fix bios boot issue and try to add secureboot suport

This commit is contained in:
manuel 2024-11-07 12:46:38 -01:00
parent 4e1a26843b
commit 1e289dc7a8
7 changed files with 178 additions and 312 deletions


@ -74,7 +74,7 @@ build_variant() {
IMG=pep-live-${ARCH}-${DATE}-${variant}.iso IMG=pep-live-${ARCH}-${DATE}-${variant}.iso
GRUB_PKGS="grub-i386-efi grub-x86_64-efi" GRUB_PKGS="grub-i386-efi grub-x86_64-efi"
A11Y_PKGS="espeakup void-live-audio brltty" A11Y_PKGS="espeakup void-live-audio brltty"
PKGS="dialog octoxbps cryptsetup lvm2 mdadm void-docs-browse xtools-minimal xmirror chrony void-repo-nonfree void-repo-multilib void-repo-multilib-nonfree $A11Y_PKGS $GRUB_PKGS" PKGS="dialog octoxbps cryptsetup lvm2 mdadm rsync void-docs-browse xtools-minimal xmirror chrony void-repo-nonfree void-repo-multilib void-repo-multilib-nonfree $A11Y_PKGS $GRUB_PKGS"
XORG_PKGS="xorg xorg-input-drivers xorg-video-drivers setxkbmap xauth font-misc-misc terminus-font dejavu-fonts-ttf orca" XORG_PKGS="xorg xorg-input-drivers xorg-video-drivers setxkbmap xauth font-misc-misc terminus-font dejavu-fonts-ttf orca"
SERVICES="sshd chronyd" SERVICES="sshd chronyd"


@ -25,7 +25,6 @@ sequence:
- displaymanager - displaymanager
- networkcfg - networkcfg
- hwclock - hwclock
# - services-runit
- grubcfg - grubcfg
- bootloader - bootloader
- postcfg - postcfg


@ -1,167 +1,157 @@
#!/usr/bin/python3 #!/usr/bin/python3
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
#
# === This file is part of Calamares - <http://github.com/calamares> ===
#
# Copyright 2014 - 2019, Philip Müller <philm@manjaro.org>
# Copyright 2016, Artoo <artoo@manjaro.org>
#
# Calamares is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Calamares is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Calamares. If not, see <http://www.gnu.org/licenses/>.
import libcalamares import libcalamares
import subprocess import subprocess
from shutil import copy2 from shutil import copy2
from distutils.dir_util import copy_tree from distutils.dir_util import copy_tree
from os.path import join, exists from os.path import join, exists
from libcalamares.utils import target_env_call from libcalamares.utils import target_env_call, target_env_process_output
from libcalamares.utils import target_env_process_output
from libcalamares.utils import check_target_env_output
def pretty_name(): def pretty_name():
return ("Misc post-install configurations") return "Misc post-install configurations"
status = ("Misc post-install configurations") status = "Misc post-install configurations"
def pretty_status_message(): def pretty_status_message():
return status return status
class ConfigController: class ConfigController:
def __init__(self): def __init__(self):
self.__root = libcalamares.globalstorage.value("rootMountPoint") try:
self.__root = libcalamares.globalstorage.value("rootMountPoint")
except Exception as e:
print(f"Error initializing root mount point: {e}")
raise
@property @property
def root(self): def root(self):
return self.__root return self.__root
def terminate(self, proc): def terminate(self, proc):
target_env_call(['killall', '-9', proc]) try:
target_env_call(['killall', '-9', proc])
except Exception as e:
print(f"Error terminating process '{proc}': {e}")
def copy_file(self, file): def copy_file(self, file):
if exists("/" + file): try:
copy2("/" + file, join(self.root, file)) if exists("/" + file):
copy2("/" + file, join(self.root, file))
except Exception as e:
print(f"Error copying file '{file}': {e}")
def copy_folder(self, source, target): def copy_folder(self, source, target):
if exists("/" + source): try:
copy_tree("/" + source, join(self.root, target)) if exists("/" + source):
copy_tree("/" + source, join(self.root, target))
except Exception as e:
print(f"Error copying folder from '{source}' to '{target}': {e}")
def is_pkg_installed(self, pkg):
""" Checks if a package is installed in the target environment. """
try:
result = target_env_process_output(['xbps-query', pkg])
return result is not None # Package exists if query returns any result
except Exception as e:
print(f"Error checking if package '{pkg}' is installed: {e}")
return False
def remove_pkg(self, pkg): def remove_pkg(self, pkg):
libcalamares.utils.target_env_process_output(['xbps-remove', '-Ry', pkg]) try:
target_env_process_output(['xbps-remove', '-Ry', pkg])
except Exception as e:
print(f"Error removing package '{pkg}': {e}")
def umount(self, mp): def umount(self, mp):
subprocess.call(["umount", "-l", join(self.root, mp)]) try:
subprocess.call(["umount", "-l", join(self.root, mp)])
except Exception as e:
print(f"Error unmounting '{mp}': {e}")
def mount(self, mp): def mount(self, mp):
subprocess.call(["mount", "-B", "/" + mp, join(self.root, mp)]) try:
subprocess.call(["mount", "-B", "/" + mp, join(self.root, mp)])
except Exception as e:
print(f"Error mounting '{mp}': {e}")
def rmdir(self, dir): def rmdir(self, dir):
subprocess.call(["rm", "-Rf", join(self.root, dir)]) try:
subprocess.call(["rm", "-Rf", join(self.root, dir)])
except Exception as e:
print(f"Error removing directory '{dir}': {e}")
def mkdir(self, dir): def mkdir(self, dir):
subprocess.call(["mkdir", "-p", join(self.root, dir)]) try:
subprocess.call(["mkdir", "-p", join(self.root, dir)])
except Exception as e:
print(f"Error creating directory '{dir}': {e}")
def run(self): def run(self):
status = ("Removing CLI installer") try:
if exists(join(self.root, "usr/sbin/void-installer")): # Remove CLI installers
libcalamares.utils.target_env_process_output(["rm", "-fv", "usr/sbin/void-installer"]) if exists(join(self.root, "usr/sbin/void-installer")):
target_env_process_output(["rm", "-fv", "usr/sbin/void-installer"])
if exists(join(self.root, "usr/sbin/pep-installer")): if exists(join(self.root, "usr/sbin/pep-installer")):
libcalamares.utils.target_env_process_output(["rm", "-fv", "usr/sbin/pep-installer"]) target_env_process_output(["rm", "-fv", "usr/sbin/pep-installer"])
status = ("Initializing package manager databases") # Initialize package manager databases
if libcalamares.globalstorage.value("hasInternet"): if libcalamares.globalstorage.value("hasInternet"):
libcalamares.utils.target_env_process_output(["xbps-install", "-Syy"]) target_env_process_output(["xbps-install", "-Syy"])
# Remove calamares # Remove Calamares from target
status = ("Removing Calamares from target") self.remove_pkg("calamares")
self.remove_pkg("calamares") if exists(join(self.root, "usr/share/applications/calamares.desktop")):
if exists(join(self.root, "usr/share/applications/calamares.desktop")): target_env_call(["rm", "-fv", "usr/share/applications/calamares.desktop"])
target_env_call(["rm", "-fv", "usr/share/applications/calamares.desktop"])
# Remove Breeze if Plasma is not installed # Remove Emptty if LightDM is present
if exists(join(self.root, "usr/bin/startplasma-x11")): if exists(join(self.root, "etc/lightdm/lightdm.conf")):
print("Plasma is installed, not removing Breeze") if exists(join(self.root, "usr/bin/emptty")):
else: target_env_process_output(["rm", "-fv", "etc/runit/runsvdir/default/emptty"])
status = ("Removing Breeze") target_env_process_output(["rm", "-rfv", "etc/emptty"])
self.remove_pkg("breeze") self.remove_pkg("emptty")
# If Plasma or LXQt are installed, remove Qt5ct # Update grub.cfg
if exists(join(self.root, "usr/bin/startplasma-x11")): if exists(join(self.root, "usr/bin/update-grub")):
status = ("Removing Qt5ct") target_env_process_output(["update-grub"])
self.remove_pkg("qt5ct")
elif exists(join(self.root, "usr/bin/startlxqt")):
status = ("Removing Qt5ct")
self.remove_pkg("qt5ct")
# Remove Emptty if LightDM is present
if exists(join(self.root, "etc/lightdm/lightdm.conf")):
if exists(join(self.root, "usr/bin/emptty")):
status = ("Removing Emptty")
libcalamares.utils.target_env_process_output(["rm", "-fv" , "etc/runit/runsvdir/default/emptty"])
libcalamares.utils.target_env_process_output(["rm" , "-rfv", "etc/emptty"])
self.remove_pkg("emptty")
# Copy skel to root # Enable `menu_auto_hide` in grubenv if supported
status = ("Copying skel to root") if exists(join(self.root, "usr/bin/grub-set-bootflag")):
self.copy_folder('etc/skel', 'root') target_env_call(["grub-editenv", "-", "set", "menu_auto_hide=1", "boot_success=1"])
# Update grub.cfg # Enable doas if installed on target
status = ("Updating GRUB") if exists(join(self.root, "usr/bin/doas")):
if exists(join(self.root, "usr/bin/update-grub")): doasconf = "permit nopass :root ||\npermit persist :wheel"
libcalamares.utils.target_env_process_output(["update-grub"]) with open(join(self.root, "etc/doas.conf"), 'w') as conf:
conf.write(doasconf)
# Enable 'menu_auto_hide' when supported in grubenv # Mark current kernel as automatically installed
if exists(join(self.root, "usr/bin/grub-set-bootflag")): target_env_process_output(["xbps-pkgdb", "-m", "auto", "linux6.1"])
target_env_call(["grub-editenv", "-", "set", "menu_auto_hide=1", "boot_success=1"])
# # Enable plymouth # Remove linux-headers package if installed and ignore it in updates
# status = ("Enabling Plymouth on target") if self.is_pkg_installed("linux-headers"):
# libcalamares.utils.target_env_process_output(["plymouth-set-default-theme", "-R", "simply"]) self.remove_pkg("linux-headers")
else:
print("Package 'linux-headers' not installed, skipping removal.")
# Replace /etc/issue msg from live ignorepkg = "ignorepkg=linux-headers"
if exists(join(self.root, "etc/issue.new")): self.mkdir("etc/xbps.d/")
libcalamares.utils.target_env_process_output(["mv", "etc/issue.new", "etc/issue"]) with open(join(self.root, "etc/xbps.d/00-ignore.conf"), 'w') as conf:
conf.write(ignorepkg)
# If doas installed on target, enable it # Reconfigure all target packages
if exists(join(self.root, "usr/bin/doas")): target_env_process_output(["xbps-reconfigure", "-fa"])
doasconf = "permit nopass :root ||\npermit persist :wheel"
with open(join(self.root, "etc/doas.conf"), 'w') as conf:
conf.write(doasconf)
# Override default XFCE wallpaper except Exception as e:
if exists(join(self.root, "usr/share/backgrounds/xfce/xfce-shapes.png")): print(f"Error during run process: {e}")
libcalamares.utils.target_env_process_output(["rm", "-fv", "usr/share/backgrounds/xfce/xfce-shapes.png"]) raise
libcalamares.utils.target_env_process_output(["ln", "-frsv", "usr/share/backgrounds/wallpaper4.png", "usr/share/backgrounds/xfce/xfce-shapes.png"])
# Mark current kernel as automatically installed (this allows to remove old LTS kernels as orphaned packages).
libcalamares.utils.target_env_process_output(["xbps-pkgdb", "-m", "auto", "linux6.1"])
# Remove linux-headers meta-package
status = ("Removing linux-headers from target")
libcalamares.utils.target_env_process_output(["xbps-remove", "-RFyv", "linux-headers"])
ignorepkg = "ignorepkg=linux-headers"
self.mkdir("etc/xbps.d/")
with open(join(self.root, "etc/xbps.d/00-ignore.conf"), 'w') as conf:
conf.write(ignorepkg)
# Reconfigure all target packages to ensure everything is ok
status = ("Reconfiguring all target packages")
libcalamares.utils.target_env_process_output(["xbps-reconfigure", "-fa"])
def run(): def run():
""" Misc post-install configurations """ """ Misc post-install configurations """
try:
config = ConfigController()
return config.run()
except Exception as e:
print(f"Error in main run function: {e}")
return None
config = ConfigController()
return config.run()
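Review bot: The new module-level `run()` at the end of the hunk turns every failure into a reported success: it catches `Exception`, prints it and returns `None`, and `None` is exactly what a Calamares job module returns to signal that the job succeeded, whereas the old version let the exception propagate and the job runner reported it as a failed job. Replace the handler body with `return ("Misc post-install configurations failed", str(e))` so the installer surfaces the error instead of continuing with a half-configured target. The catch-all in `ConfigController.run` has a related cost: a failure in any early step (for example the `xbps-install -Syy` refresh when `hasInternet` is true) abandons everything after it, including the final `xbps-reconfigure -fa`, before re-raising, so a per-step `try` with its own message would preserve the old behaviour where later steps still ran. `is_pkg_installed` appears to work only because `target_env_process_output` raises on a non-zero `xbps-query` exit, which lands in the `except` and returns `False`; `result is not None` looks like it is always true when the call returns, so that reliance deserves either a comment or an explicit exit-status check.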


@ -23,22 +23,22 @@ MENU COLOR sel * #ffffffff #FF5255FF *
LABEL linux LABEL linux
MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@
KERNEL /boot/vmlinuz KERNEL /boot/vmlinuz
APPEND initrd=/boot/initrd root=live:CDLABEL=PEP-LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ APPEND initrd=/boot/initrd root=live:CDLABEL=PEP_LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@
LABEL linuxram LABEL linuxram
MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ (RAM) MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ (RAM)
KERNEL /boot/vmlinuz KERNEL /boot/vmlinuz
APPEND initrd=/boot/initrd root=live:CDLABEL=PEP-LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ rd.live.ram APPEND initrd=/boot/initrd root=live:CDLABEL=PEP_LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ rd.live.ram
LABEL linuxa11y LABEL linuxa11y
MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ with ^speech MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ with ^speech
KERNEL /boot/vmlinuz KERNEL /boot/vmlinuz
APPEND initrd=/boot/initrd root=live:CDLABEL=PEP-LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ live.accessibility live.autologin APPEND initrd=/boot/initrd root=live:CDLABEL=PEP_LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ live.accessibility live.autologin
LABEL linuxa11yram LABEL linuxa11yram
MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ with speech (^RAM) MENU LABEL @@BOOT_TITLE@@ @@KERNVER@@ @@ARCH@@ with speech (^RAM)
KERNEL /boot/vmlinuz KERNEL /boot/vmlinuz
APPEND initrd=/boot/initrd root=live:CDLABEL=PEP-LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ live.accessibility live.autologin rd.live.ram APPEND initrd=/boot/initrd root=live:CDLABEL=PEP_LIVE init=/sbin/init ro rd.luks=0 rd.md=0 rd.dm=0 loglevel=4 vconsole.unicode=1 vconsole.keymap=@@KEYMAP@@ locale.LANG=@@LOCALE@@ @@BOOT_CMDLINE@@ live.accessibility live.autologin rd.live.ram
LABEL c LABEL c
MENU LABEL Boot first HD found by BIOS MENU LABEL Boot first HD found by BIOS
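Review bot: The corrected `CDLABEL=PEP_LIVE` value is still repeated verbatim on all four `APPEND` lines while every other build-time value on those lines is a `@@TOKEN@@` placeholder substituted by the build script; the label has to match the volume id the image build writes (not visible in this hunk), which is presumably the mismatch this commit fixes. A single `root=live:CDLABEL=@@CDLABEL@@` token filled from the same variable the build uses for the volume id would keep the two from drifting apart again.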


@ -1,193 +0,0 @@
import sys
import subprocess
from PyQt5.QtWidgets import (QApplication, QMainWindow, QVBoxLayout, QLabel, QPushButton,
QWidget, QComboBox, QLineEdit, QProgressBar, QMessageBox,
QStackedWidget, QHBoxLayout, QFormLayout)
from PyQt5.QtGui import QPixmap, QFont
from PyQt5.QtCore import Qt
class InstallerWindow(QMainWindow):
def __init__(self):
super().__init__()
self.setWindowTitle("Void Linux Installer")
self.setGeometry(300, 200, 800, 600)
# Widget com layout empilhado para etapas de instalação
self.stack = QStackedWidget()
self.setCentralWidget(self.stack)
# Fontes e estilos básicos
self.title_font = QFont("Arial", 18, QFont.Bold)
self.normal_font = QFont("Arial", 12)
# Etapas do instalador
self.create_welcome_page()
self.create_partition_page()
self.create_user_page()
self.create_install_page()
# Layout para os botões de navegação
self.nav_layout = QHBoxLayout()
self.prev_button = QPushButton("Anterior")
self.prev_button.clicked.connect(self.prev_page)
self.prev_button.setEnabled(False) # Desativado na primeira página
self.next_button = QPushButton("Próximo")
self.next_button.clicked.connect(self.next_page)
self.nav_layout.addWidget(self.prev_button)
self.nav_layout.addWidget(self.next_button)
# Adicionar os botões de navegação no final
nav_widget = QWidget()
nav_widget.setLayout(self.nav_layout)
layout = QVBoxLayout()
layout.addWidget(self.stack)
layout.addWidget(nav_widget)
container = QWidget()
container.setLayout(layout)
self.setCentralWidget(container)
def create_welcome_page(self):
"""Página de boas-vindas."""
page = QWidget()
layout = QVBoxLayout()
welcome_label = QLabel("Bem-vindo ao Instalador do Void Linux")
welcome_label.setFont(self.title_font)
layout.addWidget(welcome_label, alignment=Qt.AlignCenter)
img_label = QLabel()
img = QPixmap("image.png") # Certifique-se de que o caminho da imagem esteja correto
img_label.setPixmap(img.scaled(300, 300, Qt.KeepAspectRatio))
layout.addWidget(img_label, alignment=Qt.AlignCenter)
page.setLayout(layout)
self.stack.addWidget(page)
def create_partition_page(self):
"""Página de seleção de partição."""
page = QWidget()
layout = QVBoxLayout()
title = QLabel("Seleção de Partição")
title.setFont(self.title_font)
layout.addWidget(title)
form_layout = QFormLayout()
self.partition_combo = QComboBox()
self.partition_combo.addItems(self.get_partitions())
form_layout.addRow("Escolha uma partição:", self.partition_combo)
# Botão para abrir GParted
gparted_button = QPushButton("Abrir GParted para Particionamento")
gparted_button.clicked.connect(self.open_gparted)
layout.addLayout(form_layout)
layout.addWidget(gparted_button)
page.setLayout(layout)
self.stack.addWidget(page)
def create_user_page(self):
"""Página de configuração de usuário e senha."""
page = QWidget()
layout = QVBoxLayout()
title = QLabel("Configuração do Usuário")
title.setFont(self.title_font)
layout.addWidget(title)
form_layout = QFormLayout()
self.user_input = QLineEdit()
self.password_input = QLineEdit()
self.password_input.setEchoMode(QLineEdit.Password)
form_layout.addRow("Nome do usuário:", self.user_input)
form_layout.addRow("Senha:", self.password_input)
layout.addLayout(form_layout)
page.setLayout(layout)
self.stack.addWidget(page)
def create_install_page(self):
"""Página de instalação com barra de progresso."""
page = QWidget()
layout = QVBoxLayout()
title = QLabel("Instalação do Sistema")
title.setFont(self.title_font)
layout.addWidget(title)
self.progress_bar = QProgressBar()
self.progress_bar.setAlignment(Qt.AlignCenter)
layout.addWidget(self.progress_bar)
install_button = QPushButton("Iniciar Instalação")
install_button.clicked.connect(self.start_installation)
layout.addWidget(install_button, alignment=Qt.AlignCenter)
page.setLayout(layout)
self.stack.addWidget(page)
def get_partitions(self):
"""Função para listar partições do sistema."""
partitions = subprocess.getoutput("lsblk -nd -o NAME").splitlines()
return [f"/dev/{p}" for p in partitions]
def open_gparted(self):
"""Abre o GParted para particionamento de disco."""
try:
subprocess.Popen(["gparted"])
except FileNotFoundError:
QMessageBox.critical(self, "Erro", "GParted não está instalado.")
def start_installation(self):
"""Inicia a instalação e atualiza a barra de progresso."""
partition = self.partition_combo.currentText()
username = self.user_input.text()
password = self.password_input.text()
if not partition or not username or not password:
QMessageBox.warning(self, "Erro", "Por favor, preencha todos os campos.")
return
try:
self.progress_bar.setValue(0)
subprocess.run(["./mklive.sh"], check=True)
self.progress_bar.setValue(25)
subprocess.run(["./mkrootfs.sh"], check=True)
self.progress_bar.setValue(50)
subprocess.run(["./mkimage.sh"], check=True)
self.progress_bar.setValue(75)
subprocess.run(["./installer.sh", partition, username, password], check=True)
self.progress_bar.setValue(100)
QMessageBox.information(self, "Sucesso", "Instalação concluída com sucesso!")
except subprocess.CalledProcessError as e:
QMessageBox.critical(self, "Erro", f"Ocorreu um erro: {e}")
def next_page(self):
"""Avançar para a próxima página."""
current_index = self.stack.currentIndex()
if current_index < self.stack.count() - 1:
self.stack.setCurrentIndex(current_index + 1)
self.prev_button.setEnabled(True)
# Alterar o texto do botão para "Instalar" na última página
if current_index == self.stack.count() - 2:
self.next_button.setText("Instalar")
else:
self.next_button.setText("Próximo")
def prev_page(self):
"""Voltar para a página anterior."""
current_index = self.stack.currentIndex()
if current_index > 0:
self.stack.setCurrentIndex(current_index - 1)
self.next_button.setText("Próximo")
if current_index == 1:
self.prev_button.setEnabled(False)
if __name__ == "__main__":
app = QApplication(sys.argv)
window = InstallerWindow()
window.show()
sys.exit(app.exec_())


@ -585,6 +585,9 @@ generate_isolinux_boot
print_step "Generating GRUB support for EFI systems..." print_step "Generating GRUB support for EFI systems..."
generate_grub_efi_boot generate_grub_efi_boot
#print_step "Configuring Secure Boot and TPM support..."
#source ./secureboot_tpm_setup.sh
print_step "Cleaning up rootfs..." print_step "Cleaning up rootfs..."
cleanup_rootfs cleanup_rootfs
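Review bot: The two added lines are commented-out code rather than a switchable feature, so the build gains nothing and the lines will rot; gate them on a variable instead, e.g. `if [ -n "$SECUREBOOT" ]; then print_step "Configuring Secure Boot and TPM support..."; ./secureboot_tpm_setup.sh; fi`. Note also that `source` would run the script inside mklive.sh's own shell, so its `set -e` and its variable names (`KEY_DIR`, `GRUB_PATH`, `CONF_PATH`) would leak into the build script; running it as a child process keeps the two isolated. The enclosing script continues outside the hunk.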

67
secureboot_tpm_setup.sh Executable file

@ -0,0 +1,67 @@
#!/bin/bash
# secureboot_tpm_setup.sh - Script to set up Secure Boot and TPM during ISO build
set -e
# Paths and filenames
KEY_DIR="/etc/secureboot"
GRUB_PATH="/boot/EFI/BOOT/BOOTX64.EFI"
KERNEL_PATH="/boot/vmlinuz"
SIGNED_KERNEL_PATH="/boot/vmlinuz-signed"
SIGNED_GRUB_PATH="/boot/EFI/BOOT/BOOTX64.EFI.signed"
CONF_PATH="/etc/xbps.d"
# Create directory for storing Secure Boot keys
mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"
# Generate Secure Boot Keys
echo "Generating Secure Boot keys..."
openssl req -new -x509 -newkey rsa:2048 -keyout "$KEY_DIR/db.key" -out "$KEY_DIR/db.crt" -nodes -days 3650 -subj "/CN=Void Linux Secure Boot/"
openssl x509 -in "$KEY_DIR/db.crt" -outform DER -out "$KEY_DIR/db.der"
# Install required tools
echo "Installing required tools..."
xbps-install -S -y efitools sbsigntool tpm-tools tpm2-tools
# Sign the GRUB EFI binary
echo "Signing GRUB..."
sbsign --key "$KEY_DIR/db.key" --cert "$KEY_DIR/db.crt" --output "$SIGNED_GRUB_PATH" "$GRUB_PATH"
mv "$SIGNED_GRUB_PATH" "$GRUB_PATH"
# Sign the kernel
echo "Signing kernel..."
sbsign --key "$KEY_DIR/db.key" --cert "$KEY_DIR/db.crt" --output "$SIGNED_KERNEL_PATH" "$KERNEL_PATH"
mv "$SIGNED_KERNEL_PATH" "$KERNEL_PATH"
# Configure GRUB to load the signed kernel
echo "Configuring GRUB for signed kernel..."
cat << EOF > /etc/grub.d/40_custom
menuentry "Void Linux" {
insmod gzio
insmod part_gpt
insmod ext2
set root='hd0,gpt1'
linux /vmlinuz root=/dev/sdX ro
initrd /initramfs.img
}
EOF
# Regenerate GRUB configuration
echo "Generating GRUB configuration..."
grub-mkconfig -o /boot/grub/grub.cfg
# Set up TPM (optional, for integrity checks)
echo "Configuring TPM..."
echo "GRUB_CMDLINE_LINUX='tpm_tis.force=1'" >> /etc/default/grub
grub-mkconfig -o /boot/grub/grub.cfg
# Disable linux-headers to avoid conflicts with Secure Boot
echo "Disabling linux-headers package..."
mkdir -p "$CONF_PATH"
echo "ignorepkg=linux-headers" > "$CONF_PATH/00-ignore.conf"
# Clean up key files (optional, to avoid storing keys in ISO)
rm -rf "$KEY_DIR"
echo "Secure Boot and TPM setup completed."
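Review bot: Every path the script touches is an absolute host path — `xbps-install` under "Installing required tools", `sbsign`/`mv` on `/boot/EFI/BOOT/BOOTX64.EFI` and `/boot/vmlinuz`, the heredoc into `/etc/grub.d/40_custom`, `grub-mkconfig -o /boot/grub/grub.cfg`, the append to `/etc/default/grub` and the final `rm -rf "$KEY_DIR"` — so when run during an ISO build it rewrites the build machine's bootloader, GRUB config and package set rather than the image tree. The signing step also cannot yield a bootable Secure Boot image: the self-signed certificate is never shipped or enrolled (no `db.der` in the image, no shim), and the private key is deleted at the end, so neither firmware can verify the binaries nor can a later kernel update be signed with the same key. The generated `40_custom` entry hard-codes `root=/dev/sdX` and `hd0,gpt1`, which is a placeholder rather than a working entry, `grub-mkconfig` runs twice, and `tpm_tis.force=1` only forces the TPM driver — it adds no measurement or integrity policy, so the "integrity checks" comment overstates it. The rewrite below takes the image root as an argument, keeps the key directory outside the image and reuses it across builds, ships only the public certificate for enrollment, and drops the key cleanup; the host-side `xbps-install`, `40_custom` heredoc, `grub-mkconfig` and `/etc/default/grub` edits should either be removed or pointed at the image tree.
```shell
#!/bin/bash
# secureboot_tpm_setup.sh - Script to set up Secure Boot and TPM during ISO build
# Usage: secureboot_tpm_setup.sh <image-root-dir>
# SB_KEY_DIR must name a key directory kept outside the image tree.
set -eu
TARGET="${1:?usage: secureboot_tpm_setup.sh <image-root-dir>}"
KEY_DIR="${SB_KEY_DIR:?set SB_KEY_DIR to a key directory outside the image tree}"
GRUB_PATH="$TARGET/boot/EFI/BOOT/BOOTX64.EFI"
KERNEL_PATH="$TARGET/boot/vmlinuz"
SIGNED_KERNEL_PATH="$KERNEL_PATH.signed"
SIGNED_GRUB_PATH="$GRUB_PATH.signed"
CONF_PATH="$TARGET/etc/xbps.d"
# Generate the signing key only once so later kernel builds are signed with the same certificate
if [ ! -f "$KEY_DIR/db.key" ]; then
    mkdir -p "$KEY_DIR"
    chmod 700 "$KEY_DIR"
    echo "Generating Secure Boot keys..."
    openssl req -new -x509 -newkey rsa:2048 -keyout "$KEY_DIR/db.key" -out "$KEY_DIR/db.crt" -nodes -days 3650 -subj "/CN=Void Linux Secure Boot/"
    openssl x509 -in "$KEY_DIR/db.crt" -outform DER -out "$KEY_DIR/db.der"
fi
# … unchanged: sbsign of GRUB and of the kernel, now against the $TARGET paths above …
# Ship the public certificate (never the private key) so it can be enrolled in the firmware db
install -m 644 "$KEY_DIR/db.der" "$TARGET/boot/EFI/BOOT/db.der"
# … dropped: host-side xbps-install, /etc/grub.d/40_custom heredoc, grub-mkconfig runs, /etc/default/grub append …
mkdir -p "$CONF_PATH"
echo "ignorepkg=linux-headers" > "$CONF_PATH/00-ignore.conf"
# $KEY_DIR is intentionally left in place; it lives outside $TARGET and is not part of the ISO
echo "Secure Boot and TPM setup completed."
```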