archboot/usr/lib/initcpio/install/archboot_secure_boot

#!/usr/bin/env bash
# Created by Tobias Powalowski <tpowa@archlinux.org>

build ()
{
    # https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
    apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
          hash-to-efi-sig-list sig-list-to-certs cert-to-efi-list sign-efi-sig-list sbattach sbkeysync \
          sbsiglist sbsign sbvarsign sbverify "
    add_file "/etc/ssl/openssl.cnf"
    for i in $apps; do
        add_binary "$i"
    done
    # add mkkeys.sh
    curl -L -o ${MKKEYS} https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh 
    MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)
    chmod 755 ${MKKEYS}
    add_file "${MKKEYS}" "/usr/bin/mkkeys.sh"
    # add python3 files for script
    add_full_dir /usr/lib/python3.9/encodings
    add_full_dir /usr/lib/python3.9/collections
    add_full_dir /usr/lib/python3.9/logging
    PYTHON_FILES="_collections_abc.py keyword.py heapq.py collections.py platform.py types.py enum.py uuid.py \
                  _sitebuiltins.py genericpath.py posixpath.py _collections_abc.py stat.py os.py site.py abc.py io.py codecs.py \
                  operator.py reprlib.py re.py sre_compile.py sre_parse.py sre_constants.py functools.py copyreg.py subprocess.py \
                  signal.py threading.py _weakrefset.py warnings.py contextlib.py random.py bisect.py hashlib.py traceback.py \
                  linecache.py tokenize.py token.py weakref.py string.py"
    PYTHON_DYN="select.cpython-39-x86_64-linux-gnu.so math.cpython-39-x86_64-linux-gnu.so _random.cpython-39-x86_64-linux-gnu.so \
                _sha512.cpython-39-x86_64-linux-gnu.so _posixsubprocess.cpython-39-x86_64-linux-gnu.so" 
    for i in "${PYTHON_FILES}"; do
        add_file "/usr/lib/python3.9/"$i""
    done
    for i in "${PYTHON_DYN}"; do
        add_file "/usr/lib/python3.9/lib-dynload/"$i""
    done
    # add preloader files
    add_file "/usr/share/efitools/efi/PreLoader.efi"
    add_file "/usr/share/efitools/efi/HashTool.efi"
    add_file "/usr/share/efitools/efi/KeyTool.efi"
    # add preloader_signed files
    PRELOADER_SIGNED=$(mktemp /var/tmp/preloader.XXXX)
    HASHTOOL_SIGNED=$(mktemp /var/tmp/hashtool.XXXX)
    curl -L -o ${PRELOADER_SIGNED} https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
    curl -L -o ${HASHTOOL_SIGNED} https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
    add_file "${PRELOADER_SIGNED}" "/usr/share/preloader-signed/PreLoader.efi"
    add_file "${HASHTOOL_SIGNED}" "/usr/share/preloader-signed/HashTool.efi"
    # add shim signed files from fedora
    SHIM=$(mktemp -d /var/tmp/shim.XXXX)
    curl --create-dirs -L -O --output-dir ${SHIM} https://kojipkgs.fedoraproject.org/packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm
    bsdtar -C ${SHIM} -xf ${SHIM}/shim-x64-15.4-5.x86_64.rpm
    add_file "${SHIM}/boot/efi/EFI/fedora/mmx64.efi" "/usr/share/fedora-shim/mmx64.efi"
    add_file "${SHIM}/boot/efi/EFI/fedora/shim.efi" "/usr/share/fedora-shim/shim.efi"
    add_file "${SHIM}/boot/efi/EFI/fedora/shimx64.efi" "/usr/share/fedora-shim/shimx64.efi"
    # add grub signed from fedora
    GRUB2=$(mktemp -d /var/tmp/grub2.XXXX)
    curl --create-dirs -L -O --output-dir ${GRUB2} https://kojipkgs.fedoraproject.org/packages/grub2/2.06/8.fc36/x86_64/grub2-efi-x64-2.06-8.fc36.x86_64.rpm
    bsdtar -C ${GRUB2} -xf ${GRUB2}/grub2-efi-x64-2.06-8.fc36.x86_64.rpm
    add_file ${GRUB2}/boot/efi/EFI/fedora/grubx64.efi "/usr/share/fedora-grub2/grubx64.efi"
}

help ()
{
cat<<HELPEOF
  This hook includes secure boot tools on an archboot image.
HELPEOF
}
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`#!/usr/bin/env bash`
			`# Created by Tobias Powalowski <tpowa@archlinux.org>`

			`build ()`
			`{`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`# https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot`
			`apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \`
			`hash-to-efi-sig-list sig-list-to-certs cert-to-efi-list sign-efi-sig-list sbattach sbkeysync \`
			`sbsiglist sbsign sbvarsign sbverify "`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`add_file "/etc/ssl/openssl.cnf"`
			`for i in $apps; do`
			`add_binary "$i"`
			`done`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`# add mkkeys.sh`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`curl -L -o ${MKKEYS} https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh`
			`MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)`
			`chmod 755 ${MKKEYS}`
			`add_file "${MKKEYS}" "/usr/bin/mkkeys.sh"`
			`# add python3 files for script`
			`add_full_dir /usr/lib/python3.9/encodings`
			`add_full_dir /usr/lib/python3.9/collections`
			`add_full_dir /usr/lib/python3.9/logging`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`PYTHON_FILES="_collections_abc.py keyword.py heapq.py collections.py platform.py types.py enum.py uuid.py \`
			`_sitebuiltins.py genericpath.py posixpath.py _collections_abc.py stat.py os.py site.py abc.py io.py codecs.py \`
			`operator.py reprlib.py re.py sre_compile.py sre_parse.py sre_constants.py functools.py copyreg.py subprocess.py \`
			`signal.py threading.py _weakrefset.py warnings.py contextlib.py random.py bisect.py hashlib.py traceback.py \`
			`linecache.py tokenize.py token.py weakref.py string.py"`
			`PYTHON_DYN="select.cpython-39-x86_64-linux-gnu.so math.cpython-39-x86_64-linux-gnu.so _random.cpython-39-x86_64-linux-gnu.so \`
			`_sha512.cpython-39-x86_64-linux-gnu.so _posixsubprocess.cpython-39-x86_64-linux-gnu.so"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`for i in "${PYTHON_FILES}"; do`
			`add_file "/usr/lib/python3.9/"$i""`
			`done`
			`for i in "${PYTHON_DYN}"; do`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`add_file "/usr/lib/python3.9/lib-dynload/"$i""`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`done`
			`# add preloader files`
			`add_file "/usr/share/efitools/efi/PreLoader.efi"`
			`add_file "/usr/share/efitools/efi/HashTool.efi"`
			`add_file "/usr/share/efitools/efi/KeyTool.efi"`
add secure bootloaders from fedora and to archboot environment 2021-10-12 11:55:47 +02:00			`# add preloader_signed files`
			`PRELOADER_SIGNED=$(mktemp /var/tmp/preloader.XXXX)`
			`HASHTOOL_SIGNED=$(mktemp /var/tmp/hashtool.XXXX)`
			`curl -L -o ${PRELOADER_SIGNED} https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi`
			`curl -L -o ${HASHTOOL_SIGNED} https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi`
			`add_file "${PRELOADER_SIGNED}" "/usr/share/preloader-signed/PreLoader.efi"`
			`add_file "${HASHTOOL_SIGNED}" "/usr/share/preloader-signed/HashTool.efi"`
			`# add shim signed files from fedora`
			`SHIM=$(mktemp -d /var/tmp/shim.XXXX)`
			`curl --create-dirs -L -O --output-dir ${SHIM} https://kojipkgs.fedoraproject.org/packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm`
			`bsdtar -C ${SHIM} -xf ${SHIM}/shim-x64-15.4-5.x86_64.rpm`
			`add_file "${SHIM}/boot/efi/EFI/fedora/mmx64.efi" "/usr/share/fedora-shim/mmx64.efi"`
			`add_file "${SHIM}/boot/efi/EFI/fedora/shim.efi" "/usr/share/fedora-shim/shim.efi"`
			`add_file "${SHIM}/boot/efi/EFI/fedora/shimx64.efi" "/usr/share/fedora-shim/shimx64.efi"`
			`# add grub signed from fedora`
			`GRUB2=$(mktemp -d /var/tmp/grub2.XXXX)`
			`curl --create-dirs -L -O --output-dir ${GRUB2} https://kojipkgs.fedoraproject.org/packages/grub2/2.06/8.fc36/x86_64/grub2-efi-x64-2.06-8.fc36.x86_64.rpm`
			`bsdtar -C ${GRUB2} -xf ${GRUB2}/grub2-efi-x64-2.06-8.fc36.x86_64.rpm`
			`add_file ${GRUB2}/boot/efi/EFI/fedora/grubx64.efi "/usr/share/fedora-grub2/grubx64.efi"`
add secure boot tools and remove preloader 2021-10-12 10:08:10 +02:00			`}`

			`help ()`
			`{`
			`cat<<HELPEOF`
			`This hook includes secure boot tools on an archboot image.`
			`HELPEOF`
			`}`