pacman hooks for kernel signing
# pacman hook: rebuild and re-sign the unified kernel image whenever the
# intel-ucode package is installed or upgraded. The microcode image is
# concatenated into the initramfs that /usr/local/bin/sign-kernel-image
# embeds in the signed EFI binary, so a new microcode build needs a new
# signature.
[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Target = intel-ucode
[Action]
Description = Sign the intel ucode for secure boot
# sbsigntools provides the sbsign binary the script calls.
Depends = sbsigntools
# NOTE(review): pacman runs hooks in filename order; if the hook that
# regenerates the initramfs sorts after this one, the image signed here still
# contains the previous initramfs — confirm the hook filenames order correctly.
When = PostTransaction
Exec = /usr/local/bin/sign-kernel-image
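#!/bin/bash
# sign-kernel-image: build a unified EFI image (systemd-boot stub + os-release
# + kernel command line + kernel + microcode/initramfs) and sign it with the
# Secure Boot db key. Invoked as root by the pacman PostTransaction hooks for
# the linux, intel-ucode and systemd packages.
#
# Inputs (hard-coded below): the kernel, initramfs and microcode images in
# /boot, the kernel command line in /etc/cmdline, the EFI stub shipped by
# systemd, and the db key/cert under /etc/ssl/private.
# Output: the signed image at /boot/linux.img. The previous image is replaced
# only after the new one has been written and its signature verified.
set -eu

KERNEL=/boot/vmlinuz-linux
CERTDIR=/etc/ssl/private
# Order matters: the microcode image must precede the initramfs in the
# concatenated file so the kernel's early-microcode loader finds it.
INITRAMFS=(/boot/intel-ucode.img /boot/initramfs-linux.img)
EFISTUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
OUTIMG=/boot/linux.img
CMDLINE=/etc/cmdline

# Scratch space: a fresh, root-owned private directory rather than a fixed
# name under /tmp. A fixed path such as /tmp/_build can be pre-created by any
# local user, who could then swap the staged initramfs or image between steps
# and get content of their choosing signed with the Secure Boot key.
BUILDDIR=$(mktemp -d) || { printf 'sign-kernel-image: mktemp failed\n' >&2; exit 1; }
cleanup() { rm -rf -- "${BUILDDIR:?}"; }
trap cleanup EXIT

# Refuse to run with any input missing rather than producing a broken image.
for f in "$KERNEL" "${INITRAMFS[@]}" "$EFISTUB" "$CMDLINE" /etc/os-release \
         "$CERTDIR/db.key" "$CERTDIR/db.crt"; do
  if [[ ! -r "$f" ]]; then
    printf 'sign-kernel-image: missing or unreadable: %s\n' "$f" >&2
    exit 1
  fi
done

cat -- "${INITRAMFS[@]}" > "$BUILDDIR/initramfs.img"

# Section VMAs are the ones the systemd-boot EFI stub expects for the
# .osrel/.cmdline/.linux/.initrd payloads.
/usr/bin/objcopy \
  --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
  --add-section .cmdline="$CMDLINE" --change-section-vma .cmdline=0x30000 \
  --add-section .linux="$KERNEL" --change-section-vma .linux=0x40000 \
  --add-section .initrd="$BUILDDIR/initramfs.img" --change-section-vma .initrd=0x3000000 \
  "$EFISTUB" "$BUILDDIR/combined-boot.efi"

/usr/bin/sbsign --key "$CERTDIR/db.key" --cert "$CERTDIR/db.crt" \
  --output "$BUILDDIR/combined-boot-signed.efi" "$BUILDDIR/combined-boot.efi"

# Check the signature against the cert before touching /boot, so a wrong key
# or a truncated write never replaces a bootable image.
/usr/bin/sbverify --cert "$CERTDIR/db.crt" "$BUILDDIR/combined-boot-signed.efi"

# Write next to the target and rename into place, so a crash mid-copy leaves
# the old image intact instead of a half-written one.
cp -- "$BUILDDIR/combined-boot-signed.efi" "$OUTIMG.tmp"
mv -f -- "$OUTIMG.tmp" "$OUTIMG"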
# pacman hook: rebuild and re-sign the unified kernel image whenever the
# linux package is installed or upgraded, so the kernel that ends up in
# /boot/linux.img always carries a current Secure Boot signature.
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = linux
[Action]
Description = Sign the kernel for secure boot
# sbsigntools provides the sbsign binary the script calls.
Depends = sbsigntools
# NOTE(review): pacman runs hooks in filename order; the hook that builds the
# initramfs for the new kernel must run before this one, otherwise the image
# signed here embeds the old initramfs — confirm the hook filenames order correctly.
When = PostTransaction
Exec = /usr/local/bin/sign-kernel-image
# pacman hook: after a systemd install/upgrade, install the new systemd-boot
# loader into the ESP, sign it in place, and then rebuild the unified kernel
# image — the EFI stub (linuxx64.efi.stub) used by sign-kernel-image ships
# with systemd, so the signed kernel image must be regenerated as well.
[Trigger]
Type = Package
Operation = Install
Operation = Upgrade
Target = systemd
[Action]
Description = Update and sign systemd-boot for secure boot
# sbsigntools provides sbsign for both the loader and the kernel image.
Depends = sbsigntools
# The three steps are chained with && so a failed bootctl update or a failed
# signature never leads to an unsigned loader being left behind silently.
# NOTE(review): when bootctl update decides no update is needed, sbsign is
# re-run on the already-signed loader; confirm the installed sbsign version
# replaces rather than appends the existing signature.
When = PostTransaction
Exec = /bin/sh -c '/usr/bin/bootctl update && /usr/bin/sbsign --key /etc/ssl/private/db.key --cert /etc/ssl/private/db.crt --output /boot/EFI/systemd/systemd-bootx64.efi /boot/EFI/systemd/systemd-bootx64.efi && /usr/local/bin/sign-kernel-image'