Installs Ubuntu's signed shim on Arch, configures and signs GRUB and the kernel, and sets up module signing for DKMS (untested)
#!/usr/bin/env zsh
# Installs ubuntu's secure boot shim into the EFI partition.
# While my motherboard allows me to add custom keys and stuff it's
# easier for me to just use this for now.
# WARNING: Here be dragons, this can mess up your bootloader and
# I make no guarantees it won't. Most likely it will and you should
# have a plan to fix it if so (a liveUSB or something that you can use to
# reinstall grub.)
#
# This also assumes things specific to my setup, so really read this
# before you use it.
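set -e
# Recommended reading:
# - https://wiki.debian.org/SecureBoot
# - https://wiki.archlinux.org/title/GRUB#Shim-lock
# - https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#shim
# Everything below writes to the ESP, firmware NVRAM and /etc, so refuse to
# continue as a non-root user. The message goes to stderr like any other
# diagnostic, and a plain `if` avoids relying on `&&` chains under `set -e`.
if [[ $(id -u) -ne 0 ]]; then
  echo "You must be root to run this" >&2
  exit 1
fi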
# If you want to gift me an arm64 machine to try it out I won't say no.
# Target architecture; only the amd64 file names (shimx64, BOOTX64, x86_64-efi)
# are wired up further down.
ARCH="amd64"
# Mount point of the EFI system partition, plus the disk and partition number
# efibootmgr needs when it creates the boot entry for it.
ESP="/boot"
ESP_DISK="/dev/nvme0n1"
PARTITION="1"
# Machine Owner Key material (private key and DER/PEM/CRT certificate).
MOK_DIR="/var/lib/shim-signed/mok"
# Default (removable-media) boot path the firmware falls back to.
BOOT_DIR="${ESP}/EFI/BOOT"
MY_BOOT_LOADER="${BOOT_DIR}/BOOTX64.EFI"
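backup_bootloader() {
  # Keep a one-time copy of the current default boot loader next to it.
  # Only the first copy is kept so a later run never clobbers the pristine
  # backup. An explicit `return 0` matters: the old `[[ ]] && cp` form made
  # the function return 1 when the backup already existed, which killed the
  # whole script under `set -e` on every run after the first.
  if [[ ! -f "$MY_BOOT_LOADER.bak" ]]; then
    cp -- "$MY_BOOT_LOADER" "$MY_BOOT_LOADER.bak"
  fi
  return 0
}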
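delete_all_boot_entries() {
  # Destructive: removes EVERY firmware boot entry, including those of other
  # operating systems. The "Shim" entry is recreated by install_shim_into_esp.
  #
  # Entry lines look like "Boot0001* Label" (active) or "Boot0002  Label"
  # (inactive). The old cut-based parsing only worked for active entries: an
  # inactive line kept its label, which xargs then fed to efibootmgr as bogus
  # ids. Extract exactly the 4 hex digits instead and skip BootOrder/BootNext/
  # BootCurrent, whose 5th character is not a hex digit.
  local entry_id
  while IFS= read -r entry_id; do
    [[ -n "$entry_id" ]] || continue
    efibootmgr -B -b "$entry_id"
  done < <(efibootmgr | sed -n 's/^Boot\([[:xdigit:]]\{4\}\)[* ].*/\1/p')
}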
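install_shim_into_esp() {
  # Downloads ubuntu's shim-signed package, unpacks it, puts shim at the
  # default boot path (moving the current grub aside) and registers a
  # firmware boot entry for it.
  #
  # Globals: BOOT_DIR, MY_BOOT_LOADER, ESP_DISK, PARTITION (read);
  #          SHIM_DEB_SHA256 (read, optional, see below).
  local pkg_url="http://de.archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.51+15.4-0ubuntu9_amd64.deb"
  # The transfer is plain HTTP and nothing here checks the package's own
  # signature. Set SHIM_DEB_SHA256 to the expected sha256 of the .deb to pin
  # it; when unset we warn and proceed as before.
  local expected_sha256=${SHIM_DEB_SHA256:-}
  # A private temp dir instead of a fixed ./temp-download in the cwd, which
  # anyone with write access to the cwd could have pre-populated.
  local workdir
  workdir=$(mktemp -d) || return 1
  echo "Getting shim-signed from ubuntu"
  pushd "$workdir"
  # -f: an HTTP error page must fail here, not be saved as "shim-signed.deb".
  curl -f "$pkg_url" -o shim-signed.deb
  if [[ -n "$expected_sha256" ]]; then
    printf '%s  shim-signed.deb\n' "$expected_sha256" | sha256sum -c -
  else
    echo "WARNING: SHIM_DEB_SHA256 not set, shim-signed.deb is not checksummed" >&2
  fi
  # It used to be that I thought I might need multiple packages, but maybe not
  # I'll leave this be for now, just in case
  local deb
  for deb in *.deb; do
    ar -x "$deb"
    tar -xf data.tar.xz
    rm -- *.tar.xz debian-binary
  done
  # Move grub out of the way so shim can chain-load it as grubx64.efi.
  if [[ ! -f "$BOOT_DIR/grubx64.efi" ]]; then
    mv -- "$MY_BOOT_LOADER" "$BOOT_DIR/grubx64.efi"
  fi
  echo "Putting efi files in place"
  # M$-signed shim goes to the default boot path. This used to be spelled
  # BOOTX64.efi; on a FAT ESP that is the same file, now it is the same string.
  cp -v ./usr/lib/shim/shimx64.efi.signed "$MY_BOOT_LOADER"
  # MOK manager, in charge of holding our key
  cp -v ./usr/lib/shim/mmx64.efi "$BOOT_DIR"
  popd
  rm -rf -- "${workdir:?}"
  # Create the boot label to boot the shim
  echo "Creating shim boot entry"
  efibootmgr --unicode --disk "$ESP_DISK" --part "$PARTITION" --create --label "Shim" --loader /EFI/BOOT/BOOTX64.EFI
}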
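create_signing_key() {
  # Creates the Machine Owner Key in $MOK_DIR (if not already there) and hands
  # its public half to mokutil for enrolment.
  # https://wiki.debian.org/SecureBoot#Generating_a_new_key
  if [[ -d "$MOK_DIR" && -f "$MOK_DIR/MOK.der" && -f "$MOK_DIR/MOK.pem" && -f "$MOK_DIR/MOK.priv" ]]; then
    echo "All required files present!"
    return 0
  fi
  mkdir -p "$MOK_DIR"
  pushd "$MOK_DIR"
  # NOTE(review): without -nodes openssl asks for a passphrase and encrypts
  # MOK.priv; the pacman hook and dkms helper below need the key
  # non-interactively — decide which you want before relying on them.
  openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=Manakin Machine Owner Key/"
  # Whatever the umask was, the private signing key must be root-only.
  chmod 600 MOK.priv
  openssl x509 -inform der -in MOK.der -out MOK.pem
  openssl x509 -inform der -in MOK.der -out MOK.crt
  # Same path as the other files, not a second hard-coded copy of MOK_DIR.
  mokutil --import "$MOK_DIR/MOK.der" # prompts for one-time password
  popd
}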
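install_signed_grub() {
  # Installs GRUB for x86_64-efi with a fixed module list, signs the image in
  # place with the MOK and copies it next to shim as grubx64.efi.
  # Globals: ESP, BOOT_DIR, MOK_DIR (read).
  echo "installing signed grub"
  # Local, so the module list does not leak into the global namespace.
  local grub_modules="
all_video
bli
boot
btrfs
cat
chain
configfile
cpuid
echo
efi_gop
efi_uga
efifwsetup
efinet
ext2
fat
font
gettext
gfxmenu
gfxterm
gfxterm_background
gzio
halt
help
jpeg
keystatus
loadenv
loopback
linux
ls
lsefi
lsefimmap
lsefisystab
lssal
luks
lvm
memdisk
minicmd
normal
part_msdos
part_gpt
password_pbkdf2
play
png
probe
reboot
regexp
search
search_fs_uuid
search_fs_file
search_label
sleep
smbios
squash4
test
tpm
true
video
video_bochs
video_cirrus
xfs
"
  # Quoted on purpose: one argument holding the newline-separated list, which
  # is also what zsh (no word splitting by default) passed when it was unquoted.
  grub-install --target=x86_64-efi --efi-directory="$ESP" --bootloader-id="GRUB" --modules="$grub_modules" --sbat /usr/share/grub/sbat.csv
  grub-mkconfig -o /boot/grub/grub.cfg
  # Sign in place, then mirror the signed image to the directory shim lives in.
  sbsign --key "$MOK_DIR/MOK.priv" --cert "$MOK_DIR/MOK.crt" --output "$ESP/EFI/GRUB/grubx64.efi" "$ESP/EFI/GRUB/grubx64.efi"
  cp -v "$ESP/EFI/GRUB/grubx64.efi" "$BOOT_DIR/grubx64.efi"
}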
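sign_current_kernel() {
  # Signs one kernel image in place with the MOK.
  # Arguments: $1 - image to sign (optional; default is the stock `linux`
  #            package's /boot/vmlinuz-linux, as before).
  # Globals:   MOK_DIR (read)
  local kernel=${1:-/boot/vmlinuz-linux}
  sbsign --key "$MOK_DIR/MOK.priv" --cert "$MOK_DIR/MOK.crt" --output "$kernel" "$kernel"
}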
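add_pacman_kernel_sign_hook() {
  # Writes a pacman hook that signs every /boot/vmlinuz-* that is not yet
  # signed after a kernel package install/upgrade.
  # Arguments: $1 - hook directory (optional; default /etc/pacman.d/hooks),
  #            mainly so the generated file can be inspected without root.
  # Globals:   MOK_DIR (read; expanded into the hook as absolute paths)
  local hook_dir=${1:-/etc/pacman.d/hooks}
  mkdir -p "$hook_dir"
  # \$1 stays literal: find passes each kernel to sh as a positional argument
  # instead of splicing {} into the -c command string, so the kernel path is
  # never re-parsed by the shell.
  cat >"$hook_dir/999-sign_kernel_for_secureboot.hook" <<EOF
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
Target = linux-lts
Target = linux-hardened
Target = linux-zen
[Action]
Description = Signing kernel with Machine Owner Key for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/ -maxdepth 1 -name 'vmlinuz-*' -exec /usr/bin/sh -c 'if ! /usr/bin/sbverify --list "\$1" 2>/dev/null | /usr/bin/grep -q "signature certificates"; then /usr/bin/sbsign --key $MOK_DIR/MOK.priv --cert $MOK_DIR/MOK.crt --output "\$1" "\$1"; fi' _ {} ;
Depends = sbsigntools
Depends = findutils
Depends = grep
EOF
}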
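add_signing_key_to_dkms() {
  # Points dkms at the MOK and installs a helper that signs built modules.
  # Arguments: $1 - dkms config directory (optional; default /etc/dkms),
  #            mainly so the generated files can be inspected without root.
  # Globals:   MOK_DIR (read; expanded as absolute paths)
  #
  # Fixes vs. the first draft: framework.conf.d is created, the helper gets a
  # shebang, "\$1"/"\$2" are kept literal for dkms instead of being expanded
  # (to nothing) while this script runs, and the missing space between the
  # certificate and the module argument is restored.
  local dkms_dir=${1:-/etc/dkms}
  local helper="$dkms_dir/sign_helper.sh"
  mkdir -p "$dkms_dir/framework.conf.d"
  cat >"$dkms_dir/framework.conf.d/mok_keys.conf" <<EOF
mok_signing_key="$MOK_DIR/MOK.priv"
mok_certificate="$MOK_DIR/MOK.der"
sign_tool="$helper"
EOF
  # dkms invokes sign_tool with the kernel version and the module path.
  cat >"$helper" <<EOF
#!/bin/sh
# \$1 = kernel version, \$2 = module to sign (both supplied by dkms)
exec /lib/modules/"\$1"/build/scripts/sign-file sha512 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "\$2"
EOF
  chmod +x "$helper"
}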
main() {
  # Only the backup runs unconditionally. Every other step is opt-in:
  # uncomment the ones you want, one at a time, after reading that function.
  backup_bootloader
  #delete_all_boot_entries
  #install_shim_into_esp
  #create_signing_key
  #install_signed_grub
  #sign_current_kernel
  #add_pacman_kernel_sign_hook
  #add_signing_key_to_dkms
}
main "$@"