From 2676c5ca3a62670898ed872c8e1136b7bb740979 Mon Sep 17 00:00:00 2001
From: Domenico Panella
Date: Thu, 8 Oct 2020 16:04:59 +0200
Subject: [PATCH] New feature: bootloader signing

---
 grub/grub_void.cfg.in |  2 +-
 mklive.sh.in          | 46 ++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/grub/grub_void.cfg.in b/grub/grub_void.cfg.in
index a2cda855ff..04e96d82af 100644
--- a/grub/grub_void.cfg.in
+++ b/grub/grub_void.cfg.in
@@ -15,7 +15,7 @@ insmod font
 if loadfont "(${voidlive})/boot/grub/fonts/unicode.pf2" ; then
     insmod gfxterm
-    set gfxmode="auto"
+    set gfxmode="1920x1440"
     terminal_input console
     terminal_output gfxterm
diff --git a/mklive.sh.in b/mklive.sh.in
index 90e3f1d157..c123c484d1 100644
--- a/mklive.sh.in
+++ b/mklive.sh.in
@@ -32,6 +32,7 @@ umask 022
 readonly REQUIRED_PKGS="base-files libgcc dash coreutils sed tar gawk syslinux grub-i386-efi grub-x86_64-efi squashfs-tools xorriso"
 readonly INITRAMFS_PKGS="binutils xz device-mapper dhclient dracut-network openresolv"
 readonly PROGNAME=$(basename "$0")
+toSign=0
 
 info_msg() {
     printf "\033[1m$@\n\033[m"
@@ -82,6 +83,8 @@ directory if unset).
  -C "cmdline args" Add additional kernel command line arguments.
  -T "title" Modify the bootloader title.
  -v linux Install a custom Linux version on ISO image (linux meta-package if unset).
+ -d Set a key file to sign bootloader.
+ -t Set a certificate file to sign bootloader.
  -K Do not remove builddir.
 
 The $PROGNAME script generates a live image of the Void Linux distribution.
@@ -190,6 +193,17 @@ generate_isolinux_boot() {
         "$ISOLINUX_DIR"/isolinux.cfg
 }
 
+dosign() {
+    print_step "Signing $2..."
+
+    if ! sbsign --key "$DBKEY" --cert "$DBCRT" --output "$1.signed" "$1"; then
+        die "Failed to sign $2"
+    fi
+    if ! sbverify --cert "$DBCRT" "$1.signed"; then
+        die "failed to verify the signature"
+    fi
+}
+
 generate_grub_efi_boot() {
     cp -f grub/grub.cfg "$GRUB_DIR"
     cp -f grub/grub_void.cfg.in "$GRUB_DIR"/grub_void.cfg
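Review bot: The gfxmode change from `auto` to a fixed `1920x1440` is unrelated to the bootloader-signing feature this commit is about and hard-codes a 4:3 resolution that many panels and firmware framebuffers do not offer; on such machines GRUB cannot set the mode and gfxterm output may fail rather than fall back. If a preferred mode is wanted, GRUB accepts a fallback list, `set gfxmode="1920x1440,auto"`, which keeps `auto` as the safety net; otherwise this line belongs in its own commit with its own rationale. The `if loadfont` block continues outside the hunk.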
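Review bot: `toSign` breaks the script-level naming convention of the surrounding declarations (`REQUIRED_PKGS`, `PROGNAME`) and of the `DBKEY`/`DBCRT` variables this same patch introduces, so the three new globals do not read as one feature. A name such as `SIGN_BOOTLOADER=0` would match the file, and a short comment, `# set to 1 once -d/-t are validated; enables EFI loader signing`, would tell a reader where it is flipped and what it gates.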
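Review bot: The two new usage lines omit the argument placeholder that every other option taking an argument shows (`-C "cmdline args"`, `-v linux`), and they do not say that the flags are only valid together, what gets signed, or that an external tool is needed. Suggested wording: ` -d keyfile Private key used to sign the EFI bootloaders (requires -t).` and ` -t certfile X.509 certificate matching -d (requires -d; needs sbsigntools).` The usage heredoc continues outside the hunk.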
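Review bot: `dosign` writes the signed image to `$1.signed` and leaves the unsigned `$1` untouched, and neither caller visible in this patch renames the result, so the file the firmware actually loads (`BOOTX64.EFI`) stays unsigned while a `.signed` copy sits beside it in the ESP image. After the `sbverify` check the function should install the signed image over the original, e.g. `mv -f -- "$1.signed" "$1" || die "Failed to install signed $2"`. Note also that `dosign` depends on `sbverify`, while the prerequisite check added later in this patch only probes for `sbsign`; both ship in sbsigntools, but a missing `sbverify` would only surface here, mid-build, after the EFI image has been mounted.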
@@ -226,6 +240,12 @@ generate_grub_efi_boot() {
     fi
     mkdir -p "${GRUB_EFI_TMPDIR}"/EFI/BOOT
     cp -f "$VOIDHOSTDIR"/tmp/bootia32.efi "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTIA32.EFI
+
+    #Bootloader signing
+    if [ $toSign -eq 1 ] && [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX32.EFI ]; then
+        dosign "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX32.EFI BOOTX32.EFI
+    fi
+
     xbps-uchroot "$VOIDHOSTDIR" grub-mkstandalone -- \
         --directory="/usr/lib/grub/x86_64-efi" \
         --format="x86_64-efi" \
@@ -237,6 +257,12 @@ generate_grub_efi_boot() {
         die "Failed to generate EFI loader"
     fi
     cp -f "$VOIDHOSTDIR"/tmp/bootx64.efi "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI
+
+    #Bootloader signing
+    if [ $toSign -eq 1 ] && [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI ]; then
+        dosign "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI BOOTX64.EFI
+    fi
+
     umount "$GRUB_EFI_TMPDIR"
     losetup --detach "${LOOP_DEVICE}"
     rm -rf "$GRUB_EFI_TMPDIR"
@@ -282,7 +308,7 @@ generate_iso_image() {
 #
 # main()
 #
-while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:h" opt; do
+while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:d:t:h" opt; do
 case $opt in
     a) BASE_ARCH="$OPTARG";;
     b) BASE_SYSTEM_PKG="$OPTARG";;
@@ -300,6 +326,8 @@ while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:h" opt; do
     C) BOOT_CMDLINE="$OPTARG";;
     T) BOOT_TITLE="$OPTARG";;
     v) LINUX_VERSION="$OPTARG";;
+    d) DBKEY="$OPTARG";;
+    t) DBCRT="$OPTARG";;
     h) usage;;
     *) usage;;
 esac
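Review bot: The guard tests for `EFI/BOOT/BOOTX32.EFI`, but the file copied two lines above is `EFI/BOOT/BOOTIA32.EFI`, so the `-f` test is always false and the 32-bit loader is silently never signed. Both the test and the `dosign` arguments should name the file that exists: `if [ $toSign -eq 1 ] && [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTIA32.EFI ]; then` / `dosign "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI`. Since the `cp -f` just above either produced that file or failed, the existence test adds nothing; a failed copy deserves its own `die` rather than a quietly skipped signature. generate_grub_efi_boot continues outside the hunk.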
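Review bot: Signing runs after the loader has already been copied into the mounted ESP image, so when `dosign` calls `die` the script exits with `$GRUB_EFI_TMPDIR` still mounted and `$LOOP_DEVICE` still attached (unless an exit trap elsewhere in the file handles that; none is visible here), and the unsigned binary is already inside the image when it fails. Signing `"$VOIDHOSTDIR"/tmp/bootx64.efi` before the `cp -f` into the image avoids both problems: any failure happens before the mount, and only a verified image is ever placed at `EFI/BOOT/BOOTX64.EFI`. The `-f` test immediately after `cp -f` to the same path is also redundant.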
@@ -330,6 +358,22 @@ if [ "$(id -u)" -ne 0 ]; then
     die "Must be run as root, exiting..."
 fi
 
+#The -d and -t options are complementary. If one exists, the other must also exist.
+#If these options are set, I also check sbsign command.
+if ([ $DBKEY ] && [ ! $DBCRT ]) || ([ ! $DBKEY ] && [ $DBCRT ]); then
+    die "Must be set a key and certificate via -d and -t option, exiting..."
+elif [ $DBKEY ] && [ $DBCRT ]; then
+    if [ ! -f $DBKEY ]; then
+        die "$DBKEY does not exist, exiting..."
+    elif [ ! -f $DBCRT ]; then
+        die "$DBCRT does not exist, exiting..."
+    elif ! command -v sbsign > /dev/null; then
+        die "sbsign command does not exist, exiting..."
+    else
+        toSign=1
+    fi
+fi
+
 if [ -n "$ROOTDIR" ]; then
     BUILDDIR=$(mktemp --tmpdir="$ROOTDIR" -d)
 else
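Review bot: Every test in the new block expands `$DBKEY`/`$DBCRT` unquoted (`[ $DBKEY ]`, `[ ! -f $DBKEY ]`), so a path containing whitespace or glob characters makes `[` fail with "too many arguments" or test the wrong file, and a value such as `-n` is parsed as an operator. The file checks also use `-f` where readability (`-r`) is what `sbsign` actually needs, only `sbsign` is probed although `dosign` calls `sbverify` as well, and the `( ... )` groups fork subshells for no reason. The comment's first-person wording ("I also check") is out of place in a script header; the rewrite below keeps the existing messages, quotes every expansion and probes both tools.

```shell
# -d and -t are only valid together; signing also needs sbsign and sbverify (sbsigntools).
if [ -n "$DBKEY" ] || [ -n "$DBCRT" ]; then
    if [ -z "$DBKEY" ] || [ -z "$DBCRT" ]; then
        die "Must be set a key and certificate via -d and -t option, exiting..."
    fi
    [ -r "$DBKEY" ] || die "$DBKEY does not exist or is not readable, exiting..."
    [ -r "$DBCRT" ] || die "$DBCRT does not exist or is not readable, exiting..."
    for tool in sbsign sbverify; do
        command -v "$tool" > /dev/null || die "$tool command does not exist, exiting..."
    done
    toSign=1
fi
```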