author | Brli | 2024-04-14 12:27:55 +0800 |
---|---|---|
committer | Brli | 2024-04-14 12:27:55 +0800 |
commit | c6f80711500a148e30f733195bb85f4691e499b3 (patch) | |
tree | f1430d58e6dc8ee1f5edc8f7c7db0b89101e7d07 | |
parent | e75a80512ad301c066275e5bb3d297ef98dd621d (diff) | |
update to 1.2.0
- add edk2 hook
- add uki efi image hook
-rw-r--r-- | PKGBUILD | 84 | ||||
-rw-r--r-- | edk2-update.hook | 11 | ||||
-rw-r--r-- | secureboot-helper-edk2.hook | 12 | ||||
-rw-r--r-- | secureboot-helper-systemd.hook | 1 | ||||
-rw-r--r-- | uki-sbsign.post | 13 |
5 files changed, 86 insertions, 35 deletions
@@ -3,17 +3,19 @@ # 2. Some UEFI firmware requires the keys to be in FAT filesystem in order they can be imported, consider cp the keys to your ESP before reboot # 3. Read the Secure Boot Archwiki (https://wiki.archlinux.org/index.php/Secure_Boot) _sign_location="etc/secureboot/keys" +_gen_new_key="$GEN_NEW_KEY" # Maintainer: BrLi <brli@chakralinux.org> pkgname=secureboot-helper -pkgver=1.1.3 +pkgver=1.2.0 pkgrel=1 pkgdesc="Kernel signing helper for UEFI secure boot" arch=('any') url="https://wiki.archlinux.org/index.php/Secure_Boot#Signing_kernel_with_pacman_hook" license=('GPL') -depends=(sbsigntools) +depends=(sbsigntools mkinitcpio) makedepends=(efitools) +optdepends=(edk2-shell) conflicts=(sbupdate) backup=($_sign_location/db/db.auth $_sign_location/db/db.cer 
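Review bot: `_gen_new_key="$GEN_NEW_KEY"` imports an arbitrary environment string that the rest of the PKGBUILD later executes as a command (`if $_gen_new_key; then` in package()), so an unset variable silently selects key generation and any other exported value is run as-is. Normalise it here and accept only the two words the code expects, e.g. `_gen_new_key="${GEN_NEW_KEY:-true}"` followed by `case $_gen_new_key in true|false) ;; *) error "GEN_NEW_KEY must be true or false"; exit 1 ;; esac`. Nothing in the PKGBUILD header mentions this knob; a one-line comment above it saying that `GEN_NEW_KEY=false` reuses the keys already in /etc/secureboot/keys would document the new behaviour.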
@@ -35,53 +37,67 @@ backup=($_sign_location/db/db.auth source=(secureboot-helper-kernel.hook secureboot-helper-systemd.hook secureboot-helper-ucode.hook + secureboot-helper-edk2.hook systemd-boot-update.hook - secureboot-helper.sysusers) -sha256sums=('431c8804e41f42ef71e461c322e53908474982f011a19c69dc6776a5fefe2371' - 'fa56188cb7d1175283ad7bbdc06a540ba8c1a2fc1b5ea55011a3a2cca0f7ac4c' - 'badc4c0a167af7606df2076929d3ccede9da971b9e6c7bc24e9dfb22ea29cd3a' - '3f7f448987c82b9475182cc2bf5b861780e9da2a121b3607c5d24bc836846e86' - 'ff1993aff155370018deeb78a0a112e887394fe3c5d289140d17462d1c2f1cc6') + edk2-update.hook + secureboot-helper.sysusers + uki-sbsign.post) +b2sums=('e91df3a7cb2797210666d22716b9e93153d1a4571f90b0cd85f0d5e3f6a18b12f8892c40bce144859e6509107a76db20a855b1922180406f086c32d591febc0a' + '1dbbe7d5a44ff7751f4237f0e5c803091f7c289d030f647b89b22d99acb43aa7c2981c49234e3f6db035f02118295a2ffa9f7bc57d95da1e119e3a10700ccaae' + '6e5d318f43fab74dc8e9d8964ff8f1d2f29862da510a05da8d5c6931954b3d5e07969f94ae356f30157dc98f59544945550ad3db1dbcdfc048d6179fe4d00fcd' + '9397cee519512c05fd61d08d732e4cf72222a6b44068a5a9de865c43da971157d8385028d18f0d060a47ce5a69b5142bb9506c0af5e536a63c705f028a7a6074' + 'acd0ba657a2707620e9dba6f798dfff9323ac35508f32954b4235876bcd9357dda81951c0115d5d3810a4497e1f527abd81539b0a5bdb864203478137716bf1f' + '70f37c68498e027e2104a2103da2619fb68bca3f850e2b6acd75a82cd97193e6fc16c29a05e7f25f8711b9236c4528ae8ccb7434800f89ef94cad98520b00c6e' + '4c558c19ba88f5c471076c220c767d21b4e5f6629ddf2d4fd652c1252a6de1ea236ead6f9a6674178af8c0e98afc51099a7b36a5421a581c4cb411b68ca86a7c' + 'd3c1dd19016f9bf06255d30f05929cc040e05aec51ce6178be9024506c9050de3057e993e5193dbe6043c09b466ebcb80659a1443f4f736b3f399d474c4e41da') prepare() { sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-kernel.hook sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-systemd.hook sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-ucode.hook sed 
"s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper.sysusers + if !$_gen_new_key; then + cp -r /etc/secureboot/keys "$srcdir/keys" + fi } package() { install -dm500 "$pkgdir/$_sign_location/"{PK,KEK,db} cd $pkgdir/$_sign_location - uuidgen --random > GUID.txt + if $_gen_new_key; then + uuidgen --random > GUID.txt - # Platform key - msg 'Generating PK.key' - cd $pkgdir/$_sign_location/PK - openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Platform Key/" -out PK.crt - openssl x509 -outform DER -in PK.crt -out PK.cer - cert-to-efi-sig-list -g "$(< ../GUID.txt)" PK.crt PK.esl - sign-efi-sig-list -g "$(< ../GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth - sign-efi-sig-list -g "$(< ../GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth + # Platform key + msg 'Generating PK.key' + cd $pkgdir/$_sign_location/PK + openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Platform Key/" -out PK.crt + openssl x509 -outform DER -in PK.crt -out PK.cer + cert-to-efi-sig-list -g "$(< ../GUID.txt)" PK.crt PK.esl + sign-efi-sig-list -g "$(< ../GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth + sign-efi-sig-list -g "$(< ../GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth - # Key exchange key - msg 'Generating KEK.key' - cd $pkgdir/$_sign_location/KEK - openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Key Exchange Key/" -out KEK.crt - openssl x509 -outform DER -in KEK.crt -out KEK.cer - cert-to-efi-sig-list -g "$(< ../GUID.txt)" KEK.crt KEK.esl - sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../PK/PK.key -c ../PK/PK.crt KEK KEK.esl KEK.auth + # Key exchange key + msg 'Generating KEK.key' + cd $pkgdir/$_sign_location/KEK + openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Key Exchange Key/" -out KEK.crt + openssl x509 -outform DER -in KEK.crt 
-out KEK.cer + cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl + sign-efi-sig-list -g "$(< GUID.txt)" -k ../PK/PK.key -c ../PK/PK.crt KEK KEK.esl KEK.auth - # Signature Database key - msg 'Generating DB.key' - cd $pkgdir/$_sign_location/db - openssl req -newkey rsa:2048 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Signature Database key/" -out db.crt - openssl x509 -outform DER -in db.crt -out db.cer - cert-to-efi-sig-list -g "$(< ../GUID.txt)" db.crt db.esl - sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../KEK/KEK.key -c ../KEK/KEK.crt db db.esl db.auth + # Signature Database key + msg 'Generating DB.key' + openssl req -newkey rsa:2048 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Signature Database key/" -out db.crt + openssl x509 -outform DER -in db.crt -out db.cer + cert-to-efi-sig-list -g "$(< ../GUID.txt)" db.crt db.esl + sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../KEK/KEK.key -c ../KEK/KEK.crt db db.esl db.auth + else + cp -ra $srcdir/keys/* ./ + fi - for hook in secureboot-helper-ucode secureboot-helper-kernel secureboot-helper-systemd; do - install -Dm644 $srcdir/$hook.hook $pkgdir/usr/share/libalpm/hooks/95-$hook.hook + for hook in ucode kernel systemd edk2; do + install -Dm644 "$srcdir/secureboot-helper-$hook.hook" "$pkgdir/usr/share/libalpm/hooks/95-secureboot-helper-$hook.hook" done - install -Dm644 $srcdir/systemd-boot-update.hook $pkgdir/usr/share/libalpm/hooks/96-systemd-boot-update.hook + install -Dm644 $srcdir/systemd-boot-update.hook $pkgdir/usr/share/libalpm/hooks/96-systemd-boot-update.hook + install -Dm644 $srcdir/edk2-update.hook $pkgdir/usr/share/libalpm/hooks/96-edk2-update.hook install -Dm644 $srcdir/secureboot-helper.sysusers $pkgdir/usr/lib/sysusers.d/secureboot-helper.conf + install -Dm644 $srcdir/uki-sbsign.post $pkgdir/usr/lib/initcpio/post/uki-sbsign } diff --git a/edk2-update.hook b/edk2-update.hook new file mode 100644 index 000000000000..09a2a425fbd4 
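Review bot: The db key pair is no longer generated under db/: the new side drops the `cd $pkgdir/$_sign_location/db` that preceded `msg 'Generating DB.key'`, so db.key, db.crt and db.auth are written into the KEK directory while every hook, `backup=()` and uki-sbsign.post expect `/etc/secureboot/keys/db/db.key`. In the KEK section the GUID path changed from `../GUID.txt` to `GUID.txt`, which does not exist in the KEK directory, so an empty `-g` is passed to cert-to-efi-sig-list and sign-efi-sig-list. In prepare(), `if !$_gen_new_key; then` has no space after `!`, so bash looks for a command literally named `!true`/`!false` instead of negating; with `GEN_NEW_KEY=false` the existing keys are never copied and `cp -ra $srcdir/keys/* ./` fails. Separately, both branches place private keys (PK.key, KEK.key, db.key) inside the built package, which then sits in the pacman cache; the header comments should warn about that, especially now that a live system's keys can be copied in. The PKGBUILD's top-of-file comments are outside this hunk.
```shell
    if ! $_gen_new_key; then
        cp -r /etc/secureboot/keys "$srcdir/keys"
    fi
# … unchanged: package() up to the KEK openssl commands …
        cert-to-efi-sig-list -g "$(< ../GUID.txt)" KEK.crt KEK.esl
        sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../PK/PK.key -c ../PK/PK.crt KEK KEK.esl KEK.auth

        # Signature Database key
        msg 'Generating DB.key'
        cd $pkgdir/$_sign_location/db
        # … unchanged: openssl req / x509 / cert-to-efi-sig-list / sign-efi-sig-list for db …
```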
--- /dev/null
+++ b/edk2-update.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = edk2-shell
+
+[Action]
+Description = Update EDK2 EFI Shell Binary
+When = PostTransaction
+Exec = /usr/bin/cp -uv /usr/share/edk2-shell/x64/Shell_Full.efi /boot/shellx64.efi
+Depends = coreutils
diff --git a/secureboot-helper-edk2.hook b/secureboot-helper-edk2.hook
new file mode 100644
index 000000000000..b297e744334d
--- /dev/null
+++ b/secureboot-helper-edk2.hook
@@ -0,0 +1,12 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = edk2-shell
+
+[Action]
+Description = Signing EDK2 EFI Shell Binary for SecureBoot
+When = PostTransaction
+Exec = /usr/bin/sbsign --key /%SIGN_LOCATION%/db/db.key --cert /%SIGN_LOCATION%/db/db.crt --output "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" "/usr/share/edk2-shell/x64/Shell_Full.efi"
+Depends = sbsigntools
+Depends = grep
diff --git a/secureboot-helper-systemd.hook b/secureboot-helper-systemd.hook
index ed4dc5abb35f..d60ccbfae341 100644
--- a/secureboot-helper-systemd.hook
+++ b/secureboot-helper-systemd.hook
@@ -9,5 +9,4 @@ Description = Signing SystemD for SecureBoot
 When = PostTransaction
 Exec = /usr/bin/sbsign --key /%SIGN_LOCATION%/db/db.key --cert /%SIGN_LOCATION%/db/db.crt --output "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" "/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
 Depends = sbsigntools
-Depends = findutils
 Depends = grep
diff --git a/uki-sbsign.post b/uki-sbsign.post
new file mode 100644
index 000000000000..b19c36fd4a0b
--- /dev/null
+++ b/uki-sbsign.post
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+uki="$3"
+[[ -n "$uki" ]] || exit 0
+
+keypairs=(/etc/secureboot/keys/db/db.key /etc/secureboot/keys/db/db.crt)
+
+for (( i=0; i<${#keypairs[@]}; i+=2 )); do
+ key="${keypairs[$i]}" cert="${keypairs[(( i + 1 ))]}"
+ if ! sbverify --cert "$cert" "$uki" &>/dev/null; then
+ sbsign --key "$key" --cert "$cert" --output "$uki" "$uki"
+ fi
+done |
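Review bot: `Exec = /usr/bin/cp -uv /usr/share/edk2-shell/x64/Shell_Full.efi /boot/shellx64.efi` installs the unsigned shell binary, and because this hook is numbered 96 it runs after 95-secureboot-helper-edk2, so the ESP always ends up with an image Secure Boot will reject regardless of what the signing hook produced. Make the signing hook the only writer of /boot/shellx64.efi (sign straight to that path) and drop this copy, or at minimum renumber so the copy precedes signing and the signing hook signs the ESP copy in place. A comment in the hook is also warranted: a full EDK2 shell trusted by the db key is a powerful pre-boot tool (as far as I recall Shell_Full ships memory and variable editing commands), so making it bootable under Secure Boot should be a deliberate user choice rather than an automatic side effect of installing edk2-shell.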
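Review bot: `--output "/usr/lib/systemd/boot/efi/systemd-bootx64.efi"` was carried over from the systemd hook, so signing the EDK2 shell overwrites systemd-boot's loader binary with the shell; the next run of 96-systemd-boot-update.hook would then presumably install an EFI shell as the boot loader. The output must be the shell's own destination, e.g. `Exec = /usr/bin/sbsign --key /%SIGN_LOCATION%/db/db.key --cert /%SIGN_LOCATION%/db/db.crt --output /boot/shellx64.efi "/usr/share/edk2-shell/x64/Shell_Full.efi"`. `Depends = grep` is not used by this Exec line and can be removed. Since this hook turns every edk2-shell install into a Secure-Boot-trusted shell, the `Description` (or a comment) should say so explicitly.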
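Review bot: A failed `sbsign` is never detected — the script has no `set -e`, ignores sbsign's exit status and always exits 0, so mkinitcpio reports success while an unsigned UKI is left on the ESP. Add `set -euo pipefail` after the shebang and check the key material before use, e.g. `[[ -r "$key" && -r "$cert" ]] || { printf 'uki-sbsign: missing %s or %s\n' "$key" "$cert" >&2; exit 1; }`. `keypairs[(( i + 1 ))]` works but `keypairs[i+1]` is the idiomatic subscript. The PKGBUILD installs this file with mode 644; if mkinitcpio only runs executable post hooks this script never fires, so verify that against mkinitcpio's post-hook discovery. Whether `$3` is the UKI path depends on mkinitcpio's calling convention for post hooks; a comment at the top recording the assumed argument order would make that checkable.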