Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -0,0 +1,144 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2026-06-04; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
|
||||
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
|
||||
# SPDX-PackageName: CISS.debian.live.builder
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
# shellcheck disable=SC2154,SC2312
|
||||
|
||||
guard_sourcing || return "${ERR_GUARD_SRCE}"
|
||||
|
||||
#######################################
|
||||
# Guard against accidental inclusion of CISS Secure Boot private keys.
|
||||
# Globals:
|
||||
# ERR_UNCRITICAL
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
# ERR_UNCRITICAL: on failure
|
||||
#######################################
|
||||
secureboot_profile_guard_private_keys() {
|
||||
declare -a guard_roots=(
|
||||
"${VAR_HANDLER_BUILD_DIR}/binary"
|
||||
"${VAR_HANDLER_BUILD_DIR}/chroot"
|
||||
"${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
|
||||
"${VAR_HANDLER_BUILD_DIR}/config/includes.chroot"
|
||||
"${VAR_HANDLER_BUILD_DIR}/config/includes.installer"
|
||||
)
|
||||
declare guard_root=""
|
||||
declare private_file=""
|
||||
|
||||
for guard_root in "${guard_roots[@]}"; do
|
||||
|
||||
if [[ ! -d "${guard_root}" ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
while IFS= read -r -d '' private_file; do
|
||||
|
||||
printf "\e[91m❌ Refusing private Secure Boot key inside build artifact path: '%s'. \e[0m\n" "${private_file}" >&2
|
||||
return "${ERR_UNCRITICAL}"
|
||||
|
||||
done < <(find "${guard_root}" -xdev -type f \( -name "ciss-efi-image.key" -o -name "ciss-module-signing.key" \) -print0)
|
||||
|
||||
done
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f secureboot_profile_guard_private_keys
|
||||
|
||||
#######################################
|
||||
# Apply the selected Secure Boot profile after repository files were copied into the live-build config.
|
||||
# Globals:
|
||||
# BASH_SOURCE
|
||||
# ERR_ARG_MSMTCH
|
||||
# ERR_UNCRITICAL
|
||||
# VAR_ARCHITECTURE
|
||||
# VAR_CISS_SECUREBOOT_PROFILE
|
||||
# VAR_HANDLER_BUILD_DIR
|
||||
# VAR_WORKDIR
|
||||
# Arguments:
|
||||
# None
|
||||
# Returns:
|
||||
# 0: on success
|
||||
#######################################
|
||||
secureboot_profile_apply() {
|
||||
declare profile="${VAR_CISS_SECUREBOOT_PROFILE,,}"
|
||||
declare hooks_dir="${VAR_HANDLER_BUILD_DIR}/config/hooks/live"
|
||||
declare build_uki_hook="${hooks_dir}/zzzz_ciss_build_uki.hook.binary"
|
||||
declare install_uki_hook="${hooks_dir}/9910-ciss-install-uki-into-efi-img.hook.binary"
|
||||
declare secureboot_dir="${VAR_WORKDIR}/ciss.secureboot"
|
||||
declare secureboot_key="${secureboot_dir}/private/ciss-efi-image.key"
|
||||
declare secureboot_cert="${secureboot_dir}/public/ciss-efi-image.crt"
|
||||
|
||||
printf "\e[95m🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
case "${profile}" in
|
||||
debian-shim | ciss-uki)
|
||||
;;
|
||||
*)
|
||||
printf "\e[91m❌ Unsupported Secure Boot profile: '%s'. \e[0m\n" "${profile}" >&2
|
||||
return "${ERR_ARG_MSMTCH}"
|
||||
;;
|
||||
esac
|
||||
|
||||
declare -gx VAR_CISS_SECUREBOOT_PROFILE="${profile}"
|
||||
declare -gx VAR_CISS_SECUREBOOT_DIR="${secureboot_dir}"
|
||||
declare -gx VAR_CISS_SECUREBOOT_EFI_KEY="${secureboot_key}"
|
||||
declare -gx VAR_CISS_SECUREBOOT_EFI_CERT="${secureboot_cert}"
|
||||
|
||||
if [[ "${profile}" == "debian-shim" ]]; then
|
||||
|
||||
rm -f -- "${build_uki_hook}" "${install_uki_hook}"
|
||||
printf "\e[92m✅ Secure Boot profile: debian-shim. Custom CISS UKI hooks disabled. \e[0m\n"
|
||||
printf "\e[92m✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
return 0
|
||||
|
||||
fi
|
||||
|
||||
if [[ "${VAR_ARCHITECTURE,,}" != "amd64" ]]; then
|
||||
|
||||
printf "\e[91m❌ Secure Boot profile 'ciss-uki' currently targets amd64/BOOTX64.EFI only. Got: '%s'. \e[0m\n" "${VAR_ARCHITECTURE}" >&2
|
||||
return "${ERR_ARG_MSMTCH}"
|
||||
|
||||
fi
|
||||
|
||||
install -d -m 0755 "${secureboot_dir}/public" "${secureboot_dir}/manifests" "${secureboot_dir}/uki"
|
||||
install -d -m 0700 "${secureboot_dir}/private"
|
||||
|
||||
if [[ ! -f "${secureboot_key}" ]]; then
|
||||
|
||||
printf "\e[91m❌ Missing CISS Secure Boot EFI signing key: '%s'. \e[0m\n" "${secureboot_key}" >&2
|
||||
return "${ERR_UNCRITICAL}"
|
||||
|
||||
fi
|
||||
|
||||
if [[ ! -f "${secureboot_cert}" ]]; then
|
||||
|
||||
printf "\e[91m❌ Missing CISS Secure Boot EFI signing certificate: '%s'. \e[0m\n" "${secureboot_cert}" >&2
|
||||
return "${ERR_UNCRITICAL}"
|
||||
|
||||
fi
|
||||
|
||||
secureboot_profile_guard_private_keys
|
||||
|
||||
chmod 0755 "${build_uki_hook}" "${install_uki_hook}"
|
||||
|
||||
printf "\e[92m❌ Secure Boot profile: ciss-uki. Custom UKI hooks enabled. \e[0m\n"
|
||||
printf "\e[92m❌ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
|
||||
|
||||
return 0
|
||||
}
|
||||
### Prevents accidental 'unset -f'.
|
||||
# shellcheck disable=SC2034
|
||||
readonly -f secureboot_profile_apply
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
|
||||
Reference in New Issue
Block a user