893f317412c9fc6f15169958583709d2954c67b'
- '62da3ec34fa9370d6877fe371e3536bab6255b2fb5353ef6c0e1adf4c555adcf')
+sha256sums=('156ca6399263b7df3feae69e90a12c06cb8552d732c43560b23e214a13c0cded')
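Review bot: The single `sha256sums` entry is now the only integrity anchor for everything the package installs, including the `secure-boot` program that the pacman hook executes after transactions, and it is computed over a forge-generated archive of a tag rather than over files kept in the packaging repository. A moved tag would fail the checksum, which is the right outcome, but nothing here ties the archive to the upstream author. If upstream signs its tags (not visible on this page), a git source with the `?signed` fragment plus a `validpgpkeys=()` entry would add that. Otherwise a comment above the array, such as `# sha256 of the GitHub-generated tag archive; compare against a reviewed checkout when bumping pkgver`, would record the maintainer step. This hunk starts inside package(), whose opening line is in the previous hunk.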
diff --git a/README.md b/README.md
deleted file mode 100644
index 7e5e938b4705..000000000000
--- a/README.md
+++ /dev/null
@@ -1,89 +0,0 @@
-# UEFI SecureBoot on ArchLinux
-
-
-## Rationale
-
-I want full control at what boots the computer to avoid the so called [_evil maid attack_](https://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html). That requires setting SecureBoot with only my own keys. SecureBoot protects the computer from tampering with the installed OS and boot files, while it's left powered off outside our view. It's not a substitute for disk encryption though, it's an addition to it.
-
-
-## Quick Start
-
-* `secure-boot keys` will create the keys in `/etc/secure-boot/` - make sure no-one can access them!
-
-The `*.auth` files **must be enrolled** in the UEFI firmware the first time. Unfortunately this procedure
-depends on the hardware i.e. the BIOS/UEFI (see below for a Thinkpad).
-
-* `secure-boot update` will update the EFI executable in `/boot/Efi/Secure/combined-boot-signed.efi`
-* `secure-boot install` will run update and add an entry to the EFI boot list for the newly created image
-
-`secure-boot.hook` is installed as a pacman hook that runs `secure-boot update` when `linux` package is updated. You can
-use that file as a template for other kernels too (this procedure should converge to systemds kernel-install).
-
-
-## Configuration
-
-Options can be put in `/etc/secure-boot/config.mk` (in makefile format). See the top lines of [secure-boot](secure-boot) for the
-possible options. You can also specify them on the command line:
-
-* `secure-boot KERNEL=linux-lts update` will sign and setup the -lts kernel (also linux-git, linux-zen, etc) - but make sure to setup
- the pacman hook for those too.
-* by default the script expects a cpu microcode archive exists at `/boot/intel-ucode.img`, and packs it to the common initramfs.
- Use `secure-boot UCODE= update` to disable it.
-
-
-## Intro
-
-To simplify, I boot Linux directly from UEFI (no intermediate bootloaders).
-
-UEFI can only boot a single efi executable, but to boot Linux you also need one or more initramfs (including intel micro-code) and a command line[1].
-So all of these things have to be combined with `objcopy`. The combined file is then signed.
-
-Alternatively I'd need to use grub2 or some other bootloader that knows about SecureBoot - that kind of scares me since it increases the attack surface.
-
-[1] command line: the boot command line maybe could be avoided with [auto-discovery](http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/).
-AFAIK Arch is not fully ready for that yet.
-
-Three keys/certificates are needed for UEFI SecureBoot (PK, KEK, DB). They are created with openssl.
-
-MAKE SURE YOU KEEP your keys **SECURE**! Also put a BIOS password!
-
-**ASSUMPTIONS:** `/boot/` is the ESP (EFI System Partition)
-
-**Required packages**: efibootmgr and from AUR: sbsigntools and efitools. pesign was recommended in some docs, didn't work at all for me when signing files.
-
-
-## Thinkpad
-
-Thinkpads (T450s, X1 Carbon) don't have key management in the firmware (the _bios_), so a third-party one needs to be used.
-`efitools` has `KeyTool.efi`, so I copied it and the `*.auth` files in `/boot/keys` and set it up to boot on next-boot with efibootmgr.
-
-Make sure to clear the built-in keys first, otherwise you can't setup your own. In some firmwares there's a separate option for that,
-or it does it when you select *Enter Setup mode* option. Save and reset, and now KeyTool.efi will be able to *replace* the PK, KEK and db
-certificates. I didn't just *add* the certificate because I wanted only my own keys there. If that is ok, reboot and **enable SecureBoot**.
-
-On the next reboot KeyTool.efi can't run since it's not signed, so the boot will continue to my own combined and signed Linux image.
-
-Don't forget to upgrade the firmware before starting. Bugs are often fixed and not even documented.
-
-
-## Testing in KVM
-
-You need an OVMF (the opensource UEFI firmware) binary. Since the one in Arch repos **doesn't** support SecureBoot, and the one in AUR doesn't compile (yet), I took a prebuilt one from a [Fedora repository](https://www.kraxel.org/repos/jenkins/edk2/), and unpacked it with bsdtar. Download the edk2.git-ovmf-x64*rpm file and get the `OVMF-pure-efi.fd` file from it (or alternatively OVMF_CODE-pure-efi.fd and OVMF_VARS-pure-efi.fd).
-
-To run QEMU/KVM with the OVMF firmware, run it as:
-
-```
-qemu-system-x86_64 -enable-kvm -bios OVMF-pure-efi.fd -hda vfat:/usr/share/efitools/efi/
-```
-
-or just install some Linux from .iso. Don't forget, UEFI requires GPT.
-
-
-### References
-
-* http://tomsblog.gschwinds.net/2014/08/uefi-secure-boot-hands-on-experience/
-* https://fedoraproject.org/wiki/Using_UEFI_with_QEMU
-* https://wiki.ubuntu.com/SecurityTeam/SecureBoot
-* http://en.altlinux.org/UEFI_SecureBoot_mini-HOWTO
-* https://www.suse.com/communities/conversations/uefi-secure-boot-details/
-* http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
diff --git a/fwupd.hook b/fwupd.hook
deleted file mode 100644
index 800f8a548f6e..000000000000
--- a/fwupd.hook
+++ /dev/null
@@ -1,11 +0,0 @@
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = File
-Target = usr/lib/fwupd/efi/fwupdx64.efi
-
-[Action]
-When = PostTransaction
-Exec = /usr/bin/sbsign --key /etc/secure-boot/db.key --cert /etc/secure-boot/db.crt -o /usr/lib/fwupd/efi/fwupdx64.efi.signed /usr/lib/fwupd/efi/fwupdx64.efi
-Depends = sbsigntools
-Depends = make
diff --git a/secure-boot b/secure-boot
deleted file mode 100644
index 91bd9ad00c58..000000000000
--- a/secure-boot
+++ /dev/null
@@ -1,115 +0,0 @@
-#! /usr/bin/make -f
-
-# configuration:
-
-ESP := /boot
-EFIDIR := /EFI/Secure
-EFIBOOTDEVICE :=
-
-# deprecated, use KERNEL. for backward compatibility til 2.0
-SUFFIX := linux
-
-SIGNER := ArchSecureBoot
-KERNEL := ${SUFFIX}
-VMLINUZ := /boot/vmlinuz-${KERNEL}
-INITRAMFS := /boot/initramfs-${KERNEL}.img
-EFISTUB := /usr/lib/systemd/boot/efi/linuxx64.efi.stub
-UCODE := /boot/intel-ucode.img
-CMDLINE := /etc/kernel/cmdline
-DESTFILE := secure-boot-${KERNEL}.efi
-EFIBOOTMGR := efibootmgr
-
--include /etc/secure-boot/config.mk
-
-KEYSDIR := /etc/secure-boot
-BOOTDIR := $(ESP)$(EFIDIR)
-EFIDIRFAT := $(subst /,\,$(EFIDIR))
-BUILDDIR := $(shell mktemp -d /tmp/secure-boot.XXXXXX)
-
-ifdef EFIBOOTDEVICE
-EFIBOOTMGR += -d $(EFIBOOTDEVICE)
-endif
-
-.PHONY: default clean update install
-
-default:
- @echo Make targets: install, update, gen-keys, enroll
-
-clean:
- rm -rf $(BUILDDIR)
-
-update: $(BOOTDIR)/${DESTFILE}
-install: update
- $(EFIBOOTMGR) -c -l '${EFIDIRFAT}\${DESTFILE}' -L 'SecureBoot ${KERNEL}'
-
-$(BOOTDIR)/${DESTFILE}: $(BUILDDIR)/combined-boot-signed.efi
- @mkdir -p $(BOOTDIR)
- cp $< $@
-
-
-$(BUILDDIR)/cmdline.txt:
- @mkdir -p $(BUILDDIR)
- [ -f ${CMDLINE} ] && \
- tr '\n' ' ' < ${CMDLINE} > $@ || \
- echo -n `</proc/cmdline` > $@
-
-$(BUILDDIR)/initramfs.img: $(UCODE) $(INITRAMFS)
- @mkdir -p $(BUILDDIR)
- cat $^ > $@
-
-$(BUILDDIR)/combined-boot.efi: $(BUILDDIR)/cmdline.txt $(BUILDDIR)/initramfs.img $(EFISTUB) /etc/os-release
- objcopy \
- --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
- --add-section .cmdline=$(BUILDDIR)/cmdline.txt --change-section-vma .cmdline=0x30000 \
- --add-section .linux=$(VMLINUZ) --change-section-vma .linux=0x40000 \
- --add-section .initrd=$(BUILDDIR)/initramfs.img --change-section-vma .initrd=0x3000000 \
- $(EFISTUB) $@
-
-$(BUILDDIR)/combined-boot-signed.efi: $(BUILDDIR)/combined-boot.efi $(KEYSDIR)/db.key
- sbsign --key $(KEYSDIR)/db.key --cert $(KEYSDIR)/db.crt --output $@ $<
-
-
-.PHONY: build sign enroll gen-keys
-
-build: $(BUILDDIR)/combined-boot.efi
-sign: $(BUILDDIR)/combined-boot-signed.efi
-
-enroll: gen-keys
- efi-updatevar -e -f $(KEYSDIR)/KEK.esl KEK
- efi-updatevar -e -f $(KEYSDIR)/db.esl db
- efi-updatevar -f $(KEYSDIR)/PK.auth PK
-
-gen-keys: $(KEYSDIR)/PK.auth $(KEYSDIR)/KEK.auth $(KEYSDIR)/db.auth
-
-
-
-####
-#### key building - typically only once in a lifetime
-####
-
-$(KEYSDIR)/%.crt: $(KEYSDIR)/%.key;
-$(KEYSDIR)/%.key: COMMONNAME = $(SIGNER) $(basename $(notdir $@))
-$(KEYSDIR)/%.key:
- @mkdir -p $(KEYSDIR)
- openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(COMMONNAME)/" \
- -keyout $@ -out $(@:.key=.crt) -days 3650 -nodes -sha256
-
-$(KEYSDIR)/uuid:
- uuidgen -r > $@
-
-$(KEYSDIR)/%.esl: $(KEYSDIR)/%.key $(KEYSDIR)/uuid
- cert-to-efi-sig-list -g `cat $(KEYSDIR)/uuid` $(@:.esl=.crt) $@
-
-
-$(KEYSDIR)/PK.auth: $(KEYSDIR)/PK.crt $(KEYSDIR)/PK.esl
- sign-efi-sig-list -k $(KEYSDIR)/PK.key -c $(KEYSDIR)/PK.crt PK $(KEYSDIR)/PK.esl $@
-
-$(KEYSDIR)/KEK.auth: $(KEYSDIR)/PK.crt $(KEYSDIR)/KEK.esl
- sign-efi-sig-list -c $(KEYSDIR)/PK.crt -k $(KEYSDIR)/PK.key KEK $(KEYSDIR)/KEK.esl $@
-
-$(KEYSDIR)/db.auth: $(KEYSDIR)/KEK.crt $(KEYSDIR)/db.esl
- sign-efi-sig-list -c $(KEYSDIR)/KEK.crt -k $(KEYSDIR)/KEK.key db $(KEYSDIR)/db.esl $@
-
-
-.PRECIOUS: $(KEYSDIR)/%.key $(KEYSDIR)/%.crt $(KEYSDIR)/%.esl
-.DEFAULT: default
diff --git a/secure-boot.hook b/secure-boot.hook
deleted file mode 100644
index fb215e62694d..000000000000
--- a/secure-boot.hook
+++ /dev/null
@@ -1,14 +0,0 @@
-[Trigger]
-Operation = Install
-Operation = Upgrade
-Type = Package
-Target = linux
-Target = usr/lib/initcpio/*
-Target = boot/intel-ucode.img
-Target = boot/amd-ucode.img
-
-[Action]
-When = PostTransaction
-Exec = /usr/bin/secure-boot update
-Depends = sbsigntools
-Depends = make