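#!/bin/bash
# secureboot_tpm_setup.sh - Script to set up Secure Boot and TPM during ISO build
#
# Generates a build-time signing key pair, signs the GRUB EFI binary and the
# kernel with it, adds a custom GRUB menu entry and a TPM kernel parameter,
# regenerates grub.cfg, and finally removes the private key from the image so
# the ISO does not carry signing capability.  The public certificate (db.der)
# is kept: the signatures made here only verify at boot once that certificate
# is enrolled in the firmware's db.  Must run as root inside the image root.
#
# Environment:
#   ROOT_DEVICE  root device written into the custom GRUB entry.  Defaults to
#                the original /dev/sdX placeholder, which must be replaced
#                before the image is bootable.
set -euo pipefail

# Paths and filenames
KEY_DIR="/etc/secureboot"
GRUB_PATH="/boot/EFI/BOOT/BOOTX64.EFI"
KERNEL_PATH="/boot/vmlinuz"
SIGNED_KERNEL_PATH="/boot/vmlinuz-signed"
SIGNED_GRUB_PATH="/boot/EFI/BOOT/BOOTX64.EFI.signed"
CONF_PATH="/etc/xbps.d"
ROOT_DEVICE="${ROOT_DEVICE:-/dev/sdX}"
readonly KEY_DIR GRUB_PATH KERNEL_PATH SIGNED_KERNEL_PATH SIGNED_GRUB_PATH \
  CONF_PATH ROOT_DEVICE

#######################################
# Print a message to stderr and abort the build.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Install required tools first so the build fails early, before an
# unencrypted private key has been written to disk.
echo "Installing required tools..."
xbps-install -S -y efitools sbsigntool tpm-tools tpm2-tools
for tool in openssl sbsign grub-mkconfig; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Create directory for storing Secure Boot keys.  A 0700 directory alone
# leaves the key files at the default umask; tighten the umask while the key
# material is written so db.key itself is 0600.
mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"
old_umask=$(umask)
umask 077

# Generate Secure Boot Keys.  -nodes leaves the private key unencrypted on
# disk, which is why it is deleted again at the end of this script.
echo "Generating Secure Boot keys..."
openssl req -new -x509 -newkey rsa:2048 -keyout "$KEY_DIR/db.key" \
  -out "$KEY_DIR/db.crt" -nodes -days 3650 \
  -subj "/CN=Void Linux Secure Boot/"
openssl x509 -in "$KEY_DIR/db.crt" -outform DER -out "$KEY_DIR/db.der"
umask "$old_umask"

#######################################
# Sign an EFI binary with the build key and replace it in place.
# Globals:   KEY_DIR (read)
# Arguments: $1 - file to sign, $2 - temporary path for the signed output
# Returns:   aborts via die if the target does not exist
#######################################
sign_in_place() {
  local target=$1
  local signed=$2
  [[ -f "$target" ]] || die "cannot sign missing file: $target"
  sbsign --key "$KEY_DIR/db.key" --cert "$KEY_DIR/db.crt" \
    --output "$signed" "$target"
  mv -- "$signed" "$target"
}

# Sign the GRUB EFI binary
echo "Signing GRUB..."
sign_in_place "$GRUB_PATH" "$SIGNED_GRUB_PATH"

# Sign the kernel
echo "Signing kernel..."
sign_in_place "$KERNEL_PATH" "$SIGNED_KERNEL_PATH"

# Configure GRUB to load the signed kernel.  grub-mkconfig runs every
# *executable* file in /etc/grub.d as a script, so the entry needs the
# standard "print my own tail" header and must be chmod +x; a bare menuentry
# block written with mode 0644 is silently skipped and never reaches grub.cfg.
echo "Configuring GRUB for signed kernel..."
cat << EOF > /etc/grub.d/40_custom
#!/bin/sh
exec tail -n +3 \$0
menuentry "Void Linux" {
  insmod gzio
  insmod part_gpt
  insmod ext2
  set root='hd0,gpt1'
  linux /vmlinuz root=${ROOT_DEVICE} ro
  initrd /initramfs.img
}
EOF
chmod 755 /etc/grub.d/40_custom

# Set up TPM (optional, for integrity checks).  Append the line only if it is
# not already present so repeated runs do not pile up duplicate
# GRUB_CMDLINE_LINUX entries.
# NOTE(review): tpm_tis.force=1 forces probing of the TPM TIS driver; confirm
# this is the intended parameter for the target hardware.
echo "Configuring TPM..."
tpm_cmdline="GRUB_CMDLINE_LINUX='tpm_tis.force=1'"
# 2>/dev/null: /etc/default/grub may not exist yet in a fresh image root.
if ! grep -qxF -- "$tpm_cmdline" /etc/default/grub 2>/dev/null; then
  printf '%s\n' "$tpm_cmdline" >> /etc/default/grub
fi

# Regenerate GRUB configuration once, after both the menu entry and the
# kernel command line have been written (the original ran it twice).
echo "Generating GRUB configuration..."
grub-mkconfig -o /boot/grub/grub.cfg

# Disable linux-headers to avoid conflicts with Secure Boot
echo "Disabling linux-headers package..."
mkdir -p "$CONF_PATH"
echo "ignorepkg=linux-headers" > "$CONF_PATH/00-ignore.conf"

# Clean up key files (optional, to avoid storing keys in ISO).  Only the
# private key and the PEM certificate are removed; db.der stays in the image
# so the certificate can be enrolled in the firmware db, without which the
# signatures made above cannot be verified at boot.  ${KEY_DIR:?} guards
# against an empty variable turning this into a wipe of the root directory.
rm -f -- "${KEY_DIR:?}/db.key" "${KEY_DIR:?}/db.crt"
echo "Secure Boot and TPM setup completed."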