feat: initial secure boot
This commit is contained in:
parent
f01ed61b00
commit
03c39fbedf
8 changed files with 187 additions and 1 deletions
|
|
@ -6,6 +6,15 @@ when:
|
|||
|
||||
steps:
|
||||
check:
|
||||
image: docker.io/nixpkgs/nix-flakes:nixos-24.05
|
||||
image: docker.io/nixpkgs/nix-flakes:nixos-25.05
|
||||
commands:
|
||||
- nix flake check
|
||||
|
||||
sign:
|
||||
image: docker.io/nixpkgs/nix-flakes:nixos-25.05
|
||||
env:
|
||||
DB_KEY: ${{ secrets.DBKEY }}
|
||||
DB_CRT: ${{ secrets.DBCRT }}
|
||||
commands:
|
||||
- ./scripts/sign-release.sh
|
||||
|
||||
|
|
|
|||
|
|
@ -80,8 +80,11 @@
|
|||
|
||||
devShells.${system}.default = pkgs.mkShell {
|
||||
buildInputs = with pkgs; [
|
||||
efitools
|
||||
erofs-utils
|
||||
just
|
||||
openssl
|
||||
sbsigntool
|
||||
self.packages.${system}.qemu-uefi-tpm
|
||||
squashfs-tools-ng
|
||||
];
|
||||
|
|
|
|||
BIN
keys/DB.auth
Normal file
BIN
keys/DB.auth
Normal file
Binary file not shown.
BIN
keys/KEK.auth
Normal file
BIN
keys/KEK.auth
Normal file
Binary file not shown.
BIN
keys/PK.auth
Normal file
BIN
keys/PK.auth
Normal file
Binary file not shown.
|
|
@ -76,6 +76,7 @@ let
|
|||
contents = {
|
||||
"/EFI/BOOT/BOOT${lib.toUpper efiArch}.EFI".source = "${pkgs.systemdUkify}/lib/systemd/boot/efi/systemd-boot${efiArch}.efi";
|
||||
"/EFI/Linux/${config.system.boot.loader.ukiFile}".source = "${config.system.build.uki}/${config.system.boot.loader.ukiFile}";
|
||||
"/EFI/loader/keys/patos".source = ../../keys;
|
||||
"/EFI/memtest86/memtest86.efi".source = "${pkgs.memtest86plus}/memtest.efi";
|
||||
"/loader/entries/patos-factory-reset.conf".source = pkgs.writeText "patos-factory-reset.conf" ''
|
||||
title Patos Factory Reset
|
||||
|
|
|
|||
154
scripts/sbkeys
Executable file
154
scripts/sbkeys
Executable file
|
|
@ -0,0 +1,154 @@
|
|||
#!/usr/bin/env bash
|
||||
# Copyright (c) 2015 by Roderick W. Smith
|
||||
# Copyright (c) 2020 Corey Hinshaw
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
[ -n "${DEBUG}" ] && set -x
|
||||
set -e
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
Usage: sbkeys [OPTION]...
|
||||
Generate secure boot keys
|
||||
|
||||
Options:
|
||||
-h Print this help text
|
||||
-m Generate signature database entries for Microsoft certificates
|
||||
EOF
|
||||
}
|
||||
|
||||
generate_keys() {
|
||||
# Do not create new keys if key files already exist
|
||||
KEYS=(
|
||||
PK.key PK.crt PK.cer PK.esl PK.auth
|
||||
KEK.key KEK.crt KEK.cer KEK.esl KEK.auth
|
||||
DB.key DB.crt DB.cer DB.esl DB.auth
|
||||
noPK.esl noPK.auth
|
||||
myGUID.txt
|
||||
)
|
||||
for file in ${KEYS[@]}; do
|
||||
if [ -f ${file} ]; then
|
||||
echo "Skipping key generation: keys already exist in $(pwd)"
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
echo -n "Enter a Common Name to embed in the keys: "
|
||||
read NAME
|
||||
|
||||
# Platform key
|
||||
openssl req -new -x509 \
|
||||
-subj "/CN=${NAME} PK/" -days 3650 -nodes \
|
||||
-newkey rsa:2048 -sha256 \
|
||||
-keyout PK.key -out PK.crt
|
||||
openssl x509 -in PK.crt -out PK.cer -outform DER
|
||||
|
||||
# Key exchange key
|
||||
openssl req -new -x509 \
|
||||
-subj "/CN=${NAME} KEK/" -days 3650 -nodes \
|
||||
-newkey rsa:2048 -sha256 \
|
||||
-keyout KEK.key -out KEK.crt
|
||||
openssl x509 -in KEK.crt -out KEK.cer -outform DER
|
||||
|
||||
# Signature database
|
||||
openssl req -new -x509 \
|
||||
-subj "/CN=${NAME} DB/" -days 3650 -nodes \
|
||||
-newkey rsa:2048 -sha256 \
|
||||
-keyout DB.key -out DB.crt
|
||||
openssl x509 -in DB.crt -out DB.cer -outform DER
|
||||
|
||||
GUID="$(uuidgen -r)"
|
||||
echo ${GUID} > myGUID.txt
|
||||
|
||||
cert-to-efi-sig-list -g ${GUID} PK.crt PK.esl
|
||||
cert-to-efi-sig-list -g ${GUID} KEK.crt KEK.esl
|
||||
cert-to-efi-sig-list -g ${GUID} DB.crt DB.esl
|
||||
rm -f noPK.esl
|
||||
touch noPK.esl
|
||||
|
||||
sign-efi-sig-list \
|
||||
-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k PK.key -c PK.crt \
|
||||
PK PK.esl PK.auth
|
||||
sign-efi-sig-list \
|
||||
-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k PK.key -c PK.crt \
|
||||
PK noPK.esl noPK.auth
|
||||
sign-efi-sig-list \
|
||||
-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k PK.key -c PK.crt \
|
||||
KEK KEK.esl KEK.auth
|
||||
sign-efi-sig-list \
|
||||
-t "$(date --date='1 second' +'%Y-%m-%d %H:%M:%S')" \
|
||||
-k KEK.key -c KEK.crt \
|
||||
DB DB.esl DB.auth
|
||||
|
||||
chmod 0600 *.key
|
||||
}
|
||||
|
||||
generate_ms_db() {
|
||||
msguid=77fa9abd-0359-4d32-bd60-28f4e78f784b
|
||||
|
||||
msdb="MS_db.esl add_MS_db.auth"
|
||||
for file in $msdb; do
|
||||
if [ -f $file ]; then
|
||||
echo "Microsoft signature lists already exist in $(pwd)"
|
||||
return
|
||||
fi
|
||||
done
|
||||
|
||||
wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
|
||||
wget --user-agent="Mozilla" https://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
|
||||
|
||||
sbsiglist --owner "$msguid" --type x509 --output MS_Win_db.esl MicWinProPCA2011_2011-10-19.crt
|
||||
sbsiglist --owner "$msguid" --type x509 --output MS_UEFI_db.esl MicCorUEFCA2011_2011-06-27.crt
|
||||
cat MS_Win_db.esl MS_UEFI_db.esl > MS_db.esl
|
||||
sign-efi-sig-list -a -g "$msguid" -k KEK.key -c KEK.crt DB MS_db.esl add_MS_db.auth
|
||||
|
||||
rm MS_Win_db.esl MS_UEFI_db.esl MicWinProPCA2011_2011-10-19.crt MicCorUEFCA2011_2011-06-27.crt
|
||||
}
|
||||
|
||||
mskeys=0
|
||||
|
||||
while getopts ":hm" opt; do
|
||||
case $opt in
|
||||
h)
|
||||
usage
|
||||
cat <<EOF
|
||||
|
||||
For use with KeyTool, copy the *.auth and *.esl files to a FAT USB
|
||||
flash drive or to your EFI System Partition (ESP).
|
||||
For use with most UEFIs' built-in key managers, copy the *.cer files.
|
||||
|
||||
To add Microsoft's certificates use KeyTool or UEFI to append
|
||||
add_MS_db.auth to the signature database.
|
||||
EOF
|
||||
exit 0
|
||||
;;
|
||||
m)
|
||||
mskeys=1
|
||||
;;
|
||||
\?)
|
||||
echo "Invalid option: -$OPTARG" >&2
|
||||
usage >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
generate_keys
|
||||
if [ $mskeys -eq 1 ]; then
|
||||
generate_ms_db
|
||||
fi
|
||||
19
scripts/sign-release.sh
Executable file
19
scripts/sign-release.sh
Executable file
|
|
@ -0,0 +1,19 @@
|
|||
#! /usr/bin/env nix-shell
|
||||
#! nix-shell -i bash -p efitools
|
||||
|
||||
set -eux
|
||||
|
||||
mkdir signed
|
||||
cp -L result/* signed/
|
||||
|
||||
loopdev=$(sudo losetup -f)
|
||||
sudo losetup -P "$loopdev" signed/*.img
|
||||
sudo mount "${loopdev}p1" /mnt -t vfat
|
||||
|
||||
sudo find signed/ /mnt/ -name "*.efi" -type f -exec sbsign --key <(echo "$DB_KEY") --cert <(echo "$DB_CRT") --output {} {} \;
|
||||
|
||||
sudo mkdir -p /mnt/loader/keys/patos
|
||||
sudo cp keys/*.auth /mnt/loader/keys/patos/
|
||||
|
||||
sudo umount /mnt
|
||||
sudo losetup -d "$loopdev"
|
||||
Loading…
Add table
Reference in a new issue