From bf4d1368fcdab9bcb7f594868c5791197ce0d797 Mon Sep 17 00:00:00 2001
From: Noel Miller <4983138+noelmiller@users.noreply.github.com>
Date: Fri, 23 Feb 2024 12:10:17 -0600
Subject: [PATCH] feat: Add Secure Boot Support and Remove Grub Entry for Test this Media (#28)

* chore: First pass of adding secure boot key enrollment
* feat: Add secure boot support
* feat: Removed Test this media grub entry and set default to install
* fix: simplify secureboot scripts
---------
Co-authored-by: Kyle Gospodnetich
---
 Makefile | 6 ++++++
 lorax_templates/secure_boot_key.tmpl | 9 +++++++++
 scripts/enroll-secureboot-key.sh | 19 +++++++++++++++++++
 scripts/ublue-os-akmods-public-key.der | Bin 0 -> 1548 bytes
 xorriso/gen_input.sh.in | 5 ++++-
 5 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 lorax_templates/secure_boot_key.tmpl
 create mode 100755 scripts/enroll-secureboot-key.sh
 create mode 100644 scripts/ublue-os-akmods-public-key.der

diff --git a/Makefile b/Makefile
index 09e90a8..56de4cc 100644
--- a/Makefile
+++ b/Makefile
@@ -48,6 +48,11 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
 # Step 2: Build boot.iso using Lorax
 boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
 	rm -Rf $(_BASE_DIR)/results
+	sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+	sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+	sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+	sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 		--isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \
 		$(_LORAX_ARGS) \
@@ -55,6 +60,7 @@ boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.
 		--repo /etc/yum.repos.d/fedora-updates.repo \
 		--add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \
 		--add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \
+		--add-template $(_BASE_DIR)/lorax_templates/secure_boot_key.tmpl \
 		$(_BASE_DIR)/results/
 	mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/
diff --git a/lorax_templates/secure_boot_key.tmpl b/lorax_templates/secure_boot_key.tmpl
new file mode 100644
index 0000000..e0c9809
--- /dev/null
+++ b/lorax_templates/secure_boot_key.tmpl
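Review bot: The four added `sed -i` lines rewrite `/usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg` and `grub2-efi.cfg` in place, so the `boot.iso` recipe mutates files outside the repository that are not a make target; the edit persists on the host when the build is not run in a throwaway container, and a second run re-applies it to already-edited files. `sed -i` also exits 0 when the menuentry text does not match, so a lorax update that rewords the entry would silently bring the "Test this media" entry back as the default, and the bios/efi pairs are copy-pasted. I would loop over the two files, fail the build when the expected entry is absent, and add a comment naming what is stripped; if the lorax template-directory option is available in the version used (I believe it is `--sharedir`), pointing it at a copy under `$(_BASE_DIR)` would avoid editing the host's templates at all.
```make
boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
	rm -Rf $(_BASE_DIR)/results
# Drop the "Test this media & install" GRUB entry from the lorax templates and make
# the remaining (install) entry the default; fail loudly if lorax has reworded the entry.
	for cfg in grub2-bios.cfg grub2-efi.cfg; do \
	  f=/usr/share/lorax/templates.d/99-generic/config_files/x86/$$cfg; \
	  grep -qF "menuentry 'Test this media & install @PRODUCT@ @VERSION@'" "$$f" \
	    || { echo "expected GRUB menuentry not found in $$f" >&2; exit 1; }; \
	  sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' "$$f" \
	    && sed -i 's/set default="1"/set default="0"/' "$$f" || exit 1; \
	done
# … unchanged: lorax invocation and mv of the resulting boot.iso …
```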
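Review bot: `lorax_templates/secure_boot_key.tmpl` is now handed to lorax with `--add-template`, but it is not a prerequisite of `boot.iso` (the rule header, visible as context in the previous hunk, lists only `set_installer.tmpl` and `configure_upgrades.tmpl`), so editing the new template does not cause the ISO to be rebuilt. Add it to the header: `boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl lorax_templates/secure_boot_key.tmpl`. Because the template is committed as a finished `.tmpl` with no `.tmpl.in`, the `lorax_templates/%.tmpl: lorax_templates/%.tmpl.in` pattern rule named in the hunk header should leave it alone, but that is worth confirming with a dry run.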
@@ -0,0 +1,9 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "set -m"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
diff --git a/scripts/enroll-secureboot-key.sh b/scripts/enroll-secureboot-key.sh
new file mode 100755
index 0000000..1e74f40
--- /dev/null
+++ b/scripts/enroll-secureboot-key.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -oue pipefail
+
+readonly SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
+readonly ENROLLMENT_PASSWORD="ublue-os"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+  echo "EFI mode not detected. Skipping key enrollment."
+  exit 0
+fi
+
+if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
+  echo "Secure boot key not found: ${SECUREBOOT_KEY}"
+  exit 1
+fi
+
+mokutil --timeout -1 || :
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :
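Review bot: The same `%post` block is appended to both `usr/share/anaconda/interactive-defaults.ks` and `usr/share/anaconda/post-scripts/secure_boot_key.ks`; if anaconda picks up both files on an interactive install, `enroll-secureboot-key.sh` runs twice and a second enrollment request for the same key is queued, and nothing in the template explains why two copies are needed or what `set -m` (job control, unusual in a non-interactive `%post`) is for. If the duplication is intentional — for example one path for kickstart-driven installs and one for interactive ones — add a `##` comment above each block stating which install path it covers, and either drop `set -m` or comment the reason for it. The `%post` line also carries `--erroronfail`, which is only meaningful if the script can actually exit non-zero; see the note on the script below.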
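Review bot: Both `mokutil` calls end in `|| :`, so a missing `mokutil`, read-only efivars or a rejected key file is swallowed and the `%post` exits 0 — `set -e` and the kickstart's `--erroronfail` never fire and the failure is visible only if mokutil happened to print something into `/root/ks-post.log`. If enrollment is meant to stay best-effort, at least log it: `echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || echo "mokutil --import failed (exit $?); key not queued for enrollment" >&2`, and likewise for `mokutil --timeout -1`. The script uses `[[ ]]`, `set -o pipefail` and `echo -e` under `#!/bin/sh`; these are bash features, so the shebang should be `#!/bin/bash` (under dash, `set -o pipefail` aborts before the guards run). A header comment would also help a maintainer: `mokutil --import` only queues a MOK request, MokManager prompts for `ENROLLMENT_PASSWORD` on the next boot and the key is trusted only after the user confirms there — so the fixed password is a confirmation token the user must type at reboot, not a secret, and the comment should say so explicitly.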
diff --git a/scripts/ublue-os-akmods-public-key.der b/scripts/ublue-os-akmods-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..a2ee4477b594f1a9670b00cd4d4944e20bbfdc47 GIT binary patch literal 1548 zcmXqLV&gDqV*apznTe5!NyL#SS6w*FGqmjfi-jdimMH1X;F@T_%f_kI=F#?@mywa1 zmBFBKo}svbC>wJq3l|SxXkKPnYEf}wj)GH8X{sSVP%%(~n};niJ2yY2*ih9#8Lpd? zQA{i=zbHLbFFCQeq$uAZJvT8kM=v=)*O1qM8>Ek&hs7^HFBQh+fO5GFI6<;(!b}kn zh6)C9APzH+IK&Etocv^<^~IU#d6{|X3eJuOa^k#3#s;Q_=7y%m2FAuw;=INnt_hSo z_&w0Xq=X#kjI0dIO-%d@22D&{OifIT43~Pv7p!VTOHIM=vs&{$)_@Ts&@#q2fin`-9cgn$xsp+dcoFinO^$FBsk^^LrZoz9;_QDcjA4 zZ8~;mJl^+An*PGj{PD*9ZoZ$_tP;65+lSTWnq9uFu3e20N4Uk-$!@nRt@S3Ie6wr9 z&kK9%4=XXUHr4lwZ}6S2mGJ^`s6s;|&&15gz_{4P zz{-FJm=$D&85#exFc~m_^N=h*3kx$7dxL>2NQ#d|j78-A^cgapU;pp8Sdsc*1H)G7 z$W!*l$mt81se$Q>kzvbK8^;6{H|OdLk4v9avWjONPk8rARF@;-altGf1+&@Z+kIIN zt~+qbk8w?2;L|r2CCiI!ejZ;T$i)1EIe*SS$7%D9d{USC`{lZTMyu(nDK2g=at^cV zZ}_FGsx?2J)7o_AmBlfMThilstUqe;I`=c4czExeYrdl*Px$k-LR0zmsk*b06imss1nHe9_C5W4z4HU5&qFf0|T>xU|lfdCl{W&bb<$+dpmDztS_Z z*UilL3fp~eebXe~u61}#$Al#>M3hf0bb0N5-*RGLM*4Gw{XE~b`fmHhIbM#|v2|X1 z{PG^b*OOf)3ja@D;`q|AYx!;Al~=CHy*9nI%;%<7^|r4u8_#~MT^hfa?NG+cHIGgz z&Qm(R?x)6_vcPKB^fZZ0+uFPIE93SRyZ(A@yLjF7YZ;s6VpPlbZmw7v^yKa=OX<4i z*PbQS?F_;kw%#exh`d=UE@Z5>f?Atbb^^0W2V=QN~ig$3F nR@r~?