authorBrli2024-04-14 12:27:55 +0800
committerBrli2024-04-14 12:27:55 +0800
commitc6f80711500a148e30f733195bb85f4691e499b3 (patch)
treef1430d58e6dc8ee1f5edc8f7c7db0b89101e7d07
parente75a80512ad301c066275e5bb3d297ef98dd621d (diff)
update to 1.2.0
- add edk2 hook
- add uki efi image hook
-rw-r--r--PKGBUILD84
-rw-r--r--edk2-update.hook11
-rw-r--r--secureboot-helper-edk2.hook12
-rw-r--r--secureboot-helper-systemd.hook1
-rw-r--r--uki-sbsign.post13
5 files changed, 86 insertions, 35 deletions
diff --git a/PKGBUILD b/PKGBUILD
index 9802bb87f1c1..a3a552f2eb51 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,17 +3,19 @@
# 2. Some UEFI firmware requires the keys to be in FAT filesystem in order they can be imported, consider cp the keys to your ESP before reboot
# 3. Read the Secure Boot Archwiki (https://wiki.archlinux.org/index.php/Secure_Boot)
_sign_location="etc/secureboot/keys"
+_gen_new_key="$GEN_NEW_KEY"
# Maintainer: BrLi <brli@chakralinux.org>
pkgname=secureboot-helper
-pkgver=1.1.3
+pkgver=1.2.0
pkgrel=1
pkgdesc="Kernel signing helper for UEFI secure boot"
arch=('any')
url="https://wiki.archlinux.org/index.php/Secure_Boot#Signing_kernel_with_pacman_hook"
license=('GPL')
-depends=(sbsigntools)
+depends=(sbsigntools mkinitcpio)
makedepends=(efitools)
+optdepends=(edk2-shell)
conflicts=(sbupdate)
backup=($_sign_location/db/db.auth
$_sign_location/db/db.cer
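Review bot: `_gen_new_key="$GEN_NEW_KEY"` takes the value straight from the build environment with no default and no validation, and the next hunk uses it as a command (`if $_gen_new_key; then` in package(), `if !$_gen_new_key; then` in prepare()), so only the literal words `true` and `false` behave; an unset variable expands to an empty command, which bash treats as success, so the key-generating branch runs without any sign that the switch was never set. Give it an explicit default and state the contract next to it, e.g. `# GEN_NEW_KEY=false reuses the keys found in /etc/secureboot/keys; anything else (the default) generates a fresh PK/KEK/db set` followed by `_gen_new_key="${GEN_NEW_KEY:-true}"`, and test it as a string (`[[ "$_gen_new_key" == false ]]`) rather than executing environment content. `optdepends=(edk2-shell)` would also be clearer in the usual `'edk2-shell: reason'` form so pacman can show why it is suggested.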
@@ -35,53 +37,67 @@ backup=($_sign_location/db/db.auth
source=(secureboot-helper-kernel.hook
secureboot-helper-systemd.hook
secureboot-helper-ucode.hook
+ secureboot-helper-edk2.hook
systemd-boot-update.hook
- secureboot-helper.sysusers)
-sha256sums=('431c8804e41f42ef71e461c322e53908474982f011a19c69dc6776a5fefe2371'
- 'fa56188cb7d1175283ad7bbdc06a540ba8c1a2fc1b5ea55011a3a2cca0f7ac4c'
- 'badc4c0a167af7606df2076929d3ccede9da971b9e6c7bc24e9dfb22ea29cd3a'
- '3f7f448987c82b9475182cc2bf5b861780e9da2a121b3607c5d24bc836846e86'
- 'ff1993aff155370018deeb78a0a112e887394fe3c5d289140d17462d1c2f1cc6')
+ edk2-update.hook
+ secureboot-helper.sysusers
+ uki-sbsign.post)
+b2sums=('e91df3a7cb2797210666d22716b9e93153d1a4571f90b0cd85f0d5e3f6a18b12f8892c40bce144859e6509107a76db20a855b1922180406f086c32d591febc0a'
+ '1dbbe7d5a44ff7751f4237f0e5c803091f7c289d030f647b89b22d99acb43aa7c2981c49234e3f6db035f02118295a2ffa9f7bc57d95da1e119e3a10700ccaae'
+ '6e5d318f43fab74dc8e9d8964ff8f1d2f29862da510a05da8d5c6931954b3d5e07969f94ae356f30157dc98f59544945550ad3db1dbcdfc048d6179fe4d00fcd'
+ '9397cee519512c05fd61d08d732e4cf72222a6b44068a5a9de865c43da971157d8385028d18f0d060a47ce5a69b5142bb9506c0af5e536a63c705f028a7a6074'
+ 'acd0ba657a2707620e9dba6f798dfff9323ac35508f32954b4235876bcd9357dda81951c0115d5d3810a4497e1f527abd81539b0a5bdb864203478137716bf1f'
+ '70f37c68498e027e2104a2103da2619fb68bca3f850e2b6acd75a82cd97193e6fc16c29a05e7f25f8711b9236c4528ae8ccb7434800f89ef94cad98520b00c6e'
+ '4c558c19ba88f5c471076c220c767d21b4e5f6629ddf2d4fd652c1252a6de1ea236ead6f9a6674178af8c0e98afc51099a7b36a5421a581c4cb411b68ca86a7c'
+ 'd3c1dd19016f9bf06255d30f05929cc040e05aec51ce6178be9024506c9050de3057e993e5193dbe6043c09b466ebcb80659a1443f4f736b3f399d474c4e41da')
prepare() {
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-kernel.hook
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-systemd.hook
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-ucode.hook
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper.sysusers
+ if !$_gen_new_key; then
+ cp -r /etc/secureboot/keys "$srcdir/keys"
+ fi
}
package() {
install -dm500 "$pkgdir/$_sign_location/"{PK,KEK,db}
cd $pkgdir/$_sign_location
- uuidgen --random > GUID.txt
+ if $_gen_new_key; then
+ uuidgen --random > GUID.txt
- # Platform key
- msg 'Generating PK.key'
- cd $pkgdir/$_sign_location/PK
- openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Platform Key/" -out PK.crt
- openssl x509 -outform DER -in PK.crt -out PK.cer
- cert-to-efi-sig-list -g "$(< ../GUID.txt)" PK.crt PK.esl
- sign-efi-sig-list -g "$(< ../GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
- sign-efi-sig-list -g "$(< ../GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth
+ # Platform key
+ msg 'Generating PK.key'
+ cd $pkgdir/$_sign_location/PK
+ openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Platform Key/" -out PK.crt
+ openssl x509 -outform DER -in PK.crt -out PK.cer
+ cert-to-efi-sig-list -g "$(< ../GUID.txt)" PK.crt PK.esl
+ sign-efi-sig-list -g "$(< ../GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
+ sign-efi-sig-list -g "$(< ../GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth
- # Key exchange key
- msg 'Generating KEK.key'
- cd $pkgdir/$_sign_location/KEK
- openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Key Exchange Key/" -out KEK.crt
- openssl x509 -outform DER -in KEK.crt -out KEK.cer
- cert-to-efi-sig-list -g "$(< ../GUID.txt)" KEK.crt KEK.esl
- sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../PK/PK.key -c ../PK/PK.crt KEK KEK.esl KEK.auth
+ # Key exchange key
+ msg 'Generating KEK.key'
+ cd $pkgdir/$_sign_location/KEK
+ openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Key Exchange Key/" -out KEK.crt
+ openssl x509 -outform DER -in KEK.crt -out KEK.cer
+ cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
+ sign-efi-sig-list -g "$(< GUID.txt)" -k ../PK/PK.key -c ../PK/PK.crt KEK KEK.esl KEK.auth
- # Signature Database key
- msg 'Generating DB.key'
- cd $pkgdir/$_sign_location/db
- openssl req -newkey rsa:2048 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Signature Database key/" -out db.crt
- openssl x509 -outform DER -in db.crt -out db.cer
- cert-to-efi-sig-list -g "$(< ../GUID.txt)" db.crt db.esl
- sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../KEK/KEK.key -c ../KEK/KEK.crt db db.esl db.auth
+ # Signature Database key
+ msg 'Generating DB.key'
+ openssl req -newkey rsa:2048 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Signature Database key/" -out db.crt
+ openssl x509 -outform DER -in db.crt -out db.cer
+ cert-to-efi-sig-list -g "$(< ../GUID.txt)" db.crt db.esl
+ sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../KEK/KEK.key -c ../KEK/KEK.crt db db.esl db.auth
+ else
+ cp -ra $srcdir/keys/* ./
+ fi
- for hook in secureboot-helper-ucode secureboot-helper-kernel secureboot-helper-systemd; do
- install -Dm644 $srcdir/$hook.hook $pkgdir/usr/share/libalpm/hooks/95-$hook.hook
+ for hook in ucode kernel systemd edk2; do
+ install -Dm644 "$srcdir/secureboot-helper-$hook.hook" "$pkgdir/usr/share/libalpm/hooks/95-secureboot-helper-$hook.hook"
done
- install -Dm644 $srcdir/systemd-boot-update.hook $pkgdir/usr/share/libalpm/hooks/96-systemd-boot-update.hook
+ install -Dm644 $srcdir/systemd-boot-update.hook $pkgdir/usr/share/libalpm/hooks/96-systemd-boot-update.hook
+ install -Dm644 $srcdir/edk2-update.hook $pkgdir/usr/share/libalpm/hooks/96-edk2-update.hook
install -Dm644 $srcdir/secureboot-helper.sysusers $pkgdir/usr/lib/sysusers.d/secureboot-helper.conf
+ install -Dm644 $srcdir/uki-sbsign.post $pkgdir/usr/lib/initcpio/post/uki-sbsign
}
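Review bot: The KEK block now reads `"$(< GUID.txt)"` on both its `cert-to-efi-sig-list` and `sign-efi-sig-list` lines after `cd $pkgdir/$_sign_location/KEK`, but GUID.txt is written one directory up, so the `-g` argument is empty there; restore `"$(< ../GUID.txt)"` as the PK and db lines still use. The `cd $pkgdir/$_sign_location/db` that preceded the db key generation in the removed lines was not re-added, so db.key, db.crt and db.auth are created inside KEK/ while `backup=` and the hooks expect them under db/; add `cd $pkgdir/$_sign_location/db` before `msg 'Generating DB.key'`. In prepare(), `if !$_gen_new_key; then` has no space after `!`, so bash looks for a command named `!false` instead of negating the test and the key copy never happens; write `if ! $_gen_new_key; then`. Both branches of package() are worth a `# private keys are packaged; keep the resulting package file out of shared caches` comment, since the generated or copied PK/KEK/db private keys end up inside the built package.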
diff --git a/edk2-update.hook b/edk2-update.hook
new file mode 100644
index 000000000000..09a2a425fbd4
--- /dev/null
+++ b/edk2-update.hook
@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = edk2-shell
+
+[Action]
+Description = Update EDK2 EFI Shell Binary
+When = PostTransaction
+Exec = /usr/bin/cp -uv /usr/share/edk2-shell/x64/Shell_Full.efi /boot/shellx64.efi
+Depends = coreutils
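Review bot: The file copied here, `/usr/share/edk2-shell/x64/Shell_Full.efi`, is the package's own unsigned binary, so this hook only places a signed shell on the ESP if the 95-secureboot-helper-edk2 hook that runs just before it has signed that file in place — the `--output` in secureboot-helper-edk2.hook currently points elsewhere, so what lands in /boot/shellx64.efi is unsigned. `/boot` is also hard-coded as the ESP mount point with no check that it is one; a comment such as `# assumes the ESP is mounted at /boot` makes the assumption visible to anyone with a different layout.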
diff --git a/secureboot-helper-edk2.hook b/secureboot-helper-edk2.hook
new file mode 100644
index 000000000000..b297e744334d
--- /dev/null
+++ b/secureboot-helper-edk2.hook
@@ -0,0 +1,12 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = edk2-shell
+
+[Action]
+Description = Signing EDK2 EFI Shell Binary for SecureBoot
+When = PostTransaction
+Exec = /usr/bin/sbsign --key /%SIGN_LOCATION%/db/db.key --cert /%SIGN_LOCATION%/db/db.crt --output "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" "/usr/share/edk2-shell/x64/Shell_Full.efi"
+Depends = sbsigntools
+Depends = grep
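Review bot: The Exec line signs Shell_Full.efi but writes the result to `/usr/lib/systemd/boot/efi/systemd-bootx64.efi`, a path carried over from the systemd hook, so every edk2-shell install or upgrade replaces the systemd-boot loader image with the EFI shell while the shell itself stays unsigned; change it to `--output "/usr/share/edk2-shell/x64/Shell_Full.efi" "/usr/share/edk2-shell/x64/Shell_Full.efi"` so the 96-edk2-update hook copies the signed image. `Depends = grep` is not used by anything in this Exec and can go, the same clean-up the commit already does for findutils in secureboot-helper-systemd.hook. Signing an interactive EFI shell with the db key also makes it trusted by the firmware on every boot, which widens what may run under Secure Boot well beyond the kernel, microcode and bootloader the package otherwise signs; state that trade-off in a comment at the top of the file, e.g. `# NOTE: a db-signed EFI shell is trusted by the firmware like any other boot image`.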
diff --git a/secureboot-helper-systemd.hook b/secureboot-helper-systemd.hook
index ed4dc5abb35f..d60ccbfae341 100644
--- a/secureboot-helper-systemd.hook
+++ b/secureboot-helper-systemd.hook
@@ -9,5 +9,4 @@ Description = Signing SystemD for SecureBoot
When = PostTransaction
Exec = /usr/bin/sbsign --key /%SIGN_LOCATION%/db/db.key --cert /%SIGN_LOCATION%/db/db.crt --output "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" "/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
Depends = sbsigntools
-Depends = findutils
Depends = grep
diff --git a/uki-sbsign.post b/uki-sbsign.post
new file mode 100644
index 000000000000..b19c36fd4a0b
--- /dev/null
+++ b/uki-sbsign.post
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+uki="$3"
+[[ -n "$uki" ]] || exit 0
+
+keypairs=(/etc/secureboot/keys/db/db.key /etc/secureboot/keys/db/db.crt)
+
+for (( i=0; i<${#keypairs[@]}; i+=2 )); do
+ key="${keypairs[$i]}" cert="${keypairs[(( i + 1 ))]}"
+ if ! sbverify --cert "$cert" "$uki" &>/dev/null; then
+ sbsign --key "$key" --cert "$cert" --output "$uki" "$uki"
+ fi
+done
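Review bot: The script has no `set -e` and never checks sbsign's exit status, so a failed signing (missing key, unreadable image) leaves the UKI unsigned while mkinitcpio still reports success; add `set -euo pipefail` after the shebang, which is safe here because `sbverify` is only used as an `if` condition. The key location is hard-coded as `/etc/secureboot/keys` while the other hook files carry `%SIGN_LOCATION%` and are rewritten in prepare(); either use the placeholder and add this file to the sed list in PKGBUILD, or note `# must match _sign_location in PKGBUILD`. `${keypairs[(( i + 1 ))]}` works only because the array subscript is already an arithmetic context; `${keypairs[i+1]}` says the same thing plainly. Whether `$3` is the UKI path depends on mkinitcpio's post-hook calling convention, which is not visible here, so a one-line comment naming the expected arguments (`# $1 kernel version, $2 initramfs path, $3 UKI path — TODO confirm against mkinitcpio`) would document the contract.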