From db1ff9818795496c965482e06793b8175df053db Mon Sep 17 00:00:00 2001
From: Tobias Powalowski
Date: Tue, 12 Oct 2021 11:55:47 +0200
Subject: [PATCH] add secure bootloaders from fedora and to archboot environment
---
 usr/bin/archboot-x86_64-iso.sh | 25 ++++++++++++-
 usr/lib/initcpio/install/archboot_secure_boot | 37 ++++++++++++++++---
 2 files changed, 55 insertions(+), 7 deletions(-)
diff --git a/usr/bin/archboot-x86_64-iso.sh b/usr/bin/archboot-x86_64-iso.sh
index 6301221ee..e66abc241 100755
--- a/usr/bin/archboot-x86_64-iso.sh
+++ b/usr/bin/archboot-x86_64-iso.sh
@@ -117,15 +117,36 @@ _prepare_kernel_initramfs_files() {
 _prepare_prebootloader_uefi () {
 mkdir -p "${X86_64}/EFI/BOOT"
- cp -f "/usr/share/efitools/efi/PreLoader.efi" "${X86_64}/EFI/BOOT/BOOTX64.EFI"
- cp -f "/usr/share/efitools/efi/HashTool.efi" "${X86_64}/EFI/BOOT/HashTool.efi"
+ # use signed files here, although they are from 2013
+ curl -L -o "${X86_64}/EFI/BOOT/BOOTX64.EFI" https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
+ curl -L -o "${X86_64}/EFI/BOOT/HashTool.efi" https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
+ # add fallback if download is broken, although probably useless
+ [[ ! - f "${X86_64}/EFI/BOOT/BOOTX64.EFI" ]] && cp -f "/usr/share/efitools/efi/PreLoader.efi" "${X86_64}/EFI/BOOT/BOOTX64.EFI"
+ [[ ! - f "${X86_64}/EFI/BOOT/HashTool.efi" ]] cp -f "/usr/share/efitools/efi/HashTool.efi" "${X86_64}/EFI/BOOT/HashTool.efi"
+ # keytool is not available as signed file
 cp -f "/usr/share/efitools/efi/KeyTool.efi" "${X86_64}/EFI/BOOT/KeyTool.efi"
 }
+_prepare_fedora_bootloaer () {
+ # add shim signed files from fedora
+ SHIM=$(mktemp -d /var/tmp/shim.XXXX)
+ curl --create-dirs -L -O --output-dir ${SHIM} https://kojipkgs.fedoraproject.org/packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm
+ bsdtar -C ${SHIM} -xf ${SHIM}/shim-x64-15.4-5.x86_64.rpm
+ cp "${SHIM}/boot/efi/EFI/fedora/mmx64.efi" "${X86_64}/EFI/BOOT/mmx64.efi"
+ cp "${SHIM}/boot/efi/EFI/fedora/shim.efi" "${X86_64}/EFI/BOOT/shim.efi"
+ cp "${SHIM}/boot/efi/EFI/fedora/shimx64.efi" "${X86_64}/EFI/BOOT/shimx64.efi"
+ # add grub signed from fedora
+ GRUB2=$(mktemp -d /var/tmp/grub2.XXXX)
+ curl --create-dirs -L -O --output-dir ${GRUB2} https://kojipkgs.fedoraproject.org/packages/grub2/2.06/8.fc36/x86_64/grub2-efi-x64-2.06-8.fc36.x86_64.rpm
+ bsdtar -C ${GRUB2} -xf ${GRUB2}/grub2-efi-x64-2.06-8.fc36.x86_64.rpm
+ cp ${GRUB2}/boot/efi/EFI/fedora/grubx64.efi "${X86_64}/EFI/BOOT/grubx64.efi"
+}
+
 _prepare_lockdown_ms_uefi () {
 mkdir -p "${X86_64}/EFI/BOOT"
 cp -f "/usr/lib/lockdown-ms/LockDown_ms.efi" "${X86_64}/EFI/BOOT/LockDown_ms.efi"
 }
+
 _prepare_uefi_image() {
 ## get size of boot x86_64 files
diff --git a/usr/lib/initcpio/install/archboot_secure_boot b/usr/lib/initcpio/install/archboot_secure_boot
index 213df60ec..8fb4c5061 100644
--- a/usr/lib/initcpio/install/archboot_secure_boot
+++ b/usr/lib/initcpio/install/archboot_secure_boot
@@ -3,12 +3,15 @@ build ()
 {
- apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var hash-to-efi-sig-list sig-list-to-certs cert-to-efi-list sign-efi-sig-list sbattach sbkeysync sbsiglist sbsign sbvarsign sbverify "
+ # https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
+ apps="openssl python3 cert-to-efi-hash-list efi-readvar efi-updatevar efitool-mkusb flash-var \
+ hash-to-efi-sig-list sig-list-to-certs cert-to-efi-list sign-efi-sig-list sbattach sbkeysync \
+ sbsiglist sbsign sbvarsign sbverify "
 add_file "/etc/ssl/openssl.cnf"
 for i in $apps; do
 add_binary "$i"
 done
- # add mkkeys.sh curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
+ # add mkkeys.sh curl -L -o ${MKKEYS} https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh
 MKKEYS=$(mktemp /var/tmp/mkkeys.XXXX)
 chmod 755 ${MKKEYS}
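Review bot: Both fallback lines added to `_prepare_prebootloader_uefi` are syntax errors: `[[ ! - f ... ]]` splits the `-f` primary into two words, and the second line has no `&&` (or `||`) between `]]` and `cp`, so bash reports a syntax error when it parses the file and none of the functions run. Even once fixed, the fallbacks would rarely trigger, because `curl -o` without `--fail` still writes a file on an HTTP error (a 404 page ends up as BOOTX64.EFI and satisfies the `-f` test); the rewritten lines below add `-f` to curl and remove the output on failure, and the same `--fail`/status-check point applies to the curl calls in `_prepare_fedora_bootloaer` and to the build() hunk in `archboot_secure_boot`. None of the downloaded boot-chain binaries (PreLoader, HashTool, shim, grub) is verified after download although they become the root of the ISO's Secure Boot chain; pin an expected SHA-256 per artifact, e.g. `sha256sum -c <<<"<EXPECTED_SHA256_PLACEHOLDER>  ${X86_64}/EFI/BOOT/BOOTX64.EFI" || return 1` with the value taken from the upstream publication, or verify the Fedora RPM signature before `bsdtar` extracts it. The `mktemp -d` directories under /var/tmp are never removed, `${SHIM}`/`${GRUB2}` are expanded unquoted, and the function name `_prepare_fedora_bootloaer` looks like a typo for `_prepare_fedora_bootloader`, which matters if a caller elsewhere uses the intended spelling.
```bash
    mkdir -p "${X86_64}/EFI/BOOT"
    # use signed files here, although they are from 2013; --fail keeps an HTTP error page from being saved as the binary
    curl -fL -o "${X86_64}/EFI/BOOT/BOOTX64.EFI" https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi || rm -f "${X86_64}/EFI/BOOT/BOOTX64.EFI"
    curl -fL -o "${X86_64}/EFI/BOOT/HashTool.efi" https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi || rm -f "${X86_64}/EFI/BOOT/HashTool.efi"
    # add fallback if download is broken, although probably useless
    [[ -f "${X86_64}/EFI/BOOT/BOOTX64.EFI" ]] || cp -f "/usr/share/efitools/efi/PreLoader.efi" "${X86_64}/EFI/BOOT/BOOTX64.EFI"
    [[ -f "${X86_64}/EFI/BOOT/HashTool.efi" ]] || cp -f "/usr/share/efitools/efi/HashTool.efi" "${X86_64}/EFI/BOOT/HashTool.efi"
    # … unchanged: KeyTool copy …
```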
@@ -17,18 +20,42 @@ build ()
 add_full_dir /usr/lib/python3.9/encodings
 add_full_dir /usr/lib/python3.9/collections
 add_full_dir /usr/lib/python3.9/logging
- PYTHON_DYN="select.cpython-39-x86_64-linux-gnu.so math.cpython-39-x86_64-linux-gnu.so _random.cpython-39-x86_64-linux-gnu.so _sha512.cpython-39-x86_64-linux-gnu.so _posixsubprocess.cpython-39-x86_64-linux-gnu.so"
- PYTHON_FILES="_collections_abc.py keyword.py heapq.py collections.py platform.py types.py enum.py uuid.py _sitebuiltins.py genericpath.py posixpath.py _collections_abc.py stat.py os.py site.py abc.py io.py codecs.py operator.py reprlib.py re.py sre_compile.py sre_parse.py sre_constants.py functools.py copyreg.py subprocess.py signal.py threading.py _weakrefset.py warnings.py contextlib.py random.py bisect.py hashlib.py traceback.py linecache.py tokenize.py token.py weakref.py string.py"
+ PYTHON_FILES="_collections_abc.py keyword.py heapq.py collections.py platform.py types.py enum.py uuid.py \
+ _sitebuiltins.py genericpath.py posixpath.py _collections_abc.py stat.py os.py site.py abc.py io.py codecs.py \
+ operator.py reprlib.py re.py sre_compile.py sre_parse.py sre_constants.py functools.py copyreg.py subprocess.py \
+ signal.py threading.py _weakrefset.py warnings.py contextlib.py random.py bisect.py hashlib.py traceback.py \
+ linecache.py tokenize.py token.py weakref.py string.py"
+ PYTHON_DYN="select.cpython-39-x86_64-linux-gnu.so math.cpython-39-x86_64-linux-gnu.so _random.cpython-39-x86_64-linux-gnu.so \
+ _sha512.cpython-39-x86_64-linux-gnu.so _posixsubprocess.cpython-39-x86_64-linux-gnu.so"
 for i in "${PYTHON_FILES}"; do
 add_file "/usr/lib/python3.9/"$i""
 done
 for i in "${PYTHON_DYN}"; do
- add_file "/usr/lib/python3.9/lib-dynload/"${i}""
+ add_file "/usr/lib/python3.9/lib-dynload/"$i""
 done
 # add preloader files
 add_file "/usr/share/efitools/efi/PreLoader.efi"
 add_file "/usr/share/efitools/efi/HashTool.efi"
 add_file "/usr/share/efitools/efi/KeyTool.efi"
+ # add preloader_signed files
+ PRELOADER_SIGNED=$(mktemp /var/tmp/preloader.XXXX)
+ HASHTOOL_SIGNED=$(mktemp /var/tmp/hashtool.XXXX)
+ curl -L -o ${PRELOADER_SIGNED} https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
+ curl -L -o ${HASHTOOL_SIGNED} https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
+ add_file "${PRELOADER_SIGNED}" "/usr/share/preloader-signed/PreLoader.efi"
+ add_file "${HASHTOOL_SIGNED}" "/usr/share/preloader-signed/HashTool.efi"
+ # add shim signed files from fedora
+ SHIM=$(mktemp -d /var/tmp/shim.XXXX)
+ curl --create-dirs -L -O --output-dir ${SHIM} https://kojipkgs.fedoraproject.org/packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm
+ bsdtar -C ${SHIM} -xf ${SHIM}/shim-x64-15.4-5.x86_64.rpm
+ add_file "${SHIM}/boot/efi/EFI/fedora/mmx64.efi" "/usr/share/fedora-shim/mmx64.efi"
+ add_file "${SHIM}/boot/efi/EFI/fedora/shim.efi" "/usr/share/fedora-shim/shim.efi"
+ add_file "${SHIM}/boot/efi/EFI/fedora/shimx64.efi" "/usr/share/fedora-shim/shimx64.efi"
+ # add grub signed from fedora
+ GRUB2=$(mktemp -d /var/tmp/grub2.XXXX)
+ curl --create-dirs -L -O --output-dir ${GRUB2} https://kojipkgs.fedoraproject.org/packages/grub2/2.06/8.fc36/x86_64/grub2-efi-x64-2.06-8.fc36.x86_64.rpm
+ bsdtar -C ${GRUB2} -xf ${GRUB2}/grub2-efi-x64-2.06-8.fc36.x86_64.rpm
+ add_file ${GRUB2}/boot/efi/EFI/fedora/grubx64.efi "/usr/share/fedora-grub2/grubx64.efi"
 }
 help ()
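Review bot: The rewritten `add_file "/usr/lib/python3.9/lib-dynload/"$i""` line sits inside `for i in "${PYTHON_DYN}"`, whose quoting runs the loop once with the whole list in `$i`; the unquoted `$i` then word-splits into several arguments, so only the first .so is added and the second name is passed as its destination (assuming add_file takes source then destination, as the calls added further down do). Changing the loop to `for i in ${PYTHON_DYN}; do` with `add_file "/usr/lib/python3.9/lib-dynload/${i}"` adds each module; the unchanged PYTHON_FILES loop above has the same shape. The `--fail`, exit-status and integrity-verification points raised on the `archboot-x86_64-iso.sh` hunk apply to every curl call added here as well. Because this is an initcpio install hook, a build without network access now silently packages the empty mktemp files as `/usr/share/preloader-signed/*.efi` and likely fails or skips the shim/grub entries, and the mktemp files and directories under /var/tmp are left behind on every build. build()'s body starts before this hunk; its closing `}` is inside it.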