KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b98a20cae82d8b4af567ffbbb61be9199f195985
football/config/secureboot.sh
Charles N Wyble 1339705f9d progress snapshot
2026-01-21 08:33:09 -05:00

75 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Secure Boot configuration script for football system
# This script ensures Secure Boot is properly configured
set -euo pipefail
echo "Configuring Secure Boot..."
# Check if Secure Boot is supported
if [ ! -d /sys/firmware/efi ]; then
echo "WARNING: EFI not detected. Secure Boot requires EFI system."
echo "This image may need to be deployed on a UEFI system with Secure Boot."
fi
# Install Secure Boot packages
apt-get update
apt-get install -y shim-signed grub-efi-amd64-signed
# Ensure GRUB is signed
echo "GRUB will use signed bootloader (shim-signed)"
# Configure kernel for Secure Boot
echo "Configuring kernel for Secure Boot..."
cat > /etc/default/grub.d/secureboot.cfg << 'EOF'
GRUB_DISABLE_OS_PROBER=true
GRUB_DISABLE_SUBMENU=y
EOF
# Lock GRUB to prevent unauthorized modifications
echo "Locking GRUB configuration..."
cat > /etc/grub.d/40_custom << 'EOF'
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.
# Lockdown: prevent editing GRUB entries
set superusers="football"
password_pbkdf2 football grub.pbkdf2.sha512.10000.$(echo -n "secure-boot-password" | grub-mkpasswd-pbkdf2 -s 2>/dev/null | tail -n +3 | sed 's/^.*grub\.pbkdf2\.sha512\.10000\.//')
EOF
chmod 755 /etc/grub.d/40_custom
# Update GRUB
update-grub 2>/dev/null || true
# Configure kernel command line for lockdown
echo "Configuring kernel lockdown mode..."
if [ -f /etc/default/grub ]; then
sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=""/GRUB_CMDLINE_LINUX_DEFAULT="lockdown=confidentiality,integrity"/' /etc/default/grub
sed -i 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="lockdown=confidentiality,integrity"/' /etc/default/grub
fi
# Enable UEFI Secure Boot verification in kernel
cat >> /etc/modprobe.d/secureboot.conf << 'EOF'
options efivarfs mode=0444
EOF
# Ensure kernel modules are signed
echo "Verifying kernel module signing..."
for module in "/lib/modules/$(uname -r)"/*.ko; do
if [ -f "$module" ]; then
sig=$(modinfo "$module" 2>/dev/null | grep -ci "signature:")
if [ "$sig" -eq 0 ]; then
echo "WARNING: Module $module is not signed"
fi
fi
done 2>/dev/null || true
echo "Secure Boot configuration complete."
echo ""
echo "IMPORTANT: When deploying to physical hardware:"
echo "1. Ensure UEFI Secure Boot is ENABLED in BIOS/UEFI settings"
echo "2. Verify that the Microsoft UEFI CA is in the key database"
echo "3. The system will only boot with signed kernel and bootloader"
echo "4. Any unsigned kernel modules will be rejected"
echo ""
Reference in New Issue View Git Blame Copy Permalink