#1 2020-01-04 19:19:39

xt1zer
Member
Registered: 2019-01-21
Posts: 9

[SOLVED] pacman hook to sign kernel and bootloader for secure boot

Following this guide, I can't quite figure out how I could use the new kernel downloaded to /usr/lib/modules after a linux update and sign it with my key. The warning above the code block suggests I should look for the new kernel in that directory instead of searching the boot partition, but how can I make this script use exactly the newly downloaded kernel? Shouldn't there be multiple directories under /usr/lib/modules after a linux pacman update? What should be written in the "Exec" line in my case?

Also, does the bootloader (in the ESP) get updated, or does it remain the same and thus always signed?

Last edited by xt1zer (2020-02-16 15:06:17)

#2 2020-01-08 10:46:06

sinatosk
Member
Registered: 2010-11-28
Posts: 107

Re: [SOLVED] pacman hook to sign kernel and bootloader for secure boot

I think that wiki article is out of date on some parts.

Here's what I do in the pacman hook, saved in a file called '89-secure_book.hook':

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/modules/*/vmlinuz
Target = boot/

[Action]
Description = Signing EFI file(s)
When = PostTransaction
Exec = /path/to/signing_script
Depends = sbsigntools
NeedsTargets

and then the script that signs the files is

#!/bin/bash

crtpath='/path/to/certificate'
keypath='/path/to/key'

signing_failed=0

# pacman runs hooks with the installation root as the working directory,
# so the targets it writes to stdin (NeedsTargets) are relative to $PWD
if [ "$PWD" != "/" ]; then
	efipathprefix="$PWD/"
else
	efipathprefix="/"
fi

while read -r pacmanHookTarget
do
	efipath="$efipathprefix$pacmanHookTarget"

	# check if it's a regular file, as pacman can sometimes send directories only
	if [ ! -f "$efipath" ]; then
		continue
	fi

	# basic check - if the first 2 bytes of the file equal 'MZ' (PE/COFF magic);
	# quoted so an empty or very short file does not break the test
	if [ "$(head --bytes 2 "$efipath")" != "MZ" ]; then
		continue
	fi

	# check if the file is already signed by the certificate
	if sbverify --cert "$crtpath" "$efipath" >/dev/null 2>&1; then
		continue
	fi

	# sign the file in place
	echo "Signing $efipath"

	sbsign --key "$keypath" --cert "$crtpath" --output "$efipath" "$efipath" >/dev/null 2>&1

	# check if the file is signed correctly
	if ! sbverify --cert "$crtpath" "$efipath" >/dev/null 2>&1; then
		echo "ERROR: failed to sign '$efipath'"
		signing_failed=1
	fi
done

if [ $signing_failed -eq 1 ]; then
	exit 1
fi

exit 0

note: you will need to change the following in the pacman hook file

Exec = /path/to/signing_script

and the following in the signing script

crtpath='/path/to/certificate'
keypath='/path/to/key'

I think this is cleaner than what's provided in the wiki. Also bear in mind that this signs files triggered by paths, not packages.

Last edited by sinatosk (2020-01-08 16:31:00)

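The mechanism the hook above relies on, shown as an added example that is not sinatosk's script and not code from the wiki: with NeedsTargets, pacman runs the Exec program with the installation root as its working directory and writes every matched path, relative to that root, to stdin one per line, which is how a signing script learns which vmlinuz was just installed without having to search /usr/lib/modules or /boot itself. The function names, the demo root and the file contents below are invented for the example; select_pe_targets does the filtering on a constructed tree so it runs without sbsigntools installed, while sign_pe and sign_targets wrap sbsign and sbverify the same way the script in the post does and need bash plus sbsigntools to actually sign anything.

```shell
#!/bin/bash
# Added example: filter pacman hook targets down to PE images and sign them.
# Function names and the demo tree are invented for this example.
set -u

# select_pe_targets ROOT
# Reads hook targets (one per line, relative to ROOT) from stdin and prints the
# absolute path of every regular file whose first two bytes are the PE "MZ" magic.
# Directory entries, missing files, empty files and non-PE files are skipped.
select_pe_targets() {
	local root="${1:-/}" target path magic
	root="${root%/}/"
	while IFS= read -r target; do
		path="${root}${target}"
		[ -f "$path" ] || continue
		magic=$(head -c 2 "$path" 2>/dev/null)
		[ "$magic" = "MZ" ] || continue
		printf '%s\n' "$path"
	done
}

# sign_pe PATH KEY CERT
# Signs PATH in place with sbsign unless it already verifies against CERT;
# returns non-zero when the result does not verify afterwards.
sign_pe() {
	local path="$1" key="$2" cert="$3"
	sbverify --cert "$cert" "$path" >/dev/null 2>&1 && return 0
	sbsign --key "$key" --cert "$cert" --output "$path" "$path" >/dev/null 2>&1
	sbverify --cert "$cert" "$path" >/dev/null 2>&1
}

# sign_targets KEY CERT
# What the hook's Exec would call: targets arrive on stdin, the root is $PWD.
# Exit status is non-zero if any file failed to sign, so pacman reports it.
sign_targets() {
	local key="$1" cert="$2" failed=0 path
	while IFS= read -r path; do
		echo "Signing $path"
		sign_pe "$path" "$key" "$cert" || { echo "ERROR: failed to sign '$path'" >&2; failed=1; }
	done < <(select_pe_targets "$PWD")
	return "$failed"
}

# demo: builds a constructed install root and feeds it a target list shaped
# like what pacman produces for a linux + intel-ucode transaction (the kernel
# directory name and file contents are made up); prints the paths that would
# be signed, relative to the root.
demo() {
	local root
	root=$(mktemp -d)
	mkdir -p "$root/usr/lib/modules/example-kernel" "$root/boot"
	printf 'MZ%s' 'stub header, not a real PE image' > "$root/usr/lib/modules/example-kernel/vmlinuz"
	printf 'not a PE image\n' > "$root/boot/intel-ucode.img"
	: > "$root/boot/empty"
	printf '%s\n' usr/lib/modules/example-kernel/vmlinuz boot/ boot/intel-ucode.img boot/empty boot/missing \
		| select_pe_targets "$root" | sed "s|^$root/||"
	rm -rf "$root"
}

# Run with --demo to watch the filter work; sign_targets needs sbsigntools.
if [ "${1:-}" = "--demo" ]; then
	demo
fi
```

Run `bash sign-efi.sh --demo` (file name assumed) to see that only the constructed vmlinuz survives the filter: the bare `boot/` directory entry, the non-PE microcode image, the empty file and the missing path are all dropped. Used from the hook, the Exec line would point at a script that ends with `sign_targets /path/to/key /path/to/certificate`, with the same placeholder paths as in the post, and the hook's Target lines decide which paths ever reach stdin.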