replace mkkeys.sh with a modified uuidgen one
This commit is contained in:
parent
b022a14758
commit
5e379267ee
3 changed files with 48 additions and 72 deletions
|
@ -1,41 +1,44 @@
|
|||
#!/bin/bash
|
||||
_MKKEYS_SERVER="https://www.rodsbooks.com/efi-bootloaders"
|
||||
_MKKEYS_URL="${_MKKEYS_SERVER}/mkkeys.sh"
|
||||
_USER="tobias"
|
||||
_GROUP="users"
|
||||
_GPG="--detach-sign --no-armor --batch --passphrase-file /etc/archboot/gpg.passphrase --pinentry-mode loopback -u 7EDF681F"
|
||||
_SERVER="pkgbuild.com"
|
||||
_MKKEYS_ARCH_SERVERDIR="/home/tpowa/public_html/archboot-helper/mkkeys"
|
||||
# Copyright (c) 2015 by Roderick W. Smith
|
||||
# Licensed under the terms of the GPL v3
|
||||
# replaced GUID with uuidgen
|
||||
|
||||
### check for root
|
||||
if ! [[ ${UID} -eq 0 ]]; then
|
||||
echo "ERROR: Please run as root user!"
|
||||
exit 1
|
||||
fi
|
||||
### check for tpowa's build server
|
||||
if [[ ! "$(cat /etc/hostname)" == "T-POWA-LX" ]]; then
|
||||
echo "This script should only be run on tpowa's build server. Aborting..."
|
||||
exit 1
|
||||
fi
|
||||
# download packages from fedora server
|
||||
echo "Downloading mkkeys.sh..."
|
||||
mkdir -m 777 mkkeys
|
||||
curl -s --create-dirs -L -O --output-dir ./mkkeys/ ${_MKKEYS_URL} || exit 1
|
||||
# sign files
|
||||
echo "Sign files and upload ..."
|
||||
#shellcheck disable=SC2086
|
||||
cd mkkeys/ || exit 1
|
||||
chown "${_USER}" ./*
|
||||
chgrp "${_GROUP}" ./*
|
||||
for i in *; do
|
||||
#shellcheck disable=SC2086
|
||||
[[ -f "${i}" ]] && sudo -u "${_USER}" gpg ${_GPG} "${i}" || exit 1
|
||||
[[ -f "${i}" ]] && cksum -a sha256 "${i}" >> sha256sum.txt
|
||||
[[ -f "${i}.sig" ]] && cksum -a sha256 "${i}.sig" >> sha256sum.txt
|
||||
done
|
||||
sudo -u "${_USER}" scp ./* "${_SERVER}:${_MKKEYS_ARCH_SERVERDIR}" || exit 1
|
||||
# cleanup
|
||||
echo "Remove mkkeys directory."
|
||||
cd ..
|
||||
rm -r mkkeys
|
||||
echo "Finished fedora Shim."
|
||||
echo -n "Enter a Common Name to embed in the keys: "
|
||||
read NAME
|
||||
|
||||
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout PK.key \
|
||||
-out PK.crt -days 3650 -nodes -sha256
|
||||
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout KEK.key \
|
||||
-out KEK.crt -days 3650 -nodes -sha256
|
||||
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout DB.key \
|
||||
-out DB.crt -days 3650 -nodes -sha256
|
||||
openssl x509 -in PK.crt -out PK.cer -outform DER
|
||||
openssl x509 -in KEK.crt -out KEK.cer -outform DER
|
||||
openssl x509 -in DB.crt -out DB.cer -outform DER
|
||||
|
||||
uuidgen > myGUID.txt
|
||||
|
||||
cert-to-efi-sig-list -g $GUID PK.crt PK.esl
|
||||
cert-to-efi-sig-list -g $GUID KEK.crt KEK.esl
|
||||
cert-to-efi-sig-list -g $GUID DB.crt DB.esl
|
||||
rm -f noPK.esl
|
||||
touch noPK.esl
|
||||
|
||||
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k PK.key -c PK.crt PK PK.esl PK.auth
|
||||
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k PK.key -c PK.crt PK noPK.esl noPK.auth
|
||||
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k PK.key -c PK.crt KEK KEK.esl KEK.auth
|
||||
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k KEK.key -c KEK.crt db DB.esl DB.auth
|
||||
|
||||
chmod 0600 *.key
|
||||
|
||||
echo ""
|
||||
echo ""
|
||||
echo "For use with KeyTool, copy the *.auth and *.esl files to a FAT USB"
|
||||
echo "flash drive or to your EFI System Partition (ESP)."
|
||||
echo "For use with most UEFIs' built-in key managers, copy the *.cer files;"
|
||||
echo "but some UEFIs require the *.auth files."
|
||||
echo ""
|
||||
|
|
|
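Review bot: The three `cert-to-efi-sig-list -g $GUID …` lines reference a variable that, as far as this hunk shows, is never assigned: the replacement line `uuidgen > myGUID.txt` only writes the value to a file, so `$GUID` expands to empty and `PK.crt` is consumed as the GUID argument, leaving the ESL files wrong or unwritten. Capture the value first — `GUID=$(uuidgen)` and `printf '%s\n' "$GUID" > myGUID.txt` — and quote it at each use, `cert-to-efi-sig-list -g "$GUID" PK.crt PK.esl`, with the KEK and DB lines changed the same way. While here, `read NAME` should be `read -r NAME` so a backslash in the entered Common Name is not interpreted before it lands in the `-subj` strings, and a short header comment stating that all key, certificate and auth files are written to the current working directory would help whoever runs this outside the installer.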
@ -53,17 +53,9 @@ if [[ -n "${_DIR}" ]]; then
|
|||
cd BACKUP || exit 1; mokutil --export; cd .. || exit 1
|
||||
echo "Generating Keys in $_DIR"
|
||||
# add mkkeys.sh
|
||||
if [[ ! -f /usr/bin/mkkeys.sh ]]; then
|
||||
curl -s -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh || exit 1
|
||||
chmod 755 mkkeys.sh
|
||||
./mkkeys.sh <<EOF
|
||||
./mkkeys.sh <<EOF
|
||||
${NAME}
|
||||
EOF
|
||||
else
|
||||
mkkeys.sh <<EOF
|
||||
${NAME}
|
||||
EOF
|
||||
fi
|
||||
# download MS Certificates, else EFI might get broken!
|
||||
curl -s -L -O https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
|
||||
curl -s -L -O https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
|
||||
|
|
|
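Review bot: The surviving `./mkkeys.sh <<EOF` invocation (whichever of the two printed copies is the new side) has no exit-status check, so if key generation fails the script carries on to download the Microsoft certificates and the steps after this hunk run with the PK/KEK/DB files missing. The fallback branch that was removed at least guarded its download with `|| exit 1`; the remaining call should do the same, `./mkkeys.sh <<EOF || exit 1`, with the heredoc body unchanged. The enclosing `if [[ -n "${_DIR}" ]]` block starts before this hunk and its closing `fi` is outside it.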
@ -5,36 +5,17 @@ build ()
|
|||
{
|
||||
# https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
|
||||
_RUNNING_ARCH="$(uname -m)"
|
||||
apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
|
||||
apps="openssl cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
|
||||
hash-to-efi-sig-list sig-list-to-certs cert-to-efi-sig-list sign-efi-sig-list sbattach sbkeysync \
|
||||
sbsiglist sbsign sbvarsign sbverify mokutil"
|
||||
add_file "/etc/ssl/openssl.cnf"
|
||||
for i in $apps; do
|
||||
add_binary "$i"
|
||||
done
|
||||
# add mkkeys.sh
|
||||
MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)
|
||||
curl -s -L -o "${MKKEYS}" https://pkgbuild.com/~tpowa/archboot-helper/mkkeys/mkkeys.sh
|
||||
chmod 755 "${MKKEYS}"
|
||||
add_file "${MKKEYS}" "/usr/bin/mkkeys.sh"
|
||||
# add python3 files for script
|
||||
add_full_dir /usr/lib/python3.10/encodings
|
||||
add_full_dir /usr/lib/python3.10/collections
|
||||
add_full_dir /usr/lib/python3.10/logging
|
||||
PYTHON_FILES="_collections_abc keyword heapq platform types enum uuid \
|
||||
_sitebuiltins genericpath posixpath _collections_abc stat os site abc io codecs \
|
||||
operator reprlib re sre_compile sre_parse sre_constants functools copyreg subprocess \
|
||||
signal threading _weakrefset warnings contextlib random bisect hashlib traceback \
|
||||
linecache tokenize token weakref string selectors"
|
||||
for i in ${PYTHON_FILES}; do
|
||||
add_file "/usr/lib/python3.10/$i.py"
|
||||
done
|
||||
PYTHON_DYN="select.cpython-310-${_RUNNING_ARCH}-linux-gnu math.cpython-310-${_RUNNING_ARCH}-linux-gnu \
|
||||
_random.cpython-310-${_RUNNING_ARCH}-linux-gnu _sha512.cpython-310-${_RUNNING_ARCH}-linux-gnu \
|
||||
_posixsubprocess.cpython-310-${_RUNNING_ARCH}-linux-gnu"
|
||||
for i in ${PYTHON_DYN}; do
|
||||
add_file "/usr/lib/python3.10/lib-dynload/$i.so"
|
||||
done
|
||||
# add mkkeys.sh,
|
||||
# curl -s -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
|
||||
# modiiied to use uuidgen instead of python
|
||||
add_file "/usr/bin/archboot-mkkeys.sh" "/usr/bin/mkkeys.sh"
|
||||
# add efitools files
|
||||
[[ "${_RUNNING_ARCH}" == "x86_64" ]] && add_file "/usr/share/efitools/efi/PreLoader.efi"
|
||||
add_file "/usr/share/efitools/efi/HashTool.efi"
|
||||
|
|
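Review bot: The comment above the new `add_file "/usr/bin/archboot-mkkeys.sh" "/usr/bin/mkkeys.sh"` line says the script now uses `uuidgen` instead of python, but `uuidgen` is not in the `apps` list handed to `add_binary`, while the python modules the old script needed have been dropped; unless util-linux's uuidgen reaches the image by another path, the bundled `/usr/bin/mkkeys.sh` will fail at run time. Add it to the list: `apps="openssl uuidgen cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \`. Also fix the typo in that comment, `# modified to use uuidgen instead of python`, and consider stating there that the script is now shipped from the package rather than fetched at build time, since the commented-out curl line alone reads as a leftover. `build()` opens before this hunk and closes after it.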