Forked from heri16/90-mkinitcpio-install.hook.patch
Last active
July 13, 2022 08:54
Enable Linux Secure Boot with TPM 2.0 (Archlinux) - rEFInd
--- /usr/bin/refind-install 2020-04-23 14:10:32.000000000 +0800 | |
+++ ./refind-install 2020-06-12 13:48:27.371630998 +0800 | |
@@ -23,6 +23,7 @@ | |
# only under Linux. | |
# "--preloader" is synonymous with "--shim". Valid only under Linux. | |
# "--encryptkeys" password-protects the Secure Boot private key. | |
+# "--engine" engine that protects the Secure Boot private key. | |
# "--localkeys" to re-sign x86-64 binaries with a locally-generated key. | |
# Valid only under Linux. | |
# "--keepname" to keep refind_x64.efi name as such even when using shim. | |
@@ -156,6 +157,9 @@ | |
;; | |
--encryptkeys) EncryptKeys=1 | |
;; | |
+ --engine) Engine="$2" | |
+ shift | |
+ ;; | |
--shim | --preloader) ShimSource="$2" | |
ShimType=`basename $ShimSource` | |
shift | |
@@ -171,7 +175,7 @@ | |
* ) echo "Usage: $0 [--notesp | --usedefault {device-file} | --root {dir} |" | |
echo " --ownhfs {device-file} ] [--keepname]" | |
echo " [--nodrivers | --alldrivers] [--shim {shimfile}]" | |
- echo " [--localkeys [--encryptkeys]] [--keepname] [--yes]" | |
+ echo " [--localkeys [--encryptkeys] [--engine {engine}]] [--keepname] [--yes]" | |
exit 1 | |
esac | |
shift | |
@@ -216,6 +220,10 @@ | |
echo "The --encryptkeys option requires the use of --localkeys! Aborting!" | |
exit 1 | |
fi | |
+ if [[ $Engine && "$LocalKeys" == 0 ]] ; then | |
+ echo "The --engine option requires the use of --localkeys! Aborting!" | |
+ exit 1 | |
+ fi | |
RLConfFile="$RootDir/boot/refind_linux.conf" | |
EtcKeysDir="$RootDir/etc/refind.d/keys" | |
} # GetParams() | |
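Review bot: The new guard in this hunk only ties `--engine` to `--localkeys`; it never checks that the tooling the chosen engine needs is present, so `--engine tpm2tss` on a host without the tpm2-tss engine package fails later, inside key generation, rather than at argument parsing. A parse-time check fails early and cleanly: `if [[ "$Engine" == "tpm2tss" ]] && ! command -v tpm2tss-genkey >/dev/null 2>&1 ; then echo "The --engine tpm2tss option requires tpm2tss-genkey! Aborting!"; exit 1; fi`. Whether `$OpenSSL` is already resolved at this point is not visible in the hunk, so a matching `openssl engine "$Engine"` load check probably belongs next to the key-generation code instead. GetParams() starts before this hunk.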
@@ -1079,12 +1087,44 @@ | |
cp -f "$DerKey" "$DerKey.backup" 2> /dev/null | |
fi | |
if [[ $EncryptKeys == 1 ]]; then | |
+ ReadKeyPassphrase | |
KeyEncryptionArgument="" | |
else | |
KeyEncryptionArgument="-nodes" | |
fi | |
- "$OpenSSL" req -new -x509 -newkey rsa:2048 -keyout "$PrivateKey" -out "$CertKey" \ | |
+ if [[ ! $Engine ]]; then | |
+ if [[ $EncryptKeys == 1 ]]; then | |
+ echo "$KeyPassphrase" | | |
+ "$OpenSSL" req -new -x509 -newkey rsa:2048 -keyout "$PrivateKey" -out "$CertKey" \ | |
+ $KeyEncryptionArgument -days 3650 -subj "/CN=Locally-generated rEFInd key/" -passout stdin | |
+ echo -e "$KeyPassphrase\n$KeyPassphrase" | | |
+ "$OpenSSL" pkcs8 -topk8 -iter 1000000 -in "$PrivateKey" -out "${PrivateKey}~" -passin stdin -passout stdin | |
+ mv "${PrivateKey}~" "$PrivateKey" | |
+ else | |
+ "$OpenSSL" req -new -x509 -newkey rsa:2048 -keyout "$PrivateKey" -out "$CertKey" \ | |
$KeyEncryptionArgument -days 3650 -subj "/CN=Locally-generated rEFInd key/" | |
+ fi | |
+ else | |
+ EngineName=$("$OpenSSL" engine "$Engine" | cut -d ' ' -f 2) | |
+ if [[ "$Engine" == "tpm2tss" ]]; then | |
+ if [[ $EncryptKeys == 1 ]]; then | |
+ tpm2tss-genkey -a rsa -p "$KeyPassphrase" "$PrivateKey" | |
+ else | |
+ tpm2tss-genkey -a rsa "$PrivateKey" | |
+ fi | |
+ KeyReqArguments=(-engine "$Engine" -keyform engine -key "$PrivateKey") | |
+ else | |
+ KeyReqArguments=(-keygen_engine "$Engine" -newkey rsa:2048 -keyout "$PrivateKey") | |
+ fi | |
+ if [[ $EncryptKeys == 1 ]]; then | |
+ echo "$KeyPassphrase" | | |
+ "$OpenSSL" req -new -x509 ${KeyReqArguments[@]} -out "$CertKey" \ | |
+ $KeyEncryptionArgument -days 3650 -subj "/CN=${EngineName}-generated rEFInd key/" -passin stdin | |
+ else | |
+ "$OpenSSL" req -new -x509 ${KeyReqArguments[@]} -out "$CertKey" \ | |
+ $KeyEncryptionArgument -days 3650 -subj "/CN=${EngineName}-generated rEFInd key/" | |
+ fi | |
+ fi | |
"$OpenSSL" x509 -in "$CertKey" -out "$DerKey" -outform DER | |
chmod 0600 "$PrivateKey" | |
else | |
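Review bot: At `tpm2tss-genkey -a rsa -p "$KeyPassphrase" "$PrivateKey"` the passphrase is passed as a command-line argument, where any local user can read it from the process list while key generation runs (and it lands in the trace if the script is ever run under `set -x`); the non-engine branch in the same hunk deliberately avoids this by feeding `-passout stdin` through a pipe. If tpm2tss-genkey offers no stdin or environment alternative, this at least deserves a comment such as `# NOTE: passphrase is visible in argv (ps) while tpm2tss-genkey runs`. Separately, `${KeyReqArguments[@]}` on both `openssl req` lines is unquoted, so a `$PrivateKey` path containing spaces (it appears to live under a directory derived from the user-supplied --root) is word-split; write `"${KeyReqArguments[@]}"`. Neither the `openssl engine "$Engine"` probe that builds EngineName nor tpm2tss-genkey has its exit status checked, so a mistyped engine name or a failed TPM key creation falls through to the req call with an empty CN prefix instead of aborting. The enclosing function starts and ends outside this hunk.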
@@ -1100,16 +1140,25 @@ | |
SignOneBinary() { | |
ReadKeyPassphrase --no-confirm | |
if [[ "$EncryptKeys" == 1 ]] ; then | |
- SbSignCommand=$(printf "%q " "$SBSign" --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1") | |
+ if [[ ! $Engine ]]; then | |
+ SbSignCommand=$(printf "%q " "$SBSign" --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1") | |
+ else | |
+ SbSignCommand=$(printf "%q " "$SBSign" --engine "$Engine" --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1") | |
+ fi | |
echo "$KeyPassphrase" | | |
script -qefc "$SbSignCommand" --force /dev/null 2>&1 | ( \ | |
head -n 2 >/dev/null # Skip the first two lines (incl. passphrase). | |
grep -v "data remaining.*gaps between PE/COFF sections" | |
) | |
- local status="${PIPESTATUS[1]}" | |
+ local status="${PIPESTATUS[1]}" | |
else | |
- "$SBSign" --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1" 2>&1 >/dev/null | \ | |
+ if [[ ! $Engine ]]; then | |
+ "$SBSign" --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1" 2>&1 >/dev/null | \ | |
+ grep -v "data remaining.*gaps between PE/COFF sections" | |
+ else | |
+ "$SBSign" --engine "$Engine" --key "$PrivateKey" --cert "$CertKey" --output "$2" "$1" 2>&1 >/dev/null | \ | |
grep -v "data remaining.*gaps between PE/COFF sections" | |
+ fi | |
local status="${PIPESTATUS[0]}" | |
fi | |
if [[ "$status" != 0 ]] ; then |
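Review bot: The four `sbsign` invocations in SignOneBinary differ only by the optional `--engine "$Engine"` pair, so the argument list should be built once as an array and the duplicated `if [[ ! $Engine ]]` branches dropped; that keeps the `script`/pipe plumbing, which is the delicate part of this function, in a single copy. Building the list in one place also gives an obvious spot to verify that the installed sbsign accepts `--engine` — nothing in the patch checks that, and on an older build the resulting usage error would be partly swallowed by the `head -n 2` skip in the encrypted-key branch. The body of SignOneBinary continues past the end of the hunk.
```shell
SignOneBinary() {
    ReadKeyPassphrase --no-confirm
    local SbSignArgs=(--key "$PrivateKey" --cert "$CertKey" --output "$2" "$1")
    if [[ $Engine ]] ; then
        SbSignArgs=(--engine "$Engine" "${SbSignArgs[@]}")
    fi
    if [[ "$EncryptKeys" == 1 ]] ; then
        SbSignCommand=$(printf "%q " "$SBSign" "${SbSignArgs[@]}")
        # … unchanged: script/pipe plumbing and PIPESTATUS capture …
    else
        "$SBSign" "${SbSignArgs[@]}" 2>&1 >/dev/null | \
            grep -v "data remaining.*gaps between PE/COFF sections"
        local status="${PIPESTATUS[0]}"
    fi
```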