Set-up secure-boot signing for Arch Linux
parent
2e84160e65
commit
a5ad7aa16b
12
.github/workflows/release.yml
vendored
12
.github/workflows/release.yml
vendored
|
@ -24,7 +24,17 @@ jobs:
|
||||||
- name: Install build dependencies
|
- name: Install build dependencies
|
||||||
run: |
|
run: |
|
||||||
# Install makepkg deps
|
# Install makepkg deps
|
||||||
pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
|
pacman -Sy sudo binutils fakeroot grep base-devel git sbsigntools --noconfirm
|
||||||
|
|
||||||
|
- name: Setup secureboot certificate
|
||||||
|
env:
|
||||||
|
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
||||||
|
run: |
|
||||||
|
cd pkg
|
||||||
|
|
||||||
|
# Install the surface secureboot certificate
|
||||||
|
echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key
|
||||||
|
cp keys/surface.crt arch/kernel/MOK.crt
|
||||||
|
|
||||||
- name: Build
|
- name: Build
|
||||||
run: |
|
run: |
|
||||||
|
|
|
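Review bot: The `echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key` line in the new "Setup secureboot certificate" step writes the private signing key into the package tree under the runner's default umask, and nothing visible in this hunk removes it afterwards. The key can therefore outlive the build and could be picked up by any later step that archives or uploads that directory. Creating it with tight permissions, e.g. `(umask 077; printf '%s' "$SB_KEY" | base64 -d > arch/kernel/MOK.key)`, and deleting it in a final step guarded by `if: always()` would limit the exposure. The step also never checks that the secret is non-empty: if `SURFACE_SB_KEY` is unavailable to the run, the redirect still creates an empty MOK.key, so a `[ -n "$SB_KEY" ]` guard that fails or skips here would make the cause obvious instead of surfacing later in the build.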
@ -87,14 +87,24 @@ _package() {
|
||||||
optdepends=('crda: to set the correct wireless channels of your country'
|
optdepends=('crda: to set the correct wireless channels of your country'
|
||||||
'linux-firmware: firmware images needed for some devices')
|
'linux-firmware: firmware images needed for some devices')
|
||||||
|
|
||||||
|
local mok_crt="$PWD/MOK.crt"
|
||||||
|
local mok_key="$PWD/MOK.key"
|
||||||
|
|
||||||
cd $_srcname
|
cd $_srcname
|
||||||
local kernver="$(<version)"
|
local kernver="$(<version)"
|
||||||
local modulesdir="$pkgdir/usr/lib/modules/$kernver"
|
local modulesdir="$pkgdir/usr/lib/modules/$kernver"
|
||||||
|
local image_name="$(make -s image_name)"
|
||||||
|
|
||||||
|
# sign boot image if the prequisites are available
|
||||||
|
if [[ -f "$mok_crt" ]] && [[ -f "$mok_key" ]] && [[ -x "$(command -v sbsign)" ]]; then
|
||||||
|
msg2 "Signing boot image..."
|
||||||
|
sbsign --key "$mok_key" --cert "$mok_crt" --output "$image_name" "$image_name"
|
||||||
|
fi
|
||||||
|
|
||||||
msg2 "Installing boot image..."
|
msg2 "Installing boot image..."
|
||||||
# systemd expects to find the kernel here to allow hibernation
|
# systemd expects to find the kernel here to allow hibernation
|
||||||
# https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
|
# https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
|
||||||
install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
|
install -Dm644 "$image_name" "$modulesdir/vmlinuz"
|
||||||
|
|
||||||
# Used by mkinitcpio to name the kernel
|
# Used by mkinitcpio to name the kernel
|
||||||
echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
|
echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"
|
||||||
|
|
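Review bot: The signing branch added to `_package()` is skipped silently when MOK.crt, MOK.key or `sbsign` is missing, so a build can install an unsigned vmlinuz with nothing in the log to show it. An `else` branch with `warning "Secure Boot key or sbsign not found; boot image left unsigned"` would make that visible, and `sbverify --cert "$mok_crt" "$image_name"` right after the `sbsign` call would confirm the signature before the image is installed. Because `sbsign` writes back to `$image_name` inside the source tree, re-running the packaging step on an existing build presumably adds a second signature; signing to a separate output file and installing that file would avoid it. `_package()` starts and continues outside this hunk.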