#!/usr/bin/env sh
# Boot hardening helper: optionally (--sb) create/enroll a sbctl key set and
# sign the boot chain on the ESP, then bind the LUKS root volume's unlock to
# the TPM2 with systemd-cryptenroll.
#
# Environment:
#   ESP            mount point of the EFI system partition (default: /efi)
#   CRYPTROOT_DEV  LUKS device to enroll (default: /dev/disk/by-partlabel/cryptroot)
#
# NOTE: 'local' is used below; it is not strictly POSIX but dash/busybox
# accept it.
set -e

ESP="${ESP:-/efi}"
SYSTEMD_BOOT_EFI="$ESP/EFI/systemd/systemd-bootx64.efi"
BOOT_EFI="$ESP/EFI/BOOT/BOOTX64.EFI"
UKI_DIR="$ESP/EFI/Linux"
CRYPTROOT_DEV="${CRYPTROOT_DEV:-/dev/disk/by-partlabel/cryptroot}"

# --sb is the only recognised flag; anything else is silently ignored.
ENABLE_SB=0
for arg in "$@"; do
  case "$arg" in
    --sb) ENABLE_SB=1 ;;
    *) ;;
  esac
done

# Never read or updated anywhere in this file; kept as-is.
TPM2_STATUS="skipped"
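#######################################
# Sign one EFI binary with the sbctl-managed key.
# Arguments: $1 - path to the PE binary
# Outputs:   one progress line on stdout when a file is signed
# Returns:   0 when the file is absent (nothing to do) or sbctl succeeded;
#            sbctl's exit status otherwise
#######################################
sign_efi() {
  local path="$1"
  # A bare 'return' would propagate the status of the failed test (1), which
  # under 'set -e' aborts the whole script on an optional binary such as a
  # missing BOOTX64.EFI. Return 0 explicitly so a missing file is skipped.
  [ -f "$path" ] || return 0
  printf "Signing '%s'\n" "$path"
  sbctl sign -s "$path"
}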
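#######################################
# Create/enroll sbctl keys and sign every boot-chain binary on the ESP.
# Globals:   UKI_DIR, SYSTEMD_BOOT_EFI, BOOT_EFI (read)
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   exits 1 when sbctl or the UKI directory is missing; a failed
#            key enrollment or verification is reported, not fatal
#######################################
setup_secure_boot() {
  local f enroll_rc verify_rc
  echo "Setting up secure boot..."
  # Arch convenience: install sbctl when pacman is available.
  if command -v pacman >/dev/null 2>&1; then
    pacman -S --needed --noconfirm sbctl
  fi
  if ! command -v sbctl >/dev/null 2>&1; then
    printf '%s\n' "'sbctl' not found." >&2
    exit 1
  fi
  if [ ! -d "$UKI_DIR" ]; then
    printf '%s\n' "'$UKI_DIR' not found." >&2
    exit 1
  fi
  # create-keys refuses to overwrite an existing key set; a rerun is fine.
  sbctl create-keys || true
  # Enrollment needs the firmware in Setup Mode. Remember a failure instead
  # of discarding it: the binaries are still signed below, but the closing
  # message must not claim success for keys the firmware never accepted.
  # --microsoft also enrolls Microsoft's vendor certificates so loaders and
  # option ROMs signed by them keep booting.
  enroll_rc=0
  sbctl enroll-keys --microsoft || enroll_rc=$?
  sign_efi "$SYSTEMD_BOOT_EFI"
  sign_efi "$BOOT_EFI"
  for f in "$UKI_DIR"/*.efi; do
    [ -e "$f" ] || continue   # an unmatched glob leaves the literal pattern
    sign_efi "$f"
  done
  echo "Verifying boot chain..."
  verify_rc=0
  sbctl verify || verify_rc=$?
  if [ "$enroll_rc" -eq 0 ] && [ "$verify_rc" -eq 0 ]; then
    cat <<EOF
Secure boot has been successfully completed.
Check the secure boot status after reboot with:
bootctl status | grep 'Secure Boot'
EOF
  else
    printf '%s\n' \
      "Warning: 'sbctl enroll-keys' exited $enroll_rc and 'sbctl verify' exited $verify_rc; secure boot is NOT confirmed." \
      "Make sure the firmware is in Setup Mode, rerun with --sb, and inspect 'sbctl status'." >&2
  fi
}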
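#######################################
# Bind the LUKS root volume's unlock to the TPM2 via systemd-cryptenroll.
# Globals:   CRYPTROOT_DEV (read)
#            TPM2_PCRS (read, optional) - '+'-separated PCR list passed to
#            --tpm2-pcrs; defaults to 7, the previous hard-coded value
# Outputs:   diagnostics on stderr; systemd-cryptenroll itself prompts for
#            the existing passphrase
# Returns:   exits 1 on a missing tool, a missing or non-LUKS device, or a
#            failed enrollment
#######################################
setup_tpm2_cryptroot() {
  local pcrs="${TPM2_PCRS:-7}"
  if ! command -v systemd-cryptenroll >/dev/null 2>&1; then
    printf '%s\n' "'systemd-cryptenroll' not found." >&2
    exit 1
  fi
  if ! command -v cryptsetup >/dev/null 2>&1; then
    printf '%s\n' "'cryptsetup' not found." >&2
    exit 1
  fi
  if [ ! -b "$CRYPTROOT_DEV" ]; then
    printf '%s\n' "'$CRYPTROOT_DEV' not found." >&2
    exit 1
  fi
  if ! cryptsetup isLuks "$CRYPTROOT_DEV" >/dev/null 2>&1; then
    printf '%s\n' "'$CRYPTROOT_DEV' not a LUKS volume." >&2
    exit 1
  fi
  # PCR 7 (the default) seals the key to the Secure Boot policy/certificate
  # state only, so any loader accepted by the enrolled keys can unlock the
  # volume with no user secret. Additional PCRs (TPM2_PCRS) or a PIN
  # (--tpm2-with-pin=yes) tighten that; the choice is left to the caller.
  # --wipe-slot=tpm2 removes earlier TPM2 keyslots first so reruns do not
  # accumulate stale slots; passphrase keyslots are left in place.
  if ! systemd-cryptenroll "$CRYPTROOT_DEV" \
      --tpm2-device=auto \
      --tpm2-pcrs="$pcrs" \
      --wipe-slot=tpm2; then
    printf '%s\n' "'systemd-cryptenroll' failed." >&2
    exit 1
  fi
}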
#######################################
# Entry point: refuse to run unprivileged, run the Secure Boot setup when
# --sb was given, then always enroll the TPM2 unlock for the LUKS root.
# Globals:   ENABLE_SB (read)
# Returns:   exits 1 when not running as root
#######################################
main() {
  local uid
  uid=$(id -u)
  if [ "$uid" -ne 0 ]; then
    printf '%s\n' "This script must be run as root." >&2
    exit 1
  fi
  if [ "$ENABLE_SB" -eq 1 ]; then
    setup_secure_boot
  fi
  setup_tpm2_cryptroot
}
# Arguments are forwarded but main() does not read them; --sb was already
# consumed by the top-level argument loop that sets ENABLE_SB.
main "$@"