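#!/bin/bash
# Secure Boot configuration script for football system.
#
# Installs the signed bootloader chain (shim + signed GRUB), drops a GRUB
# defaults snippet, password-locks the GRUB menu, puts the kernel into
# lockdown via the kernel command line and reports unsigned kernel modules.
#
# Must run as root: it installs packages and writes under /etc.
#
# Environment:
#   GRUB_PBKDF2_HASH  (required) PBKDF2 hash for the GRUB superuser, as printed
#                     by grub-mkpasswd-pbkdf2 ("grub.pbkdf2.sha512.<iter>.<salt>.<hash>").
#                     The hash is supplied from outside so that no plaintext
#                     password is embedded in this script or in the image.
#   LOCKDOWN_MODE     (optional) "integrity" (default) or "confidentiality" --
#                     the only two values the kernel's lockdown= parameter accepts.
#   KERNEL_VERSION    (optional) kernel whose modules are checked. Defaults to
#                     `uname -r`, which inside an image-build chroot is the build
#                     host's kernel, not the image's -- set it explicitly there.
set -euo pipefail

readonly GRUB_SUPERUSER=football
readonly GRUB_DEFAULTS_SNIPPET=/etc/default/grub.d/secureboot.cfg
readonly GRUB_CUSTOM_ENTRY=/etc/grub.d/40_custom
readonly MODPROBE_SNIPPET=/etc/modprobe.d/secureboot.conf

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a warning to stderr; never exits.
# Arguments: message words
#######################################
warn() {
  printf 'WARNING: %s\n' "$*" >&2
}

#######################################
# Validate privileges, firmware and the inputs the later steps rely on.
# Globals:  GRUB_PBKDF2_HASH (read), LOCKDOWN_MODE (read)
# Returns:  0, or exits via die on a bad input
#######################################
check_prerequisites() {
  local hash_re='^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$'

  (( EUID == 0 )) || die "this script must be run as root"

  # Non-fatal, as before: the image may be built on one machine and booted on
  # a UEFI one.
  if [[ ! -d /sys/firmware/efi ]]; then
    warn "EFI not detected. Secure Boot requires EFI system."
    warn "This image may need to be deployed on a UEFI system with Secure Boot."
  fi

  : "${GRUB_PBKDF2_HASH:?set GRUB_PBKDF2_HASH to the hash printed by grub-mkpasswd-pbkdf2}"
  # The hash is written verbatim into a GRUB config file, so it must be exactly
  # one well-formed token -- no whitespace, newlines or extra GRUB commands.
  [[ "$GRUB_PBKDF2_HASH" =~ $hash_re ]] \
    || die "GRUB_PBKDF2_HASH is not a grub.pbkdf2.sha512.<iter>.<salt>.<hash> string"

  case "${LOCKDOWN_MODE:-integrity}" in
    integrity|confidentiality) ;;
    *) die "LOCKDOWN_MODE must be 'integrity' or 'confidentiality'" ;;
  esac
}

#######################################
# Install the signed shim and GRUB packages.
# Outputs: apt output and a status line on stdout
#######################################
install_packages() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get install -y shim-signed grub-efi-amd64-signed
  printf '%s\n' "GRUB will use signed bootloader (shim-signed)"
}

#######################################
# Write the GRUB defaults snippet, including the kernel lockdown parameter.
# Globals:  GRUB_DEFAULTS_SNIPPET (read), LOCKDOWN_MODE (read)
# Outputs:  writes $GRUB_DEFAULTS_SNIPPET
#######################################
write_grub_defaults() {
  local mode=${LOCKDOWN_MODE:-integrity}

  printf '%s\n' "Configuring kernel for Secure Boot..."
  mkdir -p "${GRUB_DEFAULTS_SNIPPET%/*}"

  # grub-mkconfig sources /etc/default/grub and then every *.cfg in this
  # directory, so the snippet can append to whatever GRUB_CMDLINE_LINUX the
  # base file already holds. This replaces the earlier sed over
  # /etc/default/grub, which only matched an empty value (so a default
  # "quiet splash" install was never changed) and ran *after* update-grub, so
  # the parameter never reached grub.cfg anyway. GRUB_CMDLINE_LINUX applies to
  # every generated entry, recovery entries included.
  #
  # The old value "lockdown=confidentiality,integrity" is not accepted by the
  # kernel: lockdown= takes exactly one of integrity|confidentiality.
  # The heredoc is unquoted so ${mode} expands; the \$ sequences stay literal
  # for the sh that later sources the file.
  cat > "$GRUB_DEFAULTS_SNIPPET" <<EOF
GRUB_DISABLE_OS_PROBER=true
GRUB_DISABLE_SUBMENU=y
# Kernel lockdown mode (one of integrity|confidentiality), appended to any
# existing command line.
GRUB_CMDLINE_LINUX="\${GRUB_CMDLINE_LINUX:+\$GRUB_CMDLINE_LINUX }lockdown=${mode}"
EOF
}

#######################################
# Password-protect the GRUB menu and regenerate grub.cfg.
# Globals:  GRUB_CUSTOM_ENTRY, GRUB_SUPERUSER, GRUB_PBKDF2_HASH (read)
# Outputs:  writes $GRUB_CUSTOM_ENTRY, runs update-grub
#######################################
lock_grub_menu() {
  printf '%s\n' "Locking GRUB configuration..."
  mkdir -p "${GRUB_CUSTOM_ENTRY%/*}"

  # Emitted with printf rather than a quoted heredoc: the previous <<'EOF'
  # heredoc wrote the $(...) command substitution literally into the file, so
  # GRUB was handed a broken hash instead of one derived from a password.
  # The first two lines are the standard /etc/grub.d stub that copies the rest
  # of this file into grub.cfg ($0 there is expanded by GRUB's helper, not here).
  {
    printf '%s\n' '#!/bin/sh' 'exec tail -n +3 $0'
    printf '%s\n' '# This file provides an easy way to add custom menu entries.'
    printf '%s\n' '# Lockdown: prevent editing GRUB entries'
    printf 'set superusers="%s"\n' "$GRUB_SUPERUSER"
    printf 'password_pbkdf2 %s %s\n' "$GRUB_SUPERUSER" "$GRUB_PBKDF2_HASH"
  } > "$GRUB_CUSTOM_ENTRY"
  chmod 755 "$GRUB_CUSTOM_ENTRY"

  # NOTE(review): once superusers is set, GRUB also asks for this password to
  # boot any menu entry that was not generated with --unrestricted. Confirm the
  # target's grub-mkconfig scripts do that, or the device will stop at a GRUB
  # login prompt instead of booting unattended.

  # Failure is tolerated (the image build may have no boot device mounted) but
  # is no longer silenced, so a real problem is visible in the build log.
  if ! update-grub; then
    warn "update-grub failed; grub.cfg was not regenerated -- run update-grub on the target"
  fi
}

#######################################
# Write the modprobe snippet carried over from the original configuration.
# Globals:  MODPROBE_SNIPPET (read)
# Outputs:  writes $MODPROBE_SNIPPET
#######################################
write_modprobe_snippet() {
  mkdir -p "${MODPROBE_SNIPPET%/*}"
  # NOTE(review): efivarfs is a filesystem and "mode" is not a module parameter
  # I can find documented for it, so this line is probably inert -- confirm on
  # the target kernel or drop it. Written with '>' (was '>>') so re-running
  # the script does not append a duplicate line each time.
  cat > "$MODPROBE_SNIPPET" <<'EOF'
options efivarfs mode=0444
EOF
}

#######################################
# Warn about every kernel module that carries no signature.
# Globals:  KERNEL_VERSION (read)
# Outputs:  one WARNING per unsigned module on stderr
# Returns:  0 (informational only, as in the original script)
#######################################
check_module_signatures() {
  local kver=${KERNEL_VERSION:-$(uname -r)}
  local moddir=/lib/modules/$kver
  local module info

  printf '%s\n' "Verifying kernel module signing..."
  if [[ ! -d "$moddir" ]]; then
    warn "no module directory at $moddir; skipping module signature check"
    return 0
  fi

  # find instead of a top-level "*.ko" glob: modules live under kernel/...
  # subdirectories, and newer distributions ship them compressed (*.ko.zst,
  # *.ko.xz), which the old glob silently skipped.
  while IFS= read -r -d '' module; do
    # Captured into a variable rather than piped into grep -q: under pipefail,
    # grep -q closing its input early can make the pipeline report failure for
    # a module that *is* signed.
    if ! info=$(modinfo "$module" 2>/dev/null); then
      warn "modinfo failed for $module"
      continue
    fi
    if ! grep -qi '^signature:' <<<"$info"; then
      warn "Module $module is not signed"
    fi
  done < <(find "$moddir" -type f \( -name '*.ko' -o -name '*.ko.*' \) -print0)
}

#######################################
# Print the deployment checklist.
# Outputs: checklist on stdout
#######################################
print_summary() {
  printf '%s\n' "Secure Boot configuration complete." ""
  printf '%s\n' "IMPORTANT: When deploying to physical hardware:" \
    "1. Ensure UEFI Secure Boot is ENABLED in BIOS/UEFI settings" \
    "2. Verify that the Microsoft UEFI CA is in the key database" \
    "3. The system will only boot with signed kernel and bootloader" \
    "4. Any unsigned kernel modules will be rejected" \
    ""
}

#######################################
# Entry point. Lockdown is configured before update-grub so that the
# regenerated grub.cfg already carries it.
#######################################
main() {
  printf '%s\n' "Configuring Secure Boot..."
  check_prerequisites
  install_packages
  write_grub_defaults
  lock_grub_menu
  write_modprobe_snippet
  check_module_signatures
  print_summary
}

main "$@"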