author: nl6720 <nl6720@gmail.com> 2022-08-08 16:31:12 +0300
committer: nl6720 <nl6720@gmail.com> 2022-08-19 10:22:40 +0300
commit: 7bc4c5424516c9be29b460b4fa043aa76b1c69e3
tree: 102805f1afd622d4d05522b2c5f6a0abaa284db8
parent: b13e5e3379c41b9f3b124476dc2160766554bf99
mkarchiso: preload more GRUB modules and disable shim_lock verifier
--disable-shim-lock is required to support Secure Boot with custom signatures without using shim. Otherwise GRUB will throw an error when trying to boot a kernel:

    error: shim_lock protocol not found.
    error: you need to load the kernel first.

The modules GRUB will use need to be preloaded, otherwise the EFI binaries cannot be signed and used for Secure Boot. See https://bugs.archlinux.org/task/71382. GRUB will throw an error:

    error: verification requested but nobody cares

These changes are done to support Secure Boot using custom keys (not shim) by simply extracting the boot loader (BOOTx64.EFI and BOOTIA32.EFI), kernel, UEFI shell, signing them and then repacking the ISO.

For example:

Extract the files:

    $ osirrox -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -extract_boot_images ./ \
        -extract /EFI/BOOT/BOOTx64.EFI BOOTx64.EFI \
        -extract /EFI/BOOT/BOOTIA32.EFI BOOTIA32.EFI \
        -extract /shellx64.efi shellx64.efi \
        -extract /shellia32.efi shellia32.efi \
        -extract /arch/boot/x86_64/vmlinuz-linux vmlinuz-linux

Make the files writable:

    $ chmod +w BOOTx64.EFI BOOTIA32.EFI shellx64.efi shellia32.efi vmlinuz-linux

Sign the files:

    $ sbsign --key db.key --cert db.crt --output BOOTx64.EFI BOOTx64.EFI
    $ sbsign --key db.key --cert db.crt --output BOOTIA32.EFI BOOTIA32.EFI
    $ sbsign --key db.key --cert db.crt --output shellx64.efi shellx64.efi
    $ sbsign --key db.key --cert db.crt --output shellia32.efi shellia32.efi
    $ sbsign --key db.key --cert db.crt --output vmlinuz-linux vmlinuz-linux

Copy the boot loader and UEFI shell to the EFI system partition image:

    $ mcopy -D oO -i eltorito_img2_uefi.img BOOTx64.EFI BOOTIA32.EFI ::/EFI/BOOT/
    $ mcopy -D oO -i eltorito_img2_uefi.img shellx64.efi shellia32.efi ::/

Repack the ISO using the modified El Torito UEFI boot image and add the signed boot loader files, UEFI shell and kernel to ISO9660:

    $ xorriso -indev archlinux-YYYY.MM.DD-x86_64.iso \
        -outdev archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso \
        -boot_image any replay \
        -append_partition 2 0xef eltorito_img2_uefi.img \
        -map BOOTx64.EFI /EFI/BOOT/BOOTx64.EFI \
        -map BOOTIA32.EFI /EFI/BOOT/BOOTIA32.EFI \
        -map shellx64.efi /shellx64.efi \
        -map shellia32.efi /shellia32.efi \
        -map vmlinuz-linux /arch/boot/x86_64/vmlinuz-linux

Boot the resulting archlinux-YYYY.MM.DD-x86_64-Secure_Boot.iso.
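A check worth running between the sbsign step and the repack step above is to confirm that every file you are about to map back into the ISO actually carries an Authenticode signature; a missed file (or a file sbsign could not write because it was still read-only) produces a Secure Boot violation only at boot time. The following Python script is an added example written for this page, not code from archiso or from the commit author. It parses the PE/COFF headers of each file (BOOTx64.EFI, BOOTIA32.EFI, the UEFI shells and vmlinuz-linux are all PE images; the kernel is one because of its EFI stub) and reports whether the Attribute Certificate Table data directory points at a PKCS#7 signed-data blob. The `build_fake_pe` helper constructs a minimal PE32+ image in memory purely so the check can be exercised offline; it is not a real EFI binary.

```python
"""Report whether PE/COFF images (EFI binaries, EFI-stub kernels) carry an
Authenticode signature. Added example for this page; not archiso code."""
import struct
import sys

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # index of the Certificate Table entry
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType used by Authenticode


def certificate_table(data: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None.

    Unlike other data directories, this entry holds a raw file offset rather
    than an RVA, which is why the check needs no section table parsing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96       # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                       # image declares no Certificate Table entry
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def is_signed(data: bytes) -> bool:
    """True if the image has a well-formed WIN_CERTIFICATE of PKCS#7 type.

    This only proves a signature is present; whether it chains to a key in
    the firmware's db is a job for sbverify or the firmware itself."""
    table = certificate_table(data)
    if table is None:
        return False
    offset, size = table
    if size < 8 or offset + size > len(data):
        return False                      # directory points outside the file: damaged
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= size


def build_fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for offline testing (not a real EFI binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: PE header right after DOS stub
    opt_size = 112 + 16 * 8                            # PE32+ fixed part plus 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        blob = b"\x30\x82\x00\x04\x06\x09\x2a\x86"      # stand-in for a DER PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Usage: python3 check_signed.py BOOTx64.EFI BOOTIA32.EFI shellx64.efi shellia32.efi vmlinuz-linux
    unsigned = []
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            ok = is_signed(f.read())
        print(f"{path}: {'signed' if ok else 'UNSIGNED'}")
        if not ok:
            unsigned.append(path)
    sys.exit(1 if unsigned else 0)
```

Run it over the five files after the sbsign step and refuse to repack if it exits non-zero. For the stronger check (that the signature validates against the certificate you enrolled in db) use `sbverify --cert db.crt <file>` from sbsigntools; the script above deliberately stops at detecting the presence and type of the certificate table so it stays dependency-free.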