My UEFI signed Kernel stub

create-my-signed-boot-cert.sh

#!/bin/bash
# Copyright (c) 2015 by Roderick W. Smith
# Licensed under the terms of the GPL v3


NAME=$(cat /etc/hostname)

if [ -z "$NAME" ]; then
    echo -n "Enter a Common Name to embed in the keys: "
    read NAME
fi

PREFIX="/etc/my-signed-boot"

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME PK/" -keyout ${PREFIX}/PK.key \
        -out ${PREFIX}/PK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME KEK/" -keyout ${PREFIX}/KEK.key \
        -out ${PREFIX}/KEK.crt -days 3650 -nodes -sha256
openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$NAME DB/" -keyout ${PREFIX}/DB.key \
        -out ${PREFIX}/DB.crt -days 3650 -nodes -sha256
openssl x509 -in ${PREFIX}/PK.crt -out ${PREFIX}/PK.cer -outform DER
openssl x509 -in ${PREFIX}/KEK.crt -out ${PREFIX}/KEK.cer -outform DER
openssl x509 -in ${PREFIX}/DB.crt -out ${PREFIX}/DB.cer -outform DER

uuidgen --random > ${PREFIX}/myGUID.txt
GUID=$(cat ${PREFIX}/myGUID.txt)

cert-to-efi-sig-list -g $GUID ${PREFIX}/PK.crt ${PREFIX}/PK.esl
cert-to-efi-sig-list -g $GUID ${PREFIX}/KEK.crt ${PREFIX}/KEK.esl
cert-to-efi-sig-list -g $GUID ${PREFIX}/DB.crt ${PREFIX}/DB.esl
rm -f ${PREFIX}/noPK.esl
touch ${PREFIX}/noPK.esl

sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k ${PREFIX}/PK.key -c ${PREFIX}/PK.crt PK ${PREFIX}/PK.esl ${PREFIX}/PK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k ${PREFIX}/PK.key -c ${PREFIX}/PK.crt PK ${PREFIX}/noPK.esl ${PREFIX}/noPK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k ${PREFIX}/PK.key -c ${PREFIX}/PK.crt KEK ${PREFIX}/KEK.esl ${PREFIX}/KEK.auth
sign-efi-sig-list -t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
                  -k ${PREFIX}/KEK.key -c ${PREFIX}/KEK.crt db ${PREFIX}/DB.esl ${PREFIX}/DB.auth

# TODO: this allow an race condition
chmod 0600 "${PREFIX}"/*.key

create-my-signed-boot-image.sh

#!/bin/bash

#TODO: check if is root

PREFIX="/etc/my-signed-boot"

cat /boot/*-ucode.img /boot/initramfs-linux.img > /tmp/initramfs-linux.img.tmp

objcopy \
    --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
    --add-section .cmdline="/etc/my-signed-boot/kernel-command-line.txt" --change-section-vma .cmdline=0x30000 \
    --add-section .splash="/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
    --add-section .linux="/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
    --add-section .initrd="/tmp/initramfs-linux.img.tmp" --change-section-vma .initrd=0x3000000 \
    "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/vmlinuz-linux.efi"

rm /tmp/initramfs-linux.img.tmp
cat /boot/*-ucode.img /boot/initramfs-linux-fallback.img > /tmp/initramfs-linux-fallback.img.tmp

objcopy \
    --add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
    --add-section .cmdline="/etc/my-signed-boot/kernel-command-line.txt" --change-section-vma .cmdline=0x30000 \
    --add-section .splash="/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
    --add-section .linux="/boot/vmlinuz-linux" --change-section-vma .linux=0x2000000 \
    --add-section .initrd="/tmp/initramfs-linux-fallback.img.tmp" --change-section-vma .initrd=0x3000000 \
    "/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "/boot/vmlinuz-linux-fallback.efi"

rm /tmp/initramfs-linux-fallback.img.tmp

sbsign --key ${PREFIX}/DB.key --cert ${PREFIX}/DB.crt --output /boot/vmlinuz-linux.efi /boot/vmlinuz-linux.efi
sbsign --key ${PREFIX}/DB.key --cert ${PREFIX}/DB.crt --output /boot/vmlinuz-linux-fallback.efi /boot/vmlinuz-linux-fallback.efi

echo ""
echo "Add the stub to the EFI manually with: "
echo "sudo efibootmgr --disk /dev/nvme0n1 --part 1 --create --label \"Arch Linux\" --loader /vmlinuz-linux.efi"
echo "sudo efibootmgr --disk /dev/nvme0n1 --part 1 --create --label \"Arch Linux Fallback\" --loader /vmlinuz-linux-fallback.efi"
echo ""