
add support for creating secureboot signed UEFI images

Max Resch 6 years ago committed by Harald Hoyer
parent
commit
5a962b5939
  1. 4
      dracut.conf.5.asc
  2. 27
      dracut.sh

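--- a/dracut.conf.5.asc
+++ b/dracut.conf.5.asc
@@ -204,6 +204,10 @@ provide a valid _/etc/fstab_.
 _/lib/systemd/boot/efi/linux<EFI-MACHINE-TYPE-NAME>.efi.stub_
 or _/usr/lib/gummiboot/linux<EFI-MACHINE-TYPE-NAME>.efi.stub_
 
+*uefi_secureboot_cert=*"_<FILE>_", *uefi_secureboot_key=*"_<FILE>_"::
+Specifies a certificate and corresponding key, which are used to sign the created UEFI executable.
+Requires both certificate and key need to be specified and _sbsign_ to be installed.
+
 *kernel_image=*"_<FILE>_"::
 Specifies the kernel image, which to include in the UEFI executable. The default is
 _/lib/modules/<KERNEL-VERSION>/vmlinuz_ or _/boot/vmlinuz-<KERNEL-VERSION>_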
27
dracut.sh

@ -772,6 +772,16 @@ if ! [[ $outfile ]]; then
fi fi


if [[ $uefi == "yes" ]]; then if [[ $uefi == "yes" ]]; then
if [[ -n "$uefi_secureboot_key" && -z "$uefi_secureboot_cert" ]] || [[ -z $uefi_secureboot_key && -n $uefi_secureboot_cert ]]; then
dfatal "Need 'uefi_secureboot_key' and 'uefi_secureboot_cert' both to be set."
exit 1
fi

if [[ -n "$uefi_secureboot_key" && -n "$uefi_secureboot_cert" ]] && !command -v sbsign &>/dev/null; then
dfatal "Need 'sbsign' to create a signed UEFI executable"
exit 1
fi

BUILD_ID=$(cat /etc/os-release /usr/lib/os-release \ BUILD_ID=$(cat /etc/os-release /usr/lib/os-release \
| while read -r line || [[ $line ]]; do \ | while read -r line || [[ $line ]]; do \
[[ $line =~ BUILD_ID\=* ]] && eval "$line" && echo "$BUILD_ID" && break; \ [[ $line =~ BUILD_ID\=* ]] && eval "$line" && echo "$BUILD_ID" && break; \
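Review bot: The sbsign prerequisite check in the second added `if` never fires, because `!command -v sbsign` is a single word: bash only treats `!` as the negation keyword when it stands alone, so this runs a non-existent command named `!command`, which fails with status 127 (stderr swallowed by `&>/dev/null`) and makes the `&&` condition false whether or not sbsign is installed. The missing tool is therefore only noticed when signing is attempted later, after the whole initramfs has been built. The fix is the space: `if [[ -n "$uefi_secureboot_key" && -n "$uefi_secureboot_cert" ]] && ! command -v sbsign &>/dev/null; then`. Since the signing step later in this commit hands both paths straight to sbsign, it would also be worth failing early on an unreadable key or certificate here, e.g. `[[ -r $uefi_secureboot_key && -r $uefi_secureboot_cert ]] || { dfatal "Cannot read 'uefi_secureboot_key' or 'uefi_secureboot_cert'"; exit 1; }`. The enclosing `if [[ $uefi == "yes" ]]` block continues past the hunk.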
@ -1942,9 +1952,22 @@ if [[ $uefi = yes ]]; then
--add-section .cmdline="${uefi_outdir}/cmdline.txt" --change-section-vma .cmdline=0x30000 \ --add-section .cmdline="${uefi_outdir}/cmdline.txt" --change-section-vma .cmdline=0x30000 \
--add-section .linux="$kernel_image" --change-section-vma .linux=0x40000 \ --add-section .linux="$kernel_image" --change-section-vma .linux=0x40000 \
--add-section .initrd="${DRACUT_TMPDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \ --add-section .initrd="${DRACUT_TMPDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \
"$uefi_stub" "${uefi_outdir}/linux.efi" \ "$uefi_stub" "${uefi_outdir}/linux.efi"; then
&& cp --reflink=auto "${uefi_outdir}/linux.efi" "$outfile"; then if [[ -n "${uefi_secureboot_key}" && -n "${uefi_secureboot_cert}" ]]; then \
if sbsign \
--key "${uefi_secureboot_key}" \
--cert "${uefi_secureboot_cert}" \
--output "$outfile" "${uefi_outdir}/linux.efi"; then
dinfo "*** Creating signed UEFI image file '$outfile' done ***"
else
dfatal "*** Creating signed UEFI image file '$outfile' failed ***"
exit 1
fi
else
if cp --reflink=auto "${uefi_outdir}/linux.efi" "$outfile"; then
dinfo "*** Creating UEFI image file '$outfile' done ***" dinfo "*** Creating UEFI image file '$outfile' done ***"
fi
fi
else else
rm -f -- "$outfile" rm -f -- "$outfile"
dfatal "*** Creating UEFI image file '$outfile' failed ***" dfatal "*** Creating UEFI image file '$outfile' failed ***"
