path: root/grub-sbctl-sign
blob: b16000bd1079a57f5edbcf65b07aac338ba871e6 (plain)
#!/bin/bash

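set -euo pipefail

# Ensure the script is run as root. Diagnostics go to stderr so they are
# not mixed into anything a caller captures from stdout.
if [[ $EUID -ne 0 ]]; then
	echo "Insufficient permission!" >&2
	echo "Please run this script as root" >&2
	exit 1
fi

# Source configuration file(s).
# _RUN_FROM_SETUP is compared as a string instead of being executed as a
# command, so an unexpected value in the environment cannot run an
# arbitrary command as root. The := default assignment is kept on purpose.
# NOTE(review): with the default "false" nothing is sourced here, so
# GRUB_KEYDIR, BL_PATH and GRUB_CONFDIR must already be present in the
# environment (otherwise the check below aborts) — confirm this polarity
# is the intended one.
# shellcheck disable=SC1091
if [[ "${_RUN_FROM_SETUP:=false}" == "true" ]]; then
	if [ -f /etc/gsb.conf ]; then
		source /etc/gsb.conf
		if [ -f /etc/gsb.user.conf ]; then
			source /etc/gsb.user.conf
		fi
	else
		# Debug fallback: this sources gsb.conf from the *current working
		# directory* as root, so it must only be used from a trusted checkout.
		source gsb.conf # For debugging purposes
	fi
fi

# Fail with a clear message (instead of a bare "unbound variable" from
# set -u) when the configuration was never loaded.
: "${GRUB_KEYDIR?GRUB_KEYDIR is not set; was the configuration sourced?}"

# Check for key existence
if [ ! -f "$GRUB_KEYDIR/boot.key" ]; then
	echo "grub-sbctl is not set up. Skipping..."
	exit 0
fi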

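sign_efi() {
	# Sign EFI binaries and kernel images with sbctl.
	# Globals:   BL_PATH (read) - directory searched for the GRUB EFI binary
	# Outputs:   whatever sbctl prints
	# Returns:   non-zero if sbctl fails (under set -e this aborts the script)
	local grub_efi=""
	local f

	# Only the first grub*.efi exactly two levels below BL_PATH is signed
	# (same as the previous `head -1`). The path is read NUL-delimited so a
	# path containing whitespace is no longer split into several words.
	IFS= read -r -d '' grub_efi < <(
		find "$BL_PATH" -mindepth 2 -maxdepth 2 -type f -iname "grub*.efi" -print0
	) || true

	# An empty grub_efi and unmatched globs (left literal) are skipped by
	# the -f test.
	for f in "$grub_efi" /boot/vmlinu[xz]-* /boot/kernel-*; do
		[ -f "$f" ] || continue
		sbctl sign -s "$(realpath "$f")"
		# Add a little delay while sbctl updates its database
		sleep 1
	done
}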

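update_grub() {
	# Generate the GRUB config, then gpg-sign every file under BL_PATH and
	# GRUB_CONFDIR that is not an EFI binary or a .sig file and has no valid
	# detached signature.
	# Globals:   GRUB_CONFDIR, BL_PATH, GRUB_KEYDIR (read)
	# Outputs:   one "Signing <file>..." line per file that is (re)signed
	# Returns:   non-zero if grub-mkconfig or gpg --detach-sign fails
	local f

	# Generate GRUB config
	grub-mkconfig -o "$GRUB_CONFDIR/grub.cfg"

	# Files are excluded by name suffix (the previous unanchored regex
	# '\.(efi|sig)' matched anywhere in the path) and passed NUL-delimited
	# so paths with whitespace are handled as one argument.
	while IFS= read -r -d '' f; do
		if [ -f "${f}.sig" ]; then
			# A signature that still verifies is left alone; a stale or
			# invalid one is removed and regenerated below.
			gpg --homedir "$GRUB_KEYDIR" --verify "${f}.sig" 2>/dev/null && continue
			rm -f "${f}.sig"
		fi
		echo "Signing $f..."
		# stderr is deliberately not suppressed: under set -e a failed
		# signing aborts the script, and the reason should be visible.
		gpg --homedir "$GRUB_KEYDIR" --detach-sign "$f"
	done < <(
		find "$BL_PATH" -type f ! -iname '*.efi' ! -name '*.sig' -print0
		find "$GRUB_CONFDIR" -type f ! -name '*.sig' -print0
	)
}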

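# Sign the EFI binaries in the background while the GRUB config is
# regenerated and gpg-signed, then reap that job by PID: a bare `wait`
# always returns 0, so a failed sbctl run would otherwise go unnoticed
# even under set -e.
sign_efi &
efi_pid=$!
update_grub
wait "$efi_pid"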