From 8512ebc5401cbfbef7f22a1b5686dabe388542f8 Mon Sep 17 00:00:00 2001
From: Kyle Gospodnetich
Date: Thu, 22 Feb 2024 13:51:05 -0800
Subject: [PATCH 1/4] chore: First pass of adding secure boot key enrollment
---
 Makefile | 1 +
 lorax_templates/secure_boot_key.tmpl.in | 7 +++++++
 xorriso/enroll-secureboot-key.sh.in | 19 +++++++++++++++++++
 3 files changed, 27 insertions(+)
 create mode 100644 lorax_templates/secure_boot_key.tmpl.in
 create mode 100644 xorriso/enroll-secureboot-key.sh.in

diff --git a/Makefile b/Makefile
index 09e90a81..5329d190 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,7 @@ boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.
 --repo /etc/yum.repos.d/fedora-updates.repo \
 --add-template $(_BASE_DIR)/lorax_templates/set_installer.tmpl \
 --add-template $(_BASE_DIR)/lorax_templates/configure_upgrades.tmpl \
+ --add-template $(_BASE_DIR)/lorax_templates/secure_boot_key.tmpl \
 $(_BASE_DIR)/results/
 mv $(_BASE_DIR)/results/images/boot.iso $(_BASE_DIR)/
 
diff --git a/lorax_templates/secure_boot_key.tmpl.in b/lorax_templates/secure_boot_key.tmpl.in
new file mode 100644
index 00000000..20d45d7f
--- /dev/null
+++ b/lorax_templates/secure_boot_key.tmpl.in
@@ -0,0 +1,7 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail"
+append usr/share/anaconda/interactive-defaults.ks "sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/@IMAGE_REPO_ESCAPED@\/@IMAGE_NAME@:@IMAGE_TAG@/' /ostree/deploy/default/deploy/*.origin"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --erroronfail"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/@IMAGE_REPO_ESCAPED@\/@IMAGE_NAME@:@IMAGE_TAG@/' /ostree/deploy/default/deploy/*.origin"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
\ No newline at end of file
diff --git a/xorriso/enroll-secureboot-key.sh.in b/xorriso/enroll-secureboot-key.sh.in
new file mode 100644
index 00000000..1547eac0
--- /dev/null
+++ b/xorriso/enroll-secureboot-key.sh.in
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+set -oue pipefail
+
+readonly SECUREBOOT_KEY="$1"
+readonly ENROLLMENT_PASSWORD="$2"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+ echo "EFI mode not detected. Skipping key enrollment."
+ exit 0
+fi
+
+if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
+ echo "Secure boot key not found: ${SECUREBOOT_KEY}"
+ exit 1
+fi
+
+mokutil --timeout -1 ||:
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" ||:
From d133611d0cccbf7cb5a405d1c4505874366e9bfc Mon Sep 17 00:00:00 2001
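Review bot: The script declares `#!/bin/sh` but its body needs bash: `set -o pipefail`, `[[ ... ]]` and `echo -e` are not guaranteed by a POSIX sh, and on a system where /bin/sh is dash the `echo -e` line would hand mokutil the literal text `-e <password>` as the first password line. Change the shebang to `#!/bin/bash` (or `#!/usr/bin/env bash`) and feed the password with `printf '%s\n' "${ENROLLMENT_PASSWORD}" "${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}"`, which removes the echo portability question. The trailing `||:` on both mokutil lines also makes every failure silent (mokutil absent from the installer image, key rejected, EFI variable write refused), so a `%post --erroronfail` that calls this script can never observe the problem; if a failed import is meant to be non-fatal, at least say so on stderr, e.g. `mokutil --import "${SECUREBOOT_KEY}" || echo "warning: mokutil --import failed; key was not staged for enrollment" >&2`. A one-line header comment stating that the script only stages a MOK request and that the user confirms it in MokManager on the next boot would also help, since nothing in the file says what the password is for.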
From: Noel Miller
Date: Thu, 22 Feb 2024 23:40:15 -0600
Subject: [PATCH 2/4] feat: Add secure boot support
---
 ...ureboot-key.sh.in => enroll-secureboot-key.sh | 12 ++++++------
 lorax_templates/secure_boot_key.tmpl | 9 +++++++++
 lorax_templates/secure_boot_key.tmpl.in | 7 -------
 post-install.sh | 7 +++++++
 ublue-os-akmods-public-key.der | Bin 0 -> 1548 bytes
 ublue-os-env-vars | 3 +++
 xorriso/gen_input.sh.in | 9 ++++++++-
 7 files changed, 33 insertions(+), 14 deletions(-)
 rename xorriso/enroll-secureboot-key.sh.in => enroll-secureboot-key.sh (55%)
 mode change 100644 => 100755
 create mode 100644 lorax_templates/secure_boot_key.tmpl
 delete mode 100644 lorax_templates/secure_boot_key.tmpl.in
 create mode 100755 post-install.sh
 create mode 100644 ublue-os-akmods-public-key.der
 create mode 100644 ublue-os-env-vars

diff --git a/xorriso/enroll-secureboot-key.sh.in b/enroll-secureboot-key.sh
old mode 100644
new mode 100755
similarity index 55%
rename from xorriso/enroll-secureboot-key.sh.in
rename to enroll-secureboot-key.sh
index 1547eac0..d2848c4a
--- a/xorriso/enroll-secureboot-key.sh.in
+++ b/enroll-secureboot-key.sh
@@ -6,14 +6,14 @@ readonly SECUREBOOT_KEY="$1"
 readonly ENROLLMENT_PASSWORD="$2"
 
 if [[ ! -d "/sys/firmware/efi" ]]; then
- echo "EFI mode not detected. Skipping key enrollment."
- exit 0
+ echo "EFI mode not detected. Skipping key enrollment."
+ exit 0
 fi
 
 if [[ ! -f "${SECUREBOOT_KEY}" ]]; then
- echo "Secure boot key not found: ${SECUREBOOT_KEY}"
- exit 1
+ echo "Secure boot key not found: ${SECUREBOOT_KEY}"
+ exit 1
 fi
 
-mokutil --timeout -1 ||:
-echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" ||:
+mokutil --timeout -1 || :
+echo -e "${ENROLLMENT_PASSWORD}\n${ENROLLMENT_PASSWORD}" | mokutil --import "${SECUREBOOT_KEY}" || :
diff --git a/lorax_templates/secure_boot_key.tmpl b/lorax_templates/secure_boot_key.tmpl
new file mode 100644
index 00000000..aaf52479
--- /dev/null
+++ b/lorax_templates/secure_boot_key.tmpl
@@ -0,0 +1,9 @@
+append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "set -m"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/post-install.sh"
+append usr/share/anaconda/interactive-defaults.ks "%end"
+
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/post-install.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
diff --git a/lorax_templates/secure_boot_key.tmpl.in b/lorax_templates/secure_boot_key.tmpl.in
deleted file mode 100644
index 20d45d7f..00000000
--- a/lorax_templates/secure_boot_key.tmpl.in
+++ /dev/null
@@ -1,7 +0,0 @@
-append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail"
-append usr/share/anaconda/interactive-defaults.ks "sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/@IMAGE_REPO_ESCAPED@\/@IMAGE_NAME@:@IMAGE_TAG@/' /ostree/deploy/default/deploy/*.origin"
-append usr/share/anaconda/interactive-defaults.ks "%end"
-
-append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --erroronfail"
-append usr/share/anaconda/post-scripts/secure_boot_key.ks "sed -i 's/container-image-reference=.*/container-image-reference=ostree-image-signed:docker:\/\/@IMAGE_REPO_ESCAPED@\/@IMAGE_NAME@:@IMAGE_TAG@/' /ostree/deploy/default/deploy/*.origin"
-append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
\ No newline at end of file
diff --git a/post-install.sh b/post-install.sh
new file mode 100755
index 00000000..b0752a98
--- /dev/null
+++ b/post-install.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -oue pipefail
+
+source /run/install/repo/ublue-os-env-vars
+
+/run/install/repo/enroll-secureboot-key.sh "${SECUREBOOT_KEY}" "${ENROLLMENT_PASSWORD}"
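Review bot: The `set -m` line in both `%post` sections is unexplained; job control is not needed to run `/run/install/repo/post-install.sh`, and if it is there to work around an anaconda or mokutil behaviour the reason should sit next to it, e.g. `append usr/share/anaconda/interactive-defaults.ks "# set -m: <reason, to be filled in>"` (kickstart `%post` bodies accept shell comments). The same four lines are appended to both interactive-defaults.ks and post-scripts/secure_boot_key.ks, so if anaconda runs both files the enrollment script is invoked twice; that is presumably harmless, but a sentence at the top of the template saying which file is used in which install mode would save the next reader from checking. `--nochroot` is what makes the `/run/install/repo/...` path valid, and that dependency is worth stating in the same comment.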
diff --git a/ublue-os-akmods-public-key.der b/ublue-os-akmods-public-key.der new file mode 100644 index 0000000000000000000000000000000000000000..a2ee4477b594f1a9670b00cd4d4944e20bbfdc47 GIT binary patch literal 1548 zcmXqLV&gDqV*apznTe5!NyL#SS6w*FGqmjfi-jdimMH1X;F@T_%f_kI=F#?@mywa1 zmBFBKo}svbC>wJq3l|SxXkKPnYEf}wj)GH8X{sSVP%%(~n};niJ2yY2*ih9#8Lpd? zQA{i=zbHLbFFCQeq$uAZJvT8kM=v=)*O1qM8>Ek&hs7^HFBQh+fO5GFI6<;(!b}kn zh6)C9APzH+IK&Etocv^<^~IU#d6{|X3eJuOa^k#3#s;Q_=7y%m2FAuw;=INnt_hSo z_&w0Xq=X#kjI0dIO-%d@22D&{OifIT43~Pv7p!VTOHIM=vs&{$)_@Ts&@#q2fin`-9cgn$xsp+dcoFinO^$FBsk^^LrZoz9;_QDcjA4 zZ8~;mJl^+An*PGj{PD*9ZoZ$_tP;65+lSTWnq9uFu3e20N4Uk-$!@nRt@S3Ie6wr9 z&kK9%4=XXUHr4lwZ}6S2mGJ^`s6s;|&&15gz_{4P zz{-FJm=$D&85#exFc~m_^N=h*3kx$7dxL>2NQ#d|j78-A^cgapU;pp8Sdsc*1H)G7 z$W!*l$mt81se$Q>kzvbK8^;6{H|OdLk4v9avWjONPk8rARF@;-altGf1+&@Z+kIIN zt~+qbk8w?2;L|r2CCiI!ejZ;T$i)1EIe*SS$7%D9d{USC`{lZTMyu(nDK2g=at^cV zZ}_FGsx?2J)7o_AmBlfMThilstUqe;I`=c4czExeYrdl*Px$k-LR0zmsk*b06imss1nHe9_C5W4z4HU5&qFf0|T>xU|lfdCl{W&bb<$+dpmDztS_Z z*UilL3fp~eebXe~u61}#$Al#>M3hf0bb0N5-*RGLM*4Gw{XE~b`fmHhIbM#|v2|X1 z{PG^b*OOf)3ja@D;`q|AYx!;Al~=CHy*9nI%;%<7^|r4u8_#~MT^hfa?NG+cHIGgz z&Qm(R?x)6_vcPKB^fZZ0+uFPIE93SRyZ(A@yLjF7YZ;s6VpPlbZmw7v^yKa=OX<4i z*PbQS?F_;kw%#exh`d=UE@Z5>f?Atbb^^0W2V=QN~ig$3F nR@r~? Date: Fri, 23 Feb 2024 00:56:19 -0600 Subject: [PATCH 3/4] feat: Removed Test this media grub entry and set default to install --- Makefile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Makefile b/Makefile index 5329d190..56de4cce 100644 --- a/Makefile +++ b/Makefile 
@@ -48,6 +48,11 @@ lorax_templates/%.tmpl: lorax_templates/%.tmpl.in
 # Step 2: Build boot.iso using Lorax
 boot.iso: lorax_templates/set_installer.tmpl lorax_templates/configure_upgrades.tmpl
 rm -Rf $(_BASE_DIR)/results
+ sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+ sed -i '/menuentry '\''Test this media & install @PRODUCT@ @VERSION@'\'' --class fedora --class gnu-linux --class gnu --class os {/,/}/d' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+ sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-bios.cfg
+ sed -i 's/set default="1"/set default="0"/' /usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-efi.cfg
+
 lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 --isfinal --buildarch=$(ARCH) --volid=$(_VOLID) \
 $(_LORAX_ARGS) \
From 423edd016ab16548d49a2bb7543af5fe009a6c07 Mon Sep 17 00:00:00 2001
From: Noel Miller
Date: Fri, 23 Feb 2024 11:15:05 -0600
Subject: [PATCH 4/4] fix: simplify secureboot scripts
---
 lorax_templates/secure_boot_key.tmpl | 8 ++++----
 post-install.sh | 7 -------
 .../enroll-secureboot-key.sh | 4 ++--
 .../ublue-os-akmods-public-key.der | Bin
 ublue-os-env-vars | 3 ---
 xorriso/gen_input.sh.in | 8 ++------
 6 files changed, 8 insertions(+), 22 deletions(-)
 delete mode 100755 post-install.sh
 rename enroll-secureboot-key.sh => scripts/enroll-secureboot-key.sh (76%)
 rename ublue-os-akmods-public-key.der => scripts/ublue-os-akmods-public-key.der (100%)
 delete mode 100644 ublue-os-env-vars

diff --git a/lorax_templates/secure_boot_key.tmpl b/lorax_templates/secure_boot_key.tmpl
index aaf52479..e0c9809a 100644
--- a/lorax_templates/secure_boot_key.tmpl
+++ b/lorax_templates/secure_boot_key.tmpl
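Review bot: The four `sed -i` lines edit `/usr/share/lorax/templates.d/99-generic/config_files/x86/grub2-*.cfg` in place, so the `boot.iso` recipe now mutates files outside the repository: the edit is permanent on a developer's machine, is silently undone by the next lorax package update, and there is no check that either pattern actually matched (sed exits 0 either way). Copying `templates.d/99-generic` into the build tree, patching the copy and passing it to lorax with `--sharedir` keeps the change local and lets the recipe fail loudly when the upstream menu text changes. Separately, deleting the "Test this media & install" entry removes the boot-time media integrity check from the menu, which is a security-relevant choice that deserves a comment, e.g. `# Drop the media-check ("Test this media") entry and make "Install" the default; users who want to verify the ISO must do so before booting it.`. The `boot.iso` recipe continues outside the hunk.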
@@ -1,9 +1,9 @@
-append usr/share/anaconda/interactive-defaults.ks "%post --erroronfail --nochroot"
+append usr/share/anaconda/interactive-defaults.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
 append usr/share/anaconda/interactive-defaults.ks "set -m"
-append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/post-install.sh"
+append usr/share/anaconda/interactive-defaults.ks "/run/install/repo/enroll-secureboot-key.sh"
 append usr/share/anaconda/interactive-defaults.ks "%end"
 
-append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --erroronfail --nochroot"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "%post --logfile=/root/ks-post.log --erroronfail --nochroot"
 append usr/share/anaconda/post-scripts/secure_boot_key.ks "set -m"
-append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/post-install.sh"
+append usr/share/anaconda/post-scripts/secure_boot_key.ks "/run/install/repo/enroll-secureboot-key.sh"
 append usr/share/anaconda/post-scripts/secure_boot_key.ks "%end"
diff --git a/post-install.sh b/post-install.sh
deleted file mode 100755
index b0752a98..00000000
--- a/post-install.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-set -oue pipefail
-
-source /run/install/repo/ublue-os-env-vars
-
-/run/install/repo/enroll-secureboot-key.sh "${SECUREBOOT_KEY}" "${ENROLLMENT_PASSWORD}"
diff --git a/enroll-secureboot-key.sh b/scripts/enroll-secureboot-key.sh
similarity index 76%
rename from enroll-secureboot-key.sh
rename to scripts/enroll-secureboot-key.sh
index d2848c4a..1e74f402 100755
--- a/enroll-secureboot-key.sh
+++ b/scripts/enroll-secureboot-key.sh
@@ -2,8 +2,8 @@
 
 set -oue pipefail
 
-readonly SECUREBOOT_KEY="$1"
-readonly ENROLLMENT_PASSWORD="$2"
+readonly SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
+readonly ENROLLMENT_PASSWORD="ublue-os"
 
 if [[ ! -d "/sys/firmware/efi" ]]; then
 echo "EFI mode not detected. Skipping key enrollment."
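Review bot: `--logfile=/root/ks-post.log` is combined with `--nochroot`, so the log is written into the installer environment's `/root`, not the installed system's; unless anaconda collects that path, the enrollment output is gone after reboot, which is exactly when someone would want to read it. If the goal is post-install debugging, a path anaconda is known to carry over (its own `/tmp/*.log` files end up under `/var/log/anaconda/` on the target — confirm for the anaconda version in use) is a safer choice than `/root`. Whatever path is chosen, a comment line above the `%post` header stating where the log lands would save the next person from guessing; both appended sections have the same issue.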
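Review bot: Hardcoding `ENROLLMENT_PASSWORD="ublue-os"` drops the only explanation that existed (`# Not a secure password, but needed for scripted key enrollment` in the deleted ublue-os-env-vars); the rationale should move with the value so a later reader does not "fix" it by generating a secret nobody can type. Suggested comments above the two `readonly` lines: `# Path of the signing certificate on the boot ISO; valid only because the %post that runs us uses --nochroot, and must match the -map in xorriso/gen_input.sh.in.` and `# One-time MOK password that MokManager asks the user to retype on the next boot to confirm this request. It is intentionally public: it authorises nothing beyond that confirmation, and the user must know it to complete enrollment.`. Since the user now has to type this exact string at the MokManager prompt, printing it at the end of the script (`echo "Reboot and enter the MOK password 'ublue-os' when prompted to finish enrollment"`) is worth considering. The rest of the script lies outside the hunk.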
diff --git a/ublue-os-akmods-public-key.der b/scripts/ublue-os-akmods-public-key.der
similarity index 100%
rename from ublue-os-akmods-public-key.der
rename to scripts/ublue-os-akmods-public-key.der
diff --git a/ublue-os-env-vars b/ublue-os-env-vars
deleted file mode 100644
index c72ae9e0..00000000
--- a/ublue-os-env-vars
+++ /dev/null
@@ -1,3 +0,0 @@
-SECUREBOOT_KEY="/run/install/repo/ublue-os-akmods-public-key.der"
-# Not a secure password, but needed for scripted key enrollment
-ENROLLMENT_PASSWORD="ublue-os"
diff --git a/xorriso/gen_input.sh.in b/xorriso/gen_input.sh.in
index f5bffeae..917675b3 100644
--- a/xorriso/gen_input.sh.in
+++ b/xorriso/gen_input.sh.in
@@ -5,14 +5,10 @@ echo "-outdev $(pwd)/output/@IMAGE_NAME@-@IMAGE_TAG@.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
-echo "-map $(pwd)/ublue-os-akmods-public-key.der ublue-os-akmods-public-key.der"
+echo "-map $(pwd)/scripts/ublue-os-akmods-public-key.der ublue-os-akmods-public-key.der"
 echo "-chmod 0444 /ublue-os-akmods-public-key.der"
-echo "-map $(pwd)/ublue-os-env-vars ublue-os-env-vars"
-echo "-chmod 0444 /ublue-os-env-vars"
-echo "-map $(pwd)/enroll-secureboot-key.sh enroll-secureboot-key.sh"
+echo "-map $(pwd)/scripts/enroll-secureboot-key.sh enroll-secureboot-key.sh"
 echo "-chmod 0777 enroll-secureboot-key.sh"
-echo "-map $(pwd)/post-install.sh post-install.sh"
-echo "-chmod 0777 post-install.sh"
 cd container
 for file in $(find @IMAGE_NAME@-@IMAGE_TAG@); do
 echo "-map $(pwd)/${file} ${file}"
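Review bot: The new `-map` for `scripts/enroll-secureboot-key.sh` is immediately followed by the kept `-chmod 0777 enroll-secureboot-key.sh`, so a script that a `%post --erroronfail` runs as root is marked world-writable in the image while the certificate beside it gets `0444`; `echo "-chmod 0755 /enroll-secureboot-key.sh"` is the mode the script actually needs, and the leading `/` makes it consistent with the key's chmod line. The ISO-root names chosen here (`ublue-os-akmods-public-key.der`, `enroll-secureboot-key.sh`) are what `/run/install/repo/...` in scripts/enroll-secureboot-key.sh and lorax_templates/secure_boot_key.tmpl depend on, but nothing records that coupling; a comment above the two `-map` lines such as `# These ISO-root names are hard-coded in scripts/enroll-secureboot-key.sh and lorax_templates/secure_boot_key.tmpl; rename all three together.` would stop the next path move from breaking enrollment silently. The `for` loop at the end of the hunk continues outside it.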