mkarchiso.patch
--- mkarchiso 2026-02-04 23:50:10.914863568 +0100
+++ mkarchiso 2026-02-04 23:50:42.188306309 +0100
@@ -376,6 +376,16 @@
fi
_msg_info "Done! Packages installed successfully."
+
+ # sign the kernel
+ for kernel in "${pacstrap_dir}/boot/vmlinuz-"*; do
+ sbsign --key MOK.key --cert MOK.crt --output "$kernel" "$kernel"
+ done
+ # signing systemd-boot and shell once and for all
+ sbsign --key MOK.key --cert MOK.crt --output "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${uefi_arch[$arch],,}.efi" \
+ "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${uefi_arch[$arch],,}.efi"
+ sbsign --key MOK.key --cert MOK.crt --output "${pacstrap_dir}/usr/share/edk2-shell/${uefi_arch[$arch],,}/Shell_Full.efi" \
+ "${pacstrap_dir}/usr/share/edk2-shell/${uefi_arch[$arch],,}/Shell_Full.efi"
}
# Customize installation.
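Review bot: The `sbsign` call on `Shell_Full.efi` at the end of this hunk gives every machine that enrolls this MOK a trusted, fully-featured EDK2 UEFI shell, and a shell that can load drivers, write UEFI variables and edit memory largely defeats Secure Boot on those machines, which is the usual reason UEFI shells are not signed under the Microsoft CA. I would drop that call, or gate it behind an explicit opt-in and comment it: `# WARNING: a MOK-signed UEFI shell lets anyone bypass Secure Boot on every machine trusting this MOK`. `MOK.key` and `MOK.crt` are also resolved relative to whatever directory mkarchiso is run from and are never checked, so a missing key surfaces only as an opaque sbsign error; a guard before the loop such as `[[ -f MOK.key && -f MOK.crt ]] || _msg_error "MOK.key/MOK.crt not found in ${PWD}" 1` fails clearly (assuming `_msg_error` from the rest of the script is in scope here). The `vmlinuz-*` glob is unguarded too, so with no kernel in the pacstrap dir sbsign is handed the literal pattern. The function this signing runs in begins before the hunk.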
@@ -696,11 +706,18 @@
--locales="en@quot" \
--themes="" \
--sbat=/usr/share/grub/sbat.csv \
- --disable-shim-lock \
-o "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg"
+ sbsign --key MOK.key --cert MOK.crt --output "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "${work_dir}/BOOT${uefi_arch[$arch]}.EFI"
# Add GRUB to the list of files used to calculate the required FAT image size.
efiboot_files+=("${work_dir}/BOOT${uefi_arch[$arch]}.EFI"
"${pacstrap_dir}/usr/share/edk2-shell/${uefi_arch[$arch],,}/Shell_Full.efi")
+ if [[ "$arch" == 'x86_64' ]]; then
+ efiboot_files+=("${pacstrap_dir}/usr/share/shim-signed/shimx64.efi"
+ "${pacstrap_dir}/usr/share/shim-signed/mmx64.efi")
+ fi
+ if [[ -f MOK.cer ]] ;then
+ efiboot_files+=(MOK.cer)
+ fi
# Create IA32 EFI binary for mixed-mode booting on x86_64 systems with IA32 UEFI
if [[ "$arch" == 'x86_64' ]]; then
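Review bot: `MOK.cer` is only added to `efiboot_files` when it happens to exist, while the `sbsign` on the GRUB image runs unconditionally, so a build without `MOK.cer` produces an ISO signed with a key the user has no way to enroll through MokManager. Since `MOK.crt` must be present anyway, derive the DER form from it instead of relying on the caller, `openssl x509 -in MOK.crt -outform DER -out MOK.cer`, or fail with `_msg_error "MOK.cer missing; create it with: openssl x509 -in MOK.crt -outform DER -out MOK.cer" 1`. Removing `--disable-shim-lock` is what leaves GRUB's shim_lock verifier active for kernels loaded under shim, which deserves a one-line comment above the `grub-mkstandalone` call so nobody reintroduces the flag while chasing a boot problem. The enclosing function starts before this hunk, and the IA32 GRUB image built right after it lies outside the hunk, so whether that image is signed cannot be seen here.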
@@ -724,8 +741,27 @@
install -d -m 0755 -- "${isofs_dir}/EFI/BOOT"
# Copy GRUB EFI binary to the default/fallback boot path
- mcopy -i "${efibootimg}" "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "::/EFI/BOOT/BOOT${uefi_arch[$arch]}.EFI"
- install -m 0644 -- "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "${isofs_dir}/EFI/BOOT/BOOT${uefi_arch[$arch]}.EFI"
+ if [[ "$arch" == 'x86_64' ]]; then
+ # Copy shim EFI binary to the default/fallback boot path
+ mcopy -i "${efibootimg}" \
+ "${pacstrap_dir}/usr/share/shim-signed/shimx64.efi" ::/EFI/BOOT/BOOTx64.EFI
+ install -m 0644 -- "${pacstrap_dir}/usr/share/shim-signed/shimx64.efi" "${isofs_dir}/EFI/BOOT/BOOTx64.EFI"
+ mcopy -i "${efibootimg}" \
+ "${pacstrap_dir}/usr/share/shim-signed/mmx64.efi" ::/EFI/BOOT/mmx64.efi
+ install -m 0644 -- "${pacstrap_dir}/usr/share/shim-signed/mmx64.efi" "${isofs_dir}/EFI/BOOT/mmx64.efi"
+ # Copy GRUB EFI binary as grubx64.efi chainloaded by shimx64.efi
+ mcopy -i "${efibootimg}" "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" ::/EFI/BOOT/grubx64.efi
+ install -m 0644 -- "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "${isofs_dir}/EFI/BOOT/grubx64.efi"
+
+ # Copy MOK certificate
+ if [[ -f MOK.cer ]] ;then
+ mcopy -o -i "${efibootimg}" MOK.cer ::/EFI/MOK.cer
+ install -m 0644 -- "MOK.cer" "${isofs_dir}/EFI/MOK.cer"
+ fi
+ else
+ mcopy -i "${efibootimg}" "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "::/EFI/BOOT/BOOT${uefi_arch[$arch]}.EFI"
+ install -m 0644 -- "${work_dir}/BOOT${uefi_arch[$arch]}.EFI" "${isofs_dir}/EFI/BOOT/BOOT${uefi_arch[$arch]}.EFI"
+ fi
# Set up mixed mode booting for x86_64 systems with IA32 UEFI
if [[ "$arch" == 'x86_64' ]]; then
mcopy -i "${efibootimg}" "${work_dir}/BOOTIA32.EFI" ::/EFI/BOOT/BOOTIA32.EFI
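Review bot: Nothing here verifies that `shim-signed` is actually present in the pacstrap directory, so a profile that omits the package fails deep inside `mcopy` with a path error rather than a message naming the missing package; a guard such as `[[ -f "${pacstrap_dir}/usr/share/shim-signed/shimx64.efi" ]] || _msg_error "shim-signed is not installed in the pacstrap dir; add it to the profile's package list" 1` before the copies would help. The whole chain now depends on this prebuilt shim carrying a signature the firmware trusts, so it is worth confirming the binary is signed at all before shipping it, e.g. `sbverify --list "${pacstrap_dir}/usr/share/shim-signed/shimx64.efi"`, ideally pinned to the expected signer. The MOK.cer copy uses `mcopy -o` while the shim and GRUB copies do not, which reads as accidental either way. The enclosing function starts before this hunk.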
@@ -783,11 +819,26 @@
_make_common_bootmode_uefi.systemd-boot_copy_files() {
local target_arch="$1"
- # Copy systemd-boot EFI binary to the default/fallback boot path
- mcopy -i "${efibootimg}" \
- "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi" "::/EFI/BOOT/BOOT${target_arch}.EFI"
- install -m 0644 -- "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi" \
- "${isofs_dir}/EFI/BOOT/BOOT${target_arch}.EFI"
+ if [[ "$target_arch" == 'x64' && "$arch" == 'x86_64' ]]; then
+ # Copy shim EFI binary to the default/fallback boot path
+ mcopy -i "${efibootimg}" \
+ "${pacstrap_dir}/usr/share/shim-signed/shimx64.efi" ::/EFI/BOOT/BOOTx64.EFI
+ install -m 0644 -- "${pacstrap_dir}/usr/share/shim-signed/shimx64.efi" "${isofs_dir}/EFI/BOOT/BOOTx64.EFI"
+ mcopy -i "${efibootimg}" \
+ "${pacstrap_dir}/usr/share/shim-signed/mmx64.efi" ::/EFI/BOOT/mmx64.efi
+ install -m 0644 -- "${pacstrap_dir}/usr/share/shim-signed/mmx64.efi" "${isofs_dir}/EFI/BOOT/mmx64.efi"
+ # Copy systemd-boot EFI binary as grubx64.efi chainloaded by shimx64.efi
+ mcopy -i "${efibootimg}" \
+ "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi" ::/EFI/BOOT/grubx64.efi
+ install -m 0644 -- "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi" \
+ "${isofs_dir}/EFI/BOOT/grubx64.efi"
+ else
+ # Copy systemd-boot EFI binary to the default/fallback boot path
+ mcopy -i "${efibootimg}" \
+ "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi" "::/EFI/BOOT/BOOT${target_arch}.EFI"
+ install -m 0644 -- "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi" \
+ "${isofs_dir}/EFI/BOOT/BOOT${target_arch}.EFI"
+ fi
# edk2-shell based UEFI shell
# shell*.efi is picked up automatically when on /
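Review bot: The shim/MokManager copy sequence in `_make_common_bootmode_uefi.systemd-boot_copy_files` is a line-for-line repeat of the GRUB variant earlier in the patch, with only the second-stage path differing, and two copies of the same paths and target names are where the two boot modes will drift apart. Factoring it into a helper that takes the second-stage loader as its argument keeps the `BOOTx64.EFI`/`mmx64.efi`/`grubx64.efi` naming contract, which shim depends on, in one place and gives a natural spot for the missing existence check. The comment `Copy systemd-boot EFI binary as grubx64.efi` is correct but surprising; the helper's header can explain that shim looks for its second stage under that fixed name. The function continues past the end of this hunk.
```shell
# Install the shim first stage, MokManager and the given second-stage loader
# into the ESP image and the ISO9660 tree. shim looks for its second stage as
# grubx64.efi, so GRUB and systemd-boot are both installed under that name.
_copy_shim_chain_x64() {
    local second_stage="$1"
    local shim_dir="${pacstrap_dir}/usr/share/shim-signed"
    [[ -f "${shim_dir}/shimx64.efi" && -f "${shim_dir}/mmx64.efi" ]] || \
        _msg_error "shim-signed is not installed in the pacstrap dir; add it to the profile's package list" 1
    mcopy -i "${efibootimg}" "${shim_dir}/shimx64.efi" ::/EFI/BOOT/BOOTx64.EFI
    install -m 0644 -- "${shim_dir}/shimx64.efi" "${isofs_dir}/EFI/BOOT/BOOTx64.EFI"
    mcopy -i "${efibootimg}" "${shim_dir}/mmx64.efi" ::/EFI/BOOT/mmx64.efi
    install -m 0644 -- "${shim_dir}/mmx64.efi" "${isofs_dir}/EFI/BOOT/mmx64.efi"
    mcopy -i "${efibootimg}" "${second_stage}" ::/EFI/BOOT/grubx64.efi
    install -m 0644 -- "${second_stage}" "${isofs_dir}/EFI/BOOT/grubx64.efi"
}

_make_common_bootmode_uefi.systemd-boot_copy_files() {
    local target_arch="$1"
    if [[ "$target_arch" == 'x64' && "$arch" == 'x86_64' ]]; then
        _copy_shim_chain_x64 "${pacstrap_dir}/usr/lib/systemd/boot/efi/systemd-boot${target_arch,,}.efi"
    else
        # … unchanged: plain systemd-boot copy to BOOT${target_arch}.EFI …
    fi
    # … unchanged: edk2-shell copy …
```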
@@ -853,6 +904,10 @@
"${pacstrap_dir}/boot/vmlinuz-"*
"${pacstrap_dir}/boot/initramfs-"*".img"
"${_available_ucodes[@]}")
+ if [[ "$arch" == 'x86_64' ]]; then
+ efiboot_files+=("${pacstrap_dir}/usr/share/shim-signed/shimx64.efi"
+ "${pacstrap_dir}/usr/share/shim-signed/mmx64.efi")
+ fi
# Files specific to x86_64: IA32 UEFI binaries for mixed mode booting, memtest86+
if [[ "$arch" == 'x86_64' ]]; then
@@ -861,6 +916,9 @@
"${pacstrap_dir}/boot/memtest86+/memtest.efi"
"${pacstrap_dir}/usr/share/licenses/spdx/GPL-2.0-only.txt")
fi
+ if [[ -f MOK.cer ]] ;then
+ efiboot_files+=(MOK.cer)
+ fi
# Create a FAT image for the EFI system partition
_make_efibootimg
@@ -880,6 +938,12 @@
_make_common_bootmode_uefi.systemd-boot_copy_files 'IA32'
fi
+ # Copy MOK certificate
+ if [[ -f MOK.cer ]] ;then
+ mcopy -o -i "${efibootimg}" MOK.cer ::/EFI/MOK.cer
+ install -m 0644 -- "MOK.cer" "${isofs_dir}/EFI/MOK.cer"
+ fi
+
# Copy kernel and initramfs to FAT image.
# systemd-boot can only access files from the EFI system partition it was launched from.
_run_once _make_boot_on_fat
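Review bot: The certificate copied to `/EFI/MOK.cer` is never checked against the key that did the signing, so a stale or PEM-encoded `MOK.cer` ships silently and the user only finds out when MokManager rejects the file or the enrolled key does not match the kernel signature. A cheap check before the copy pins both: `[[ "$(openssl x509 -inform DER -in MOK.cer -noout -fingerprint -sha256)" == "$(openssl x509 -in MOK.crt -noout -fingerprint -sha256)" ]] || _msg_error "MOK.cer does not match MOK.crt" 1`. Only the public certificate is copied here, which is right; a comment at the copy, `# public certificate only - MOK.key must never end up on the ISO`, keeps a later edit from adding the key "for convenience". The surrounding function lies partly outside this hunk.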