archboot/usr/lib/initcpio/install/archboot_secure_boot

#!/usr/bin/env bash
# Created by Tobias Powalowski <tpowa@archlinux.org>

build ()
{
    # https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
    apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
          hash-to-efi-sig-list sig-list-to-certs cert-to-efi-sig-list sign-efi-sig-list sbattach sbkeysync \
          sbsiglist sbsign sbvarsign sbverify mokutil"
    add_file "/etc/ssl/openssl.cnf"
    for i in $apps; do
        add_binary "$i"
    done
    # add mkkeys.sh
    MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)
    curl -s -L -o "${MKKEYS}" https://pkgbuild.com/~tpowa/archboot-helper/mkkeys/mkkeys.sh 
    chmod 755 "${MKKEYS}"
    add_file "${MKKEYS}" "/usr/bin/mkkeys.sh"
    # add python3 files for script
    add_full_dir /usr/lib/python3.10/encodings
    add_full_dir /usr/lib/python3.10/collections
    add_full_dir /usr/lib/python3.10/logging
    PYTHON_FILES="_collections_abc keyword heapq platform types enum uuid \
                  _sitebuiltins genericpath posixpath _collections_abc stat os site abc io codecs \
                  operator reprlib re sre_compile sre_parse sre_constants functools copyreg subprocess \
                  signal threading _weakrefset warnings contextlib random bisect hashlib traceback \
                  linecache tokenize token weakref string selectors"
    if [[ "$(uname -m)" == "x86_64" ]]; then
        PYTHON_DYN="select.cpython-310-x86_64-linux-gnu math.cpython-310-x86_64-linux-gnu _random.cpython-310-x86_64-linux-gnu \
                    _sha512.cpython-310-x86_64-linux-gnu _posixsubprocess.cpython-310-x86_64-linux-gnu"
    fi
    if [[ "$(uname -m)" == "aarch64" ]]; then
       PYTHON_DYN="select.cpython-310-aarch64-linux-gnu math.cpython-310-aarch64-linux-gnu _random.cpython-310-aarch64-linux-gnu \
                  _sha512.cpython-310-aarch64-linux-gnu _posixsubprocess.cpython-310-aarch64-linux-gnu"
    fi  
    for i in ${PYTHON_FILES}; do
        add_file "/usr/lib/python3.10/$i.py"
    done
    for i in ${PYTHON_DYN}; do
        add_file "/usr/lib/python3.10/lib-dynload/$i.so"
    done
    # add efitools files
    if [[ "$(uname -m)" == "x86_64" ]]; then
        add_file "/usr/share/efitools/efi/PreLoader.efi"
    fi
    add_file "/usr/share/efitools/efi/HashTool.efi"
    add_file "/usr/share/efitools/efi/KeyTool.efi"
    # add shim signed files from fedora
    _SHIM_URL="https://pkgbuild.com/~tpowa/archboot-helper/fedora-shim"
    _SHIM=$(mktemp -d /var/tmp/shim.XXXX)
    if [[ "$(uname -m)" == "x86_64" ]]; then
        curl -s --create-dirs -L -O --output-dir "${_SHIM}" "${_SHIM_URL}"/{mmx64.efi,shimx64.efi,mmia32.efi,shimia32.efi}
        add_file "${_SHIM}/mmx64.efi" "/usr/share/archboot/fedora-shim/mmx64.efi"
        add_file "${_SHIM}/shimx64.efi" "/usr/share/archboot/fedora-shim/shimx64.efi"
        add_file "${_SHIM}/mmia32.efi" "/usr/share/archboot/fedora-shim/mmia32.efi"
        add_file "${_SHIM}/shimia32.efi" "/usr/share/archboot/fedora-shim/shimia32.efi"
    fi
     if [[ "$(uname -m)" == "aarch64" ]]; then
        curl -s --create-dirs -L -O --output-dir "${_SHIM}" "${_SHIM_URL}"/{mmaa64.efi,shimaa64.efi}
        add_file "${_SHIM}/mmaa64.efi" "/usr/share/archboot/fedora-shim/mmaa64.efi"
        add_file "${_SHIM}/shimaa64.efi" "/usr/share/archboot/fedora-shim/shimaa64.efi"
    fi
    # add generate keys script
    add_file "/usr/bin/archboot-secureboot-keys.sh" "/usr/bin/secureboot-keys.sh"
}

help ()
{
cat<<HELPEOF
  This hook includes secure boot tools on an archboot image.
HELPEOF
}
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`#!/usr/bin/env bash`
			`# Created by Tobias Powalowski <tpowa@archlinux.org>`

			`build ()`
			`{`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`# https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot`
			`apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \`
fix errors 2021-10-12 12:28:30 +02:00			`hash-to-efi-sig-list sig-list-to-certs cert-to-efi-sig-list sign-efi-sig-list sbattach sbkeysync \`
remove sbctl it is not bullet proof yet 2021-10-14 21:34:46 +02:00			`sbsiglist sbsign sbvarsign sbverify mokutil"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`add_file "/etc/ssl/openssl.cnf"`
			`for i in $apps; do`
			`add_binary "$i"`
			`done`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`# add mkkeys.sh`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)`
correct download link 2022-01-30 16:01:15 +01:00			`curl -s -L -o "${MKKEYS}" https://pkgbuild.com/~tpowa/archboot-helper/mkkeys/mkkeys.sh`
code cleanup 2022-01-21 12:27:31 +01:00			`chmod 755 "${MKKEYS}"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`add_file "${MKKEYS}" "/usr/bin/mkkeys.sh"`
			`# add python3 files for script`
change to python 3.10 2022-01-05 14:04:37 +01:00			`add_full_dir /usr/lib/python3.10/encodings`
			`add_full_dir /usr/lib/python3.10/collections`
			`add_full_dir /usr/lib/python3.10/logging`
fix secure boot tools 2021-10-15 10:16:35 +02:00			`PYTHON_FILES="_collections_abc keyword heapq platform types enum uuid \`
			`_sitebuiltins genericpath posixpath _collections_abc stat os site abc io codecs \`
			`operator reprlib re sre_compile sre_parse sre_constants functools copyreg subprocess \`
			`signal threading _weakrefset warnings contextlib random bisect hashlib traceback \`
			`linecache tokenize token weakref string selectors"`
merge secureboot 2022-01-06 18:31:16 +01:00			`if [[ "$(uname -m)" == "x86_64" ]]; then`
			`PYTHON_DYN="select.cpython-310-x86_64-linux-gnu math.cpython-310-x86_64-linux-gnu _random.cpython-310-x86_64-linux-gnu \`
			`_sha512.cpython-310-x86_64-linux-gnu _posixsubprocess.cpython-310-x86_64-linux-gnu"`
			`fi`
			`if [[ "$(uname -m)" == "aarch64" ]]; then`
			`PYTHON_DYN="select.cpython-310-aarch64-linux-gnu math.cpython-310-aarch64-linux-gnu _random.cpython-310-aarch64-linux-gnu \`
			`_sha512.cpython-310-aarch64-linux-gnu _posixsubprocess.cpython-310-aarch64-linux-gnu"`
			`fi`
code cleanup 2022-01-21 12:27:31 +01:00			`for i in ${PYTHON_FILES}; do`
change to python 3.10 2022-01-05 14:04:37 +01:00			`add_file "/usr/lib/python3.10/$i.py"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`done`
code cleanup 2022-01-21 12:27:31 +01:00			`for i in ${PYTHON_DYN}; do`
change to python 3.10 2022-01-05 14:04:37 +01:00			`add_file "/usr/lib/python3.10/lib-dynload/$i.so"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`done`
fix secure boot tools 2021-10-15 10:16:35 +02:00			`# add efitools files`
merge secureboot 2022-01-06 18:31:16 +01:00			`if [[ "$(uname -m)" == "x86_64" ]]; then`
			`add_file "/usr/share/efitools/efi/PreLoader.efi"`
			`fi`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`add_file "/usr/share/efitools/efi/HashTool.efi"`
			`add_file "/usr/share/efitools/efi/KeyTool.efi"`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`# add shim signed files from fedora`
don't rely on fedora infrastructure 2022-01-30 15:23:11 +01:00			`_SHIM_URL="https://pkgbuild.com/~tpowa/archboot-helper/fedora-shim"`
			`_SHIM=$(mktemp -d /var/tmp/shim.XXXX)`
merge secureboot 2022-01-06 18:31:16 +01:00			`if [[ "$(uname -m)" == "x86_64" ]]; then`
don't rely on fedora infrastructure 2022-01-30 15:23:11 +01:00			`curl -s --create-dirs -L -O --output-dir "${_SHIM}" "${_SHIM_URL}"/{mmx64.efi,shimx64.efi,mmia32.efi,shimia32.efi}`
			`add_file "${_SHIM}/mmx64.efi" "/usr/share/archboot/fedora-shim/mmx64.efi"`
			`add_file "${_SHIM}/shimx64.efi" "/usr/share/archboot/fedora-shim/shimx64.efi"`
			`add_file "${_SHIM}/mmia32.efi" "/usr/share/archboot/fedora-shim/mmia32.efi"`
			`add_file "${_SHIM}/shimia32.efi" "/usr/share/archboot/fedora-shim/shimia32.efi"`
merge secureboot 2022-01-06 18:31:16 +01:00			`fi`
			`if [[ "$(uname -m)" == "aarch64" ]]; then`
don't rely on fedora infrastructure 2022-01-30 15:23:11 +01:00			`curl -s --create-dirs -L -O --output-dir "${_SHIM}" "${_SHIM_URL}"/{mmaa64.efi,shimaa64.efi}`
			`add_file "${_SHIM}/mmaa64.efi" "/usr/share/archboot/fedora-shim/mmaa64.efi"`
			`add_file "${_SHIM}/shimaa64.efi" "/usr/share/archboot/fedora-shim/shimaa64.efi"`
merge secureboot 2022-01-06 18:31:16 +01:00			`fi`
add ovmf file from fedora to test securboot in qemu 2021-10-14 15:12:56 +02:00			`# add generate keys script`
add backup of secureboot keys and rename script 2021-10-15 11:11:37 +02:00			`add_file "/usr/bin/archboot-secureboot-keys.sh" "/usr/bin/secureboot-keys.sh"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`}`

			`help ()`
			`{`
			`cat<<HELPEOF`
			`This hook includes secure boot tools on an archboot image.`
			`HELPEOF`
			`}`