author    Eric Hameleers <alien@slackware.com>  2021-11-08 09:18:14 +0100
committer Eric Hameleers <alien@slackware.com>  2021-11-08 09:18:14 +0100
commit    f5a3e197512428a14925376345215fcc79f73c8b (patch)
tree      6318419b1d61e33f40757c7d6a68e88eb97ca4e9
parent    5321fa4452c34f5b5d2547682ac9ea890378268c (diff)
download  liveslak-f5a3e197512428a14925376345215fcc79f73c8b.tar.gz
          liveslak-f5a3e197512428a14925376345215fcc79f73c8b.tar.xz
liveslak: add Secure Boot support to all 64bit ISOs
Read the updates in the README for more background and guidance. User notice: As a one-time action the very first time you boot a Secure Boot enabled liveslak ISO, you will have to enroll the liveslak certificate (/EFI/BOOT/liveslak.der) with which the Slackware boot-up binaries (grub and kernel) were signed into your computer's MOK (Machine Owner Key database). This enrollment request will show on-screen during initial boot, just follow the prompts to 'enroll from disk'. Afterwards the computer will reboot and from then on, your liveslak will boot without any user intervention on your Secure Boot computer. Note: liveslak uses Fedora's initial boot loader (the 'shim') which has been signed by Microsoft. In future we may get our own signed shim for liveslak and/or Slackware, but don't hold your breath.
-rw-r--r--  EFI/BOOT/make-grub.sh       5
-rw-r--r--  README.txt                 35
-rw-r--r--  grub.tpl                    6
-rwxr-xr-x  make_slackware_live.sh    195
-rw-r--r--  pkglists/secureboot.conf   12
-rw-r--r--  pkglists/secureboot.lst     3
6 files changed, 252 insertions, 4 deletions
diff --git a/EFI/BOOT/make-grub.sh b/EFI/BOOT/make-grub.sh
index 6575ea7..a4f1f50 100644
--- a/EFI/BOOT/make-grub.sh
+++ b/EFI/BOOT/make-grub.sh
@@ -44,12 +44,13 @@ echo "Building ${EFIDIR}/boot${EFISUFF}.efi and /boot/syslinux/efiboot.img."
# works with mutiple grub releases (grub-2.02 added the 'disk' module):
GMODDIR="$(dirname $(LANG=C grub-mkimage -O ${EFIFORM}-efi -p ${EFIDIR} alienbob 2>&1 | cut -d\` -f2 |cut -d\' -f1) )"
GMODLIST=""
-for GMOD in part_gpt part_msdos fat ext2 iso9660 ntfs chain linux boot configfile normal regexp extcmd minicmd reboot halt search search_fs_file search_fs_uuid search_label gfxterm gfxmenu gfxterm_background efi_gop efi_uga all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help ls png jpeg tga test at_keyboard usb_keyboard disk memdisk nativedisk file loopback tar tftp net efinet efifwsetup ; do
+# 'shim_lock' is built into grub, not a module anymore:
+for GMOD in part_gpt part_msdos fat ext2 f2fs iso9660 ntfs chain linux boot configfile normal regexp extcmd minicmd reboot halt search search_fs_file search_fs_uuid search_label gfxterm gfxmenu gfxterm_menu gfxterm_background efi_gop efi_uga all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help ls png jpeg tga test at_keyboard usb_keyboard disk memdisk nativedisk file loopback tar tftp net efinet efifwsetup zstd ; do
[ -f ${GMODDIR}/${GMOD}.mod ] && GMODLIST="${GMODLIST} ${GMOD}" || echo ">> ${GMOD} not found"
done
# Build bootx64.efi/bootia32.efi, which will be installed here in ${EFIDIR}.
-grub-mkimage --format=${EFIFORM}-efi --output=boot${EFISUFF}.efi --config=grub-embedded.cfg --compression=xz --prefix=${EFIDIR} ${GMODLIST}
+grub-mkimage --format=${EFIFORM}-efi --output=boot${EFISUFF}.efi --config=grub-embedded.cfg --sbat=grub_sbat.csv --compression=xz --prefix=${EFIDIR} ${GMODLIST}
# Then, create a FAT formatted image that contains bootx64.efi in the
# ${EFIDIR} directory. This is used to bootstrap GRUB from the ISO image.
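Review bot: the new `--sbat=grub_sbat.csv` argument on the `grub-mkimage` line makes every EFI build (not only Secure Boot ones) depend on a grub-mkimage that understands `--sbat`, which arrived with GRUB 2.06, and on `grub_sbat.csv` being present in the working directory; with an older grub-mkimage the command exits with an unknown-option error and no `boot${EFISUFF}.efi` is produced, and nothing in this script checks for either. Consider testing for the option (`grub-mkimage --help | grep -q -- --sbat`) and for the file before the call, and stopping with a clear message instead. The unchanged comment above the module list also misspells "multiple".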
diff --git a/README.txt b/README.txt
index f0cf0bf..6f334cb 100644
--- a/README.txt
+++ b/README.txt
@@ -101,6 +101,35 @@ Editing a Grub menu before booting it is possible by pressing the "e" key. Afte
Another difference between Syslinux and Grub2 menus: in Grub2 you can select a non-US keyboard, language and/or timezone and you will return to the main menu every time. You still have to select "Start SLACKWARE Live" to boot the computer. In the Syslinux menu, only the keyboard selection menu will return you to the main menu. Any non-US *language* selection on the other hand will boot you into Slackware Live immediately; without returning to the main menu. This is a limitation of syslinux which would require exponentially more menu files to construct a menu with more choices. Grub2 supports variables which make it easy to modify a menu entry's characteristics.
+=== UEFI Secure Boot ===
+
+
+On computers with Secure Boot enabled, extra measures may be required to boot an Operating System. Slackware for instance, is unable to boot on a computer that has Secure Boot enabled. Historic liveslak based ISOs are also not able to boot there. From liveslak-1.5.0 and onwards, Secure Boot is supported for the 64-bit ISO images.
+
+Secure Boot enforces that the first-stage bootloader is signed with an encryption key known to Microsoft. For Linux based Operating Systems, the most widely used solution is to place an small single-purpose bootloader before the regular Linux bootloader. This EFI bootloader is called 'shim'. Shim must be cryptographically signed by Microsoft for it to successfully boot a computer. This is not a trivial process, Microsoft is very strict about the signing process because in essence your signed bootloader will boot anything on a Secure Boot enabled computer, including malware if that was signed by your 'distro key'. That would create a huge security hole and defy the purpose of Secure Boot.
+
+Signing your Grub bootloader and your kernel also becomes mandatory, because the 'shim' refuses to load un-signed binaries. This complicates the process of upgrading to a new kernel further.
+
+The Slackware Live OS boots on a Secure Boot enabled computer if created with liveslak-1.5.0 or newer, and only for the 64-bit liveslak ISO images. The Slackware Linux distro does not ship a 'shim' which is signed by Microsoft, so how to get around the dilemma of requiring a signed 'shim'?
+
+To realize this, the Slackware Live ISO 'borrows' a 3rd-party 'shim'. The binaryis actually called ''bootx64.efi'' in the ''/EFI/BOOT/'' directory and has been extracted from another distro's officially signed 'shim' package; Fedora by default but the Debian and openSUSE shim are also supported by the ''make_slackware_live.sh'' script. This 3rd-party 'shim' binary has been signed by 'Microsoft UEFI CA' which will allow it to boot on any computer. We just need to tell it that is OK to load Slackware's Grub and kernel into memory.
+
+A distro 'shim' like Fedora's contains an embedded distro SSL certificate and 'shim' will trust the signature of any binary (grub, kernel, etc) which has been signed using that certificate. Of course, 3rd-party 'shim' binaries do not embed a Slackware SSL certificate. Therefore, another means must be used to establish trust. Secure Boot recognizes additional SSL certificates in the computer's MOK (Machine Owner Key) database as valid. The 'shim' trusts custom SSL vertificates of signed binaries, if they are present in the MOK database. It is up to the user (the Machine Owner) to enroll a custom SSL certificate into that database.
+
+The Grub and kernel images of Slackware Live Edition are signed with an 'Alien BOB' SSL certificate and private key. This SSL certificate needs to be added to the MOK database of your Secure Boot enabled computer. All liveslak ISOs use this specific certificate plus its associated private key. The private key will of course never be distributed but a 'DER-encoded' version of the public certificate is distributed as part of the ISO. You can find it as ''/EFI/BOOT/liveslak.der'' inside the ISO. On a persistent USB stick which you created from the ISO, this will be on the second partition (the ESP).
+
+== Add the ''liveslak.der'' certificate to the MOK database ==
+
+There are two ways to add or enroll this certificate.
+ * When you boot a Secure Boot enabled liveslak ISO for the first time, the 'shim' will fail to validate the certificate of liveslak's Grub. It will then start the 'MokManager' showing you a nice blue screen with a dialog requesting you to enroll a public key (aka the SSL certificate) from disk. You can use the file selector to browse to the 'efi' partition and there to the ''./EFI/BOOT/'' directory. Select the ''liveslak.der'' and confirm that this is the correct certificate. The computer will then reboot and after reboot, you will automatically end up in the Grub boot menu without any further intervention.
+ * If you already have a Linux OS up and running on that computer, you can use the program ''mokutil'' to enroll the key before you boot a liveslak ISO:<code>
+# mokutil --import liveslak.der</code>. This command will schedule a request to shim, and the first time you boot a liveslak ISO the MokManager will ask confirmation to enroll the scheduled key. In other words, you won't have to 'enroll from disk'.
+
+Note that MOK key enrollment is a one-time action for the official liveslak based ISOs. All future liveslak ISOs will also be signed using this ''liveslak.der'' certificate and as long as it stays in your computer's MOK database, the 'shim' will load Grub and the kernel without complaint.
+
+Note that you can create your own SSL certificate plus private key and use those to generate custom liveslak ISO images with Secure Boot support. All you need to do is to enroll the public key (the DER-encoded version of your SSL certificate) into the MOK database of your computer. The MOK database has room for multiple keys so yours as well as liveslak's keys (and more) will fit there.
+
+
==== Transfering ISO content to USB stick ====
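Review bot: a few wording slips in the added README section: "an small single-purpose bootloader", "The binaryis actually called", "custom SSL vertificates", and "Transfering" in the unchanged heading that follows. Secure Boot verifies a signature made with a signing key, not an "encryption key", and the MOK entries are X.509 certificates rather than "SSL certificates"; using the Secure Boot terms avoids confusion with TLS. For the `mokutil --import liveslak.der` route it is worth stating that mokutil asks for a one-time password which MokManager prompts for again on the next boot before the key is enrolled, since the text only says the request is "scheduled". The `<code>` markup that splits the command over two lines closes with `</code>.`, which leaves a stray period after the command; keep the command on one line inside the tags.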
@@ -736,6 +765,9 @@ The script's parameters are:
-M Add multilib (x86_64 only).
-O outfile Custom filename for the ISO.
-R runlevel Runlevel to boot into (default: 4).
+ -S privkey:cert Enable SecureBoot support and sign binaries
+ using the full path to colon-separated
+ private key and certificate files.
-X Use xorriso instead of mkisofs/isohybrid.
</code>
@@ -750,6 +782,9 @@ When all pre-reqs are met, you issue a single command to generate the ISO. The
Another example which creates a MATE variant, configuring runlevel '3' as default and specifying a custom path for the Slackware package repository root (note that the script will look for a subdirectory "slackware64-current" below this directory if you are generating this ISO for slackware64-current):
# ./make_slackware_live.sh -d MATE -R 3 -s ~ftp/pub/Slackware
+An example on how to create a DAW Live ISO which supports UEFI SecureBoot (since liveslak 1.5.0 and only for 64-bit), is compressed using 'zstd' instead of the default 'xz' and is generated using xorriso instead of mkisofs. You need to provide the full path to a SSL private key and certificate file:
+ # ./make_slackware_live.sh -d DAW -c zstd -X -S /root/liveslak.key:/root/liveslak.pem
+
If you want to know what package sets are included in any of these Desktop Environments, run the following command:
# grep ^SEQ_ make_slackware_live.sh
for MATE, you will find:
diff --git a/grub.tpl b/grub.tpl
index ead3a36..82ecf32 100644
--- a/grub.tpl
+++ b/grub.tpl
@@ -22,6 +22,12 @@ if [ -z "$sl_locale" ]; then
export sl_locale
fi
+# Check whether we are in a Secure Boot scenario:
+if [ "x$lockdown" != "x" ]; then
+ set check_signatures=enforce
+ export check_signatures
+fi
+
# Determine whether we can show a graphical themed menu:
insmod font
if loadfont $prefix/theme/dejavusansmono12.pf2 ; then
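Review bot: the effect of `set check_signatures=enforce` in the new `lockdown` block needs confirming, because that variable is consumed by GRUB's GPG (`pgp`) verifier, which is not in the module list make-grub.sh builds in this patch and would need an embedded public key plus a detached `.sig` for every file GRUB loads (initrd, fonts, theme, config); the kernel check under shim is performed by the built-in shim_lock verifier independently of this variable. If the block is only meant to record the lockdown state, a comment saying so would help; if GPG verification is intended, the module, key and signatures are all missing and turning it on would stop the ISO from booting.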
diff --git a/make_slackware_live.sh b/make_slackware_live.sh
index 08e8995..eee602c 100755
--- a/make_slackware_live.sh
+++ b/make_slackware_live.sh
@@ -67,6 +67,23 @@ BOOTLOADSIZE=${BOOTLOADSIZE:-4}
# Therefore we disable 32bit EFI by default. Enable at your own peril:
EFI32=${EFI32:-"NO"}
+# Set to '1' using the "-S" parameter to the script,
+# if the liveslak ISO should support SecureBoot-enabled computers:
+SECUREBOOT=0
+
+# Which shim to download and install?
+# Supported are 'debian' 'fedora' 'opensuse'.
+SHIM_3RDP=${SHIM_3RDP:-"fedora"}
+
+# When enabling SecureBoot support, we need a MOK certificate plus private key,
+# which we use to sign grub and kernel.
+# MOKCERT contains the location of the certificate,
+# to be defined through the '-S' parameter:
+MOKCERT=""
+# MOKPRIVKEY points to the location of the private key,
+# to be defined through the '-S' parameter:
+MOKPRIVKEY=""
+
# Set to YES if you want to use the SMP kernel on 32bit Slackware:
SMP32=${SMP32:-"NO"}
@@ -892,6 +909,130 @@ EOL
} # End of gen_uefimenu()
+
+#
+# Add UEFI SecureBoot support:
+#
+function secureboot() {
+ # Liveslak uses Fedora's shim (for now), which is signed by
+ # 'Microsoft UEFI CA' and contains Fedora's CA certificate.
+ # We sign liveslak's grub and kernel with our own key/certificate pair.
+ # This means that the user of liveslak will have to enroll liveslak's
+ # public certificate via MokManager. This needs to be done only once.
+
+ # Note that we use the generic fallback directory /EFI/BOOT/ for the Live ISO
+ # instead of a custom distro entry for UEFI such as /EFI/BOOT/Slackware/
+ # When shim is booted with path /EFI/BOOT/bootx64.efi, and there is a
+ # Fallback binary (fbx64.efi) , shim will load that one instead of grub,
+ # so Fallback can create a NVRAM boot entry for a custom distro directory
+ # (which we do not have) causing a reset boot loop.
+ # This is why liveslak does not install fbx64.efi. A regular distro should
+ # install that file in its distro subdirectory!
+
+ SHIM_VENDOR="$1"
+ [ -z "${SHIM_VENDOR}" ] && SHIM_VENDOR="fedora"
+
+ case $SHIM_VENDOR in
+ opensuse) GRUB_SIGNED="grub.efi"
+ ;;
+ *) GRUB_SIGNED="grubx64.efi"
+ ;;
+ esac
+ mkdir -p ${LIVE_WORK}/shim
+ cd ${LIVE_WORK}/shim
+
+ echo "-- Signing grub+kernel with '${LIVE_STAGING}/EFI/BOOT/liveslak.pem'."
+ # Sign grub:
+ # The Grub EFI image must be renamed appropriately for shim to find it,
+ # since some distros change the default 'grubx64.efi' filename:
+ mv -i ${LIVE_STAGING}/EFI/BOOT/bootx64.efi \
+ ${LIVE_WORK}/shim/grubx64.efi.unsigned
+ sbsign --key ${MOKPRIVKEY} --cert ${MOKCERT} \
+ --output ${LIVE_STAGING}/EFI/BOOT/${GRUB_SIGNED} \
+ ${LIVE_WORK}/shim/grubx64.efi.unsigned
+ # Sign the kernel:
+ mv ${LIVE_STAGING}/boot/generic ${LIVE_WORK}/shim/generic.unsigned
+ sbsign --key ${MOKPRIVKEY} --cert ${MOKCERT} \
+ --output ${LIVE_STAGING}/boot/generic \
+ ${LIVE_WORK}/shim/generic.unsigned
+
+ if [ "${SHIM_VENDOR}" = "fedora" ]; then
+ # The version of Fedora's shim package - always use the latest!
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=5
+ SHIMSRC="https://kojipkgs.fedoraproject.org/packages/shim/${SHIM_MAJVER}/${SHIM_MINVER}/x86_64/shim-x64-${SHIM_MAJVER}-${SHIM_MINVER}.x86_64.rpm"
+ echo "-- Downloading/installing the SecureBoot signed shim from Fedora."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O - \
+ | rpm2cpio - | cpio -dim
+ echo ""
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 boot/efi/EFI/fedora/shimx64.efi \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 boot/efi/EFI/fedora/mmx64.efi \
+ ${LIVE_STAGING}/EFI/BOOT/mmx64.efi
+ #install -D -m0644 boot/efi/EFI/BOOT/fbx64.efi \
+ # ${LIVE_STAGING}/EFI/BOOT/fbx64.efi
+ elif [ "${SHIM_VENDOR}" = "opensuse" ]; then
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=4.2
+ SHIMSRC="https://download.opensuse.org/repositories/openSUSE:/Factory/standard/x86_64/shim-${SHIM_MAJVER}-${SHIM_MINVER}.x86_64.rpm"
+ echo "-- Downloading/installing the SecureBoot signed shim from openSUSE."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O - \
+ | rpm2cpio - | cpio -dim
+ echo ""
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 usr/share/efi/x86_64/shim-opensuse.efi \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 usr/share/efi/x86_64/MokManager.efi \
+ ${LIVE_STAGING}/EFI/BOOT/MokManager.efi
+ #install -D -m0644 usr/share/efi/x86_64/fallback.efi \
+ # ${LIVE_STAGING}/EFI/BOOT/fallback.efi
+ elif [ "${SHIM_VENDOR}" = "debian" ]; then
+ DEBSHIM_VER=1.38
+ DEBMOKM_VER=1
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=7
+ SHIMSRC="http://ftp.de.debian.org/debian/pool/main/s/shim-signed/shim-signed_${DEBSHIM_VER}+${SHIM_MAJVER}-${SHIM_MINVER}_amd64.deb"
+ MOKMSRC="http://ftp.de.debian.org/debian/pool/main/s/shim-helpers-amd64-signed/shim-helpers-amd64-signed_${DEBMOKM_VER}+${SHIM_MAJVER}+${SHIM_MINVER}_amd64.deb"
+ echo "-- Downloading the SecureBoot signed shim from Debian."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC}
+ echo ""
+ echo "-- Installing the SecureBoot signed shim to the ESP."
+ # Extract discarding any directory structure:
+ ar p $(basename ${SHIMSRC}) data.tar.xz | tar --xform='s#^.+/##x' -Jxf - \
+ ./usr/lib/shim/shimx64.efi.signed
+ echo "-- Downloading the SecureBoot signed mokmanager from Debian."
+ wget -q --progress=dot:mega --show-progress ${MOKMSRC}
+ echo ""
+ echo "-- Installing the SecureBoot signed mokmanager to the ESP."
+ # Extract discarding any directory structure:
+ ar p $(basename ${MOKMSRC}) data.tar.xz | tar --xform='s#^.+/##x' -Jxf - \
+ ./usr/lib/shim/fbx64.efi.signed ./usr/lib/shim/mmx64.efi.signed
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 ./shimx64.efi.signed \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 ./mmx64.efi.signed \
+ ${LIVE_STAGING}/EFI/BOOT/mmx64.efi
+ #install -D -m0644 ./fbx64.efi.signed \
+ # ${LIVE_STAGING}/EFI/BOOT/fbx64.efi
+ else
+ echo ">> A '${SHIM_VENDOR}' shim was requested, but only 'opensuse' 'fedora' or 'debian' shim/mokmanager are supported."
+ echo ">> Expect trouble ahead."
+ fi
+ cd - 1>/dev/null
+
+ ## Write CSV file for the Fallback EFI program so that it knows what to boot:
+ #echo -n "bootx64.efi,SHIM,,SecureBoot UEFI entry for liveslak" \
+ # | iconv -t UCS-2 > ${LIVE_STAGING}/EFI/BOOT/BOOT.CSV
+
+ # Cleanup:
+ rm -rf ${LIVE_WORK}/shim
+
+} # End of secureboot()
+
#
# Create an ISO file from a directory's content:
#
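Review bot: the shim and MokManager binaries fetched in `secureboot()` are piped straight from `wget` into `rpm2cpio`/`cpio` (and `ar`/`tar` for Debian) without any integrity check, and the Debian URLs are plain `http://`, so a changed mirror or an on-path modification would silently put a different first-stage bootloader into every ISO. Since the versions are pinned anyway, pin a known SHA-256 per artifact and verify it before extracting (or verify the RPM signatures with `rpm -K`), and use `https://` for the Debian mirror. Also check the `wget` exit status: on a failed download the script continues and the later `install` fails on a missing file with no hint of the cause. Smaller points: `mv -i` when moving `bootx64.efi` aside will block an unattended build with a prompt if `grubx64.efi.unsigned` already exists, while the kernel `mv` a few lines later is not interactive; and the "Signing grub+kernel with '${LIVE_STAGING}/EFI/BOOT/liveslak.pem'" message names a file that is never written there, since signing uses `${MOKCERT}` and only the DER copy is placed in the ESP.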
@@ -1079,7 +1220,7 @@ EOT
# Action!
# ---------------------------------------------------------------------------
-while getopts "a:c:d:efhl:m:r:s:t:vz:CGH:MO:R:X" Option
+while getopts "a:c:d:efhl:m:r:s:t:vz:CGH:MO:R:S:X" Option
do
case $Option in
h )
@@ -1122,6 +1263,9 @@ do
echo " -M Add multilib (x86_64 only)."
echo " -O outfile Custom filename for the ISO."
echo " -R runlevel Runlevel to boot into (default: $RUNLEVEL)."
+ echo " -S privkey:cert Enable SecureBoot support and sign binaries"
+ echo " using the full path to colon-separated"
+ echo " private key and certificate files"
echo " -X Use xorriso instead of mkisofs/isohybrid."
exit
;;
@@ -1162,6 +1306,12 @@ do
;;
R ) RUNLEVEL=${OPTARG}
;;
+ S ) MOKPRIVKEY=$(readlink -f $(echo ${OPTARG} |cut -d: -f1))
+ MOKCERT=$(readlink -f $(echo ${OPTARG} |cut -d: -f2))
+ TEMP_3RDP=$(echo ${OPTARG} |cut -d: -f3)
+ [ -n "${TEMP_3RDP}" ] && SHIM_3RDP=${TEMP_3RDP}
+ unset TEMP_3RDP
+ ;;
X ) USEXORR="YES"
;;
* ) echo "You passed an illegal switch to the program!"
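Review bot: the `-S` parser accepts an undocumented third colon-separated field that overrides `SHIM_3RDP` (`TEMP_3RDP=$(... -f3)`), but neither the README text nor the `-S privkey:cert` help line in the previous hunk mentions it; document it as `-S privkey:cert[:vendor]` with the accepted vendor values. If the argument contains no colon, `cut -d: -f2` is empty, `readlink -f ""` prints nothing and `MOKCERT` stays empty, after which the later `-n` checks quietly skip Secure Boot; fail here when either field is missing. The unquoted `$(echo ${OPTARG} |cut ...)` expansions also break on paths containing spaces, so quote them.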
@@ -1206,6 +1356,16 @@ if [ "$SL_ARCH" != "x86_64" -a "$MULTILIB" = "YES" ]; then
exit 1
fi
+if [ -n "${MOKPRIVKEY}" ] && [ -n "${MOKCERT}" ]; then
+ if [ -f ${MOKPRIVKEY} ] && [ -f ${MOKCERT} ]; then
+ echo "-- Enabling SecureBoot support (${SHIM_3RDP} shim)."
+ SECUREBOOT=1
+ else
+ echo ">> SecureBoot can not be enabled; MOK key and/or cert not found."
+ exit 1
+ fi
+fi
+
# Determine which module sequence we have to build:
case "$LIVEDE" in
SLACKWARE) MSEQ="${SEQ_SLACKWARE}" ;;
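Review bot: this check enables Secure Boot only when both `MOKPRIVKEY` and `MOKCERT` are non-empty and does nothing when exactly one is set, so a malformed `-S` argument yields an ISO without Secure Boot support instead of an error; test for the partial case and exit. It is also the right place to validate `SHIM_3RDP` against the supported vendors, because `secureboot()` only prints "Expect trouble ahead" after the grub image and kernel have already been moved aside and signed.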
@@ -1282,7 +1442,11 @@ DEF_SL_PATCHROOT=${SL_PATCHROOT}
# Are all the required add-on tools present?
[ "$USEXORR" = "NO" ] && ISOGEN="mkisofs isohybrid" || ISOGEN="xorriso"
PROG_MISSING=""
-for PROGN in mksquashfs unsquashfs grub-mkfont grub-mkimage syslinux $ISOGEN installpkg upgradepkg keytab-lilo rsync mkdosfs ; do
+REQTOOLS="mksquashfs unsquashfs grub-mkfont grub-mkimage syslinux $ISOGEN installpkg upgradepkg keytab-lilo rsync wget mkdosfs"
+if [ $SECUREBOOT -eq 1 ]; then
+ REQTOOLS="${REQTOOLS} openssl sbsign"
+fi
+for PROGN in ${REQTOOLS} ; do
if ! which $PROGN 1>/dev/null 2>/dev/null ; then
PROG_MISSING="${PROG_MISSING}-- $PROGN\n"
fi
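Review bot: the tool check adds `openssl sbsign` for Secure Boot builds but not the extraction tools `secureboot()` depends on: `rpm2cpio` and `cpio` for the fedora and opensuse shims, and `ar` plus an xz-capable `tar` for debian; a missing one is only noticed mid-build, after the download. Add them to `REQTOOLS` under the `SECUREBOOT` condition (per vendor if you prefer). `wget` is placed in the unconditional list although only `secureboot()` uses it, so it could sit under the same condition.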
@@ -1404,6 +1568,12 @@ RODIRS="${LIVE_BOOT}"
# Create the verification file for the install_pkgs function:
echo "${THEDATE} (${BUILDER})" > ${LIVE_BOOT}/${MARKER}
+# Do we need to include secureboot module?
+if [ $SECUREBOOT -eq 1 ]; then
+ echo "-- Adding secureboot module."
+ MSEQ="${MSEQ} pkglist:secureboot"
+fi
+
# Do we need to create/include additional module(s) defined by a pkglist:
if [ -n "$SEQ_ADDMOD" ]; then
echo "-- Adding ${SEQ_ADDMOD}."
@@ -3056,6 +3226,10 @@ else
KVER=$(ls --indicator-style=none ${LIVE_ROOTDIR}/lib/modules/ |grep smp |head -1)
fi
+# Determine Slackware's GRUB version and build (we will use this later):
+GRUBVER=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |rev |cut -d- -f3 |rev)
+GRUBBLD=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |rev |cut -d- -f1 |cut -d. -f2 |rev)
+
# Create an initrd for the generic kernel, using a modified init script:
echo "-- Creating initrd for kernel-generic $KVER ..."
chroot ${LIVE_ROOTDIR} /sbin/mkinitrd -c -w ${WAIT} -l us -o /boot/initrd_${KVER}.img -k ${KVER} -m ${KMODS} -L -C dummy 1>${DBGOUT} 2>${DBGOUT}
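Review bot: `GRUBVER` and `GRUBBLD` are derived from `find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z"`, which prints one line per match; the parent of the package root typically also holds `patches/`, so a grub update there (or any other package whose name starts with `grub-`) produces multi-line values that later land inside the SBAT csv entry. Reduce the result to a single package (for example `sort -V | tail -n1` to prefer the newest) and fail when nothing matches, rather than emitting a bare `-` in the SBAT line.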
@@ -3166,8 +3340,13 @@ cp -a ${LIVE_TOOLDIR}/syslinux ${LIVE_STAGING}/boot/
# EFI support always for 64bit architecture, but conditional for 32bit.
if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Copy the UEFI boot directory structure:
+ rm -rf ${LIVE_STAGING}/EFI/BOOT
mkdir -p ${LIVE_STAGING}/EFI/BOOT
cp -a ${LIVE_TOOLDIR}/EFI/BOOT/{grub-embedded.cfg,make-grub.sh,*.txt,theme} ${LIVE_STAGING}/EFI/BOOT/
+ if [ ${SECUREBOOT} -eq 1 ]; then
+ # User needs a DER-encoded copy of the signing cert for MOK enrollment:
+ openssl x509 -outform der -in ${MOKCERT} -out ${LIVE_STAGING}/EFI/BOOT/liveslak.der
+ fi
if [ "$LIVEDE" = "XFCE" ]; then
# We do not use the unicode font, so it can be removed to save space:
rm -f ${LIVE_STAGING}/EFI/BOOT/theme/unicode.pf2
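Review bot: the new `rm -rf ${LIVE_STAGING}/EFI/BOOT` runs for every EFI build, not only Secure Boot ones, so the "Generate the UEFI grub boot image if needed" test further down will now always find `boot${EFISUFF}.efi` missing and rebuild it; if that is intended, that condition is redundant and a comment here should say why the directory is wiped. The `openssl x509 -outform der -in ${MOKCERT}` conversion assumes a PEM input, so a DER certificate given to `-S` fails here with a parse error; either state the PEM requirement in the `-S` help text or select the format with `-inform`.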
@@ -3188,6 +3367,12 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Generate the UEFI grub boot image if needed:
if [ ! -f ${LIVE_STAGING}/EFI/BOOT/boot${EFISUFF}.efi -o ! -f ${LIVE_STAGING}/boot/syslinux/efiboot.img ]; then
( cd ${LIVE_STAGING}/EFI/BOOT
+ # Create a SBAT file 'grub_sbat.csv' to be used by make-grub.sh :
+ cat <<HSBAT > ${LIVE_STAGING}/EFI/BOOT/grub_sbat.csv
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
+grub.liveslak,1,The liveslak project,grub,${GRUBVER}-${GRUBBLD},https://download.liveslak.org/
+HSBAT
sed -i -e "s/SLACKWARELIVE/${MARKER}/g" grub-embedded.cfg
sh make-grub.sh EFIFORM=${EFIFORM} EFISUFF=${EFISUFF}
)
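Review bot: in the generated `grub_sbat.csv` the upstream entry hardcodes `grub,1,Free Software Foundation,grub,2.06,...` while the distro entry uses the computed `${GRUBVER}-${GRUBBLD}`; if Slackware ships a different grub release the two lines disagree, so derive the upstream version from `${GRUBVER}` as well (or from `grub-mkimage --version`, since the image is built with the host's grub). The heredoc is written unconditionally, which is harmless for SBAT, but it is the reason make-grub.sh now needs `--sbat` support on every build; "a SBAT file" should read "an SBAT file".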
@@ -3195,6 +3380,12 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Generate the grub configuration for UEFI boot:
gen_uefimenu ${LIVE_STAGING}/EFI/BOOT
+
+ # Add SecureBoot support if requested:
+ if [ ${SECUREBOOT} -eq 1 ]; then
+ secureboot ${SHIM_3RDP}
+ fi
+
fi # End EFI support menu.
if [ "$SYSMENU" = "NO" ]; then
diff --git a/pkglists/secureboot.conf b/pkglists/secureboot.conf
new file mode 100644
index 0000000..a81a7c2
--- /dev/null
+++ b/pkglists/secureboot.conf
@@ -0,0 +1,12 @@
+# If 'SL_REPO_URL' is a rsync:// URL and 'SL_REPO' points to a non-existent
+# or empty directory, then the content of 'SL_REPO_URL' will be rsync-ed
+# to the local directory 'SL_REPO'.
+SL_REPO_URL="rsync://slackware.uk/people/alien/sbrepos/${SL_VERSION}/${SL_ARCH}"
+SL_REPO="/var/cache/liveslak/sbrepos/${SL_VERSION}/${SL_ARCH}"
+
+# Package root directory:
+SL_PKGROOT=${SL_REPO}
+
+# Patches root directory:
+SL_PATCHROOT=""
+
diff --git a/pkglists/secureboot.lst b/pkglists/secureboot.lst
new file mode 100644
index 0000000..260a246
--- /dev/null
+++ b/pkglists/secureboot.lst
@@ -0,0 +1,3 @@
+mokutil
+sbsigntools
+