New feature: bootloader signing

Domenico Panella · Domenico Panella · commit d2fa19bc5fcd · 2020-10-08T16:42:02.000+02:00
diff --git a/mklive.sh.in b/mklive.sh.in
@@ -82,6 +82,8 @@ directory if unset).
  -C "cmdline args"  Add additional kernel command line arguments.
  -T "title"         Modify the bootloader title.
  -v linux<version>  Install a custom Linux version on ISO image (linux meta-package if unset).
+ -d <key-file>      Set a key file to sign bootloader.
+ -t <cert-file>     Set a certificate file to sign bootloader.
  -K                 Do not remove builddir.
 
 The $PROGNAME script generates a live image of the Void Linux distribution.
@@ -233,6 +235,13 @@ generate_grub_efi_boot() {
     fi
     mkdir -p "${GRUB_EFI_TMPDIR}"/EFI/BOOT
     cp -f "$VOIDHOSTDIR"/tmp/bootia32.efi "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTIA32.EFI
+
+    #Bootloader signing
+    if  ([ $toSign ] &&  [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX32.EFI ]);then
+        print_step "Signing BOOTX32.EFI..."
+        sbsign --key $DBKEY --cert $DBCRT --output "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX32-signed.EFI "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX32.EFI
+    fi
+    
     xbps-uchroot "$VOIDHOSTDIR" grub-mkstandalone -- \
 		 --directory="/usr/lib/grub/x86_64-efi" \
 		 --format="x86_64-efi" \
@@ -244,6 +253,13 @@ generate_grub_efi_boot() {
         die "Failed to generate EFI loader"
     fi
     cp -f "$VOIDHOSTDIR"/tmp/bootx64.efi "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI
+    
+    #Bootloader signing
+    if  ([ $toSign ] &&  [ -f "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI ]);then
+        print_step "Signing BOOTX64.EFI..."
+        sbsign --key $DBKEY --cert $DBCRT --output "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64-signed.EFI "${GRUB_EFI_TMPDIR}"/EFI/BOOT/BOOTX64.EFI
+    fi
+    
     umount "$GRUB_EFI_TMPDIR"
     losetup --detach "${LOOP_DEVICE}"
     rm -rf "$GRUB_EFI_TMPDIR"
@@ -289,7 +305,7 @@ generate_iso_image() {
 #
 # main()
 #
-while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:h" opt; do
+while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:d:t:h" opt; do
     case $opt in
         a) BASE_ARCH="$OPTARG";;
         b) BASE_SYSTEM_PKG="$OPTARG";;
@@ -307,6 +323,8 @@ while getopts "a:b:r:c:C:T:Kk:l:i:I:s:S:o:p:v:h" opt; do
         C) BOOT_CMDLINE="$OPTARG";;
         T) BOOT_TITLE="$OPTARG";;
         v) LINUX_VERSION="$OPTARG";;
+        d) DBKEY="$OPTARG";;
+        t) DBCRT="$OPTARG";;
         h) usage;;
 	*) usage;;
     esac
@@ -337,6 +355,22 @@ if [ "$(id -u)" -ne 0 ]; then
     die "Must be run as root, exiting..."
 fi
 
+#The -d and -t options are complementary. If one exists, the other must also exist. 
+#If these options are set, I also check sbsign command.
+if  ([ -z $DBKEY ] &&  [ ! -z $DBCRT ]) || ([ ! -z $DBKEY ] &&  [ -z $DBCRT ]); then
+    die "Must be set a key and certificate via -d and -t option, exiting..."
+elif ([ $DBKEY ] && [ $DBCRT ]); then
+    if [ $DBKEY ] && [ ! -f $DBKEY ]; then
+        die "$DBKEY does not exist, exiting..."
+    elif [ $DBCRT ] && [ ! -f $DBCRT ]; then
+        die "$DBCRT does not exist, exiting..."
+    elif ! [ -x "$(command -v sbsign)" ]; then
+        die "sbsign command does not exist, exiting..."
+    else
+        toSign=true
+    fi
+fi
+
 if [ -n "$ROOTDIR" ]; then
     BUILDDIR=$(mktemp --tmpdir="$ROOTDIR" -d)
 else
