mirrors/aports
3
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2025-05-05 23:54:19 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
aports/main/secureboot-hook/secureboot.hook
Sertonix 3a23f07bba main/secureboot-hook: use PATH to find binaries 
Not hardcoding the paths to binaries avoids issues when these are moved.
2025-03-16 18:37:31 +00:00

114 lines
3 KiB
Bash
Raw Permalink Blame History

#!/bin/ash
# vim: set ts=4:
set -euo pipefail
readonly HOOK_NAME='secureboot'
# Defaults
cmdline=
signing_cert='/etc/uefi-keys/db.crt'
signing_key='/etc/uefi-keys/db.key'
signing_disabled=no
openssl_engine=
microcode=
splash_image='/dev/null'
output_dir='/boot/efi/Alpine'
output_name='linux-{flavor}.efi'
backup_old=yes
skip_flavors=
efistub_file='/usr/lib/gummiboot/linux{march}.efi.stub'
die() {
printf "$HOOK_NAME: %s\n" "$2" >&2
exit $1
}
if [ $# -lt 2 ]; then
echo "Usage: $0 <flavor> <new-version> <old-version>" >&2
exit 1
fi
readonly FLAVOR=$1
readonly NEW_VERSION=$2
readonly OLD_VERSION=${3:-}
case "$(cat /etc/apk/arch)" in
aarch64) readonly MARCH="aa64";;
arm*) readonly MARCH="arm";;
riscv64) readonly MARCH="riscv64";;
x86) readonly MARCH="ia32";;
x86_64) readonly MARCH="x64";;
esac
# Hook triggered for the kernel removal, nothing to do here.
[ "$NEW_VERSION" ] || exit 0
. /etc/kernel-hooks.d/secureboot.conf
[ "$skip_flavors" ] && for flavor in $skip_flavors; do
[ "$flavor" = "$FLAVOR" ] \
&& die 0 "==> skipping UEFI image creation for $FLAVOR kernel"
done
[ "$cmdline" ] \
|| die 0 "cmdline is not specified in /etc/kernel-hooks.d/$HOOK_NAME.conf, skipping hook!"
if [ "$signing_disabled" != yes ]; then
[ -r "$signing_cert" ] \
|| die 2 "ERROR: signing cert '$signing_cert' does not exist or not readable!"
[ -r "$signing_key" ] \
|| die 2 "ERROR: signing key '$signing_key' does not exist or not readable!"
fi
vmlinuz="/boot/vmlinuz-$FLAVOR"
output_name=$(echo "$output_name" \
| sed "s/{flavor}/$FLAVOR/; s/{version}/$NEW_VERSION/")
output="$output_dir/$output_name"
efistub_file=$(echo "$efistub_file" | sed "s/{march}/$MARCH/")
[ "$microcode" ] || for path in /boot/intel-ucode.img /boot/amd-ucode.img; do
[ -f "$path" ] && microcode="$path"
done
tmpdir=$(mktemp -dt "$HOOK_NAME.XXXXXX")
trap "rm -f '$tmpdir'/*; rmdir '$tmpdir'" EXIT HUP INT TERM
if [ "$backup_old" = yes ] && [ -f "$output" ]; then
cp -a "$output" "$output.bak"
fi
mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"
echo "==> $HOOK_NAME: creating UEFI Unified Kernel Image with $vmlinuz"
efi-mkuki \
-c "$cmdline" \
-s "$splash_image" \
-S "$efistub_file" \
-o "$tmpdir"/unsigned.efi \
"$vmlinuz" $microcode "$tmpdir"/initramfs
mkdir -p "$output_dir"
if [ "$signing_disabled" = yes ]; then
echo "==> $HOOK_NAME: writing *unsigned* UEFI image to $output (signing is disabled!)"
mv "$tmpdir"/unsigned.efi "$output"
else
echo "==> $HOOK_NAME: signing UEFI image and writing to $output"
sbsign \
--cert "$signing_cert" \
--key "$signing_key" \
--output "$output" \
${openssl_engine:+--engine $openssl_engine} \
"$tmpdir"/unsigned.efi \
2>&1 | { grep -Fv -e ' gaps between PE/COFF ' -e 'Signing Unsigned ' ||:; } >&2
# this is not an issue ^
fi
# Just a simple sanity check.
dir="/${output_dir#/}"
while [ "$dir" ]; do
mount -t vfat | grep -Fq " on $dir type vfat " && exit 0
dir=${dir%/*}
done
die 0 "WARNING: $output_dir is not on UEFI System Partition as it should be!"
Reference in a new issue View git blame Copy permalink