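#!/usr/bin/env bash
#
# Post-chroot configuration for an Artix install: timezone, locale, static
# network, root password, base tools, a unified kernel image (UKI) booted
# straight from the UEFI firmware off an encrypted btrfs root, and custom
# Secure Boot keys.
#
# Usage: <script> <device> <root-password|->
#   arg1  target disk name without /dev/ (e.g. vda, sda, nvme0n1)
#   arg2  new root password, or "-" to read it from stdin
#
# Run as root inside the target chroot (artix-chroot /mnt). The ESP is
# expected to be mounted at /efi and the btrfs snapshot tree at
# /.btrfs/snapshots (both prepared by an earlier stage not shown here).
#
# Operational caveats a maintainer should know:
#   * The stock mkinitcpio pacman hook is replaced by a no-op below, so a
#     kernel upgrade does NOT rebuild or re-sign the UKIs in /efi/EFI/artix.
#     After updating the kernel, rebuild with `mkinitcpio --preset artix` and
#     re-sign the UKIs with the db key (see efi_keys_setup).
#   * The kernel command line carries audit=0 and ipv6.disable=1 - these are
#     the original author's choices, not requirements; review them for your
#     environment.
#   * Secure Boot private keys are generated unencrypted (-nodes). They are
#     created mode 0600 under /etc/efikeys; move the PK and KEK keys offline
#     once enrollment has succeeded.
set -euo pipefail

usage() {
  echo "incorrect number of arguments" >&2
  echo "arg1 target device" >&2
  echo "arg2 root pass (or - to read it from stdin)" >&2
  exit 1
}

[ "$#" -eq 2 ] || usage

DEV_ID=$1
if [ "$2" = "-" ]; then
  # Reading the password from stdin keeps it out of `ps` output and shell
  # history; passing it as an argument remains supported for compatibility.
  IFS= read -r PASS
else
  PASS=$2
fi

readonly PART_ID_EFI=1
readonly PART_ID_LUKS=3
readonly BTRFS_FALLBACK_SNAPSHOT="root_00000000T000000--fallback"
readonly KERNEL_FILENAME="vmlinuz-linux"
readonly URI_EFI_STUB="https://aur.archlinux.org/cgit/aur.git/snapshot/aur-efistub-standalone.tar.gz"

# Optional sha256 of the EFI stub tarball. Empty (the default) keeps the
# original behaviour of installing the download unverified; set it to pin the
# stub, which runs before the kernel on every boot.
EFI_STUB_SHA256="${EFI_STUB_SHA256:-}"

# Certificate lifetime for the Secure Boot keys. The original used 7 days;
# UEFI firmware generally does not enforce X.509 validity periods, but other
# tooling may, so a longer lifetime is usually what you want.
EFI_KEY_DAYS="${EFI_KEY_DAYS:-7}"

# Static network settings written into the udev naming rule and /etc/rc.local.
# NET_MAC is a placeholder in the original and must be set to the real NIC.
NET_MAC="${NET_MAC:-aa:bb:cc:dd:ee:ff}"
NET_IFACE="${NET_IFACE:-net0}"
NET_ADDR="${NET_ADDR:-192.168.1.100/20}"
NET_GW="${NET_GW:-192.168.1.0}"

# Print the partition device node for disk $1, partition number $2.
# Disks whose name ends in a digit (nvme0n1, mmcblk0) use a "p" separator
# (nvme0n1p3); sd/vd style names do not (vda3).
part_dev() {
  case "$1" in
    *[0-9]) printf '/dev/%sp%s' "$1" "$2" ;;
    *)      printf '/dev/%s%s' "$1" "$2" ;;
  esac
}

if [ ! -f "/boot/${KERNEL_FILENAME}" ]; then
  echo "/boot/${KERNEL_FILENAME} not found; is the linux package installed?" >&2
  exit 1
fi
# e.g. "6.3.7-arch1-1", taken from the kernel image header.
KERNEL_VERSION=$(file -bL "/boot/${KERNEL_FILENAME}" | sed 's/.*version //;s/ .*//')

LUKS_DEV=$(part_dev "$DEV_ID" "$PART_ID_LUKS")
ROOT_UUID=$(blkid "$LUKS_DEV" -s UUID -o value)
if [ -z "$ROOT_UUID" ]; then
  echo "could not read the UUID of ${LUKS_DEV}" >&2
  exit 1
fi

# chroot
#artix-chroot /mnt

# timezone
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc

# locale (we are root inside the chroot; no sudo needed or guaranteed present)
sed -i '/^#en_US.UTF-8 UTF-8/c\en_US.UTF-8 UTF-8' /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf

# keymap
echo "KEYMAP=us" > /etc/vconsole.conf

# /etc/pacman.d/mirrorlist

# Suppress the libalpm mkinitcpio hook: kernel/initcpio upgrades will no
# longer copy a new kernel or rebuild the images (see header caveats).
mkdir -p /etc/pacman.d/hooks
cat <<'EOF' > /etc/pacman.d/hooks/90-mkinitcpio-install.hook
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*

[Action]
Description = forget the hookers..
When = PostTransaction
Exec = /usr/bin/sh -c "echo o_O"
NeedsTargets
EOF

# network - networkmanager, connman, dhcpcd, wpa_supplicant, iwd
#pacman -S --noconfirm connman-runit
#ln -s /etc/runit/sv/connmand /etc/runit/runsvdir/default
#pacman -S --noconfirm connman-dinit
#ln -s /etc/dinit.d/connmand /etc/dinit.d/boot.d/
#udevadm trigger --verbose --subsystem-match=net --action=add

# Pin the interface name to the NIC's MAC so rc.local can address it.
cat <<EOF > /etc/udev/rules.d/10-network.rules
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="${NET_MAC}", NAME="${NET_IFACE}"
EOF

# Static addressing at boot; the gateway doubles as the first resolver.
cat <<EOF > /etc/rc.local
ip link set dev ${NET_IFACE} up
ip addr add ${NET_ADDR} dev ${NET_IFACE}
ip route add default via ${NET_GW}
echo "nameserver ${NET_GW}" > /etc/resolv.conf
echo "nameserver 9.9.9.9" >> /etc/resolv.conf
echo "nameserver 1.1.1.1" >> /etc/resolv.conf
EOF
chmod 744 /etc/rc.local

# Start with an empty resolv.conf; rc.local fills it in at boot.
: > /etc/resolv.conf

# hostname
echo "artix" > /etc/hostname

# /etc/hosts
printf '# inserted\n127.0.0.1\tlocalhost\n::1\t\tlocalhost\n' > /etc/hosts

# add root password (printf avoids echo's backslash handling)
printf 'root:%s\n' "$PASS" | chpasswd

# clear tty before login prompt
#sed -i "/GETTY_ARGS=/c\ GETTY_ARGS=\"--noissue --nonewline\"" /etc/runit/sv/agetty-tty1/conf

# base tools: wget (EFI stub download), btrfs-progs (fallback snapshot), vim
pacman -S --noconfirm --needed wget btrfs-progs vim
[ -e /usr/bin/vi ] || ln -s /usr/bin/vim /usr/bin/vi

# Legacy GRUB path; kept for reference, not called.
grub_setup() {
  # install bootloader
  pacman -S --noconfirm grub

  # /etc/default/grub
  #sed -i "/GRUB_CMDLINE_LINUX=/c\GRUB_CMDLINE_LINUX=\"cryptdevice=UUID=${ROOT_UUID}:cryptroot\"" /etc/default/grub
  #sed -i "/#GRUB_ENABLE_CRYPTODISK=/c\GRUB_ENABLE_CRYPTODISK=y" /etc/default/grub

  # for BIOS systems
  #grub-install --recheck /dev/vda

  # for UEFI systems
  # --bootloader-id=grub --target=x86_64-efi
  #grub-install --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi

  # compile grub config
  #grub-mkconfig -o /boot/grub/grub.cfg
  #grub-mkconfig -o /boot/efi/EFI/artix/grub.cfg
} # end grub_setup
#grub_setup

# Build default and fallback UKIs with mkinitcpio and register both with the
# firmware. Side effects: renames /boot/vmlinuz-linux to a versioned name,
# writes /etc/kernel/cmdline*, /etc/mkinitcpio.d/artix.preset, the EFI stub
# under /usr/lib/boot/efi, a fallback btrfs snapshot, and two boot entries.
efi_stub_setup() {
  pacman -S --noconfirm --needed efibootmgr

  local kernel="/boot/${KERNEL_FILENAME}_${KERNEL_VERSION}"
  local uki_dir="/efi/EFI/artix"
  local uki_default="${uki_dir}/${KERNEL_FILENAME}_${KERNEL_VERSION}.efi"
  local uki_fallback="${uki_dir}/${KERNEL_FILENAME}_${KERNEL_VERSION}-fallback.efi"

  # compile kernel - mkinitcpio
  mkdir -p "$uki_dir" /etc/kernel
  mv "/boot/${KERNEL_FILENAME}" "$kernel"
  #mv /boot/initramfs-linux.img /boot/initramfs-linux_${KERNEL_VERSION}.img
  #mv /boot/initramfs-linux-fallback.img /boot/initramfs-linux-fallback_${KERNEL_VERSION}.img

  # The two command lines differ only in the root subvolume.
  local cryptroot="cryptdevice=UUID=${ROOT_UUID}:cryptroot root=/dev/mapper/cryptroot rootfstype=btrfs"
  local tail="rw quiet loglevel=3 udev.log_level=0 sysctl.vm.swappiness=10 kernel.nmi_watchdog=0 nowatchdog zswap.enabled=1 audit=0 ipv6.disable=1"
  printf '%s rootflags=subvol=@ %s\n' "$cryptroot" "$tail" > /etc/kernel/cmdline
  printf '%s rootflags=subvol=@snapshots/%s %s\n' \
    "$cryptroot" "$BTRFS_FALLBACK_SNAPSHOT" "$tail" > /etc/kernel/cmdline_fallback

  cat <<EOF > /etc/mkinitcpio.d/artix.preset
# mkinitcpio preset file for the 'linux' package

#ALL_config="/etc/mkinitcpio.conf"
ALL_kver="${kernel}"
ALL_microcode=(/boot/*-ucode.img)

PRESETS=('default' 'fallback')

#default_config="/etc/mkinitcpio.conf"
#default_image="/boot/initramfs-artix.img"
default_uki="${uki_default}"
#default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp"

#fallback_config="/etc/mkinitcpio.conf"
#fallback_image="/boot/initramfs-artix-fallback.img"
fallback_uki="${uki_fallback}"
fallback_options="-S autodetect --cmdline /etc/kernel/cmdline_fallback"
EOF
  #lsinitcpio -a

  # "encrypt" before "filesystems" so cryptroot is opened at boot.
  sed -i '/^HOOKS=/c\HOOKS=(base udev autodetect keyboard modconf block encrypt filesystems fsck)' /etc/mkinitcpio.conf

  # install linuxx64.efi.stub from the AUR snapshot tarball. Nothing signs
  # this download, so verify it against EFI_STUB_SHA256 when the hash is
  # known; extraction goes to a private temp dir rather than a fixed /tmp path.
  local tmpdir
  tmpdir=$(mktemp -d)
  wget -O "${tmpdir}/aur-efistub-standalone.tar.gz" "$URI_EFI_STUB"
  if [ -n "$EFI_STUB_SHA256" ]; then
    printf '%s  %s\n' "$EFI_STUB_SHA256" "${tmpdir}/aur-efistub-standalone.tar.gz" | sha256sum -c -
  else
    echo "WARNING: EFI_STUB_SHA256 not set; installing an unverified EFI stub" >&2
  fi
  tar xf "${tmpdir}/aur-efistub-standalone.tar.gz" -C "$tmpdir"
  if [ ! -f "${tmpdir}/aur-efistub-standalone/linuxx64.efi.stub" ]; then
    echo "linuxx64.efi.stub not found in ${URI_EFI_STUB}" >&2
    exit 1
  fi
  mkdir -p /usr/lib/boot/efi
  mv "${tmpdir}/aur-efistub-standalone/linuxx64.efi.stub" /usr/lib/boot/efi/
  rm -rf -- "${tmpdir:?}"
  # Artix has no /usr/lib/systemd; this link makes /usr/lib/systemd/boot/efi
  # resolve to /usr/lib/boot/efi, presumably where mkinitcpio looks for the
  # stub - confirm against your mkinitcpio version.
  [ -e /usr/lib/systemd ] || ln -s /usr/lib /usr/lib/systemd

  # Writable snapshot that the fallback entry boots (rootflags above).
  btrfs subvolume snapshot / "/.btrfs/snapshots/${BTRFS_FALLBACK_SNAPSHOT}"
  mkinitcpio -v --preset artix

  # Loader paths are ESP-relative with backslashes; "\\" is one backslash in
  # a double-quoted string.
  local loader_default="EFI\\artix\\${KERNEL_FILENAME}_${KERNEL_VERSION}.efi"
  local loader_fallback="EFI\\artix\\${KERNEL_FILENAME}_${KERNEL_VERSION}-fallback.efi"
  efibootmgr --verbose \
    --disk "/dev/${DEV_ID}" --part "$PART_ID_EFI" \
    --create --label Artix-fallback \
    --loader "$loader_fallback"
  efibootmgr --verbose \
    --disk "/dev/${DEV_ID}" --part "$PART_ID_EFI" \
    --create --label Artix \
    --loader "$loader_default"
  # efibootmgr -v
  # efibootmgr --bootnum 2 --delete-bootnum 2 | efibootmgr -b 9 -B 9
  efibootmgr --unicode

  # Reference script for adding a non-UKI entry by hand (initrd on the
  # command line). Left on the ESP as a template; nothing runs it. The quoted
  # heredoc keeps ${...} literal for the template's own shell.
  cat <<'EOF' > /efi/create.sh
LABEL=Distro
DISTRO=distro
LOADER_FILE=vmlinuz-linux_6.3.7-arch1-1.efi
INITRD_FILE=initramfs-linux.img
DEV_ROOT_PART=/dev/vda2
efibootmgr --verbose \
  --disk /dev/vda1 --part 1 \
  --create --label ${LABEL} \
  --loader "EFI\\${DISTRO}\\${LOADER_FILE}" \
  --unicode "initrd=EFI\\${DISTRO}\\${INITRD_FILE} root=${DEV_ROOT_PART} rootfstype=ext4 rw quiet loglevel=4 udev.log_level=0 sysctl.vm.swappiness=10 kernel.nmi_watchdog=0 nowatchdog zswap.enabled=1 audit=0 ipv6.disable=1"
EOF
} # end efi_stub_setup
efi_stub_setup

# Updating keys once Secure Boot is in "User Mode": any change to KEK, db and
# dbx must be signed with the next key up. Steps:
#   1. Create the new key,
#   2. Convert it to an EFI Signature List,
#   3. Sign the EFI Signature List,
#   4. Enroll the signed certificate update file.
# $1 is "replace" or "add" (whether the new db entry replaces or appends to
# the existing db). Not called by this script; kept as a worked example.
# Outputs new_db.{key,crt,esl,auth} in /etc/efikeys; enrollment is up to you.
efi_db_update() {
  local mode=${1:-replace}
  local keydir=/etc/efikeys
  local guid
  guid=$(< "${keydir}/GUID")
  openssl req -new -x509 -newkey rsa:4096 -nodes -sha256 -days "$EFI_KEY_DAYS" \
    -subj "/CN=8007 Signature Database key/" \
    -keyout "${keydir}/new_db.key" -out "${keydir}/new_db.crt"
  cert-to-efi-sig-list -g "$guid" "${keydir}/new_db.crt" "${keydir}/new_db.esl"
  case "$mode" in
    replace) sign-efi-sig-list -g "$guid" -k "${keydir}/KEK.key" -c "${keydir}/KEK.crt" db "${keydir}/new_db.esl" "${keydir}/new_db.auth" ;;
    add)     sign-efi-sig-list -a -g "$guid" -k "${keydir}/KEK.key" -c "${keydir}/KEK.crt" db "${keydir}/new_db.esl" "${keydir}/new_db.auth" ;;
    *)       echo "efi_db_update: mode must be replace or add" >&2; return 1 ;;
  esac
}

# Generate PK/KEK/db, enroll them with sbkeysync, and sign the UKIs built by
# efi_stub_setup. Requires the firmware to be in Setup Mode (no PK enrolled).
efi_keys_setup() {
  # sbkeysync/sbsign live in sbsigntools, not efitools.
  pacman -S --noconfirm --needed efitools sbsigntools

  # 6 0 0 0 0 -- booted without SecureBoot
  # 6 0 0 0 1 -- booted with SecureBoot
  # With Secure Boot enforcing a PK is present, so sbkeysync cannot enroll
  # ours; fail early with a clear message instead of midway through.
  local sb_state
  sb_state=$(od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | awk '{print $NF}') || sb_state=""
  if [ "$sb_state" = "1" ]; then
    echo "Secure Boot is enforcing; clear the PK (enter Setup Mode) before enrolling keys" >&2
    return 1
  fi

  local keydir=/etc/efikeys
  mkdir -p "$keydir"
  chmod 700 "$keydir"
  # Keys are written without a passphrase (-nodes); make them 0600 at creation.
  local old_umask
  old_umask=$(umask)
  umask 077

  # Backup current variables
  efi-readvar -v PK -o "${keydir}/old_PK.esl"
  efi-readvar -v KEK -o "${keydir}/old_KEK.esl"
  efi-readvar -v db -o "${keydir}/old_db.esl"
  efi-readvar -v dbx -o "${keydir}/old_dbx.esl"

  # SecureBoot is in Setup Mode when the Platform Key is removed

  # Creating keys: one owner GUID shared by all signature lists.
  local guid
  guid=$(uuidgen --random)
  printf '%s\n' "$guid" > "${keydir}/GUID"

  local name cn
  for name in PK KEK db; do
    case "$name" in
      PK)  cn="8007 Platform Key" ;;
      KEK) cn="8007 Key Exchange Key" ;;
      db)  cn="8007 Signature Database key" ;;
    esac
    openssl req -new -x509 -newkey rsa:4096 -nodes -sha256 -days "$EFI_KEY_DAYS" \
      -subj "/CN=${cn}/" -keyout "${keydir}/${name}.key" -out "${keydir}/${name}.crt"
    openssl x509 -outform DER -in "${keydir}/${name}.crt" -out "${keydir}/${name}.cer"
    # cert to esl
    cert-to-efi-sig-list -g "$guid" "${keydir}/${name}.crt" "${keydir}/${name}.esl"
  done

  # PK signs itself and the KEK; the KEK signs db.
  sign-efi-sig-list -g "$guid" -k "${keydir}/PK.key" -c "${keydir}/PK.crt" PK "${keydir}/PK.esl" "${keydir}/PK.auth"
  sign-efi-sig-list -g "$guid" -k "${keydir}/PK.key" -c "${keydir}/PK.crt" KEK "${keydir}/KEK.esl" "${keydir}/KEK.auth"
  sign-efi-sig-list -g "$guid" -k "${keydir}/KEK.key" -c "${keydir}/KEK.crt" db "${keydir}/db.esl" "${keydir}/db.auth"

  umask "$old_umask"

  # Enrolling the Platform Key sets Secure Boot to "User Mode", leaving
  # "Setup Mode", so it is enrolled last (sbkeysync --pk).
  mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}
  mv "${keydir}/PK.auth" /etc/secureboot/keys/PK/
  mv "${keydir}/KEK.auth" /etc/secureboot/keys/KEK/
  mv "${keydir}/db.auth" /etc/secureboot/keys/db/
  sbkeysync --verbose
  sbkeysync --verbose --pk

  # Sign what the firmware actually loads: the two UKIs registered by
  # efi_stub_setup. The original signed /boot/vmlinuz-linux, which
  # efi_stub_setup has already renamed (and which is not in the boot path).
  local uki
  for uki in "/efi/EFI/artix/${KERNEL_FILENAME}_${KERNEL_VERSION}.efi" \
             "/efi/EFI/artix/${KERNEL_FILENAME}_${KERNEL_VERSION}-fallback.efi"; do
    sbsign --key "${keydir}/db.key" --cert "${keydir}/db.crt" --output "$uki" "$uki"
  done
} # end efi_keys_setup
efi_keys_setup

# unmount & reboot
#exit
#umount -R /mnt
#reboot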