parent
dc8ed2a774
commit
8fb3174c78
3 changed files with 68 additions and 15 deletions
pkgs
|
@ -54,6 +54,22 @@ mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/sys
|
|||
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
|
||||
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
|
||||
|
||||
cat <<EOF > rootfs/usr/lib/systemd/system/secure-boot-import-keys.service
|
||||
[Unit]
|
||||
Description=Import Secure Boot keys
|
||||
DefaultDependencies=no
|
||||
RequiresMountsFor=/var/lib/sbctl /boot
|
||||
ConditionPathExists=/boot/sbctl/keys
|
||||
After=local-fs.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=sbctl import-keys -d /boot/sbctl/keys
|
||||
ExecStartPost=rm -rf /boot/sbctl
|
||||
EOF
|
||||
ln -sf ../secure-boot-import-keys.service rootfs/usr/lib/systemd/system/sysinit.target.wants/secure-boot-import-keys.service
|
||||
|
||||
# Initial partitioning
|
||||
cat <<EOF > init.repart.d/10-root.conf
|
||||
[Partition]
|
||||
|
@ -102,9 +118,7 @@ ${patosPkgs.systemd}/usr/bin/ukify build \
|
|||
-o patos_${version}.efi
|
||||
|
||||
# install ESP
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot \
|
||||
--secure-boot-auto-enroll=true --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem
|
||||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
SYSTEMD_RELAX_ESP_CHECKS=1 ${patosPkgs.systemd}/usr/bin/bootctl install --root ./rootfs --esp-path /boot
|
||||
|
||||
# setup factory reset
|
||||
mkdir -p rootfs/boot/EFI/tools
|
||||
|
@ -122,21 +136,11 @@ options \EFI\tools\factoryreset.nsh L"t"
|
|||
efi EFI/tools/shell.efi
|
||||
EOF
|
||||
|
||||
# sign EFIs
|
||||
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
|
||||
rootfs/boot/EFI/tools/shell.efi --output=rootfs/boot/EFI/tools/shell.efi
|
||||
|
||||
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
|
||||
rootfs/boot/EFI/BOOT/BOOTX64.EFI --output=rootfs/boot/EFI/BOOT/BOOTX64.EFI
|
||||
|
||||
${patosPkgs.systemd}/usr/lib/systemd/systemd-sbsign sign --certificate=${patosPkgs.cert}/cert.pem --private-key=${patosPkgs.cert}/key.pem \
|
||||
patos_${version}.efi --output=patos_${version}.efi
|
||||
echo "timeout 2" > rootfs/boot/loader/loader.conf
|
||||
|
||||
# install UKI
|
||||
cp patos_${version}.efi rootfs/boot/EFI/Linux
|
||||
|
||||
echo "secure-boot-enroll force" >> rootfs/boot/loader/loader.conf
|
||||
|
||||
# Final partitioning
|
||||
cat <<EOF > final.repart.d/10-esp.conf
|
||||
[Partition]
|
||||
|
|
|
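Review bot: `ExecStartPost=rm -rf /boot/sbctl` only unlinks the PK/KEK/db private keys after `sbctl import-keys -d /boot/sbctl/keys` has copied them off the ESP; on the FAT ESP that leaves the key material recoverable, and until this unit runs on first boot the keys sit on an unencrypted, permission-less filesystem. If coreutils is in the image, overwrite before removing, e.g. `ExecStartPost=find /boot/sbctl -type f -exec shred -u {} +` followed by the existing `ExecStartPost=rm -rf /boot/sbctl`. The initrd enrollment script also writes the owner `GUID` next to `keys` (its config says `guid: /sysroot/boot/sbctl/GUID`), and that file is deleted here without being imported; confirm whether later `sbctl` operations need it to match the enrolled signature lists and copy it into `/var/lib/sbctl` first if so. A one-line comment in the unit should state the resulting trust model, e.g. `# After this unit the signing keys live in /var/lib/sbctl: root on the running system can sign any binary the firmware will trust.`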
@ -31,6 +31,49 @@ ln -sf /etc/os-release ./etc/initrd-release
|
|||
# set default target to initrd inside initrd
|
||||
ln -sf initrd.target ./usr/lib/systemd/system/default.target
|
||||
|
||||
# setup secure boot
|
||||
cat <<EOF > ./usr/bin/secure-boot-enroll
|
||||
#!/bin/sh
|
||||
set -ex -o pipefail
|
||||
|
||||
SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')
|
||||
|
||||
[ "\$SETUP_MODE" = "false" ] && exit 0
|
||||
|
||||
cat <<EOL> /run/sbctl.yml
|
||||
---
|
||||
keydir: /sysroot/boot/sbctl/keys
|
||||
guid: /sysroot/boot/sbctl/GUID
|
||||
EOL
|
||||
|
||||
ESP=\$(blkid --label ESP)
|
||||
|
||||
mount \$ESP /sysroot/boot && \
|
||||
sbctl --config /run/sbctl.yml create-keys && \
|
||||
sbctl --config /run/sbctl.yml enroll-keys --yolo && \
|
||||
# Sign EFIs
|
||||
find /sysroot/boot -type f \( -iname "*.efi" -o -iname "*.EFI" \) -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}
|
||||
|
||||
umount /sysroot/boot && \
|
||||
systemctl reboot -f
|
||||
EOF
|
||||
chmod +x ./usr/bin/secure-boot-enroll
|
||||
|
||||
cat <<EOF > ./usr/lib/systemd/system/secure-boot-enroll.service
|
||||
[Unit]
|
||||
Description=Enroll Secure Boot
|
||||
DefaultDependencies=false
|
||||
After=sysroot-run.mount
|
||||
Requires=sysroot-run.mount
|
||||
Before=systemd-repart.service initrd.target shutdown.target sysinit.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/secure-boot-enroll
|
||||
RemainAfterExit=yes
|
||||
EOF
|
||||
ln -sf ../secure-boot-enroll.service ./usr/lib/systemd/system/initrd-root-fs.target.wants/secure-boot-enroll.service
|
||||
|
||||
# bind mount /run to /sysroot/run
|
||||
cat <<EOF > ./usr/lib/systemd/system/sysroot-run.mount
|
||||
[Unit]
|
||||
|
|
|
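Review bot: The sign step `find … -print0 | xargs -I {} sbctl --config /run/sbctl.yml sign {}` pairs `-print0` with an `xargs` that is not given `-0`, so with GNU findutils xargs aborts on the NUL bytes and nothing gets signed; the `&& \` on the `enroll-keys` line also continues straight into the `# Sign EFIs` comment, which is fragile. `ESP=\$(blkid --label ESP)` selects whatever device carries that label and the script then signs every `*.efi` on it, so during setup mode any attached volume labelled `ESP` gets its binaries signed and trusted by the freshly enrolled db; sign only the paths this image ships and quote `\$ESP`. `[ "\$SETUP_MODE" = "false" ] && exit 0` still proceeds to `enroll-keys --yolo` when `setup_mode` is null or empty (no efivars, changed sbctl output), so test for `true` instead, and the reason for accepting `--yolo` (it skips sbctl's option-ROM safety check) should be stated in a comment. Because the unit is a oneshot ordered `Before=initrd.target`, any failure here lets the machine continue booting in setup mode with the now-unsigned UKI; if that fail-open is not intended, add `OnFailure=emergency.target` to the unit or have the script refuse to continue.
```shell
# … unchanged: shebang, set -ex …
SETUP_MODE=\$(sbctl status --json | xq -r '.setup_mode')
# Only enroll from setup mode; null/empty must never reach enroll-keys --yolo
[ "\$SETUP_MODE" = "true" ] || exit 0
# … unchanged: /run/sbctl.yml …
ESP=\$(blkid --label ESP)
mount "\$ESP" /sysroot/boot
sbctl --config /run/sbctl.yml create-keys
# --yolo skips sbctl's option-ROM check; document why that is acceptable for this hardware
sbctl --config /run/sbctl.yml enroll-keys --yolo
# Sign only the binaries this image ships, not every *.efi present on the ESP
for efi in /sysroot/boot/EFI/BOOT/BOOTX64.EFI /sysroot/boot/EFI/tools/shell.efi /sysroot/boot/EFI/Linux/*.efi; do
  sbctl --config /run/sbctl.yml sign "\$efi"
done
umount /sysroot/boot
systemctl reboot -f
```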
@ -172,7 +172,13 @@ cp -P ${pkgs.kmod.lib}/lib/*.so* $out/usr/lib/
|
|||
cp -P ${pkgs.kmod}/bin/* $out/usr/bin
|
||||
|
||||
### install libbpf
|
||||
cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib
|
||||
cp -P ${pkgs.libbpf}/lib/libbpf*.so* $out/usr/lib/
|
||||
|
||||
### install secure boot tools
|
||||
cp -P ${pkgs.sbctl}/bin/sbctl $out/usr/bin/
|
||||
rm -f $out/usr/bin/blkid
|
||||
cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/
|
||||
cp -P ${pkgs.xq}/bin/xq $out/usr/bin/
|
||||
|
||||
### install ca cert bundle
|
||||
chmod 755 $out/etc/ssl $out/etc/ssl/certs
|
||||
|
|
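Review bot: `cp -P ${pkgs.util-linuxMinimal}/bin/blkid $out/usr/bin/` installs only the executable, while the kmod and libbpf lines above copy the matching `*.so*` into `$out/usr/lib/`; blkid is normally dynamically linked against libblkid and libuuid, so `blkid --label ESP` in the initrd enrollment script will fail at runtime unless those libraries are already in the initrd (systemd needs libblkid, so they may well be, but this hunk does not show it). If they are not, add the util-linux `libblkid*.so*` and `libuuid*.so*` next to the existing lib copies. `rm -f $out/usr/bin/blkid` before the copy implies another package already provided a `blkid`; a comment such as `# replace the previously installed blkid: the enrollment script needs util-linux's --label lookup` would record why the earlier copy is not sufficient. The same library check applies to `xq` if it is not statically linked.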