authorДамјан Георгиевски2019-06-12 21:44:30 +0200
committerДамјан Георгиевски2019-06-12 21:44:30 +0200
commite6c13601b372114a7c08b2e7698ec67e1ae0aadd (patch)
tree362dd99a2754f0f13243f5128c54fd773a445c3a
parent461ee8bb0233870867d2b88817f8cb43660c7f12 (diff)
downloadaur-e6c13601b372114a7c08b2e7698ec67e1ae0aadd.tar.gz
bump to 1.3.1
-rw-r--r--.SRCINFO12
-rw-r--r--95-secure-boot.install18
-rw-r--r--PKGBUILD20
-rw-r--r--README.md2
-rw-r--r--fwupd.hook11
-rw-r--r--secure-boot36
-rw-r--r--secure-boot.hook2
7 files changed, 76 insertions, 25 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 33daba696cfc..e72c700074ea 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = secure-boot
pkgdesc = secure-boot tool
- pkgver = 1.1
- pkgrel = 2
+ pkgver = 1.3.1
+ pkgrel = 1
url = https://github.com/gdamjan/secure-boot
arch = any
license = GPL
@@ -14,8 +14,12 @@ pkgbase = secure-boot
depends = systemd
source = secure-boot
source = secure-boot.hook
- md5sums = 97e13f4798bed1d4bd3d7f409198e570
- md5sums = 1313074db7ddeac0c115e44c7b16f218
+ source = fwupd.hook
+ source = 95-secure-boot.install
+ sha256sums = 8140d52cce7ca1424dcfdf57e5bf5e162671710764ddb66d3112f40236c39f0f
+ sha256sums = 9252561fd43bc707e062ce266f7e55ceff9cd56ad00bde003ba93a61aaf27922
+ sha256sums = 70466aa19cb38aedb210fb16a893f317412c9fc6f15169958583709d2954c67b
+ sha256sums = 62da3ec34fa9370d6877fe371e3536bab6255b2fb5353ef6c0e1adf4c555adcf
pkgname = secure-boot
diff --git a/95-secure-boot.install b/95-secure-boot.install
new file mode 100644
index 000000000000..ab921d12c764
--- /dev/null
+++ b/95-secure-boot.install
@@ -0,0 +1,18 @@
+#!/bin/sh
+# kernel-install hook
+# https://www.freedesktop.org/software/systemd/man/kernel-install.html
+
+# note: this hook must run after 50-mkinitcpio.install because it creates "$3"/initrd
+
+case "$1" in
+ add)
+ secure-boot KERNEL="$2" INITRAMFS="$3"/initrd install
+ ;;
+ remove)
+ # this is not implemented yet
+ # secure-boot KERNEL="$2" INITRAMFS="$3"/initrd remove
+ ;;
+esac
+
+
+# vim: set ft=sh ts=4 sw=4 et:
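Review bot: The `remove)` branch exits successfully without doing anything, so after a kernel package is removed its signed unified image (and the boot entry that `install` created for it) stays on the ESP with a valid signature; until removal is implemented, make the gap visible with something like `echo "secure-boot: removing the signed image for $2 is not implemented, clean up the ESP manually" >&2` in that branch. The `add)` branch invokes the `install` target, which in the Makefile hunk below unconditionally runs `efibootmgr -c`; if that is still its behaviour, every kernel upgrade adds another boot entry, and `update` may be the verb intended from a kernel-install plugin. The dependence on 50-mkinitcpio.install having already written `"$3"/initrd` is stated only in a comment; a guard such as `[ -r "$3"/initrd ] || { echo "secure-boot: $3/initrd missing" >&2; exit 1; }` before the call would turn a mis-ordered plugin set into an explicit failure instead of a confusing sbsign/objcopy error.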
diff --git a/PKGBUILD b/PKGBUILD
index b7ab70d195ee..b66480613d62 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
# Maintainer: Damjan Georgievski <gdamjan@gmail.com>
pkgname=secure-boot
-pkgver=1.1
-pkgrel=2
+pkgver=1.3.1
+pkgrel=1
epoch=
pkgdesc="secure-boot tool"
arch=(any)
@@ -19,15 +19,19 @@ backup=()
options=()
install=
changelog=
-source=(secure-boot secure-boot.hook)
+source=("secure-boot" "secure-boot.hook" "fwupd.hook" "95-secure-boot.install" )
noextract=()
package() {
cd "${srcdir}"
- install -dm700 ${pkgdir}/etc/secure-boot
- install -Dm755 secure-boot ${pkgdir}/usr/bin/secure-boot
- install -Dm644 secure-boot.hook ${pkgdir}/etc/pacman.d/hooks/secure-boot.hook
+ install -dm700 "${pkgdir}"/etc/secure-boot
+ install -Dm755 secure-boot "${pkgdir}"/usr/bin/secure-boot
+ install -Dm644 secure-boot.hook "${pkgdir}"/usr/share/libalpm/hooks/99-secure-boot.hook
+ install -Dm644 fwupd.hook "${pkgdir}"/usr/share/libalpm/hooks/fwupd.hook
+ install -Dm644 95-secure-boot.install "${pkgdir}"/usr/lib/kernel/install.d/95-secure-boot.install
}
-md5sums=('97e13f4798bed1d4bd3d7f409198e570'
- '1313074db7ddeac0c115e44c7b16f218')
+sha256sums=('8140d52cce7ca1424dcfdf57e5bf5e162671710764ddb66d3112f40236c39f0f'
+ '9252561fd43bc707e062ce266f7e55ceff9cd56ad00bde003ba93a61aaf27922'
+ '70466aa19cb38aedb210fb16a893f317412c9fc6f15169958583709d2954c67b'
+ '62da3ec34fa9370d6877fe371e3536bab6255b2fb5353ef6c0e1adf4c555adcf')
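Review bot: `95-secure-boot.install` is installed with `-Dm644` on the last `install` line of `package()`, but kernel-install only runs plugins in `/usr/lib/kernel/install.d/` that carry the executable bit, so as packaged the plugin is silently skipped and kernels installed through kernel-install are never signed by this path. The file has a `#!/bin/sh` shebang and is meant to be executed directly; the fix is `install -Dm755 95-secure-boot.install "${pkgdir}"/usr/lib/kernel/install.d/95-secure-boot.install`. A one-line comment above the `install -Dm644 secure-boot.hook` line explaining the new `99-` prefix (presumably chosen so the hook sorts after mkinitcpio's own hook) would also spare the next maintainer from "fixing" the name back.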
diff --git a/README.md b/README.md
index b2ca9b4864a3..7e5e938b4705 100644
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ use that file as a template for other kernels too (this procedure should converg
Options can be put in `/etc/secure-boot/config.mk` (in makefile format). See the top lines of [secure-boot](secure-boot) for the
possible options. You can also specify them on the command line:
-* `secure-boot SUFFIX=linux-lts update` will sign and setup the -lts kernel (also -git, -zen, etc) - but make sure to setup
+* `secure-boot KERNEL=linux-lts update` will sign and setup the -lts kernel (also linux-git, linux-zen, etc) - but make sure to setup
the pacman hook for those too.
* by default the script expects a cpu microcode archive exists at `/boot/intel-ucode.img`, and packs it to the common initramfs.
Use `secure-boot UCODE= update` to disable it.
diff --git a/fwupd.hook b/fwupd.hook
new file mode 100644
index 000000000000..800f8a548f6e
--- /dev/null
+++ b/fwupd.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = File
+Target = usr/lib/fwupd/efi/fwupdx64.efi
+
+[Action]
+When = PostTransaction
+Exec = /usr/bin/sbsign --key /etc/secure-boot/db.key --cert /etc/secure-boot/db.crt -o /usr/lib/fwupd/efi/fwupdx64.efi.signed /usr/lib/fwupd/efi/fwupdx64.efi
+Depends = sbsigntools
+Depends = make
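Review bot: `Depends = make` on the last line is not used by this hook: `Exec` calls `/usr/bin/sbsign` directly, so `Depends = sbsigntools` is the only dependency it needs and the `make` line should go unless the intent was to sign via the `secure-boot` Makefile. The `Exec` line also assumes `/etc/secure-boot/db.key` and `db.crt` exist; when they do not, pacman reports a hook error and fwupd may be left with a missing or stale `fwupdx64.efi.signed`, so a comment such as `# requires the db key pair created by 'secure-boot gen-keys'` above `[Action]` would make that precondition explicit. It is also worth stating in a comment in `[Trigger]` that this signs whatever any package installs at `usr/lib/fwupd/efi/fwupdx64.efi`, since that is the trust decision the hook encodes.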
diff --git a/secure-boot b/secure-boot
index eda18bde0a6d..84d993339696 100644
--- a/secure-boot
+++ b/secure-boot
@@ -6,14 +6,17 @@ ESP := /boot
EFIDIR := /EFI/Secure
EFIBOOTDEVICE :=
-SIGNER := ArchSecureBoot
+# deprecated, use KERNEL. for backward compatibility til 2.0
SUFFIX := linux
-KERNEL := /boot/vmlinuz-${SUFFIX}
-INITRAMFS := /boot/initramfs-${SUFFIX}.img
+
+SIGNER := ArchSecureBoot
+KERNEL := ${SUFFIX}
+VMLINUZ := /boot/vmlinuz-${KERNEL}
+INITRAMFS := /boot/initramfs-${KERNEL}.img
EFISTUB := /usr/lib/systemd/boot/efi/linuxx64.efi.stub
UCODE := /boot/intel-ucode.img
CMDLINE := /etc/kernel/cmdline
-DESTFILE := secure-boot-${SUFFIX}.efi
+DESTFILE := secure-boot-${KERNEL}.efi
EFIBOOTMGR := efibootmgr
-include /etc/secure-boot/config.mk
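Review bot: `KERNEL := ${SUFFIX}`, `VMLINUZ`, `INITRAMFS` and `DESTFILE` are simply-expanded (`:=`) and evaluated before the `-include /etc/secure-boot/config.mk` at the end of the hunk, so a `KERNEL := linux-lts` (or the deprecated `SUFFIX`) placed in `config.mk`, which the README hunk describes as the place for options, never reaches the derived paths — they are already fixed to `linux`. Command-line use (`secure-boot KERNEL=linux-lts update`) works only because a command-line variable overrides the makefile's own `KERNEL` assignment before the derived lines expand. Unless an include outside this hunk already handles it, making the four derived assignments recursive lets both the config file and the command line take effect, and keeps the `SUFFIX` compatibility path working through `KERNEL = ${SUFFIX}`.
```make
KERNEL = ${SUFFIX}
VMLINUZ = /boot/vmlinuz-${KERNEL}
INITRAMFS = /boot/initramfs-${KERNEL}.img
# … unchanged: EFISTUB, UCODE, CMDLINE …
DESTFILE = secure-boot-${KERNEL}.efi
```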
@@ -27,15 +30,17 @@ ifdef EFIBOOTDEVICE
EFIBOOTMGR += -d $(EFIBOOTDEVICE)
endif
+.PHONY: default clean update install
+
default:
- @echo Make targets: keys, install, update
+ @echo Make targets: install, update, gen-keys, enroll
clean:
rm -rf $(BUILDDIR)
update: $(BOOTDIR)/${DESTFILE}
install: update
- $(EFIBOOTMGR) -c -l '${EFIDIRFAT}\${DESTFILE}' -L 'SecureBoot ${SUFFIX}'
+ $(EFIBOOTMGR) -c -l '${EFIDIRFAT}\${DESTFILE}' -L 'SecureBoot ${KERNEL}'
$(BOOTDIR)/${DESTFILE}: $(BUILDDIR)/combined-boot-signed.efi
@mkdir -p $(BOOTDIR)
@@ -56,7 +61,7 @@ $(BUILDDIR)/combined-boot.efi: $(BUILDDIR)/cmdline.txt $(BUILDDIR)/initramfs.img
objcopy \
--add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
--add-section .cmdline=$(BUILDDIR)/cmdline.txt --change-section-vma .cmdline=0x30000 \
- --add-section .linux=$(KERNEL) --change-section-vma .linux=0x40000 \
+ --add-section .linux=$(VMLINUZ) --change-section-vma .linux=0x40000 \
--add-section .initrd=$(BUILDDIR)/initramfs.img --change-section-vma .initrd=0x3000000 \
$(EFISTUB) $@
@@ -64,15 +69,23 @@ $(BUILDDIR)/combined-boot-signed.efi: $(BUILDDIR)/combined-boot.efi $(KEYSDIR)/d
sbsign --key $(KEYSDIR)/db.key --cert $(KEYSDIR)/db.crt --output $@ $<
-# shortcuts
+.PHONY: build sign enroll gen-keys
+
build: $(BUILDDIR)/combined-boot.efi
sign: $(BUILDDIR)/combined-boot-signed.efi
+enroll: gen-keys
+ efi-updatevar -e -f $(KEYSDIR)/KEK.esl KEK
+ efi-updatevar -e -f $(KEYSDIR)/db.esl db
+ efi-updatevar -f $(KEYSDIR)/PK.auth PK
+
+gen-keys: $(KEYSDIR)/PK.auth $(KEYSDIR)/KEK.auth $(KEYSDIR)/db.auth
+
-### setup keys.
-### need run only once.
-keys: $(KEYSDIR)/PK.auth $(KEYSDIR)/KEK.auth $(KEYSDIR)/db.auth
+####
+#### key building - typically only once in a lifetime
+####
$(KEYSDIR)/%.crt: $(KEYSDIR)/%.key;
$(KEYSDIR)/%.key: COMMONNAME = $(SIGNER) $(basename $(notdir $@))
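Review bot: `enroll` reads `$(KEYSDIR)/KEK.esl` and `$(KEYSDIR)/db.esl` on its first two recipe lines, but its only prerequisite is `gen-keys`, which is satisfied by the `.auth` files alone; if an `.esl` is missing while its `.auth` exists, nothing regenerates it and the first `efi-updatevar` fails. Listing the inputs explicitly fixes that: `enroll: gen-keys $(KEYSDIR)/KEK.esl $(KEYSDIR)/db.esl $(KEYSDIR)/PK.auth`. The three `efi-updatevar` lines also deserve a why-comment, e.g. `# -e appends to the existing variable; PK is written last because setting PK ends firmware setup mode`, since that ordering is what makes the enrolment succeed and a reordering would look harmless.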
@@ -99,5 +112,4 @@ $(KEYSDIR)/db.auth: $(KEYSDIR)/KEK.crt $(KEYSDIR)/db.esl
.PRECIOUS: $(KEYSDIR)/%.key $(KEYSDIR)/%.crt $(KEYSDIR)/%.esl
-.PHONY: default clean install
.DEFAULT: default
diff --git a/secure-boot.hook b/secure-boot.hook
index 6eac36a9fa6c..3957bfd878a9 100644
--- a/secure-boot.hook
+++ b/secure-boot.hook
@@ -3,6 +3,8 @@ Operation = Install
Operation = Upgrade
Type = Package
Target = linux
+Target = usr/lib/initcpio/*
+Target = boot/intel-ucode.img
[Action]
When = PostTransaction
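Review bot: The two added `Target` lines sit in a trigger whose `Type = Package` (context two lines above), where `Target` is matched against package names, so `usr/lib/initcpio/*` and `boot/intel-ucode.img` never match and the hook does not fire on mkinitcpio or microcode updates as evidently intended — the signed unified image then carries a stale initramfs or microcode until the next `linux` upgrade. File-path targets need their own `[Trigger]` block with `Type = File` (`Type = Path` on newer pacman), as the new `fwupd.hook` in this commit already does; the `[Trigger]` header of this file is outside the hunk. The `boot/intel-ucode.img` path matches the Makefile default `UCODE := /boot/intel-ucode.img`, but a `UCODE=` override in config.mk would leave this trigger pointing at the wrong file, which is worth a comment.
```ini
# … unchanged: existing Type = Package trigger for linux …

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/initcpio/*
Target = boot/intel-ucode.img
```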