Add Secure Boot support
picodotdev committed Nov 10, 2023
1 parent 42440f3 commit 8a6264f
Showing 3 changed files with 57 additions and 21 deletions.
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -72,15 +72,16 @@ For new features, improvements and bugs, fill an issue in GitHub or make a pull
* **Periodic TRIM** for SSD storage
* Intel and AMD **processors microcode**
* Optional **swap file**
* **VirtualBox guest additions** and **VMware tools** support
* **PipeWire** support
* **Secure Boot** support
* **Kernel compression** and **custom parameters**
* **Users creation** and **add to sudoers**
* **systemd units enable or disable**
* **systemd-homed** support
* **systemd GPT partition automounting** support
* **PipeWire** support
* **Multilib** support
* **Files provision** support
* **VirtualBox guest additions** and **VMware tools** support
* **SSH install** and **cloud-init** support
* Arch Linux custom **packages installation** and **repositories installation**
* Flatpak utility installation and **Flatpak packages installation**
Expand Down Expand Up @@ -324,6 +325,7 @@ https://www.archlinux.org/download/
* https://wiki.archlinux.org/title/Qtile
* https://wiki.archlinux.org/title/REFInd
* https://wiki.archlinux.org/title/Reflector
* https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
* https://wiki.archlinux.org/title/Solid_state_drive/NVMe
* https://wiki.archlinux.org/title/Solid_State_Drives
* https://wiki.archlinux.org/title/Swap
9 changes: 6 additions & 3 deletions alis.conf
Expand Up @@ -3,6 +3,7 @@
# Some variables values are preceded by a ! character, this means that the value is ignored.
# Some variables accept a single value others accept multiple values as annotated in the comments.
# Some variables are boolean with a value of true or false.
# Some variables are experimental feature (use it and report in case of errors)
#
# Read the Arch Linux wiki pages to learn more about the variables values.
# https://github.com/picodotdev/alis/blob/master/README.md
Expand Down Expand Up @@ -123,7 +124,7 @@ USER_PASSWORD_RETYPE="ask"
ADDITIONAL_USERS=() # eg. ("user1=password1" "user2=password2")

## systemd-homed
### SYSTEMD_HOMED "true" value requires interactivity to set user password
### SYSTEMD_HOMED (experimental) "true" value requires interactivity to set user password
SYSTEMD_HOMED="false"
SYSTEMD_HOMED_STORAGE="!auto !luks !subvolume directory !fscrypt !cifs"
SYSTEMD_HOMED_STORAGE_LUKS_TYPE="auto !ext4 !btrfs !xfs"
Expand All @@ -133,7 +134,7 @@ SYSTEMD_HOMED_STORAGE_CIFS_SERVICE=""
# mkinitcpio
## HOOKS are the system hooks to execute to build the initial ramdisk.
## MODULES are used to specify the modules to load before anything to execute to build the initial ramdisk.
## UKI generate and use a Unified Kernel Image.
## UKI (experimental) generate and use a Unified Kernel Image.
### Generally, it is not necessary to modify, alis enables or disables some hooks
### taking in account other variables values like bootloader or device encryption.
HOOKS="base !udev !usr !resume !systemd !btrfs autodetect keyboard !keymap !consolefont !sd-vconsole modconf block !net !dmraid !mdadm !mdadm_udev !encrypt !sd-encrypt !lvm2 fsck filesystems"
Expand All @@ -143,7 +144,9 @@ UKI="false"
# bootloader
## BOOTLOADER system boot loader.
### With auto value grub is used for BIOS system, systemd for UEFI system.
## SECURE_BOOT (experimental) use secure boot.
BOOTLOADER="auto !grub !refind !systemd !efistub" # (single)
SECURE_BOOT="false"

# shell
## CUSTOM_SHELL configures an alternative custom shell interpreter.
Expand All @@ -162,7 +165,7 @@ DISPLAY_MANAGER="auto !gdm !sddm !lightdm !lxdm" # (single)
### It is recommended to install packages after base installation and reboot.
PACKAGES_MULTILIB="false"
PACKAGES_INSTALL="false"
PACKAGES_PIPEWIRE="false"
PACKAGES_PIPEWIRE="true"

# provision
## PROVISION provisions the files placed in files directory on the installed system (preserving directory structure). This is useful to copy some configuration files.
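Review bot: The new `## SECURE_BOOT (experimental) use secure boot.` line does not tell the user what enabling it actually does, and for a feature that decides what the firmware trusts that is the one thing the config comment should say. From the alis.sh changes in this commit, enabling it downloads the third-party PreLoader.efi and HashTool.efi binaries during the install and chains the selected boot loader through PreLoader, which presumably still requires the user to enroll the loader hash with HashTool on the first boot, and check_facts only permits it with the grub, refind and systemd loaders (not efistub). Suggest expanding it to something like `## SECURE_BOOT (experimental) boots through PreLoader/HashTool (downloaded during install); requires BOOTLOADER grub, refind or systemd, and the loader hash must be enrolled with HashTool on first boot.`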
63 changes: 47 additions & 16 deletions alis.sh
Expand Up @@ -204,6 +204,7 @@ function check_variables() {
check_variables_value "HOOKS" "$HOOKS"
check_variables_boolean "UKI" "$UKI"
check_variables_list "BOOTLOADER" "$BOOTLOADER" "auto grub refind systemd efistub" "true" "true"
check_variables_boolean "SECURE_BOOT" "$SECURE_BOOT"
check_variables_list "CUSTOM_SHELL" "$CUSTOM_SHELL" "bash zsh dash fish" "true" "true"
check_variables_list "DESKTOP_ENVIRONMENT" "$DESKTOP_ENVIRONMENT" "gnome kde xfce mate cinnamon lxde i3-wm i3-gaps deepin budgie bspwm awesome qtile openbox leftwm dusk" "false" "true"
check_variables_list "DISPLAY_MANAGER" "$DISPLAY_MANAGER" "auto gdm sddm lightdm lxdm" "true" "true"
Expand Down Expand Up @@ -316,6 +317,10 @@ function check_facts() {
if [ "$BIOS_TYPE" == "bios" ]; then
check_variables_list "BOOTLOADER" "$BOOTLOADER" "grub" "true" "true"
fi

if [ "$SECURE_BOOT" == "true" ]; then
check_variables_list "BOOTLOADER" "$BOOTLOADER" "grub refind systemd" "true" "true"
fi
}

function prepare() {
Expand Down Expand Up @@ -802,7 +807,7 @@ function mkinitcpio_configuration() {
fi

if [ "$UKI" == "true" ]; then
mkdir -p "${MNT_DIR}$ESP_DIRECTORY/EFI/linux"
mkdir -p "${MNT_DIR}${ESP_DIRECTORY}/EFI/linux"

mkinitcpio_preset "linux"
if [ -n "$KERNELS" ]; then
Expand Down Expand Up @@ -1140,9 +1145,9 @@ ALL_microcode=(/boot/*-ucode.img)
PRESETS=('default' 'fallback')
default_uki="$ESP_DIRECTORY/EFI/linux/archlinux-$KERNEL.efi"
default_uki="${ESP_DIRECTORY}/EFI/linux/archlinux-$KERNEL.efi"
fallback_uki="$ESP_DIRECTORY/EFI/linux/archlinux-$KERNEL-fallback.efi"
fallback_uki="${ESP_DIRECTORY}/EFI/linux/archlinux-$KERNEL-fallback.efi"
fallback_options="-S autodetect"
EOT
}
Expand Down Expand Up @@ -1229,6 +1234,15 @@ function bootloader() {

CMDLINE_LINUX=$(trim_variable "$CMDLINE_LINUX")

if [ "$SECURE_BOOT" == "true" ]; then
curl --output PreLoader.efi https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
curl --output HashTool.efi https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
md5sum PreLoader.efi > PreLoader.efi.md5
md5sum HashTool.efi > HashTool.efi.md5
echo "4f7a4f566781869d252a09dc84923a82 PreLoader.efi" | md5sum -c -
echo "45639d23aa5f2a394b03a65fc732acf2 HashTool.efi" | md5sum -c -
fi

case "$BOOTLOADER" in
"grub" )
bootloader_grub
Expand Down Expand Up @@ -1265,21 +1279,26 @@ function bootloader_grub() {
echo ""
echo "# alis"
echo "GRUB_DISABLE_SUBMENU=y"
}>> "${MNT_DIR}"/etc/default/grub
}>> "${MNT_DIR}"/etc/default/grub

if [ "$BIOS_TYPE" == "uefi" ]; then
pacman_install "efibootmgr"
arch-chroot "${MNT_DIR}" grub-install --target=x86_64-efi --bootloader-id=grub --efi-directory="$ESP_DIRECTORY" --recheck
#arch-chroot "${MNT_DIR}" efibootmgr --create --disk $DEVICE --part $PARTITION_BOOT_NUMBER --loader /EFI/grub/grubx64.efi --label "GRUB Boot Manager" --verbose
arch-chroot "${MNT_DIR}" grub-install --target=x86_64-efi --bootloader-id=grub --efi-directory="${ESP_DIRECTORY}" --recheck
fi
if [ "$BIOS_TYPE" == "bios" ]; then
arch-chroot "${MNT_DIR}" grub-install --target=i386-pc --recheck "$DEVICE"
fi

arch-chroot "${MNT_DIR}" grub-mkconfig -o "$BOOT_DIRECTORY/grub/grub.cfg"
arch-chroot "${MNT_DIR}" grub-mkconfig -o "${BOOT_DIRECTORY}/grub/grub.cfg"

if [ "$SECURE_BOOT" == "true" ]; then
cp {PreLoader,HashTool}.efi "${MNT_DIR}${ESP_DIRECTORY}/EFI/grub"
cp "${ESP_DIRECTORY}/EFI/grub/grubx64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/systemd/loader.efi"
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux (PreLoader)" --loader "/EFI/grub/PreLoader.efi"
fi

if [ "$VIRTUALBOX" == "true" ]; then
echo -n "\EFI\grub\grubx64.efi" > "${MNT_DIR}$ESP_DIRECTORY/startup.nsh"
echo -n "\EFI\grub\grubx64.efi" > "${MNT_DIR}${ESP_DIRECTORY}/startup.nsh"
fi
}

Expand All @@ -1288,9 +1307,15 @@ function bootloader_refind() {
arch-chroot "${MNT_DIR}" refind-install

arch-chroot "${MNT_DIR}" rm /boot/refind_linux.conf
arch-chroot "${MNT_DIR}" sed -i 's/^timeout.*/timeout 5/' "$ESP_DIRECTORY/EFI/refind/refind.conf"
arch-chroot "${MNT_DIR}" sed -i 's/^#scan_all_linux_kernels.*/scan_all_linux_kernels false/' "$ESP_DIRECTORY/EFI/refind/refind.conf"
#arch-chroot "${MNT_DIR}" sed -i 's/^#default_selection "+,bzImage,vmlinuz"/default_selection "+,bzImage,vmlinuz"/' "$ESP_DIRECTORY/EFI/refind/refind.conf"
arch-chroot "${MNT_DIR}" sed -i 's/^timeout.*/timeout 5/' "${ESP_DIRECTORY}/EFI/refind/refind.conf"
arch-chroot "${MNT_DIR}" sed -i 's/^#scan_all_linux_kernels.*/scan_all_linux_kernels false/' "${ESP_DIRECTORY}/EFI/refind/refind.conf"
#arch-chroot "${MNT_DIR}" sed -i 's/^#default_selection "+,bzImage,vmlinuz"/default_selection "+,bzImage,vmlinuz"/' "${ESP_DIRECTORY}/EFI/refind/refind.conf"

if [ "$SECURE_BOOT" == "true" ]; then
cp {PreLoader,HashTool}.efi "${ESP_DIRECTORY}/EFI/refind"
cp "${ESP_DIRECTORY}/EFI/refind/refind_x64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/refind/loader.efi"
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux (PreLoader)" --loader "/EFI/refind/PreLoader.efi"
fi

if [ "$UKI" == "false" ]; then
bootloader_refind_entry "linux"
Expand Down Expand Up @@ -1329,6 +1354,12 @@ When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service
EOT

if [ "$SECURE_BOOT" == "true" ]; then
cp {PreLoader,HashTool}.efi "${ESP_DIRECTORY}/EFI/systemd"
cp "${ESP_DIRECTORY}/EFI/systemd/systemd-bootx64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/systemd/loader.efi"
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux (PreLoader)" --loader "/EFI/systemd/PreLoader.efi"
fi

if [ "$UKI" == "true" ]; then
cat <<EOT > "${MNT_DIR}${ESP_DIRECTORY}/loader/loader.conf"
# alis
Expand All @@ -1343,7 +1374,7 @@ default archlinux.conf
editor 0
EOT

arch-chroot "${MNT_DIR}" mkdir -p "$ESP_DIRECTORY/loader/entries/"
arch-chroot "${MNT_DIR}" mkdir -p "${ESP_DIRECTORY}/loader/entries/"

bootloader_systemd_entry "linux"
if [ -n "$KERNELS" ]; then
Expand Down Expand Up @@ -1433,15 +1464,15 @@ function bootloader_efistub_entry() {
local MICROCODE=""

if [ "$UKI" == "true" ]; then
arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader "EFI\linux\archlinux-$KERNEL-fallback.efi" --unicode --verbose
arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader "EFI\linux\archlinux-$KERNEL.efi" --unicode --verbose
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader "EFI\linux\archlinux-$KERNEL-fallback.efi" --unicode --verbose
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader "EFI\linux\archlinux-$KERNEL.efi" --unicode --verbose
else
if [ -n "$INITRD_MICROCODE" ]; then
local MICROCODE="initrd=\\$INITRD_MICROCODE"
fi

arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL.img" --verbose
arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL-fallback.img" --verbose
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL.img" --verbose
arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL-fallback.img" --verbose
fi
}

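Review bot: In the `SECURE_BOOT` block added to bootloader(), a failed integrity check does not stop the install: the status of `echo "… PreLoader.efi" | md5sum -c -` is ignored unless the script runs under `set -e` (not visible in these hunks), and curl is called without `--fail`, so an HTTP error body would be saved as PreLoader.efi and later copied into the ESP as the first-stage loader that the firmware trusts. The two `md5sum … > *.md5` lines are dead (nothing reads those files), and MD5 is a weak pin for a binary fetched over the network at install time; make both the download and the verification fatal, and swap the digest for a SHA-256 once the upstream value has been confirmed. Separately, the per-loader copies are inconsistent with the grub variant's `cp {PreLoader,HashTool}.efi "${MNT_DIR}${ESP_DIRECTORY}/EFI/grub"`: the refind and systemd variants write to `${ESP_DIRECTORY}/EFI/…` and all three `loader.efi` copies read from `${ESP_DIRECTORY}/…` on the live system rather than `${MNT_DIR}${ESP_DIRECTORY}/…`, and the grub variant places loader.efi under `EFI/systemd` while PreLoader.efi sits in `EFI/grub`, where PreLoader presumably expects to find it. The remainder of bootloader() and of the three per-loader functions lies outside the hunks shown.
```shell
    if [ "$SECURE_BOOT" == "true" ]; then
        # PreLoader/HashTool are third-party binaries fetched at install time and later
        # trusted by the firmware: abort if the download fails (--fail turns HTTP errors
        # into a non-zero exit) or the pinned checksum does not match, so an unverified
        # image is never copied into the ESP. TODO(review): pin SHA-256 once confirmed upstream.
        curl --fail --proto '=https' --output PreLoader.efi https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi || exit 1
        curl --fail --proto '=https' --output HashTool.efi https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi || exit 1
        echo "4f7a4f566781869d252a09dc84923a82 PreLoader.efi" | md5sum -c - || exit 1
        echo "45639d23aa5f2a394b03a65fc732acf2 HashTool.efi" | md5sum -c - || exit 1
    fi
# … unchanged: case "$BOOTLOADER" dispatch …
```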
