From 8a6264f38fa348fcbdcc928d1d0b9772a33fb88f Mon Sep 17 00:00:00 2001
From: "pico.dev"
Date: Fri, 10 Nov 2023 22:37:11 +0100
Subject: [PATCH] Add Secure Boot support

Fixes #246
---
 README.md | 6 ++++--
 alis.conf | 9 +++++---
 alis.sh   | 63 +++++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 57 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index d94cbab8..d845bf32 100644
--- a/README.md
+++ b/README.md
@@ -72,15 +72,16 @@ For new features, improvements and bugs, fill an issue in GitHub or make a pull
 * **Periodic TRIM** for SSD storage
 * Intel and AMD **processors microcode**
 * Optional **swap file**
-* **VirtualBox guest additions** and **VMware tools** support
+* **PipeWire** support
+* **Secure Boot** support
 * **Kernel compression** and **custom parameters**
 * **Users creation** and **add to sudoers**
 * **systemd units enable or disable**
 * **systemd-homed** support
 * **systemd GPT partition automounting** support
-* **PipeWire** support
 * **Multilib** support
 * **Files provision** support
+* **VirtualBox guest additions** and **VMware tools** support
 * **SSH install** and **cloud-init** support
 * Arch Linux custom **packages installation** and **repositories installation**
 * Flatpak utility installation and **Flatpak packages installation**
@@ -324,6 +325,7 @@ https://www.archlinux.org/download/
 * https://wiki.archlinux.org/title/Qtile
 * https://wiki.archlinux.org/title/REFInd
 * https://wiki.archlinux.org/title/Reflector
+* https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
 * https://wiki.archlinux.org/title/Solid_state_drive/NVMe
 * https://wiki.archlinux.org/title/Solid_State_Drives
 * https://wiki.archlinux.org/title/Swap
diff --git a/alis.conf b/alis.conf
index 0edf3c0e..0bac6d37 100644
--- a/alis.conf
+++ b/alis.conf
@@ -3,6 +3,7 @@
 # Some variables values are preceded by a ! character, this means that the value is ignored.
 # Some variables accept a single value others accept multiple values as annotated in the comments.
 # Some variables are boolean with a value of true or false.
+# Some variables are experimental feature (use it and report in case of errors)
 #
 # Read the Arch Linux wiki pages to learn more about the variables values.
 # https://github.com/picodotdev/alis/blob/master/README.md
@@ -123,7 +124,7 @@ USER_PASSWORD_RETYPE="ask"
 ADDITIONAL_USERS=() # eg. ("user1=password1" "user2=password2")
 
 ## systemd-homed
-### SYSTEMD_HOMED "true" value requires interactivity to set user password
+### SYSTEMD_HOMED (experimental) "true" value requires interactivity to set user password
 SYSTEMD_HOMED="false"
 SYSTEMD_HOMED_STORAGE="!auto !luks !subvolume directory !fscrypt !cifs"
 SYSTEMD_HOMED_STORAGE_LUKS_TYPE="auto !ext4 !btrfs !xfs"
@@ -133,7 +134,7 @@ SYSTEMD_HOMED_STORAGE_CIFS_SERVICE=""
 # mkinitcpio
 ## HOOKS are the system hooks to execute to build the initial ramdisk.
 ## MODULES are used to specify the modules to load before anything to execute to build the initial ramdisk.
-## UKI generate and use a Unified Kernel Image.
+## UKI (experimental) generate and use a Unified Kernel Image.
 ### Generally, it is not necessary to modify, alis enables or disables some hooks
 ### taking in account other variables values like bootloader or device encryption.
 HOOKS="base !udev !usr !resume !systemd !btrfs autodetect keyboard !keymap !consolefont !sd-vconsole modconf block !net !dmraid !mdadm !mdadm_udev !encrypt !sd-encrypt !lvm2 fsck filesystems"
@@ -143,7 +144,9 @@ UKI="false"
 # bootloader
 ## BOOTLOADER system boot loader.
 ### With auto value grub is used for BIOS system, systemd for UEFI system.
+## SECURE_BOOT (experimental) use secure boot.
 BOOTLOADER="auto !grub !refind !systemd !efistub" # (single)
+SECURE_BOOT="false"
 
 # shell
 ## CUSTOM_SHELL configures an alternative custom shell interpreter.
@@ -162,7 +165,7 @@ DISPLAY_MANAGER="auto !gdm !sddm !lightdm !lxdm" # (single)
 ### It is recommended to install packages after base installation and reboot.
 PACKAGES_MULTILIB="false"
 PACKAGES_INSTALL="false"
-PACKAGES_PIPEWIRE="false"
+PACKAGES_PIPEWIRE="true"
 
 # provision
 ## PROVISION provisions the files placed in files directory on the installed system (preserving directory structure). This is useful to copy some configuration files.
diff --git a/alis.sh b/alis.sh
index 280d0aeb..a5ac03d3 100755
--- a/alis.sh
+++ b/alis.sh
@@ -204,6 +204,7 @@ function check_variables() {
     check_variables_value "HOOKS" "$HOOKS"
     check_variables_boolean "UKI" "$UKI"
     check_variables_list "BOOTLOADER" "$BOOTLOADER" "auto grub refind systemd efistub" "true" "true"
+    check_variables_boolean "SECURE_BOOT" "$SECURE_BOOT"
     check_variables_list "CUSTOM_SHELL" "$CUSTOM_SHELL" "bash zsh dash fish" "true" "true"
     check_variables_list "DESKTOP_ENVIRONMENT" "$DESKTOP_ENVIRONMENT" "gnome kde xfce mate cinnamon lxde i3-wm i3-gaps deepin budgie bspwm awesome qtile openbox leftwm dusk" "false" "true"
     check_variables_list "DISPLAY_MANAGER" "$DISPLAY_MANAGER" "auto gdm sddm lightdm lxdm" "true" "true"
@@ -316,6 +317,10 @@ function check_facts() {
     if [ "$BIOS_TYPE" == "bios" ]; then
         check_variables_list "BOOTLOADER" "$BOOTLOADER" "grub" "true" "true"
     fi
+
+    if [ "$SECURE_BOOT" == "true" ]; then
+        check_variables_list "BOOTLOADER" "$BOOTLOADER" "grub refind systemd" "true" "true"
+    fi
 }
 
 function prepare() {
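Review bot: The new `## SECURE_BOOT (experimental) use secure boot.` comment in the bootloader section of alis.conf tells the user nothing about what the option does or requires, while the neighbouring `## BOOTLOADER` comment does explain its `auto` behaviour. Taken from the rest of this patch, the option downloads PreLoader/HashTool at install time, copies them to the ESP and registers a PreLoader boot entry, and check_facts() only accepts it with grub, refind or systemd, so I would document that, e.g. `## SECURE_BOOT (experimental) boots through PreLoader/HashTool (downloaded during installation); only for UEFI with BOOTLOADER grub, refind or systemd, and the loader hash has to be enrolled with HashTool on first boot.` The flip of `PACKAGES_PIPEWIRE` from `"false"` to `"true"` in the following hunk changes the default for every existing configuration and is unrelated to Secure Boot; it deserves a sentence in the commit message.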
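Review bot: The new check_facts() block constrains BOOTLOADER when SECURE_BOOT is true but never requires a UEFI system; on BIOS the block just above forces BOOTLOADER to grub, which satisfies the new list, and bootloader_grub() later runs `efibootmgr` and writes into the ESP of a machine that has none. If check_variables_list accepts a single-valued variable, adding `check_variables_list "BIOS_TYPE" "$BIOS_TYPE" "uefi" "true" "true"` inside the new `if` would reject that combination before anything is downloaded. A short comment on why efistub is excluded would also help; from the bootloader hunks it looks like the PreLoader chain needs a loader.efi to hand off to, which the efistub path has no counterpart for, but that is inferred and worth confirming.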
@@ -802,7 +807,7 @@ function mkinitcpio_configuration() {
     fi
 
     if [ "$UKI" == "true" ]; then
-        mkdir -p "${MNT_DIR}$ESP_DIRECTORY/EFI/linux"
+        mkdir -p "${MNT_DIR}${ESP_DIRECTORY}/EFI/linux"
         mkinitcpio_preset "linux"
 
         if [ -n "$KERNELS" ]; then
@@ -1140,9 +1145,9 @@ ALL_microcode=(/boot/*-ucode.img)
 
 PRESETS=('default' 'fallback')
 
-default_uki="$ESP_DIRECTORY/EFI/linux/archlinux-$KERNEL.efi"
+default_uki="${ESP_DIRECTORY}/EFI/linux/archlinux-$KERNEL.efi"
 
-fallback_uki="$ESP_DIRECTORY/EFI/linux/archlinux-$KERNEL-fallback.efi"
+fallback_uki="${ESP_DIRECTORY}/EFI/linux/archlinux-$KERNEL-fallback.efi"
 fallback_options="-S autodetect"
 EOT
 }
@@ -1229,6 +1234,15 @@ function bootloader() {
 
     CMDLINE_LINUX=$(trim_variable "$CMDLINE_LINUX")
 
+    if [ "$SECURE_BOOT" == "true" ]; then
+        curl --output PreLoader.efi https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
+        curl --output HashTool.efi https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
+        md5sum PreLoader.efi > PreLoader.efi.md5
+        md5sum HashTool.efi > HashTool.efi.md5
+        echo "4f7a4f566781869d252a09dc84923a82 PreLoader.efi" | md5sum -c -
+        echo "45639d23aa5f2a394b03a65fc732acf2 HashTool.efi" | md5sum -c -
+    fi
+
     case "$BOOTLOADER" in
         "grub" )
             bootloader_grub
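Review bot: The download block added to bootloader() verifies PreLoader.efi and HashTool.efi against pinned MD5 digests, but nothing visible in the hunk stops the installation when `md5sum -c -` reports a mismatch, and `curl` runs without `--fail`, so an HTTP error page would be saved under the expected filename; unless a top-level `set -e` outside this hunk is in force, the later `cp {PreLoader,HashTool}.efi` hunks would put an unverified binary into the boot chain. The two `md5sum X > X.md5` lines write files that are never read and are left behind in the working directory. I would make the check fail closed, drop the unused `.md5` files, and pin SHA-256 digests (computed from a verified copy) rather than MD5 for binaries that gate Secure Boot. bootloader() continues outside the hunk.
```shell
    if [ "$SECURE_BOOT" == "true" ]; then
        # --fail: an HTTP error must not be saved as PreLoader.efi / HashTool.efi
        curl --fail --location --output PreLoader.efi https://blog.hansenpartnership.com/wp-uploads/2013/PreLoader.efi
        curl --fail --location --output HashTool.efi https://blog.hansenpartnership.com/wp-uploads/2013/HashTool.efi
        # pinned digests; stop before anything is copied to the ESP if they do not match
        echo "4f7a4f566781869d252a09dc84923a82 PreLoader.efi" | md5sum -c - || exit 1
        echo "45639d23aa5f2a394b03a65fc732acf2 HashTool.efi" | md5sum -c - || exit 1
    fi

    # … unchanged: case "$BOOTLOADER" dispatch …
```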
@@ -1265,21 +1279,26 @@ function bootloader_grub() {
         echo ""
         echo "# alis"
         echo "GRUB_DISABLE_SUBMENU=y"
-    }>> "${MNT_DIR}"/etc/default/grub
+    }>> "${MNT_DIR}"/etc/default/grub
 
     if [ "$BIOS_TYPE" == "uefi" ]; then
         pacman_install "efibootmgr"
-        arch-chroot "${MNT_DIR}" grub-install --target=x86_64-efi --bootloader-id=grub --efi-directory="$ESP_DIRECTORY" --recheck
-        #arch-chroot "${MNT_DIR}" efibootmgr --create --disk $DEVICE --part $PARTITION_BOOT_NUMBER --loader /EFI/grub/grubx64.efi --label "GRUB Boot Manager" --verbose
+        arch-chroot "${MNT_DIR}" grub-install --target=x86_64-efi --bootloader-id=grub --efi-directory="${ESP_DIRECTORY}" --recheck
     fi
 
     if [ "$BIOS_TYPE" == "bios" ]; then
         arch-chroot "${MNT_DIR}" grub-install --target=i386-pc --recheck "$DEVICE"
     fi
 
-    arch-chroot "${MNT_DIR}" grub-mkconfig -o "$BOOT_DIRECTORY/grub/grub.cfg"
+    arch-chroot "${MNT_DIR}" grub-mkconfig -o "${BOOT_DIRECTORY}/grub/grub.cfg"
+
+    if [ "$SECURE_BOOT" == "true" ]; then
+        cp {PreLoader,HashTool}.efi "${MNT_DIR}${ESP_DIRECTORY}/EFI/grub"
+        cp "${ESP_DIRECTORY}/EFI/grub/grubx64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/systemd/loader.efi"
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux (PreLoader)" --loader "/EFI/grub/PreLoader.efi"
+    fi
 
     if [ "$VIRTUALBOX" == "true" ]; then
-        echo -n "\EFI\grub\grubx64.efi" > "${MNT_DIR}$ESP_DIRECTORY/startup.nsh"
+        echo -n "\EFI\grub\grubx64.efi" > "${MNT_DIR}${ESP_DIRECTORY}/startup.nsh"
     fi
 }
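Review bot: In the new SECURE_BOOT block of bootloader_grub(), `cp "${ESP_DIRECTORY}/EFI/grub/grubx64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/systemd/loader.efi"` reads its source from the live environment rather than the target (every other host-side ESP path in this function carries the `${MNT_DIR}` prefix) and writes loader.efi into EFI/systemd although PreLoader.efi was just copied into EFI/grub; PreLoader launches loader.efi from its own directory, so GRUB would never be chained. The line should read `cp "${MNT_DIR}${ESP_DIRECTORY}/EFI/grub/grubx64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/grub/loader.efi"`. The refind and systemd hunks that follow have the same missing `${MNT_DIR}` on both the `cp {PreLoader,HashTool}.efi` destination and the loader source. The `efibootmgr --part 1` is hard-coded where the comment line this hunk removes used `$PARTITION_BOOT_NUMBER`; that matches the existing efistub entries, but it is worth confirming the ESP is always partition 1 of `$DEVICE` in every layout alis supports.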
@@ -1288,9 +1307,15 @@ function bootloader_refind() {
     arch-chroot "${MNT_DIR}" refind-install
     arch-chroot "${MNT_DIR}" rm /boot/refind_linux.conf
 
-    arch-chroot "${MNT_DIR}" sed -i 's/^timeout.*/timeout 5/' "$ESP_DIRECTORY/EFI/refind/refind.conf"
-    arch-chroot "${MNT_DIR}" sed -i 's/^#scan_all_linux_kernels.*/scan_all_linux_kernels false/' "$ESP_DIRECTORY/EFI/refind/refind.conf"
-    #arch-chroot "${MNT_DIR}" sed -i 's/^#default_selection "+,bzImage,vmlinuz"/default_selection "+,bzImage,vmlinuz"/' "$ESP_DIRECTORY/EFI/refind/refind.conf"
+    arch-chroot "${MNT_DIR}" sed -i 's/^timeout.*/timeout 5/' "${ESP_DIRECTORY}/EFI/refind/refind.conf"
+    arch-chroot "${MNT_DIR}" sed -i 's/^#scan_all_linux_kernels.*/scan_all_linux_kernels false/' "${ESP_DIRECTORY}/EFI/refind/refind.conf"
+    #arch-chroot "${MNT_DIR}" sed -i 's/^#default_selection "+,bzImage,vmlinuz"/default_selection "+,bzImage,vmlinuz"/' "${ESP_DIRECTORY}/EFI/refind/refind.conf"
+
+    if [ "$SECURE_BOOT" == "true" ]; then
+        cp {PreLoader,HashTool}.efi "${ESP_DIRECTORY}/EFI/refind"
+        cp "${ESP_DIRECTORY}/EFI/refind/refind_x64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/refind/loader.efi"
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux (PreLoader)" --loader "/EFI/refind/PreLoader.efi"
+    fi
 
     if [ "$UKI" == "false" ]; then
         bootloader_refind_entry "linux"
@@ -1329,6 +1354,12 @@ When = PostTransaction
 Exec = /usr/bin/systemctl restart systemd-boot-update.service
 EOT
 
+    if [ "$SECURE_BOOT" == "true" ]; then
+        cp {PreLoader,HashTool}.efi "${ESP_DIRECTORY}/EFI/systemd"
+        cp "${ESP_DIRECTORY}/EFI/systemd/systemd-bootx64.efi" "${MNT_DIR}${ESP_DIRECTORY}/EFI/systemd/loader.efi"
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux (PreLoader)" --loader "/EFI/systemd/PreLoader.efi"
+    fi
+
     if [ "$UKI" == "true" ]; then
         cat < "${MNT_DIR}${ESP_DIRECTORY}/loader/loader.conf"
 # alis
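Review bot: The loader.efi written by the new SECURE_BOOT block in the second hunk (presumably bootloader_systemd(); the function starts outside the hunk) is a one-time copy of systemd-bootx64.efi, while the pacman hook in the context just above restarts `systemd-boot-update.service` on every upgrade; after a systemd update the PreLoader entry would presumably keep booting the stale copy, and the hash enrolled through HashTool would not cover the refreshed systemd-bootx64.efi. That should at least be stated next to the copy, e.g. `# loader.efi is a snapshot: systemd-boot-update refreshes systemd-bootx64.efi, not this file`, or the hook extended to re-copy it. The same consideration applies to the refind copy in the first hunk whenever refind is upgraded.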
@@ -1343,7 +1374,7 @@ default archlinux.conf
 editor 0
 EOT
 
-    arch-chroot "${MNT_DIR}" mkdir -p "$ESP_DIRECTORY/loader/entries/"
+    arch-chroot "${MNT_DIR}" mkdir -p "${ESP_DIRECTORY}/loader/entries/"
     bootloader_systemd_entry "linux"
 
     if [ -n "$KERNELS" ]; then
@@ -1433,15 +1464,15 @@ function bootloader_efistub_entry() {
     local MICROCODE=""
 
     if [ "$UKI" == "true" ]; then
-        arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader "EFI\linux\archlinux-$KERNEL-fallback.efi" --unicode --verbose
-        arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader "EFI\linux\archlinux-$KERNEL.efi" --unicode --verbose
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader "EFI\linux\archlinux-$KERNEL-fallback.efi" --unicode --verbose
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader "EFI\linux\archlinux-$KERNEL.efi" --unicode --verbose
     else
         if [ -n "$INITRD_MICROCODE" ]; then
             local MICROCODE="initrd=\\$INITRD_MICROCODE"
         fi
 
-        arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL.img" --verbose
-        arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL-fallback.img" --verbose
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL.img" --verbose
+        arch-chroot "${MNT_DIR}" efibootmgr --unicode --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader /vmlinuz-"$KERNEL" --unicode "$CMDLINE_LINUX $CMDLINE_LINUX_ROOT rw $MICROCODE initrd=\initramfs-$KERNEL-fallback.img" --verbose
     fi
 }
 
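Review bot: Each of the four rewritten efibootmgr lines in bootloader_efistub_entry() now carries `--unicode` twice, once right after `efibootmgr` and once in its original position near the end; the duplicate is redundant and, in the else branch, leaves the reader guessing which occurrence is meant to pair with the kernel command-line argument that follows it. Keep one occurrence per line, e.g. for the first: `arch-chroot "${MNT_DIR}" efibootmgr --disk "$DEVICE" --part 1 --create --label "Arch Linux ($KERNEL fallback)" --loader "EFI\linux\archlinux-$KERNEL-fallback.efi" --unicode --verbose`. Since the change is purely cosmetic, a commit note saying why the flag was moved would help the next reader.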