feat: enable secure boot
This commit is contained in:
parent
1fcc45dd32
commit
1f1c93b775
4 changed files with 52 additions and 12 deletions
pkgs/image
|
@ -18,6 +18,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
|
|||
mtools
|
||||
e2fsprogs
|
||||
jq
|
||||
openssl
|
||||
];
|
||||
|
||||
env = {
|
||||
|
|
|
@ -58,8 +58,7 @@ $systemd/usr/bin/systemd-repart \
|
|||
--split=true \
|
||||
--json=pretty \
|
||||
--root=$out \
|
||||
patos-$version.raw > init-repart-output.json
|
||||
rm -f patos-$version.raw
|
||||
patos-$version.raw > init-repart-output.json && rm -f patos-$version.raw
|
||||
|
||||
roothash=$(jq -r '.[0].roothash' init-repart-output.json)
|
||||
rootPart=$(jq -r '.[0].split_path' init-repart-output.json)
|
||||
|
@ -91,12 +90,29 @@ $systemd/usr/bin/ukify build \
|
|||
--os-release @./reset-os-release \
|
||||
--cmdline "$kernelCmdLine roothash=$roothash systemd.factory_reset=yes" \
|
||||
-o patos_factory_reset.efi
|
||||
rm -rf rootfs
|
||||
|
||||
cp patos_${version}.efi boot/
|
||||
cp patos_factory_reset.efi boot/
|
||||
cp ${systemd}/usr/lib/systemd/boot/efi/systemd-bootx64.efi boot/
|
||||
echo "timeout 2" > boot/loader.conf
|
||||
# Secure boot
|
||||
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem -subj "/CN=patagia-signing"
|
||||
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 $systemd/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
|
||||
--secure-boot-auto-enroll=true --certificate=./cert.pem --private-key=./key.pem
|
||||
|
||||
# install UKIs
|
||||
cp patos_${version}.efi rootfs/boot/EFI/Linux
|
||||
cp patos_factory_reset.efi rootfs/boot/EFI/Linux
|
||||
|
||||
# sign EFIs
|
||||
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
|
||||
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
|
||||
|
||||
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
|
||||
rootfs/boot/EFI/Linux/patos_0.0.1.efi --output=rootfs/boot/EFI/Linux/patos_0.0.1.efi
|
||||
|
||||
$systemd/usr/lib/systemd/systemd-sbsign sign --certificate=./cert.pem --private-key=./key.pem \
|
||||
rootfs/boot/EFI/Linux/patos_factory_reset.efi --output=rootfs/boot/EFI/Linux/patos_factory_reset.efi
|
||||
|
||||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
|
||||
|
||||
# Final partitioning
|
||||
cat <<EOF > final.repart.d/10-esp.conf
|
||||
|
@ -105,10 +121,7 @@ Type=esp
|
|||
Format=vfat
|
||||
SizeMinBytes=160M
|
||||
SizeMaxBytes=160M
|
||||
CopyFiles=/boot/systemd-bootx64.efi:/EFI/BOOT/BOOTX64.EFI
|
||||
CopyFiles=/boot/patos_${version}.efi:/EFI/Linux/patos_${version}.efi
|
||||
CopyFiles=/boot/patos_factory_reset.efi:/EFI/Linux/patos_factory_reset.efi
|
||||
CopyFiles=/boot/loader.conf:/loader/loader.conf
|
||||
CopyFiles=/rootfs/boot:/
|
||||
EOF
|
||||
|
||||
cat <<EOF > final.repart.d/20-root.conf
|
||||
|
@ -142,6 +155,6 @@ $systemd/usr/bin/systemd-repart \
|
|||
--root=$out \
|
||||
patos-$version.raw > final-repart-output.json
|
||||
|
||||
rm -rf boot
|
||||
rm -rf rootfs
|
||||
|
||||
popd
|
||||
|
|
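Review bot: The systemd-sbsign call for the main UKI hardcodes `rootfs/boot/EFI/Linux/patos_0.0.1.efi`, while the same file is installed two lines earlier as `patos_${version}.efi`; for any other version the main UKI is left unsigned (or the build fails on the missing path), so the signing line should read `rootfs/boot/EFI/Linux/patos_${version}.efi --output=rootfs/boot/EFI/Linux/patos_${version}.efi`. Separately, the signing key is generated inside the build with `openssl req ... -nodes`, so every build produces a fresh, unencrypted key that is then force-enrolled into firmware via `--secure-boot-auto-enroll=true` and `secure-boot-enroll force`; a machine enrolled from one build will not trust UKIs signed by a later build's key, and nothing in the hunk shows `key.pem` being kept out of the packaged output. Consider taking the certificate and key from a build input (or, if the throwaway key is intentional, say so in a comment next to the `openssl req` line) and adding an assertion that `key.pem` is not under the tree handed to the final repart step. The build script continues outside this hunk.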