x/archery
1
0
Fork 0
mirror of https://gitlab.com/prism7/archery.git synced 2026-04-28 01:17:35 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add: 'Secureboot Signing' stage: Creating an additional bootloader 'Rescue' entry is supported, for both systemd-boot & Grub

Browse Source 
Change: Moved some code around ('ask_sign' & 'mkinitcpio_preset' functions) to implement the above
Change: 'Systemd-boot': bootloader timeout has been set to 3 sec.
Change: Edited mkinitcpio's '${kernel}.preset' drop-in file configuration: Removed 'fallback' entries and incuded 'rescue' entries (when selected)
Change: Some prompt editing for better aesthetics
This commit is contained in:
Jane Doe
2025-03-02 18:17:50 +00:00
parent 106c69f642
commit db4ac8a331
1 changed files with 137 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Amelia.sh
+137 -74
View File
@@ -2,7 +2,7 @@
# Amelia Installer
# Source: https://gitlab.com/prism7/archery
# Version: 8.8.2
# Version: 8.9.0
set -euo pipefail
###################################################################################################
@@ -906,7 +906,7 @@ ${magenta}###${nc}----------------------------------${magenta}[ ${bwhite}System
> Select a Submenu: "
NC "
[1] Kernel, Bootloader, ESP Mountpoint & Secure Signing
[1] Kernel, Secureboot Signing, Bootloader & ESP Mountpoint
[2] Filesystem & Swap Setup
@@ -930,9 +930,9 @@ Enter a number: "
case "${sysmenu}" in
1)
until slct_krnl; do : ; done
until ask_sign; do : ; done
until ask_bootldr; do : ; done
until slct_espmnt; do : ; done
until ask_sign; do : ; done
return 1 ;;
2)
until ask_fs; do : ; done
@@ -1024,8 +1024,85 @@ Enter a number: "
ok
}
###################################################################################################
ask_sign() {
sleep 0.2
NC "
${magenta}###${nc}-----------------------------------${magenta}[ ${bwhite}Secureboot Signing${nc} ${magenta}]${nc}-----------------------------------${magenta}###
"
YELLOW "
> Sign UKI(s), Kernel & binaries for use with ${nc}Secure Boot ${yellow}? [Y/n]"
BLUE "
Enter [Y/n]: "
read -r -p "
==> " sb_sign
echo
sb_sign="${sb_sign:-y}"
sb_sign="${sb_sign,,}"
if [[ "${sb_sign}" == "y" ]]; then
local prompt="Secure Boot 'Setup' Mode Verification"
SB_Status="$(bootctl status 2> /dev/null | grep -E 'Secure Boot' | awk "{print \$4}")"
if [[ ${SB_Status} == "(setup)" ]]; then
ok
else
sleep 0.2
RED "
-----------------------------------------
### ${yellow}Secure Boot Not in 'Setup' Mode ${red}###
-----------------------------------------"
failure
fi
sleep 0.2
YELLOW "
### 'Secure Boot Signing' has been selected
"
sleep 0.2
YELLOW "
> Create an additional bootloader ${nc}Recovery ${yellow}entry (for troubleshooting) ? [Y/n]"
BLUE "
Enter [Y/n]: "
read -r -p "
==> " setrescue
echo
setrescue="${setrescue:-y}"
setrescue="${setrescue,,}"
if [[ "${setrescue}" == "y" ]]; then
local prompt="Rescue Entry set"
ok
elif [[ "${setrescue}" == "n" ]]; then
skip
else
y_n
return 1
fi
elif [[ "${sb_sign}" == "n" ]]; then
skip
else
y_n
return 1
fi
local prompt="Secure Boot Signing setup"
ok
}
###################################################################################################
ask_bootldr() {
local prompt="Bootloader Selection"
sleep 0.2
NC "
@@ -1076,7 +1153,6 @@ Enter a number: "
invalid
return 1 ;;
esac
local prompt="Bootloader Selection"
ok
}
###################################################################################################
@@ -1131,63 +1207,6 @@ Enter a number: "
fi
}
###################################################################################################
ask_sign() {
sleep 0.2
NC "
${magenta}###${nc}-------------------------------------${magenta}[ ${bwhite}Secure Signing${nc} ${magenta}]${nc}-------------------------------------${magenta}###
"
if [[ "${bootloader}" == "1" ]]; then
YELLOW "
> Sign Unified Kernel Image(s) & binaries for use with ${nc}Secure Boot ${nc}${yellow}? [Y/n]"
elif [[ "${bootloader}" == "2" ]]; then
YELLOW "
> Sign Kernel & binaries for use with ${nc}Secure Boot ${nc}${yellow}? [Y/n]"
fi
BLUE "
Enter [Y/n]: "
read -r -p "
==> " sb_sign
echo
sb_sign="${sb_sign:-y}"
sb_sign="${sb_sign,,}"
if [[ "${sb_sign}" == "y" ]]; then
local prompt="Secure Boot 'Setup' Mode Verification"
SB_Status="$(bootctl status 2> /dev/null | grep -E 'Secure Boot' | awk "{print \$4}")"
if [[ ${SB_Status} == "(setup)" ]]; then
ok
else
sleep 0.2
RED "
-----------------------------------------
### ${yellow}Secure Boot Not in 'Setup' Mode ${red}###
-----------------------------------------"
failure
fi
sleep 0.2
YELLOW "
### 'Secure Boot Signing' has been selected
"
elif [[ "${sb_sign}" == "n" ]]; then
skip
else
y_n
return 1
fi
local prompt="Secure Boot Signing setup"
ok
}
###################################################################################################
ask_fs() {
local prompt="Filesystem Setup"
@@ -1898,7 +1917,7 @@ ${magenta}###${nc}--------------------------------------${magenta}[ ${bwhite}Des
[11] Basic Arch Linux (No GUI)
[12] Custom Arch Linux ${red}### ${yellow}EXPERTS ONLY ${red}###${nc}
[12] Custom Arch Linux
[13] Cosmic ${red}# ${yellow}Alpha ${red}# "
BLUE "
@@ -3919,12 +3938,12 @@ instl() {
fi
if [[ -z "${kernelnmbr}" ]]; then
local stage_prompt="Kernel, Bootloader, ESP Mountpoint & Secure Signing"
local stage_prompt="Kernel, Secureboot Signing, Bootloader & ESP Mountpoint"
completion_err
until slct_krnl; do : ; done
until ask_sign; do : ; done
until ask_bootldr; do : ; done
until slct_espmnt; do : ; done
until ask_sign; do : ; done
fi
if [[ -z "${fs}" ]]; then
@@ -4910,9 +4929,9 @@ revise() {
vgaconf="n"
fi
until slct_krnl; do : ; done
until ask_sign; do : ; done
until ask_bootldr; do : ; done
until slct_espmnt; do : ; done
until ask_sign; do : ; done
until ask_fs; do : ; done
until ask_swap; do : ; done
if [[ "${hypervisor}" == "none" ]]; then
@@ -5562,6 +5581,7 @@ btldrcfg() {
if [[ "${xbootloader}" == "no" ]]; then
if arch-chroot /mnt <<-BOOTCTL > /dev/null 2>&1 2> amelia_log.txt ; then
bootctl install || exit
sed -i "/^#timeout 3/s/^#//" ${btldr_esp_mount}/loader/loader.conf || exit
systemctl enable systemd-boot-update || exit
BOOTCTL
stage_ok
@@ -5571,6 +5591,7 @@ BOOTCTL
elif [[ "${xbootloader}" == "yes" ]]; then
if arch-chroot /mnt <<-XBOOTCTL > /dev/null 2>&1 2> amelia_log.txt ; then
bootctl --esp-path=/efi --boot-path=/boot install || exit
sed -i "/^#timeout 3/s/^#//" ${btldr_esp_mount}/loader/loader.conf || exit
systemctl enable systemd-boot-update || exit
XBOOTCTL
stage_ok
@@ -5751,9 +5772,9 @@ mkinitcpio_preset() {
echo "rw ${boot_opts[*]}" | tee /etc/cmdline.d/cmdlined.conf || exit
cp /etc/mkinitcpio.d/${kernel}.preset /etc/mkinitcpio.d/${kernel}.preset.bak || exit
cat <<-MKINITPRESET > /etc/mkinitcpio.d/${kernel}.preset || exit
ALL_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf"
ALL_kver="/boot/vmlinuz-${kernel}"
PRESETS=('default')
default_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf"
default_uki="${btldr_esp_mount}/EFI/Linux/arch-${kernel}.efi"
MKINITPRESET
mkinitcpio -P || exit
@@ -5774,12 +5795,10 @@ UKI
if arch-chroot /mnt <<-NOUKI > /dev/null 2>&1 2> amelia_log.txt ; then
cp /etc/mkinitcpio.d/${kernel}.preset /etc/mkinitcpio.d/${kernel}.preset.bak || exit
cat <<-MKINITPRESET > /etc/mkinitcpio.d/${kernel}.preset || exit
ALL_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf"
ALL_kver="/boot/vmlinuz-${kernel}"
PRESETS=('default' 'fallback')
default_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf"
PRESETS=('default')
default_image="/boot/initramfs-${kernel}.img"
fallback_image="/boot/initramfs-${kernel}-fallback.img"
fallback_options="-S autodetect"
MKINITPRESET
mkinitcpio -P || exit
NOUKI
@@ -5792,6 +5811,40 @@ NOUKI
###################################################################################################
var_opts() {
if [[ "${setrescue}" == "y" ]]; then
local stage_prompt="Rescue Entry Creation"
if [[ "${bootloader}" == "1" ]]; then
if arch-chroot /mnt <<-RESCUE > /dev/null 2>&1 2> amelia_log.txt ; then
echo "systemd.unit=rescue.target rw ${boot_opts[*]}" | tee /etc/cmdline.d/rescue.conf || exit
cat <<-PRESET > /etc/mkinitcpio.d/${kernel}.preset || exit
ALL_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf"
ALL_kver="/boot/vmlinuz-${kernel}"
PRESETS=('default' 'rescue')
default_uki="${btldr_esp_mount}/EFI/Linux/arch-${kernel}.efi"
default_options="--cmdline /etc/cmdline.d/cmdlined.conf"
rescue_uki="${btldr_esp_mount}/EFI/Linux/rescue.efi"
rescue_options="--cmdline /etc/cmdline.d/rescue.conf"
PRESET
mkinitcpio -P || exit
RESCUE
stage_ok
else
stage_fail
fi
elif [[ "${bootloader}" == "2" ]]; then
if arch-chroot /mnt <<-RESCUE > /dev/null 2>&1 2> amelia_log.txt ; then
touch /boot/grub/custom.cfg
grep -E -A 11 "'Arch Linux'" /boot/grub/grub.cfg > /boot/grub/custom.cfg || exit
sed -i 's/Arch Linux/Rescue Environment/' /boot/grub/custom.cfg || exit
sed -i '/vmlinuz/ s/$/ systemd.unit=rescue.target/' /boot/grub/custom.cfg || exit
RESCUE
stage_ok
else
stage_fail
fi
fi
fi
if [[ "${multilib}" == "y" ]]; then
local stage_prompt="Multilib Configuration"
if arch-chroot /mnt <<-MULTILIB > /dev/null 2>&1 2> amelia_log.txt ; then
@@ -5861,6 +5914,16 @@ SECSIGN
else
stage_fail
fi
if [[ ${setrescue} == "y" ]]; then
local stage_prompt="Rescue Entry Secure-Boot Signing"
if arch-chroot /mnt <<-SECSIGN > /dev/null 2>&1 2> amelia_log.txt ; then
sbctl sign -s ${btldr_esp_mount}/EFI/Linux/rescue.efi || exit
SECSIGN
stage_ok
else
stage_fail
fi
fi
elif [[ ${bootloader} == "2" ]]; then
if arch-chroot /mnt <<-SECSIGN > /dev/null 2>&1 2> amelia_log.txt ; then
pacman -S --noconfirm sbctl || exit
@@ -6152,8 +6215,8 @@ NETWORK
vm_serv
zramcfg
nvidia_hook
var_opts
mkinitcpio_preset
var_opts
secboot_sign
completion
installation="ok"
@@ -6211,8 +6274,8 @@ CUSTOMSERV
vm_serv
zramcfg
nvidia_hook
var_opts
mkinitcpio_preset
var_opts
secboot_sign
completion
installation="ok"
@@ -6380,8 +6443,8 @@ OPTIMIZED
btldrcfg
zramcfg
nvidia_hook
var_opts
mkinitcpio_preset
var_opts
secboot_sign
completion
installation="ok"
@@ -6397,7 +6460,7 @@ OPTIMIZED
tty="$(tty)"
disks="$(lsblk --nodeps --paths --noheadings --output=name,size,model | cat --number)"
trg=""
vars=(LOCALESET="" SETLOCALE="" lcl_slct="" USERNAME="" kernelnmbr="" fs="" vgapkgs="" vgacount="" vgacard="" intelcount="" intelcards="" nvidiacount="" nvidiacards="" amdcount="" amdcards="" vgaconf="" vga_conf="" vga_setup="" vendor="" vendor1="" vendor2="" vendor3="" vendor_slct="" packages="" efi_entr_del="" wrlss_rgd="" sanity="" install="" bootldr_pkgs="" devel="" REGDOM="" vga_bootopts="" btrfs_bootopts="" trim="" swapmode="" homecrypt="" greeter="" revision="" greeternmbr="" cust_bootopts="" bluetooth="" vmpkgs="" vm_services="" perf_stream="" displaymanager="" wireless_reg="" bitness="" bootloader="" vga_slct="" espsize="" autoroot="" autoesp="" autoxboot="" autohome="" autoswap="" rootprt="" espprt="" xbootprt="" homeprt="" swapprt="" partok="" use_manpreset="" instl_drive="" sgdsk_nmbr="" part_mode="" preset="" capacity="" cap_gib="" rootsize="" sgdrive="" cgdrive="" smartpart="" presetpart="" prcnt="" roottype="" stage_prompt="" zram="" zram_bootopts="" xbootloader="" multibooting="" hypervisor="" mkinitcpio_mods="" uki="" ukify="" slct_autoprt="" cng_espmnt="" sep_home="" encr_swap_bootopts="" uefimode="" luks_encrypt="" nrg_plc="" multilib="" nvname="" nogsp="" luks_root="" luks_swap="" luks_home="" installation="" kill_watchdog="" oomd="")
vars=(LOCALESET="" SETLOCALE="" lcl_slct="" USERNAME="" kernelnmbr="" fs="" vgapkgs="" vgacount="" vgacard="" intelcount="" intelcards="" nvidiacount="" nvidiacards="" amdcount="" amdcards="" vgaconf="" vga_conf="" vga_setup="" vendor="" vendor1="" vendor2="" vendor3="" vendor_slct="" packages="" efi_entr_del="" wrlss_rgd="" sanity="" install="" bootldr_pkgs="" devel="" REGDOM="" vga_bootopts="" btrfs_bootopts="" trim="" swapmode="" homecrypt="" greeter="" revision="" greeternmbr="" cust_bootopts="" bluetooth="" vmpkgs="" vm_services="" perf_stream="" displaymanager="" wireless_reg="" bitness="" bootloader="" vga_slct="" espsize="" autoroot="" autoesp="" autoxboot="" autohome="" autoswap="" rootprt="" espprt="" xbootprt="" homeprt="" swapprt="" partok="" use_manpreset="" instl_drive="" sgdsk_nmbr="" part_mode="" preset="" capacity="" cap_gib="" rootsize="" sgdrive="" cgdrive="" smartpart="" presetpart="" prcnt="" roottype="" stage_prompt="" zram="" zram_bootopts="" xbootloader="" multibooting="" hypervisor="" mkinitcpio_mods="" uki="" ukify="" slct_autoprt="" cng_espmnt="" sep_home="" encr_swap_bootopts="" uefimode="" luks_encrypt="" nrg_plc="" multilib="" nvname="" nogsp="" luks_root="" luks_swap="" luks_home="" installation="" kill_watchdog="" oomd="" setrescue="")
export "${vars[@]}"
clear
first_check