I'm looking for assistance/ideas on a reliable pacman hook used to run a script that compiles (initramfs, kernel, etc) and signs for secureboot.
Previously we could use:
[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = boot/vmlinuz-*
I have since been recommended to use:
[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/modules/*/vmlinuz
The new trigger works great when a new kernel is installed (or re-installed).
The problem I'm facing with the new trigger is when a (non-kernel) package is installed that triggers a rebuild of the boot directory files. While the initramfs/vmlinuz-linux files are updated in the /boot directory, the hook doesn't run!
Maybe there is a trigger that covers that scenario?
[edited out inaccurate (noob) description]
Last edited by blufinney (2019-11-08 16:54:08)
/usr/share/libalpm/hooks/90-mkinitcpio-install.hook has a second target entry
Target = usr/lib/initcpio/*
If that is the cause of the update then perhaps adding that to your hook as well would solve the issue.
Take a look at what the mkinitcpio hook triggers on: /usr/share/libalpm/hooks/90-mkinitcpio-install.hook
Thanks for the responses.
I'll try adding:
Target = usr/lib/initcpio/*
I'll have to do some testing. I'm concerned that the variable passed to the script when using the above trigger will not have information about the kernel version in that case. How would my script know what kernel (e.g. linux vs linux-hardened) or what version?
Maybe I'm just noobing out on this, but having trouble seeing how that would work.
Matching usr/lib/initcpio/* in /usr/share/libalpm/hooks/90-mkinitcpio-install.hook will trigger all initrds to be rebuilt.
So I believe your hook should then create new signed binaries for every kernel.
Ah, I see what you mean. I could change my signing script from using the variable passed from the hook to instead just looping all kernels when triggered.
Newb question: Let's say I create a stand-alone hook using the trigger "usr/lib/initcpio/*" and I updated at "Nov 8 00:01"
drwxr-xr-x 5 root root 4096 Nov 8 00:01 .
drwxr-xr-x 231 root root 208896 Nov 8 00:02 ..
-rwxr-xr-x 1 root root 512144 Mar 1 2019 busybox
-rw-r--r-- 1 root root 23329 Nov 6 12:31 functions
drwxr-xr-x 2 root root 4096 Nov 8 00:01 hooks
-rwxr-xr-x 1 root root 2093 Nov 6 12:31 init
-rw-r--r-- 1 root root 13140 Nov 6 12:31 init_functions
drwxr-xr-x 2 root root 4096 Nov 8 00:01 install
-rwxr-xr-x 1 root root 2746 Nov 6 12:31 shutdown
drwxr-xr-x 2 root root 4096 Nov 8 00:01 udev
How many times would my shiny new signing script run (against all kernels)? Twice in the above scenario? Looking for ways to reduce/eliminate redundantly running the script.
Can you please post your current script and hook?
This is the current setup that works well (w/ mkinitcpio v27) when a kernel pkg is installed or updated - but doesn't trigger when a non-kernel pkg is installed/updated that triggers kernel rebuild.
This is of course before trying to use "Target = usr/lib/initcpio/*" in some way.
Current hook:
[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/modules/*/vmlinuz
[Action]
When = PostTransaction
Exec = /bin/sh -c 'while read -r f; do /root/secure-boot/make-sign-image.sh "$f"; done'
NeedsTargets
Current script:
#!/bin/bash
# Invoked by the hook with the kernel path pacman reports, relative to /,
# e.g. usr/lib/modules/5.3.8-arch1-1/vmlinuz
# Abort on any failure so a stale file from an earlier build is never copied into /boot.
set -euo pipefail

KERNEL="/${1#/}"                              # absolute path to vmlinuz
KLABEL=$(cat "${KERNEL%vmlinuz}pkgbase")      # package base, e.g. linux or linux-hardened
BOOTDIR=/boot
CERTDIR=/root/keys
INITRAMFS=(/boot/intel-ucode.img "/boot/initramfs-${KLABEL}.img")
EFISTUB=/usr/lib/systemd/boot/efi/linuxx64.efi.stub
BUILDDIR=_build
OUTIMG="${BOOTDIR}/${KLABEL}.img"
CMDLINE=/etc/cmdline

mkdir -p "${BUILDDIR}"
# Microcode first, then the initramfs: the kernel accepts concatenated cpio archives
cat "${INITRAMFS[@]}" > "${BUILDDIR}/initramfs.img"
# Build the unified image on top of the systemd EFI stub
/usr/bin/objcopy \
  --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 \
  --add-section .cmdline="${CMDLINE}" --change-section-vma .cmdline=0x30000 \
  --add-section .linux="${KERNEL}" --change-section-vma .linux=0x40000 \
  --add-section .initrd="${BUILDDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \
  "${EFISTUB}" "${BUILDDIR}/combined-boot.efi"
# Sign with the Secure Boot db key, and only then install the result
/usr/bin/sbsign --key "${CERTDIR}/DB.key" --cert "${CERTDIR}/DB.crt" \
  --output "${BUILDDIR}/combined-boot-signed.efi" "${BUILDDIR}/combined-boot.efi"
cp "${BUILDDIR}/combined-boot-signed.efi" "${OUTIMG}"
I would suggest changing the exec of the current hook to call a new script
Based on /usr/share/libalpm/scripts/mkinitcpio-install I would suggest a new script that does something similar to the following (which is untested):
#!/bin/bash
# Reads the target paths pacman passes on stdin (NeedsTargets) and decides
# which kernels need a freshly built and signed image.
kernels=()   # vmlinuz paths of the kernels that were updated
all=0        # set if usr/lib/initcpio/* changed: mkinitcpio then rebuilds every initramfs

while read -r line; do
    if [[ $line != */vmlinuz ]]; then
        # a change to usr/lib/initcpio/* affects all kernels
        all=1
        break
    fi
    if [[ ! -r "/${line%/vmlinuz}/pkgbase" ]]; then
        # a kernel without a pkgbase file is not a packaged kernel: skip it
        continue
    fi
    kernels+=("/${line}")
done

# (( all )) tests the variable's value; [[ all ]] would always be true
if (( all )); then
    # rebuild the list from every installed kernel that has a pkgbase file
    kernels=()
    for pkgbase in /usr/lib/modules/*/pkgbase; do
        [[ -e $pkgbase ]] || continue   # the glob matched nothing
        kernels+=("${pkgbase%/pkgbase}/vmlinuz")
    done
fi

# make-sign-image.sh expects the path to vmlinuz, as the original hook passed it
for kernel in "${kernels[@]}"; do
    /root/secure-boot/make-sign-image.sh "$kernel"
done
Last edited by loqs (2019-11-08 21:19:18)
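The question earlier in the thread about how many times the signing script runs, and the dispatch sketch above, both come down to making the signing step idempotent: if a run whose inputs have not changed costs nothing, it no longer matters how often the hook fires. The following is an added example of mine, not code from the thread: a POSIX shell dispatcher that reads pacman's target list, collapses duplicate kernels, hashes every input that ends up in the unified image and skips kernels whose fingerprint matches the last signed run, and checks the installed image with sbverify against the db certificate before recording the stamp. It assumes the poster's /root/secure-boot/make-sign-image.sh and /root/keys/DB.crt, that the signed image lands at /boot/<pkgbase>.img as that script writes it, and a stamp directory /var/lib/secure-boot-stamps, which is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): sign a kernel only when the inputs of
# its unified image changed since the last signed run.
# Assumptions: make-sign-image.sh and /root/keys/DB.crt from the posts above;
# STAMPDIR is hypothetical and can be overridden from the environment.
set -eu

STAMPDIR="${STAMPDIR:-/var/lib/secure-boot-stamps}"
SIGN="${SIGN:-/root/secure-boot/make-sign-image.sh}"
CERTDIR="${CERTDIR:-/root/keys}"

# One digest over the per-file digests of all arguments. A missing file is
# recorded by name, so a file appearing or disappearing also changes the result.
fingerprint_files() {
    for f in "$@"; do
        if [ -r "$f" ]; then sha256sum "$f"; else echo "missing $f"; fi
    done | sha256sum | cut -d' ' -f1
}

# True (exit 0) when no stamp exists for label $1 or it differs from fingerprint $2.
stamp_changed() {
    stamp="$STAMPDIR/$1.sha256"
    [ -r "$stamp" ] && [ "$(cat "$stamp")" = "$2" ] && return 1
    return 0
}

write_stamp() {
    mkdir -p "$STAMPDIR"
    printf '%s\n' "$2" > "$STAMPDIR/$1.sha256"
}

# $1 = absolute path to vmlinuz. Rebuild and sign only if something changed, and
# record success only after the installed image verifies against DB.crt.
sign_if_changed() {
    kernel=$1
    moddir=${kernel%/vmlinuz}
    [ -r "$moddir/pkgbase" ] || return 0        # not a packaged kernel
    pkgbase=$(cat "$moddir/pkgbase")
    fp=$(fingerprint_files "$kernel" "/boot/initramfs-$pkgbase.img" \
        /boot/intel-ucode.img /etc/cmdline /etc/os-release \
        /usr/lib/systemd/boot/efi/linuxx64.efi.stub)
    if stamp_changed "$pkgbase" "$fp"; then
        "$SIGN" "$kernel"
        sbverify --cert "$CERTDIR/DB.crt" "/boot/$pkgbase.img"
        write_stamp "$pkgbase" "$fp"
        echo "signed $pkgbase"
    else
        echo "$pkgbase unchanged, not re-signing"
    fi
}

# Hook entry point: pacman writes one target per line on stdin (NeedsTargets).
main() {
    all=0
    kernels=""
    while read -r t; do
        case $t in
            */vmlinuz) kernels="$kernels /$t" ;;
            *) all=1 ;;   # usr/lib/initcpio/* changed: every initramfs was rebuilt
        esac
    done
    if [ "$all" -eq 1 ]; then
        kernels=$(echo /usr/lib/modules/*/vmlinuz)
    fi
    # sort -u collapses a kernel reported more than once in one transaction
    for k in $(printf '%s\n' $kernels | sort -u); do
        sign_if_changed "$k"
    done
}

if [ "${1:-}" = "--hook" ]; then
    main
fi
```

With the trigger stanza from the posts above plus `Target = usr/lib/initcpio/*`, the action becomes `Exec = /root/secure-boot/sign-changed.sh --hook` with `NeedsTargets`. The stamp is written only after both the build and the sbverify check succeed, so a failed or tampered run leaves the kernel marked as needing a fresh signature on the next transaction.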
/usr/share/libalpm/hooks/90-mkinitcpio-install.hook has a second target entry
Target = usr/lib/initcpio/*
If that is the cause of the update then perhaps adding that to your hook as well would solve the issue.
It's three years later, but I just wanted to add that this solved the issue for me, signing my UKI files after mkinitcpio was done.
A good test is to reinstall systemd.
Here's my hook:
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*
[Action]
Description = Signing kernels for Secure Boot
When = PostTransaction
Exec = /usr/bin/find /boot/EFI/Linux -maxdepth 1 -name 'arch*.efi' -exec sbctl sign {} ;
Depends = sbctl
Depends = findutils
Thanks!