KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9eb08c9fde9b64f14b94fe268e78a2d9b5a718c
football/config/secureboot.sh
Charles N Wyble 17dcee7e52 feat: add minimal Debian image build system with WireGuard-only networking 
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00

75 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Secure Boot configuration script for football system
# This script ensures Secure Boot is properly configured
set -e
echo "Configuring Secure Boot..."
# Check if Secure Boot is supported
if [ ! -d /sys/firmware/efi ]; then
echo "WARNING: EFI not detected. Secure Boot requires EFI system."
echo "This image may need to be deployed on a UEFI system with Secure Boot."
fi
# Install Secure Boot packages
apt-get update
apt-get install -y shim-signed grub-efi-amd64-signed
# Ensure GRUB is signed
echo "GRUB will use signed bootloader (shim-signed)"
# Configure kernel for Secure Boot
echo "Configuring kernel for Secure Boot..."
cat > /etc/default/grub.d/secureboot.cfg << 'EOF'
GRUB_DISABLE_OS_PROBER=true
GRUB_DISABLE_SUBMENU=y
EOF
# Lock GRUB to prevent unauthorized modifications
echo "Locking GRUB configuration..."
cat > /etc/grub.d/40_custom << 'EOF'
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.
# Lockdown: prevent editing GRUB entries
set superusers="football"
password_pbkdf2 football grub.pbkdf2.sha512.10000.$(echo -n "secure-boot-password" | grub-mkpasswd-pbkdf2 -s 2>/dev/null | tail -n +3 | sed 's/^.*grub\.pbkdf2\.sha512\.10000\.//')
EOF
chmod 755 /etc/grub.d/40_custom
# Update GRUB
update-grub 2>/dev/null || true
# Configure kernel command line for lockdown
echo "Configuring kernel lockdown mode..."
if [ -f /etc/default/grub ]; then
sed -i 's/^GRUB_CMDLINE_LINUX_DEFAULT=""/GRUB_CMDLINE_LINUX_DEFAULT="lockdown=confidentiality,integrity"/' /etc/default/grub
sed -i 's/^GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="lockdown=confidentiality,integrity"/' /etc/default/grub
fi
# Enable UEFI Secure Boot verification in kernel
cat >> /etc/modprobe.d/secureboot.conf << 'EOF'
options efivarfs mode=0444
EOF
# Ensure kernel modules are signed
echo "Verifying kernel module signing..."
for module in /lib/modules/$(uname -r)/*.ko; do
if [ -f "$module" ]; then
sig=$(modinfo "$module" 2>/dev/null | grep -i "signature:" | wc -l)
if [ "$sig" -eq 0 ]; then
echo "WARNING: Module $module is not signed"
fi
fi
done 2>/dev/null || true
echo "Secure Boot configuration complete."
echo ""
echo "IMPORTANT: When deploying to physical hardware:"
echo "1. Ensure UEFI Secure Boot is ENABLED in BIOS/UEFI settings"
echo "2. Verify that the Microsoft UEFI CA is in the key database"
echo "3. The system will only boot with signed kernel and bootloader"
echo "4. Any unsigned kernel modules will be rejected"
echo ""
Reference in New Issue View Git Blame Copy Permalink