pep-mklive/secureboot_tpm_setup.sh


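#!/bin/bash
# secureboot_tpm_setup.sh - Script to set up Secure Boot and TPM during ISO build
#
# Generates a self-signed Secure Boot signing certificate, signs the GRUB EFI
# binary and the kernel with it, writes a GRUB menu entry plus a TPM kernel
# parameter, regenerates grub.cfg, and removes the private key from the image
# on every exit path. The public certificate (db.crt / db.der) is kept in
# KEY_DIR: it is the value that has to be enrolled in the firmware "db" for the
# signed binaries to be accepted; enrollment itself is not done by this script.
#
# Optional environment overrides (defaults reproduce the original menuentry):
#   ROOT_DEV  - root= device written into the menuentry (default is a placeholder)
#   GRUB_ROOT - GRUB "set root=" value written into the menuentry
set -euo pipefail

# Paths and filenames
readonly KEY_DIR="/etc/secureboot"
readonly GRUB_PATH="/boot/EFI/BOOT/BOOTX64.EFI"
readonly KERNEL_PATH="/boot/vmlinuz"
readonly SIGNED_KERNEL_PATH="/boot/vmlinuz-signed"
readonly SIGNED_GRUB_PATH="/boot/EFI/BOOT/BOOTX64.EFI.signed"
readonly CONF_PATH="/etc/xbps.d"
readonly GRUB_DEFAULT="/etc/default/grub"
readonly GRUB_CUSTOM="/etc/grub.d/40_custom"
readonly GRUB_CFG="/boot/grub/grub.cfg"
# Menuentry values; the defaults are the placeholders from the original script
# and must be overridden for a bootable build.
readonly ROOT_DEV="${ROOT_DEV:-/dev/sdX}"
readonly GRUB_ROOT="${GRUB_ROOT:-hd0,gpt1}"
# Signing key parameters
readonly KEY_BITS=2048
readonly KEY_DAYS=3650
readonly KEY_SUBJECT="/CN=Void Linux Secure Boot/"
readonly TPM_CMDLINE="GRUB_CMDLINE_LINUX='tpm_tis.force=1'"

die() { printf 'secureboot_tpm_setup: %s\n' "$*" >&2; exit 1; }
log() { printf '%s\n' "$*"; }

#######################################
# Remove the unencrypted private signing key from the image.
# Installed as an EXIT trap so a failed or interrupted build never leaves the
# key behind; the public certificate stays for firmware enrollment.
# Globals:   KEY_DIR (read)
#######################################
cleanup_private_key() {
  rm -f -- "${KEY_DIR:?}/db.key"
}

#######################################
# Install the signing and TPM tooling before anything depends on it.
#######################################
install_tools() {
  log "Installing required tools..."
  xbps-install -S -y efitools sbsigntool tpm-tools tpm2-tools
}

#######################################
# Create the signing key pair (PEM key + cert) and a DER copy of the cert.
# Globals:   KEY_DIR, KEY_BITS, KEY_DAYS, KEY_SUBJECT (read)
#######################################
generate_keys() {
  log "Generating Secure Boot keys..."
  mkdir -p -- "$KEY_DIR"
  chmod 700 -- "$KEY_DIR"
  # Subshell keeps the restrictive umask local to key generation, so the
  # private key is created owner-only without changing modes of files written
  # later (40_custom, 00-ignore.conf). -nodes leaves the key unencrypted,
  # which is why it is deleted on exit.
  (
    umask 077
    openssl req -new -x509 -newkey "rsa:${KEY_BITS}" \
      -keyout "$KEY_DIR/db.key" -out "$KEY_DIR/db.crt" \
      -nodes -days "$KEY_DAYS" -subj "$KEY_SUBJECT"
    openssl x509 -in "$KEY_DIR/db.crt" -outform DER -out "$KEY_DIR/db.der"
  )
}

#######################################
# Sign one EFI binary in place.
# Arguments: $1 - path of the binary to sign (replaced by the signed copy)
#            $2 - temporary output path for the signed copy
# Globals:   KEY_DIR (read)
#######################################
sign_binary() {
  local target=$1
  local signed_tmp=$2
  [[ -f "$target" ]] || die "cannot sign: $target not found"
  sbsign --key "$KEY_DIR/db.key" --cert "$KEY_DIR/db.crt" \
    --output "$signed_tmp" "$target"
  mv -- "$signed_tmp" "$target"
}

#######################################
# Write the custom menuentry, add the TPM kernel parameter and regenerate
# grub.cfg once after both edits.
# Globals:   GRUB_CUSTOM, GRUB_DEFAULT, GRUB_CFG, GRUB_ROOT, ROOT_DEV,
#            TPM_CMDLINE (read)
#######################################
configure_grub() {
  log "Configuring GRUB for signed kernel..."
  cat << EOF > "$GRUB_CUSTOM"
menuentry "Void Linux" {
insmod gzio
insmod part_gpt
insmod ext2
set root='${GRUB_ROOT}'
linux /vmlinuz root=${ROOT_DEV} ro
initrd /initramfs.img
}
EOF
  log "Configuring TPM..."
  # Append the assignment only if it is not already present, so re-running the
  # script does not stack duplicate GRUB_CMDLINE_LINUX lines. grub-mkconfig
  # sources this file as shell, so a later assignment replaces (does not
  # extend) any earlier GRUB_CMDLINE_LINUX value — verify against the base
  # file if it already sets one. A missing file (grep status 2, stderr
  # silenced) is treated as "not present" and created by the append.
  if ! grep -qxF -- "$TPM_CMDLINE" "$GRUB_DEFAULT" 2>/dev/null; then
    printf '%s\n' "$TPM_CMDLINE" >> "$GRUB_DEFAULT"
  fi
  log "Generating GRUB configuration..."
  # A single regeneration after both edits; the original ran it twice.
  grub-mkconfig -o "$GRUB_CFG"
}

#######################################
# Disable linux-headers to avoid conflicts with Secure Boot.
# Globals:   CONF_PATH (read)
#######################################
disable_linux_headers() {
  log "Disabling linux-headers package..."
  mkdir -p -- "$CONF_PATH"
  printf '%s\n' "ignorepkg=linux-headers" > "$CONF_PATH/00-ignore.conf"
}

main() {
  # Every step writes under /etc or /boot.
  (( EUID == 0 )) || die "must run as root"
  trap cleanup_private_key EXIT
  install_tools
  generate_keys
  log "Signing GRUB..."
  sign_binary "$GRUB_PATH" "$SIGNED_GRUB_PATH"
  log "Signing kernel..."
  sign_binary "$KERNEL_PATH" "$SIGNED_KERNEL_PATH"
  configure_grub
  disable_linux_headers
  log "Secure Boot and TPM setup completed."
}

main "$@"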