HackingGate · April 29, 2025 01:46 · HackingGate · Apr 29, 2025
diff --git a/enable-secureboot-shim.sh b/enable-secureboot-shim.sh
 #!/usr/bin/env bash
 set -euo pipefail

 # Script to install Ubuntu Secure Boot shim and optionally install and deploy rEFInd
 # Usage: share this on GitHub Gist, then run:
 #   curl -sL <gist-url> | bash

 # 1. Update package lists
 echo "Updating package lists..."
 sudo apt update

 # 2. Install shim-signed package
 echo "Installing shim-signed..."
 sudo apt install -y shim-signed

 # 3. Install or redeploy rEFInd (if desired)
 if ! command -v refind-install >/dev/null 2>&1; then
    echo "rEFInd not detected. Installing rEFInd..."
    sudo apt install -y refind
 fi

 echo "Deploying rEFInd with updated shim and generating MOK keys..."
 sudo refind-install --shim /usr/lib/shim/shimx64.efi.signed --localkeys

 # ────────────────────────────────────────────────────────────────────────
 # NEW: Enroll your Machine-Owner Key so the shim will trust it on boot
 echo "Enrolling Machine-Owner Key for Secure Boot…"
 sudo update-secureboot-policy --enroll-key

 # NEW: Regenerate initramfs for all installed kernels (so signed modules are included)
 echo "Updating initramfs for all installed kernels…"
 sudo update-initramfs -k all -u
 # ────────────────────────────────────────────────────────────────────────

 # 4. Enroll rEFInd MOK public key
 KEY_CER="/boot/efi/EFI/refind/keys/refind_local.cer"
 if [ -f "$KEY_CER" ]; then
    echo "Importing rEFInd MOK key: $KEY_CER"
    sudo mokutil --import "$KEY_CER"
    echo "
 A password prompt will follow. Enter a temporary password to enroll the key on next boot."
 else
    echo "WARNING: MOK key not found at $KEY_CER"
 fi

 # 5. Prompt for reboot
 echo -e "\n✅ Shim installation, rEFInd deployment, MOK enrollment, and initramfs update are done."
 echo "Please reboot your machine to complete MOK enrollment and enable Secure Boot in the firmware settings."
	#!/usr/bin/env bash
	set -euo pipefail

	# Script to install Ubuntu Secure Boot shim and optionally install and deploy rEFInd
	# Usage: share this on GitHub Gist, then run:
	# curl -sL <gist-url> \| bash

	# 1. Update package lists
	echo "Updating package lists..."
	sudo apt update

	# 2. Install shim-signed package
	echo "Installing shim-signed..."
	sudo apt install -y shim-signed

	# 3. Install or redeploy rEFInd (if desired)
	if ! command -v refind-install >/dev/null 2>&1; then
	echo "rEFInd not detected. Installing rEFInd..."
	sudo apt install -y refind
	fi

	echo "Deploying rEFInd with updated shim and generating MOK keys..."
	sudo refind-install --shim /usr/lib/shim/shimx64.efi.signed --localkeys

	# ────────────────────────────────────────────────────────────────────────
	# NEW: Enroll your Machine-Owner Key so the shim will trust it on boot
	echo "Enrolling Machine-Owner Key for Secure Boot…"
	sudo update-secureboot-policy --enroll-key

	# NEW: Regenerate initramfs for all installed kernels (so signed modules are included)
	echo "Updating initramfs for all installed kernels…"
	sudo update-initramfs -k all -u
	# ────────────────────────────────────────────────────────────────────────

	# 4. Enroll rEFInd MOK public key
	KEY_CER="/boot/efi/EFI/refind/keys/refind_local.cer"
	if [ -f "$KEY_CER" ]; then
	echo "Importing rEFInd MOK key: $KEY_CER"
	sudo mokutil --import "$KEY_CER"
	echo "
	A password prompt will follow. Enter a temporary password to enroll the key on next boot."
	else
	echo "WARNING: MOK key not found at $KEY_CER"
	fi

	# 5. Prompt for reboot
	echo -e "\n✅ Shim installation, rEFInd deployment, MOK enrollment, and initramfs update are done."
	echo "Please reboot your machine to complete MOK enrollment and enable Secure Boot in the firmware settings."