kernel
/
dracut
mirror of https://git.kernel.org/pub/scm/boot/dracut/dracut.git/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

add support for creating secureboot signed UEFI images

master
Max Resch 2019-06-30 12:16:22 +02:00 committed by Harald Hoyer
parent 705eb4eeb2
commit 5a962b5939
2 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dracut.conf.5.asc
View File

@ -204,6 +204,10 @@ provide a valid _/etc/fstab_.
_/lib/systemd/boot/efi/linux<EFI-MACHINE-TYPE-NAME>.efi.stub_ _/lib/systemd/boot/efi/linux<EFI-MACHINE-TYPE-NAME>.efi.stub_
or _/usr/lib/gummiboot/linux<EFI-MACHINE-TYPE-NAME>.efi.stub_ or _/usr/lib/gummiboot/linux<EFI-MACHINE-TYPE-NAME>.efi.stub_


*uefi_secureboot_cert=*"_<FILE>_", *uefi_secureboot_key=*"_<FILE>_"::
Specifies a certificate and corresponding key, which are used to sign the created UEFI executable.
Requires both certificate and key need to be specified and _sbsign_ to be installed.

*kernel_image=*"_<FILE>_":: *kernel_image=*"_<FILE>_"::
Specifies the kernel image, which to include in the UEFI executable. The default is Specifies the kernel image, which to include in the UEFI executable. The default is
_/lib/modules/<KERNEL-VERSION>/vmlinuz_ or _/boot/vmlinuz-<KERNEL-VERSION>_ _/lib/modules/<KERNEL-VERSION>/vmlinuz_ or _/boot/vmlinuz-<KERNEL-VERSION>_

27
dracut.sh
View File

@ -772,6 +772,16 @@ if ! [[ $outfile ]]; then
fi fi


if [[ $uefi == "yes" ]]; then if [[ $uefi == "yes" ]]; then
if [[ -n "$uefi_secureboot_key" && -z "$uefi_secureboot_cert" ]] || [[ -z $uefi_secureboot_key && -n $uefi_secureboot_cert ]]; then
dfatal "Need 'uefi_secureboot_key' and 'uefi_secureboot_cert' both to be set."
exit 1
fi

if [[ -n "$uefi_secureboot_key" && -n "$uefi_secureboot_cert" ]] && !command -v sbsign &>/dev/null; then
dfatal "Need 'sbsign' to create a signed UEFI executable"
exit 1
fi

BUILD_ID=$(cat /etc/os-release /usr/lib/os-release \ BUILD_ID=$(cat /etc/os-release /usr/lib/os-release \
| while read -r line || [[ $line ]]; do \ | while read -r line || [[ $line ]]; do \
[[ $line =~ BUILD_ID\=* ]] && eval "$line" && echo "$BUILD_ID" && break; \ [[ $line =~ BUILD_ID\=* ]] && eval "$line" && echo "$BUILD_ID" && break; \
@ -1942,9 +1952,22 @@ if [[ $uefi = yes ]]; then
--add-section .cmdline="${uefi_outdir}/cmdline.txt" --change-section-vma .cmdline=0x30000 \ --add-section .cmdline="${uefi_outdir}/cmdline.txt" --change-section-vma .cmdline=0x30000 \
--add-section .linux="$kernel_image" --change-section-vma .linux=0x40000 \ --add-section .linux="$kernel_image" --change-section-vma .linux=0x40000 \
--add-section .initrd="${DRACUT_TMPDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \ --add-section .initrd="${DRACUT_TMPDIR}/initramfs.img" --change-section-vma .initrd=0x3000000 \
"$uefi_stub" "${uefi_outdir}/linux.efi" \ "$uefi_stub" "${uefi_outdir}/linux.efi"; then
&& cp --reflink=auto "${uefi_outdir}/linux.efi" "$outfile"; then if [[ -n "${uefi_secureboot_key}" && -n "${uefi_secureboot_cert}" ]]; then \
if sbsign \
--key "${uefi_secureboot_key}" \
--cert "${uefi_secureboot_cert}" \
--output "$outfile" "${uefi_outdir}/linux.efi"; then
dinfo "*** Creating signed UEFI image file '$outfile' done ***"
else
dfatal "*** Creating signed UEFI image file '$outfile' failed ***"
exit 1
fi
else
if cp --reflink=auto "${uefi_outdir}/linux.efi" "$outfile"; then
dinfo "*** Creating UEFI image file '$outfile' done ***" dinfo "*** Creating UEFI image file '$outfile' done ***"
fi
fi
else else
rm -f -- "$outfile" rm -f -- "$outfile"
dfatal "*** Creating UEFI image file '$outfile' failed ***" dfatal "*** Creating UEFI image file '$outfile' failed ***"