diff --git a/secureboot.sh b/secureboot.sh new file mode 100644 index 0000000..83d0db9 --- /dev/null +++ b/secureboot.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +pacman -S --noconfirm sbsigntools efitools openssl +mkdir -p /etc/efi-keys +cd /etc/efi-keys +curl -L -O https://www.rodsbooks.com/efi-bootloaders/mkkeys.sh +chmod +x mkkeys.sh +./mkkeys.sh + +chmod -R g-rwx /etc/efi-keys +chmod -R o-rwx /etc/efi-keys + +if [ -f /boot/vmlinuz-linux ]; then + sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux /boot/vmlinuz-linux +fi + +if [ -f /boot/vmlinuz-linux-lts ]; then + sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux-lts /boot/vmlinuz-linux-lts +fi + +if [ -f /boot/vmlinuz-linux-hardened ]; then + sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux-hardened /boot/vmlinuz-linux-hardened +fi + +if [ -f /boot/vmlinuz-linux-zen ]; then + sbsign --key db.key --cert db.crt --output /boot/vmlinuz-linux-zen /boot/vmlinuz-linux-zen +fi + +cp /usr/share/libalpm/hooks/90-mkinitcpio-install.hook /etc/pacman.d/hooks/90-mkinitcpio-install.hook +sed -i 's#Exec = /usr/share/libalpm/scripts/mkinitcpio-install#Exec = /usr/local/share/libalpm/scripts/mkinitcpio-install#g' /etc/pacman.d/hooks/90-mkinitcpio-install.hook + +cp /usr/share/libalpm/scripts/mkinitcpio-install /usr/local/share/libalpm/scripts/mkinitcpio-install +sed -i 's#install -Dm644 "${line}" "/boot/vmlinuz-${pkgbase}"#sbsign --key /etc/efi-keys/DB.crt --cert /path/to/db.crt --output "/boot/vmlinuz-${pkgbase}" "${line}"#g' /usr/local/share/libalpm/scripts/mkinitcpio-install + +mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK} +ln -s /etc/efi-keys/DB.auth /etc/secureboot/keys/db/DB.auth +ln -s /etc/efi-keys/KEK.auth /etc/secureboot/keys/KEK/KEK.auth +ln -s /etc/efi-keys/PK.auth /etc/secureboot/keys/KEK/PK.auth + +sbkeysync --verbose --pk + +chmod -R g-rwx /etc/secureboot +chmod -R g-rwx /etc/secureboot + +grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=GRUB --modules="normal test efi_gop efi_uga search echo linux all_video gfxmenu gfxterm_background gfxterm_menu gfxterm loadenv configfile tpm gzio part_gpt cryptodisk luks gcry_rijndael gcry_sha256 btrfs" --disable-shim-lock +sbsign --key /etc/efi-keys/DB.key --cert /etc/efi-keys/DB.crt --output /boot/efi/EFI/GRUB/grubx64.efi /boot/efi/EFI/GRUB/grubx64.efi +grub-mkconfig -o /boot/grub/grub.cfg \ No newline at end of file