author Eric Hameleers <alien@slackware.com>2021-11-08 09:18:14 +0100
committer Eric Hameleers <alien@slackware.com>2021-11-08 09:18:14 +0100
commitf5a3e197512428a14925376345215fcc79f73c8b (patch)
tree6318419b1d61e33f40757c7d6a68e88eb97ca4e9 /make_slackware_live.sh
parent5321fa4452c34f5b5d2547682ac9ea890378268c (diff)
liveslak: add Secure Boot support to all 64bit ISOs
Read the updates in the README for more background and guidance. User notice: As a one-time action the very first time you boot a Secure Boot enabled liveslak ISO, you will have to enroll the liveslak certificate (/EFI/BOOT/liveslak.der) with which the Slackware boot-up binaries (grub and kernel) were signed into your computer's MOK (Machine Owner Key database). This enrollment request will show on-screen during initial boot, just follow the prompts to 'enroll from disk'. Afterwards the computer will reboot and from then on, your liveslak will boot without any user intervention on your Secure Boot computer. Note: liveslak uses Fedora's initial boot loader (the 'shim') which has been signed by Microsoft. In future we may get our own signed shim for liveslak and/or Slackware, but don't hold your breath.
Diffstat (limited to 'make_slackware_live.sh')
-rwxr-xr-xmake_slackware_live.sh195
1 files changed, 193 insertions, 2 deletions
diff --git a/make_slackware_live.sh b/make_slackware_live.sh
index 08e8995..eee602c 100755
--- a/make_slackware_live.sh
+++ b/make_slackware_live.sh
@@ -67,6 +67,23 @@ BOOTLOADSIZE=${BOOTLOADSIZE:-4}
# Therefore we disable 32bit EFI by default. Enable at your own peril:
EFI32=${EFI32:-"NO"}
+# Set to '1' using the "-S" parameter to the script,
+# if the liveslak ISO should support SecureBoot-enabled computers:
+SECUREBOOT=0
+
+# Which shim to download and install?
+# Supported are 'debian' 'fedora' 'opensuse'.
+SHIM_3RDP=${SHIM_3RDP:-"fedora"}
+
+# When enabling SecureBoot support, we need a MOK certificate plus private key,
+# which we use to sign grub and kernel.
+# MOKCERT contains the location of the certificate,
+# to be defined through the '-S' parameter:
+MOKCERT=""
+# MOKPRIVKEY points to the location of the private key,
+# to be defined through the '-S' parameter:
+MOKPRIVKEY=""
+
# Set to YES if you want to use the SMP kernel on 32bit Slackware:
SMP32=${SMP32:-"NO"}
@@ -892,6 +909,130 @@ EOL
} # End of gen_uefimenu()
+
+#
+# Add UEFI SecureBoot support:
+#
+function secureboot() {
+ # Liveslak uses Fedora's shim (for now), which is signed by
+ # 'Microsoft UEFI CA' and contains Fedora's CA certificate.
+ # We sign liveslak's grub and kernel with our own key/certificate pair.
+ # This means that the user of liveslak will have to enroll liveslak's
+ # public certificate via MokManager. This needs to be done only once.
+
+ # Note that we use the generic fallback directory /EFI/BOOT/ for the Live ISO
+ # instead of a custom distro entry for UEFI such as /EFI/BOOT/Slackware/
+ # When shim is booted with path /EFI/BOOT/bootx64.efi, and there is a
+ # Fallback binary (fbx64.efi) , shim will load that one instead of grub,
+ # so Fallback can create a NVRAM boot entry for a custom distro directory
+ # (which we do not have) causing a reset boot loop.
+ # This is why liveslak does not install fbx64.efi. A regular distro should
+ # install that file in its distro subdirectory!
+
+ SHIM_VENDOR="$1"
+ [ -z "${SHIM_VENDOR}" ] && SHIM_VENDOR="fedora"
+
+ case $SHIM_VENDOR in
+ opensuse) GRUB_SIGNED="grub.efi"
+ ;;
+ *) GRUB_SIGNED="grubx64.efi"
+ ;;
+ esac
+ mkdir -p ${LIVE_WORK}/shim
+ cd ${LIVE_WORK}/shim
+
+ echo "-- Signing grub+kernel with '${LIVE_STAGING}/EFI/BOOT/liveslak.pem'."
+ # Sign grub:
+ # The Grub EFI image must be renamed appropriately for shim to find it,
+ # since some distros change the default 'grubx64.efi' filename:
+ mv -i ${LIVE_STAGING}/EFI/BOOT/bootx64.efi \
+ ${LIVE_WORK}/shim/grubx64.efi.unsigned
+ sbsign --key ${MOKPRIVKEY} --cert ${MOKCERT} \
+ --output ${LIVE_STAGING}/EFI/BOOT/${GRUB_SIGNED} \
+ ${LIVE_WORK}/shim/grubx64.efi.unsigned
+ # Sign the kernel:
+ mv ${LIVE_STAGING}/boot/generic ${LIVE_WORK}/shim/generic.unsigned
+ sbsign --key ${MOKPRIVKEY} --cert ${MOKCERT} \
+ --output ${LIVE_STAGING}/boot/generic \
+ ${LIVE_WORK}/shim/generic.unsigned
+
+ if [ "${SHIM_VENDOR}" = "fedora" ]; then
+ # The version of Fedora's shim package - always use the latest!
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=5
+ SHIMSRC="https://kojipkgs.fedoraproject.org/packages/shim/${SHIM_MAJVER}/${SHIM_MINVER}/x86_64/shim-x64-${SHIM_MAJVER}-${SHIM_MINVER}.x86_64.rpm"
+ echo "-- Downloading/installing the SecureBoot signed shim from Fedora."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O - \
+ | rpm2cpio - | cpio -dim
+ echo ""
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 boot/efi/EFI/fedora/shimx64.efi \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 boot/efi/EFI/fedora/mmx64.efi \
+ ${LIVE_STAGING}/EFI/BOOT/mmx64.efi
+ #install -D -m0644 boot/efi/EFI/BOOT/fbx64.efi \
+ # ${LIVE_STAGING}/EFI/BOOT/fbx64.efi
+ elif [ "${SHIM_VENDOR}" = "opensuse" ]; then
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=4.2
+ SHIMSRC="https://download.opensuse.org/repositories/openSUSE:/Factory/standard/x86_64/shim-${SHIM_MAJVER}-${SHIM_MINVER}.x86_64.rpm"
+ echo "-- Downloading/installing the SecureBoot signed shim from openSUSE."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O - \
+ | rpm2cpio - | cpio -dim
+ echo ""
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 usr/share/efi/x86_64/shim-opensuse.efi \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 usr/share/efi/x86_64/MokManager.efi \
+ ${LIVE_STAGING}/EFI/BOOT/MokManager.efi
+ #install -D -m0644 usr/share/efi/x86_64/fallback.efi \
+ # ${LIVE_STAGING}/EFI/BOOT/fallback.efi
+ elif [ "${SHIM_VENDOR}" = "debian" ]; then
+ DEBSHIM_VER=1.38
+ DEBMOKM_VER=1
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=7
+ SHIMSRC="http://ftp.de.debian.org/debian/pool/main/s/shim-signed/shim-signed_${DEBSHIM_VER}+${SHIM_MAJVER}-${SHIM_MINVER}_amd64.deb"
+ MOKMSRC="http://ftp.de.debian.org/debian/pool/main/s/shim-helpers-amd64-signed/shim-helpers-amd64-signed_${DEBMOKM_VER}+${SHIM_MAJVER}+${SHIM_MINVER}_amd64.deb"
+ echo "-- Downloading the SecureBoot signed shim from Debian."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC}
+ echo ""
+ echo "-- Installing the SecureBoot signed shim to the ESP."
+ # Extract discarding any directory structure:
+ ar p $(basename ${SHIMSRC}) data.tar.xz | tar --xform='s#^.+/##x' -Jxf - \
+ ./usr/lib/shim/shimx64.efi.signed
+ echo "-- Downloading the SecureBoot signed mokmanager from Debian."
+ wget -q --progress=dot:mega --show-progress ${MOKMSRC}
+ echo ""
+ echo "-- Installing the SecureBoot signed mokmanager to the ESP."
+ # Extract discarding any directory structure:
+ ar p $(basename ${MOKMSRC}) data.tar.xz | tar --xform='s#^.+/##x' -Jxf - \
+ ./usr/lib/shim/fbx64.efi.signed ./usr/lib/shim/mmx64.efi.signed
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 ./shimx64.efi.signed \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 ./mmx64.efi.signed \
+ ${LIVE_STAGING}/EFI/BOOT/mmx64.efi
+ #install -D -m0644 ./fbx64.efi.signed \
+ # ${LIVE_STAGING}/EFI/BOOT/fbx64.efi
+ else
+ echo ">> A '${SHIM_VENDOR}' shim was requested, but only 'opensuse' 'fedora' or 'debian' shim/mokmanager are supported."
+ echo ">> Expect trouble ahead."
+ fi
+ cd - 1>/dev/null
+
+ ## Write CSV file for the Fallback EFI program so that it knows what to boot:
+ #echo -n "bootx64.efi,SHIM,,SecureBoot UEFI entry for liveslak" \
+ # | iconv -t UCS-2 > ${LIVE_STAGING}/EFI/BOOT/BOOT.CSV
+
+ # Cleanup:
+ rm -rf ${LIVE_WORK}/shim
+
+} # End of secureboot()
+
#
# Create an ISO file from a directory's content:
#
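Review bot: The shim packages fetched in secureboot() (the `wget ... ${SHIMSRC}` and `${MOKMSRC}` lines) are installed into the ESP with no integrity or authenticity check on the download, and the Debian URLs are plain http://, so a corrupted or substituted package ends up as bootx64.efi/mmx64.efi in the ISO; comparing each download against a pinned checksum (or verifying the rpm/deb signature) before the `install` lines, and using the https mirrors where they exist, would close that. Nothing checks the exit status of either `sbsign` call or of the download pipelines, yet the unsigned grub and kernel have already been `mv`'d out of ${LIVE_STAGING} a few lines earlier, so a failed signing leaves the staging tree without a grub or kernel and the build carries on; `sbsign ... || { echo ">> Signing failed."; exit 1; }` on both calls would stop it there. The unquoted expansions (`${LIVE_WORK}`, `${MOKPRIVKEY}`, `${MOKCERT}`, `${LIVE_STAGING}`) recur in the `-S` option handling and the MOK existence check hunks of this commit; quoting them is the only change needed.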
@@ -1079,7 +1220,7 @@ EOT
# Action!
# ---------------------------------------------------------------------------
-while getopts "a:c:d:efhl:m:r:s:t:vz:CGH:MO:R:X" Option
+while getopts "a:c:d:efhl:m:r:s:t:vz:CGH:MO:R:S:X" Option
do
case $Option in
h )
@@ -1122,6 +1263,9 @@ do
echo " -M Add multilib (x86_64 only)."
echo " -O outfile Custom filename for the ISO."
echo " -R runlevel Runlevel to boot into (default: $RUNLEVEL)."
+ echo " -S privkey:cert Enable SecureBoot support and sign binaries"
+ echo " using the full path to colon-separated"
+ echo " private key and certificate files"
echo " -X Use xorriso instead of mkisofs/isohybrid."
exit
;;
@@ -1162,6 +1306,12 @@ do
;;
R ) RUNLEVEL=${OPTARG}
;;
+ S ) MOKPRIVKEY=$(readlink -f $(echo ${OPTARG} |cut -d: -f1))
+ MOKCERT=$(readlink -f $(echo ${OPTARG} |cut -d: -f2))
+ TEMP_3RDP=$(echo ${OPTARG} |cut -d: -f3)
+ [ -n "${TEMP_3RDP}" ] && SHIM_3RDP=${TEMP_3RDP}
+ unset TEMP_3RDP
+ ;;
X ) USEXORR="YES"
;;
* ) echo "You passed an illegal switch to the program!"
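Review bot: `cut -d: -f2` prints the whole input when the line has no delimiter, so `-S /path/key` given without a colon sets both MOKPRIVKEY and MOKCERT to the key file; the later `-f` check passes and the mistake only surfaces when sbsign is handed the key as the certificate. Adding `-s` to the second and third `cut` invocations (`cut -s -d: -f2`, `cut -s -d: -f3`) makes a missing field empty instead. The `$(echo ${OPTARG} ...)` and `readlink -f $(...)` expansions are unquoted, so a path containing whitespace is split before it reaches readlink; quoting both levels fixes that without changing the accepted syntax.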
@@ -1206,6 +1356,16 @@ if [ "$SL_ARCH" != "x86_64" -a "$MULTILIB" = "YES" ]; then
exit 1
fi
+if [ -n "${MOKPRIVKEY}" ] && [ -n "${MOKCERT}" ]; then
+ if [ -f ${MOKPRIVKEY} ] && [ -f ${MOKCERT} ]; then
+ echo "-- Enabling SecureBoot support (${SHIM_3RDP} shim)."
+ SECUREBOOT=1
+ else
+ echo ">> SecureBoot can not be enabled; MOK key and/or cert not found."
+ exit 1
+ fi
+fi
+
# Determine which module sequence we have to build:
case "$LIVEDE" in
SLACKWARE) MSEQ="${SEQ_SLACKWARE}" ;;
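Review bot: When only one of MOKPRIVKEY and MOKCERT is non-empty the outer `-n ... && -n` test is false and the build silently continues without SecureBoot even though the user explicitly passed `-S`; `if [ -n "${MOKPRIVKEY}" ] || [ -n "${MOKCERT}" ]; then` lets a half-specified pair reach the existing error branch instead. If the outer test is changed that way the inner tests must become `[ -f "${MOKPRIVKEY}" ] && [ -f "${MOKCERT}" ]`, because an unquoted empty value turns `[ -f ]` into a single-argument test that evaluates true. This is also the natural place to reject an unsupported `${SHIM_3RDP}` value, since secureboot() only prints `Expect trouble ahead` for one and carries on with the build.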
@@ -1282,7 +1442,11 @@ DEF_SL_PATCHROOT=${SL_PATCHROOT}
# Are all the required add-on tools present?
[ "$USEXORR" = "NO" ] && ISOGEN="mkisofs isohybrid" || ISOGEN="xorriso"
PROG_MISSING=""
-for PROGN in mksquashfs unsquashfs grub-mkfont grub-mkimage syslinux $ISOGEN installpkg upgradepkg keytab-lilo rsync mkdosfs ; do
+REQTOOLS="mksquashfs unsquashfs grub-mkfont grub-mkimage syslinux $ISOGEN installpkg upgradepkg keytab-lilo rsync wget mkdosfs"
+if [ $SECUREBOOT -eq 1 ]; then
+ REQTOOLS="${REQTOOLS} openssl sbsign"
+fi
+for PROGN in ${REQTOOLS} ; do
if ! which $PROGN 1>/dev/null 2>/dev/null ; then
PROG_MISSING="${PROG_MISSING}-- $PROGN\n"
fi
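Review bot: The SecureBoot branch of the tool check adds only `openssl sbsign`, but secureboot() also relies on `rpm2cpio` and `cpio` for the fedora/opensuse shims and on `ar` for the debian one, and it downloads the shim only after grub and the kernel have been moved out of the staging tree, so a missing extractor surfaces mid-secureboot() rather than here. Extending the list per vendor inside the existing `if [ $SECUREBOOT -eq 1 ]` block covers it: `if [ "${SHIM_3RDP}" = "debian" ]; then REQTOOLS="${REQTOOLS} ar"; else REQTOOLS="${REQTOOLS} rpm2cpio cpio"; fi`.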
@@ -1404,6 +1568,12 @@ RODIRS="${LIVE_BOOT}"
# Create the verification file for the install_pkgs function:
echo "${THEDATE} (${BUILDER})" > ${LIVE_BOOT}/${MARKER}
+# Do we need to include secureboot module?
+if [ $SECUREBOOT -eq 1 ]; then
+ echo "-- Adding secureboot module."
+ MSEQ="${MSEQ} pkglist:secureboot"
+fi
+
# Do we need to create/include additional module(s) defined by a pkglist:
if [ -n "$SEQ_ADDMOD" ]; then
echo "-- Adding ${SEQ_ADDMOD}."
@@ -3056,6 +3226,10 @@ else
KVER=$(ls --indicator-style=none ${LIVE_ROOTDIR}/lib/modules/ |grep smp |head -1)
fi
+# Determine Slackware's GRUB version and build (we will use this later):
+GRUBVER=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |rev |cut -d- -f3 |rev)
+GRUBBLD=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |rev |cut -d- -f1 |cut -d. -f2 |rev)
+
# Create an initrd for the generic kernel, using a modified init script:
echo "-- Creating initrd for kernel-generic $KVER ..."
chroot ${LIVE_ROOTDIR} /sbin/mkinitrd -c -w ${WAIT} -l us -o /boot/initrd_${KVER}.img -k ${KVER} -m ${KMODS} -L -C dummy 1>${DBGOUT} 2>${DBGOUT}
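Review bot: Both `find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z"` pipelines assume exactly one match; if the searched tree holds a second grub package (a patches directory, for instance — whether one lies under ${DEF_SL_PKGROOT}/../ I cannot tell from this hunk) each variable becomes a multi-line string and the SBAT entry this commit later writes from `${GRUBVER}-${GRUBBLD}` is no longer a single CSV line. Selecting one result explicitly, `| sort -V | tail -n 1` before the first `rev` in each pipeline, keeps the value well-formed and presumably picks the package that upgradepkg installed. A one-line check that GRUBVER is non-empty would also catch the no-match case, which currently yields an SBAT version of `-`.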
@@ -3166,8 +3340,13 @@ cp -a ${LIVE_TOOLDIR}/syslinux ${LIVE_STAGING}/boot/
# EFI support always for 64bit architecture, but conditional for 32bit.
if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Copy the UEFI boot directory structure:
+ rm -rf ${LIVE_STAGING}/EFI/BOOT
mkdir -p ${LIVE_STAGING}/EFI/BOOT
cp -a ${LIVE_TOOLDIR}/EFI/BOOT/{grub-embedded.cfg,make-grub.sh,*.txt,theme} ${LIVE_STAGING}/EFI/BOOT/
+ if [ ${SECUREBOOT} -eq 1 ]; then
+ # User needs a DER-encoded copy of the signing cert for MOK enrollment:
+ openssl x509 -outform der -in ${MOKCERT} -out ${LIVE_STAGING}/EFI/BOOT/liveslak.der
+ fi
if [ "$LIVEDE" = "XFCE" ]; then
# We do not use the unicode font, so it can be removed to save space:
rm -f ${LIVE_STAGING}/EFI/BOOT/theme/unicode.pf2
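Review bot: The added `rm -rf ${LIVE_STAGING}/EFI/BOOT` is unquoted and has no guard against an empty ${LIVE_STAGING}, in which case it removes /EFI/BOOT from the build host; `rm -rf "${LIVE_STAGING:?}/EFI/BOOT"` aborts instead of expanding to a root path. The `openssl x509 -outform der` conversion that produces liveslak.der has its exit status ignored, and since that file is what the user enrolls into the MOK the ISO should not be built without it; `|| { echo ">> Failed to convert ${MOKCERT} to DER."; exit 1; }` on that line would cover it. The enclosing `if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]` block continues past this hunk.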
@@ -3188,6 +3367,12 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Generate the UEFI grub boot image if needed:
if [ ! -f ${LIVE_STAGING}/EFI/BOOT/boot${EFISUFF}.efi -o ! -f ${LIVE_STAGING}/boot/syslinux/efiboot.img ]; then
( cd ${LIVE_STAGING}/EFI/BOOT
+ # Create a SBAT file 'grub_sbat.csv' to be used by make-grub.sh :
+ cat <<HSBAT > ${LIVE_STAGING}/EFI/BOOT/grub_sbat.csv
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
+grub.liveslak,1,The liveslak project,grub,${GRUBVER}-${GRUBBLD},https://download.liveslak.org/
+HSBAT
sed -i -e "s/SLACKWARELIVE/${MARKER}/g" grub-embedded.cfg
sh make-grub.sh EFIFORM=${EFIFORM} EFISUFF=${EFISUFF}
)
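Review bot: The upstream component line in the SBAT heredoc hard-codes `grub,2.06` while the liveslak line uses the detected `${GRUBVER}`, so the two entries disagree as soon as Slackware ships a newer grub; `grub,1,Free Software Foundation,grub,${GRUBVER},https://www.gnu.org/software/grub/` keeps them in step. What shim compares against its revocation list is the generation number (the `1` in the second field), not the version string, so the upstream `grub,1` value has to be raised whenever grub's own SBAT.csv advances it, and a comment above the heredoc such as `# Keep the grub generation number in sync with upstream grub's SBAT.csv; shim revokes by generation, not by version.` would spare the next maintainer a puzzling boot failure. The enclosing `if [ ! -f ... ]` closes outside this hunk.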
@@ -3195,6 +3380,12 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Generate the grub configuration for UEFI boot:
gen_uefimenu ${LIVE_STAGING}/EFI/BOOT
+
+ # Add SecureBoot support if requested:
+ if [ ${SECUREBOOT} -eq 1 ]; then
+ secureboot ${SHIM_3RDP}
+ fi
+
fi # End EFI support menu.
if [ "$SYSMENU" = "NO" ]; then