From db4ac8a331e24fb38ae6a1e9acfe749bcba5a239 Mon Sep 17 00:00:00 2001 From: Jane Doe Date: Sun, 2 Mar 2025 18:17:50 +0000 Subject: [PATCH] Add: 'Secureboot Signing' stage: Creating an additional bootloader 'Rescue' entry is supported, for both systemd-boot & Grub Change: Moved some code around ('ask_sign' & 'mkinitcpio_preset' functions) to implement the above Change: 'Systemd-boot': bootloader timeout has been set to 3 sec. Change: Edited mkinitcpio's '${kernel}.preset' drop-in file configuration: Removed 'fallback' entries and incuded 'rescue' entries (when selected) Change: Some prompt editing for better aesthetics --- Amelia.sh | 211 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 137 insertions(+), 74 deletions(-) diff --git a/Amelia.sh b/Amelia.sh index e1244d3..9d06337 100644 --- a/Amelia.sh +++ b/Amelia.sh @@ -2,7 +2,7 @@ # Amelia Installer # Source: https://gitlab.com/prism7/archery -# Version: 8.8.2 +# Version: 8.9.0 set -euo pipefail ################################################################################################### @@ -906,7 +906,7 @@ ${magenta}###${nc}----------------------------------${magenta}[ ${bwhite}System > Select a Submenu: " NC " - [1] Kernel, Bootloader, ESP Mountpoint & Secure Signing + [1] Kernel, Secureboot Signing, Bootloader & ESP Mountpoint [2] Filesystem & Swap Setup @@ -930,9 +930,9 @@ Enter a number: " case "${sysmenu}" in 1) until slct_krnl; do : ; done + until ask_sign; do : ; done until ask_bootldr; do : ; done until slct_espmnt; do : ; done - until ask_sign; do : ; done return 1 ;; 2) until ask_fs; do : ; done 
@@ -1024,8 +1024,85 @@ Enter a number: " ok } ################################################################################################### +ask_sign() { + + sleep 0.2 + NC " + + +${magenta}###${nc}-----------------------------------${magenta}[ ${bwhite}Secureboot Signing${nc} ${magenta}]${nc}-----------------------------------${magenta}### + " + YELLOW " + + > Sign UKI(s), Kernel & binaries for use with ${nc}Secure Boot ${yellow}? [Y/n]" + BLUE " + + +Enter [Y/n]: " + read -r -p " +==> " sb_sign + + echo + sb_sign="${sb_sign:-y}" + sb_sign="${sb_sign,,}" + + if [[ "${sb_sign}" == "y" ]]; then + local prompt="Secure Boot 'Setup' Mode Verification" + SB_Status="$(bootctl status 2> /dev/null | grep -E 'Secure Boot' | awk "{print \$4}")" + if [[ ${SB_Status} == "(setup)" ]]; then + ok + else + sleep 0.2 + RED " + ----------------------------------------- + ### ${yellow}Secure Boot Not in 'Setup' Mode ${red}### + -----------------------------------------" + failure + fi + sleep 0.2 + YELLOW " + + + ### 'Secure Boot Signing' has been selected + " + sleep 0.2 + YELLOW " + + + > Create an additional bootloader ${nc}Recovery ${yellow}entry (for troubleshooting) ? [Y/n]" + BLUE " + + +Enter [Y/n]: " + read -r -p " +==> " setrescue + + echo + setrescue="${setrescue:-y}" + setrescue="${setrescue,,}" + + if [[ "${setrescue}" == "y" ]]; then + local prompt="Rescue Entry set" + ok + elif [[ "${setrescue}" == "n" ]]; then + skip + else + y_n + return 1 + fi + elif [[ "${sb_sign}" == "n" ]]; then + skip + else + y_n + return 1 + fi + local prompt="Secure Boot Signing setup" + ok +} +################################################################################################### ask_bootldr() { + local prompt="Bootloader Selection" sleep 0.2 NC " @@ -1076,7 +1153,6 @@ Enter a number: " invalid return 1 ;; esac - local prompt="Bootloader Selection" ok } ################################################################################################### 
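Review bot: `setrescue` is never cleared when the signing prompt is answered `n`, so on a later pass through `ask_sign` (revise() re-runs it, per the @@ -4910 hunk) a `y` recorded on an earlier pass survives and var_opts will still build the rescue entry the user just declined. Resetting it in that branch closes the gap: `elif [[ "${sb_sign}" == "n" ]]; then`, `setrescue=""`, `skip`. The invalid-input paths are unaffected since they return 1 before anything is committed. `SB_Status` is also assigned as a global here; `local SB_Status` would keep it inside the function like the `prompt` variables.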
@@ -1131,63 +1207,6 @@ Enter a number: " fi } ################################################################################################### -ask_sign() { - - sleep 0.2 - NC " - - -${magenta}###${nc}-------------------------------------${magenta}[ ${bwhite}Secure Signing${nc} ${magenta}]${nc}-------------------------------------${magenta}### - " - if [[ "${bootloader}" == "1" ]]; then - YELLOW " - - > Sign Unified Kernel Image(s) & binaries for use with ${nc}Secure Boot ${nc}${yellow}? [Y/n]" - elif [[ "${bootloader}" == "2" ]]; then - YELLOW " - - > Sign Kernel & binaries for use with ${nc}Secure Boot ${nc}${yellow}? [Y/n]" - fi - BLUE " - - -Enter [Y/n]: " - read -r -p " -==> " sb_sign - - echo - sb_sign="${sb_sign:-y}" - sb_sign="${sb_sign,,}" - - if [[ "${sb_sign}" == "y" ]]; then - local prompt="Secure Boot 'Setup' Mode Verification" - SB_Status="$(bootctl status 2> /dev/null | grep -E 'Secure Boot' | awk "{print \$4}")" - if [[ ${SB_Status} == "(setup)" ]]; then - ok - else - sleep 0.2 - RED " - ----------------------------------------- - ### ${yellow}Secure Boot Not in 'Setup' Mode ${red}### - -----------------------------------------" - failure - fi - sleep 0.2 - YELLOW " - - - ### 'Secure Boot Signing' has been selected - " - elif [[ "${sb_sign}" == "n" ]]; then - skip - else - y_n - return 1 - fi - local prompt="Secure Boot Signing setup" - ok -} -################################################################################################### ask_fs() { local prompt="Filesystem Setup" @@ -1898,7 +1917,7 @@ ${magenta}###${nc}--------------------------------------${magenta}[ ${bwhite}Des [11] Basic Arch Linux (No GUI) - [12] Custom Arch Linux ${red}### ${yellow}EXPERTS ONLY ${red}###${nc} + [12] Custom Arch Linux [13] Cosmic ${red}# ${yellow}Alpha ${red}# " BLUE " 
@@ -3919,12 +3938,12 @@ instl() { fi if [[ -z "${kernelnmbr}" ]]; then - local stage_prompt="Kernel, Bootloader, ESP Mountpoint & Secure Signing" + local stage_prompt="Kernel, Secureboot Signing, Bootloader & ESP Mountpoint" completion_err until slct_krnl; do : ; done + until ask_sign; do : ; done until ask_bootldr; do : ; done until slct_espmnt; do : ; done - until ask_sign; do : ; done fi if [[ -z "${fs}" ]]; then @@ -4910,9 +4929,9 @@ revise() { vgaconf="n" fi until slct_krnl; do : ; done + until ask_sign; do : ; done until ask_bootldr; do : ; done until slct_espmnt; do : ; done - until ask_sign; do : ; done until ask_fs; do : ; done until ask_swap; do : ; done if [[ "${hypervisor}" == "none" ]]; then @@ -5562,6 +5581,7 @@ btldrcfg() { if [[ "${xbootloader}" == "no" ]]; then if arch-chroot /mnt <<-BOOTCTL > /dev/null 2>&1 2> amelia_log.txt ; then bootctl install || exit + sed -i "/^#timeout 3/s/^#//" ${btldr_esp_mount}/loader/loader.conf || exit systemctl enable systemd-boot-update || exit BOOTCTL stage_ok @@ -5571,6 +5591,7 @@ BOOTCTL elif [[ "${xbootloader}" == "yes" ]]; then if arch-chroot /mnt <<-XBOOTCTL > /dev/null 2>&1 2> amelia_log.txt ; then bootctl --esp-path=/efi --boot-path=/boot install || exit + sed -i "/^#timeout 3/s/^#//" ${btldr_esp_mount}/loader/loader.conf || exit systemctl enable systemd-boot-update || exit XBOOTCTL stage_ok @@ -5751,9 +5772,9 @@ mkinitcpio_preset() { echo "rw ${boot_opts[*]}" | tee /etc/cmdline.d/cmdlined.conf || exit cp /etc/mkinitcpio.d/${kernel}.preset /etc/mkinitcpio.d/${kernel}.preset.bak || exit cat <<-MKINITPRESET > /etc/mkinitcpio.d/${kernel}.preset || exit + ALL_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf" ALL_kver="/boot/vmlinuz-${kernel}" PRESETS=('default') - default_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf" default_uki="${btldr_esp_mount}/EFI/Linux/arch-${kernel}.efi" MKINITPRESET mkinitcpio -P || exit 
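Review bot: The `sed -i "/^#timeout 3/s/^#//"` line added to both systemd-boot install paths (hunks @@ -5562 and @@ -5571) only takes effect if the `loader.conf` that `bootctl install` drops in still carries the commented template line `#timeout 3`; if it does not, sed matches nothing and exits 0, `|| exit` never fires, and the stage reports success with no timeout configured. Writing the setting explicitly does not depend on the template: `grep -q '^timeout ' ${btldr_esp_mount}/loader/loader.conf || echo 'timeout 3' >> ${btldr_esp_mount}/loader/loader.conf || exit`. The enclosing `btldrcfg` function starts and ends outside these hunks.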
@@ -5774,12 +5795,10 @@ UKI if arch-chroot /mnt <<-NOUKI > /dev/null 2>&1 2> amelia_log.txt ; then cp /etc/mkinitcpio.d/${kernel}.preset /etc/mkinitcpio.d/${kernel}.preset.bak || exit cat <<-MKINITPRESET > /etc/mkinitcpio.d/${kernel}.preset || exit + ALL_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf" ALL_kver="/boot/vmlinuz-${kernel}" - PRESETS=('default' 'fallback') - default_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf" + PRESETS=('default') default_image="/boot/initramfs-${kernel}.img" - fallback_image="/boot/initramfs-${kernel}-fallback.img" - fallback_options="-S autodetect" MKINITPRESET mkinitcpio -P || exit NOUKI 
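Review bot: Dropping `'fallback'` from `PRESETS` in the non-UKI preset removes the only image built with `-S autodetect`, and nothing in this commit replaces that: the rescue entry added in var_opts reuses the autodetect-built default image, so a system whose autodetect hook misses a storage or filesystem module has no bootable image where the fallback initramfs previously covered it, and the rescue entry is only created when `setrescue` is `y`. If the fallback is meant to go, a comment above the heredoc such as `# fallback preset intentionally dropped; the rescue entry reuses the default image` would make that explicit; otherwise keeping `fallback_image`/`fallback_options` at least when the rescue entry was declined is the safer default. The UKI preset in the @@ -5751 hunk was already `'default'`-only, so this applies to the NOUKI path.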
@@ -5792,6 +5811,40 @@ NOUKI ################################################################################################### var_opts() { + if [[ "${setrescue}" == "y" ]]; then + local stage_prompt="Rescue Entry Creation" + if [[ "${bootloader}" == "1" ]]; then + if arch-chroot /mnt <<-RESCUE > /dev/null 2>&1 2> amelia_log.txt ; then + echo "systemd.unit=rescue.target rw ${boot_opts[*]}" | tee /etc/cmdline.d/rescue.conf || exit + cat <<-PRESET > /etc/mkinitcpio.d/${kernel}.preset || exit + ALL_config="/etc/mkinitcpio.conf.d/mkinitcpiod.conf" + ALL_kver="/boot/vmlinuz-${kernel}" + PRESETS=('default' 'rescue') + default_uki="${btldr_esp_mount}/EFI/Linux/arch-${kernel}.efi" + default_options="--cmdline /etc/cmdline.d/cmdlined.conf" + rescue_uki="${btldr_esp_mount}/EFI/Linux/rescue.efi" + rescue_options="--cmdline /etc/cmdline.d/rescue.conf" +PRESET + mkinitcpio -P || exit +RESCUE + stage_ok + else + stage_fail + fi + elif [[ "${bootloader}" == "2" ]]; then + if arch-chroot /mnt <<-RESCUE > /dev/null 2>&1 2> amelia_log.txt ; then + touch /boot/grub/custom.cfg + grep -E -A 11 "'Arch Linux'" /boot/grub/grub.cfg > /boot/grub/custom.cfg || exit + sed -i 's/Arch Linux/Rescue Environment/' /boot/grub/custom.cfg || exit + sed -i '/vmlinuz/ s/$/ systemd.unit=rescue.target/' /boot/grub/custom.cfg || exit +RESCUE + stage_ok + else + stage_fail + fi + fi + fi + if [[ "${multilib}" == "y" ]]; then local stage_prompt="Multilib Configuration" if arch-chroot /mnt <<-MULTILIB > /dev/null 2>&1 2> amelia_log.txt ; then 
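Review bot: `grep -E -A 11 "'Arch Linux'" /boot/grub/grub.cfg` copies a fixed 11 lines after the menuentry line, but the length of the block grub-mkconfig emits can vary with the setup (additional `insmod`/`cryptomount` lines on encrypted or btrfs roots, for example), so custom.cfg may lose its closing `}` or pick up the start of the next entry and GRUB then rejects the file at boot. Copying by range is independent of the block length: `awk "/^menuentry 'Arch Linux'/,/^}/" /boot/grub/grub.cfg > /boot/grub/custom.cfg || exit` (the preceding `touch` then becomes unnecessary). In the systemd-boot branch the preset is rewritten and `mkinitcpio -P` run again immediately after mkinitcpio_preset already built the UKI (the call-order hunks in this patch place var_opts right after it), so the first build is discarded; folding the rescue preset into mkinitcpio_preset, or skipping its build when `setrescue` is `y`, would avoid the duplicate. `rescue.efi` also drops the `${kernel}` suffix that `arch-${kernel}.efi` carries; `rescue-${kernel}.efi` here and in the secboot_sign path would keep the naming consistent.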
@@ -5861,6 +5914,16 @@ SECSIGN else stage_fail fi + if [[ ${setrescue} == "y" ]]; then + local stage_prompt="Rescue Entry Secure-Boot Signing" + if arch-chroot /mnt <<-SECSIGN > /dev/null 2>&1 2> amelia_log.txt ; then + sbctl sign -s ${btldr_esp_mount}/EFI/Linux/rescue.efi || exit +SECSIGN + stage_ok + else + stage_fail + fi + fi elif [[ ${bootloader} == "2" ]]; then if arch-chroot /mnt <<-SECSIGN > /dev/null 2>&1 2> amelia_log.txt ; then pacman -S --noconfirm sbctl || exit @@ -6152,8 +6215,8 @@ NETWORK vm_serv zramcfg nvidia_hook - var_opts mkinitcpio_preset + var_opts secboot_sign completion installation="ok" @@ -6211,8 +6274,8 @@ CUSTOMSERV vm_serv zramcfg nvidia_hook - var_opts mkinitcpio_preset + var_opts secboot_sign completion installation="ok" @@ -6380,8 +6443,8 @@ OPTIMIZED btldrcfg zramcfg nvidia_hook - var_opts mkinitcpio_preset + var_opts secboot_sign completion installation="ok" 
@@ -6397,7 +6460,7 @@ OPTIMIZED tty="$(tty)" disks="$(lsblk --nodeps --paths --noheadings --output=name,size,model | cat --number)" trg="" - vars=(LOCALESET="" SETLOCALE="" lcl_slct="" USERNAME="" kernelnmbr="" fs="" vgapkgs="" vgacount="" vgacard="" intelcount="" intelcards="" nvidiacount="" nvidiacards="" amdcount="" amdcards="" vgaconf="" vga_conf="" vga_setup="" vendor="" vendor1="" vendor2="" vendor3="" vendor_slct="" packages="" efi_entr_del="" wrlss_rgd="" sanity="" install="" bootldr_pkgs="" devel="" REGDOM="" vga_bootopts="" btrfs_bootopts="" trim="" swapmode="" homecrypt="" greeter="" revision="" greeternmbr="" cust_bootopts="" bluetooth="" vmpkgs="" vm_services="" perf_stream="" displaymanager="" wireless_reg="" bitness="" bootloader="" vga_slct="" espsize="" autoroot="" autoesp="" autoxboot="" autohome="" autoswap="" rootprt="" espprt="" xbootprt="" homeprt="" swapprt="" partok="" use_manpreset="" instl_drive="" sgdsk_nmbr="" part_mode="" preset="" capacity="" cap_gib="" rootsize="" sgdrive="" cgdrive="" smartpart="" presetpart="" prcnt="" roottype="" stage_prompt="" zram="" zram_bootopts="" xbootloader="" multibooting="" hypervisor="" mkinitcpio_mods="" uki="" ukify="" slct_autoprt="" cng_espmnt="" sep_home="" encr_swap_bootopts="" uefimode="" luks_encrypt="" nrg_plc="" multilib="" nvname="" nogsp="" luks_root="" luks_swap="" luks_home="" installation="" kill_watchdog="" oomd="") + vars=(LOCALESET="" SETLOCALE="" lcl_slct="" USERNAME="" kernelnmbr="" fs="" vgapkgs="" vgacount="" vgacard="" intelcount="" intelcards="" nvidiacount="" nvidiacards="" amdcount="" amdcards="" vgaconf="" vga_conf="" vga_setup="" vendor="" vendor1="" vendor2="" vendor3="" vendor_slct="" packages="" efi_entr_del="" wrlss_rgd="" sanity="" install="" bootldr_pkgs="" devel="" REGDOM="" vga_bootopts="" btrfs_bootopts="" trim="" swapmode="" homecrypt="" greeter="" revision="" greeternmbr="" cust_bootopts="" bluetooth="" vmpkgs="" vm_services="" perf_stream="" displaymanager="" 
wireless_reg="" bitness="" bootloader="" vga_slct="" espsize="" autoroot="" autoesp="" autoxboot="" autohome="" autoswap="" rootprt="" espprt="" xbootprt="" homeprt="" swapprt="" partok="" use_manpreset="" instl_drive="" sgdsk_nmbr="" part_mode="" preset="" capacity="" cap_gib="" rootsize="" sgdrive="" cgdrive="" smartpart="" presetpart="" prcnt="" roottype="" stage_prompt="" zram="" zram_bootopts="" xbootloader="" multibooting="" hypervisor="" mkinitcpio_mods="" uki="" ukify="" slct_autoprt="" cng_espmnt="" sep_home="" encr_swap_bootopts="" uefimode="" luks_encrypt="" nrg_plc="" multilib="" nvname="" nogsp="" luks_root="" luks_swap="" luks_home="" installation="" kill_watchdog="" oomd="" setrescue="") export "${vars[@]}" clear first_check