Compare commits
5 commits
e2ddbe0e2d
...
72f9e883eb
Author | SHA1 | Date | |
---|---|---|---|
72f9e883eb | |||
9df1a22a10 | |||
6289e86c3e | |||
0a4b73c5dd | |||
6280d8ade4 |
8
.gitignore
vendored
8
.gitignore
vendored
|
@ -6,11 +6,11 @@ mkosi.output/*
|
|||
mkosi.builddir/*
|
||||
|
||||
# Build version of the image
|
||||
/mkosi.version
|
||||
*.version
|
||||
|
||||
# Root password for the image
|
||||
/mkosi.rootpw
|
||||
*.rootpw
|
||||
|
||||
# SecureBoot keys for the image
|
||||
/mkosi.key
|
||||
/mkosi.crt
|
||||
*.key
|
||||
*.crt
|
||||
|
|
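Review bot: The new `*.key` and `*.crt` patterns only keep future signing material out of the index; `mkosi.key`, whose `-----BEGIN PRIVATE KEY-----` body is deleted further down this compare, was tracked before this change and stays recoverable from repository history, so the key pair it belongs to should be treated as disclosed and the matching `mkosi.crt` never enrolled as a trust anchor. Worth stating the rule next to the patterns, e.g. `# Signing material is generated locally by signing-keys/genkeys.sh and must never be committed`. Note also that ignoring `*.crt` hides the public certificate as well; if several builders are meant to share one MOK, the `.crt` is the part that could be tracked.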
69
mkosi.conf
69
mkosi.conf
|
@ -3,74 +3,13 @@ Distribution=arch
|
|||
Architecture=x86-64
|
||||
CacheOnly=true
|
||||
|
||||
[Output]
|
||||
Format=disk
|
||||
SplitArtifacts=true
|
||||
ManifestFormat=json,changelog
|
||||
ImageId=rafeOS
|
||||
SectorSize=4096
|
||||
#CompressOutput=xz
|
||||
# For Reproducible Builds
|
||||
Seed=834dd70f55be43cc9934b20fc0b7f7be
|
||||
|
||||
[Content]
|
||||
Bootable=yes
|
||||
SourceDateEpoch=0
|
||||
Packages=
|
||||
# Minimal package set to define a basic Arch Linux installation
|
||||
base
|
||||
# system and service manager
|
||||
systemd
|
||||
# systemd: show QR codes
|
||||
qrencode
|
||||
# systemd: unlocking LUKS2 volumes with FIDO2 token
|
||||
libfido2
|
||||
# systemd: unlocking LUKS2 volumes with TPM2
|
||||
tpm2-tss
|
||||
# The Linux kernel and modules
|
||||
linux
|
||||
# linux: firmware images needed for some devices
|
||||
linux-firmware
|
||||
# linux: to set the correct wireless channels of your country
|
||||
wireless-regdb
|
||||
# Microcode update image for AMD CPUs
|
||||
amd-ucode
|
||||
# Microcode update image for Intel CPUs
|
||||
intel-ucode
|
||||
# Userspace utilities for linux-erofs file system
|
||||
#erofs-utils
|
||||
# Btrfs filesystem utilities
|
||||
btrfs-progs
|
||||
# Ext2/3/4 filesystem utilities
|
||||
e2fsprogs
|
||||
|
||||
RemoveFiles=
|
||||
/usr/include
|
||||
/usr/local
|
||||
/usr/src
|
||||
/usr/lib/cmake
|
||||
/usr/lib/pkgconfig
|
||||
|
||||
KernelCommandLine=
|
||||
# prevents access to a shell if boot fails
|
||||
rd.shell=0
|
||||
# prevents access to a shell if the root is corrupt
|
||||
rd.emergency=reboot
|
||||
# reboots system 30 seconds after a kernel panic
|
||||
panic=30
|
||||
# loglevel=8
|
||||
|
||||
[Validation]
|
||||
SecureBoot=true
|
||||
SecureBootKey=mkosi.key
|
||||
SecureBootCertificate=mkosi.crt
|
||||
#SecureBootKey=/usr/share/secureboot/keys/db/db.key
|
||||
#SecureBootCertificate=/usr/share/secureboot/keys/db/db.pem
|
||||
SecureBootKey=signing-keys/rafeOS_mok.key
|
||||
SecureBootCertificate=signing-keys/rafeOS_mok.crt
|
||||
SignExpectedPcr=true
|
||||
VerityKey=mkosi.key
|
||||
VerityCertificate=mkosi.crt
|
||||
#VerityKey=/usr/share/secureboot/keys/db/db.key
|
||||
#VerityCertificate=/usr/share/secureboot/keys/db/db.pem
|
||||
VerityKey=signing-keys/rafeOS_mok.key
|
||||
VerityCertificate=signing-keys/rafeOS_mok.crt
|
||||
Checksum=true
|
||||
|
||||
[Host]
|
||||
|
|
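Review bot: The `[Validation]` section now points `SecureBootKey=`, `SecureBootCertificate=`, `VerityKey=` and `VerityCertificate=` at `signing-keys/rafeOS_mok.*`, but `.gitignore` in this same compare ignores `*.key` and `*.crt`, so a fresh checkout has neither file and the build fails until `signing-keys/genkeys.sh mok` has been run; nothing on the page documents that prerequisite. A comment above the first reference would do: `# Generated locally and gitignored: run signing-keys/genkeys.sh mok before building`. Because each clone then generates its own MOK, images built on different machines presumably carry different signatures and PCR signatures (`SignExpectedPcr=true`), which only verify against the certificate enrolled from that particular builder — worth saying explicitly if that is intended.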
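--- a/mkosi.conf.d/90-remove-files.conf
+++ b/mkosi.conf.d/90-remove-files.conf
@@ -0,0 +1,7 @@
+[Content]
+RemoveFiles=
+/usr/include
+/usr/local
+/usr/src
+/usr/lib/cmake
+/usr/lib/pkgconfig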
17
mkosi.crt
17
mkosi.crt
|
@ -1,17 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIICuzCCAaMCFEjGk1dAn3d720+09bprtDG+mRgWMA0GCSqGSIb3DQEBCwUAMBox
|
||||
GDAWBgNVBAMMD21rb3NpIG9mIHRvYmlhczAeFw0yMzEyMDkyMjQ4NDVaFw0yNTEy
|
||||
MDgyMjQ4NDVaMBoxGDAWBgNVBAMMD21rb3NpIG9mIHRvYmlhczCCASIwDQYJKoZI
|
||||
hvcNAQEBBQADggEPADCCAQoCggEBAKCve5Z3mAM0GHV1JYJ8In7OW4p0xx+UfNpA
|
||||
hya+V0FrbeoFYJZK4+xL90hiFkfbS5YvQQ+92JZDdYYEKJOEn0IaXied5UlfMys/
|
||||
7YvZzJMcXGVR4Tux/IDoPp7xrmUqfQfQqmJykyV+XpCY9neG2fS48aWu7Jc2Ztim
|
||||
tQvG65A9FK3byBAFbNNqrn1dtpOFKLuYzDTSla0t7F+MNzCabOf1n6fIJpVef/2x
|
||||
K0T09l/0sv89a+WSOKdZuUg97kvCBjXzKtufIzjTaWWQl8Io6FmMGU8Dl9GyWfMw
|
||||
gCfehwmysJ128G4R+b4rBvVUT60lXXZvJGIRGC1rH+/Mn9uXOIcCAwEAATANBgkq
|
||||
hkiG9w0BAQsFAAOCAQEAjPJIAQ90/MbDC9REWUaAf5eowBELKx5PHg/DFxflskyi
|
||||
E9+6w+P3wdUBVGgsJF3dsdIat2oEadgzLRne5YBTfRJcbP2ObeV8uynG1Ay1m53b
|
||||
TgjN1vGyTJoVa2+wFx9lsnF5jGFAEHVp1X3DWEcirq3HHUDxJLvNi6Ub0RvSVY9M
|
||||
Fw0RyZqmLfjvePVtXYFSbFZbgE0xH+kmXc+cZMiza9LxFNXLdRJikXslJEfl14ni
|
||||
XsbDQ77ePyViIpU8oB8WUjtnxNAg10618W0CLgSR62gtnhoz2sniDeRJ6ipxTpJq
|
||||
u3ItsPcBD8jFpTlUQrAmTehleZ1vD5dmY3txHFVzcQ==
|
||||
-----END CERTIFICATE-----
|
53
mkosi.images/base/mkosi.conf
Normal file
53
mkosi.images/base/mkosi.conf
Normal file
|
@ -0,0 +1,53 @@
|
|||
[Output]
|
||||
Format=directory
|
||||
|
||||
[Content]
|
||||
Bootable=no
|
||||
CleanPackageMetadata=no
|
||||
|
||||
Packages=
|
||||
# Minimal package set to define a basic Arch Linux installation
|
||||
base
|
||||
# Modular initramfs image creation utility
|
||||
mkinitcpio
|
||||
# system and service manager
|
||||
systemd
|
||||
# systemd: show QR codes
|
||||
qrencode
|
||||
# systemd: unlocking LUKS2 volumes with FIDO2 token
|
||||
libfido2
|
||||
# systemd: unlocking LUKS2 volumes with TPM2
|
||||
tpm2-tss
|
||||
# The Linux kernel and modules
|
||||
linux
|
||||
# linux: firmware images needed for some devices
|
||||
linux-firmware
|
||||
# linux: to set the correct wireless channels of your country
|
||||
wireless-regdb
|
||||
# Microcode update image for AMD CPUs
|
||||
amd-ucode
|
||||
# Microcode update image for Intel CPUs
|
||||
intel-ucode
|
||||
# Firmware updates
|
||||
# gnome-control-center: device security panel
|
||||
fwupd
|
||||
# Userspace utilities for linux-erofs file system
|
||||
erofs-utils
|
||||
# Btrfs filesystem utilities
|
||||
btrfs-progs
|
||||
# Ext2/3/4 filesystem utilities
|
||||
e2fsprogs
|
||||
# Userspace components of the audit framework
|
||||
audit
|
||||
# Mandatory Access Control (MAC) using Linux Security Module (LSM)
|
||||
apparmor
|
||||
# Give certain users the ability to run some commands as root
|
||||
sudo
|
||||
# command line tool and library for transferring data with URLs
|
||||
curl
|
||||
# the fast distributed version control system
|
||||
git
|
||||
# Programmable completion for the bash shell
|
||||
bash-completion
|
||||
# Fork of Vim aiming to improve user experience, plugins, and GUIs
|
||||
neovim
|
|
@ -0,0 +1 @@
|
|||
enable apparmor.service
|
|
@ -0,0 +1,3 @@
|
|||
# Enable IPv6 Privacy Extensions
|
||||
net.ipv6.conf.all.use_tempaddr = 2
|
||||
net.ipv6.conf.default.use_tempaddr = 2
|
35
mkosi.images/server/mkosi.conf
Normal file
35
mkosi.images/server/mkosi.conf
Normal file
|
@ -0,0 +1,35 @@
|
|||
[Config]
|
||||
Dependencies=base
|
||||
|
||||
[Output]
|
||||
Format=disk
|
||||
Output=rafeOS-server
|
||||
ManifestFormat=json,changelog
|
||||
ImageId=rafeOS
|
||||
SectorSize=4096
|
||||
CompressOutput=xz
|
||||
# For Reproducible Builds
|
||||
Seed=834dd70f55be43cc9934b20fc0b7f7be
|
||||
|
||||
[Content]
|
||||
Bootable=yes
|
||||
SourceDateEpoch=0
|
||||
Autologin=yes
|
||||
BaseTrees=../../mkosi.output/base/
|
||||
Packages=
|
||||
# Control and monitor S.M.A.R.T. enabled ATA and SCSI Hard Drives
|
||||
smartmontools
|
||||
# Pack, ship and run any application as a lightweight container
|
||||
docker
|
||||
|
||||
KernelCommandLine=
|
||||
# Output fewer messages during boot. Errors will not be suppressed.
|
||||
quiet
|
||||
# prevents access to a shell if boot fails
|
||||
rd.shell=0
|
||||
# prevents access to a shell if the root is corrupt
|
||||
rd.emergency=reboot
|
||||
# reboots system 30 seconds after a kernel panic
|
||||
panic=30
|
||||
# enable apparmor
|
||||
lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256
|
|
@ -0,0 +1,2 @@
|
|||
[Network]
|
||||
IPv6PrivacyExtensions=yes
|
|
@ -0,0 +1,5 @@
|
|||
[Match]
|
||||
Name=en*
|
||||
|
||||
[Network]
|
||||
DHCP=yes
|
|
@ -0,0 +1 @@
|
|||
enable docker.service
|
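Review bot: `Autologin=yes` in the `[Content]` section of the server image logs the root user in on the console without authentication, which undercuts the `rd.shell=0` and `rd.emergency=reboot` kernel arguments added in the same file to keep a shell away from whoever reaches the console. If it exists for local test boots, move it into a profile or a local drop-in rather than the shipped image definition, or comment it out here: `#Autologin=yes  # root console autologin; enable only in a local test drop-in`. The same setting is present in mkosi.images/workstation/mkosi.conf.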
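--- a/mkosi.images/server/mkosi.postinst.chroot
+++ b/mkosi.images/server/mkosi.postinst.chroot
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+echo "VARIANT_ID=server" >> /etc/os-release
+
+# Use systemd-resolved as dns backend for NetworkManager (auto-detected)
+ln -sl /run/systemd/resolve/stub-resolve.conf /etc/resolv.conf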
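Review bot: The `ln` on the last line cannot succeed as written: GNU `ln` has no `-l` option (the dereference flags are `-L`/`-P`), so `ln -sl` aborts with an invalid-option error, and the link target `stub-resolve.conf` is misspelled — systemd-resolved provides `/run/systemd/resolve/stub-resolv.conf`. The script has no `set -e`, so a later failure on this path would leave the image with a dangling `/etc/resolv.conf`; use `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf` (`-f` because the base tree may already ship that file). The comment's mention of NetworkManager also looks wrong for this image, whose network setup on the page is a systemd-networkd `.network` unit while NetworkManager is only in the workstation package list — `# Point /etc/resolv.conf at the systemd-resolved stub listener` would be accurate.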
206
mkosi.images/workstation/mkosi.conf
Normal file
206
mkosi.images/workstation/mkosi.conf
Normal file
|
@ -0,0 +1,206 @@
|
|||
[Config]
|
||||
Dependencies=base
|
||||
|
||||
[Output]
|
||||
Format=disk
|
||||
Output=rafeOS-workstation
|
||||
ManifestFormat=json,changelog
|
||||
ImageId=rafeOS
|
||||
SectorSize=4096
|
||||
CompressOutput=xz
|
||||
# For Reproducible Builds
|
||||
Seed=834dd70f55be43cc9934b20fc0b7f7be
|
||||
|
||||
[Content]
|
||||
Bootable=yes
|
||||
SourceDateEpoch=0
|
||||
Autologin=yes
|
||||
BaseTrees=../../mkosi.output/base/
|
||||
Packages=
|
||||
# A utility for reading man pages
|
||||
man-db
|
||||
# Linux man pages
|
||||
man-pages
|
||||
# Splash screena at boot
|
||||
plymouth
|
||||
|
||||
# Additional File systems
|
||||
dosfstools
|
||||
ntfs-3g
|
||||
exfatprogs
|
||||
sshfs
|
||||
|
||||
# OpenPrinting CUPS - daemon package
|
||||
cups
|
||||
# cups: to browse the network for remote CUPS queues and IPP network printers
|
||||
cups-browsed
|
||||
# Library that provides generic access to USB devices
|
||||
# cups: for usb printer backend
|
||||
libusb
|
||||
# Scanner Access Now Easy
|
||||
sane
|
||||
# sane: SANE backend for AirScan (eSCL) and WSD document scanners
|
||||
sane-airscan
|
||||
# cups, sane-airscan: allows to send HTTP requests via a USB connection on devices without Ethernet or WiFi connections
|
||||
ipp-usb
|
||||
|
||||
# Daemons for the bluetooth protocol stack
|
||||
bluez
|
||||
|
||||
# Low-latency audio/video router and processor
|
||||
pipewire
|
||||
# PulseAudio replacement
|
||||
pipewire-pulse
|
||||
# JACK replacement
|
||||
pipewire-jack
|
||||
# gnome-shell: Screen recording
|
||||
gst-plugin-pipewire
|
||||
|
||||
# Manage user directories like ~/Desktop and ~/Music
|
||||
xdg-user-dirs
|
||||
# Creates user dirs and asks to relocalize them
|
||||
xdg-user-dirs-gtk
|
||||
# Command line tools that assist applications with a variety of desktop integration tasks
|
||||
xdg-utils
|
||||
# Desktop integration portals for sandboxed apps
|
||||
xdg-desktop-portal
|
||||
# A backend implementation for xdg-desktop-portal for the GNOME desktop environment
|
||||
xdg-desktop-portal-gnome
|
||||
|
||||
# Spell checker and morphological analyzer library and program
|
||||
hunspell
|
||||
hunspell-de
|
||||
hunspell-en_gb
|
||||
hunspell-en_us
|
||||
|
||||
# Command-line copy/paste utilities for Wayland
|
||||
wl-clipboard
|
||||
# wl-clipboard: for type inference in wl-paste
|
||||
mailcap
|
||||
|
||||
# Fallback font with huge coverage and colored emojis
|
||||
noto-fonts
|
||||
noto-fonts-extra # additional variants (condensed, semi-bold, extra-light)
|
||||
noto-fonts-cjk # CJK characters
|
||||
noto-fonts-emoji # Emoji characters
|
||||
|
||||
# Font family which aims at metric compatibility with Arial, Times New Roman, and Courier New
|
||||
ttf-liberation
|
||||
|
||||
## GNOME
|
||||
# Display manager and login screen
|
||||
gdm
|
||||
# D-Bus service to access fingerprint readers
|
||||
# gdm: fingerprint authentication
|
||||
fprintd
|
||||
# Next generation desktop shell
|
||||
gnome-shell
|
||||
# Extensions for GNOME shell
|
||||
gnome-shell-extensions
|
||||
# AppIndicator/KStatusNotifierItem support for GNOME Shell
|
||||
gnome-shell-extension-appindicator
|
||||
# gnome-shell-extension-appindicator: support GTK+3 applications
|
||||
libappindicator-gtk3
|
||||
# Extension for GNOME Shell to disable screensaver and auto suspend
|
||||
gnome-shell-extension-caffeine
|
||||
# Helps you to set up your OS when you boot for the first time
|
||||
gnome-initial-setup
|
||||
# Stores passwords and encryption keys
|
||||
gnome-keyring
|
||||
# Credential manager
|
||||
seahorse
|
||||
# GNOME's main interface to configure various aspects of the desktop
|
||||
gnome-control-center
|
||||
# View current processes and monitor system state
|
||||
gnome-system-monitor
|
||||
# gnome-control-center: screen sharing
|
||||
gnome-remote-desktop
|
||||
# gnome-control-center: network settings
|
||||
networkmanager
|
||||
# networkmanager: firewall support
|
||||
firewalld
|
||||
# DNS-SD, mostly for printers, i.e. CUPS. Service discovery is
|
||||
# handled by Avahi, name resolution by systemd-resolved.
|
||||
avahi
|
||||
# gnome-control-center: remote login
|
||||
openssh
|
||||
# gnome-control-center: power profiles
|
||||
power-profiles-daemon
|
||||
# gnome-control-center: printer settings
|
||||
system-config-printer
|
||||
# Software framework for implementing USB device authorization policies
|
||||
# gnome-settings-daemon: USB protection support
|
||||
usbguard
|
||||
# Default file manager for GNOME
|
||||
nautilus
|
||||
# gnome-online-accounts (e.g. NextCloud) support
|
||||
gvfs-goa
|
||||
# gphoto2 (PTP camera/MTP media player) support
|
||||
gvfs-gphoto2
|
||||
# MTP device support
|
||||
gvfs-mtp
|
||||
# NFS support
|
||||
gvfs-nfs
|
||||
# SMB/CIFS (Windows client) support
|
||||
gvfs-smb
|
||||
# Filesystem indexer and metadata extractor
|
||||
# nautilus: Full text search and metadata-based renaming
|
||||
tracker3-miners
|
||||
# Create and modify archives
|
||||
file-roller
|
||||
# file-roller: lrzip archive support
|
||||
lrzip
|
||||
# file-roller: 7z, arj, exe and encrypted zip files support
|
||||
p7zip
|
||||
# Basic applications
|
||||
gnome-backgrounds
|
||||
gnome-themes-extra # For adwaita-dark
|
||||
gnome-characters
|
||||
gnome-screenshot
|
||||
gnome-maps
|
||||
gnome-clocks
|
||||
gnome-weather
|
||||
gnome-calendar
|
||||
gnome-contacts
|
||||
gnome-console
|
||||
gnome-disk-utility
|
||||
gnome-calculator
|
||||
gnome-text-editor
|
||||
gnome-firmware
|
||||
gnome-logs
|
||||
gnome-software # for flatpak management
|
||||
gnome-tweaks
|
||||
# Help viewer, i.e. Mallard, DocBook, man, info, and HTML documents
|
||||
yelp
|
||||
# Document viewer
|
||||
# xdg-desktop-portal-gnome: Print previews
|
||||
evince
|
||||
# Image viewer
|
||||
loupe
|
||||
# Simple scanning utility
|
||||
simple-scan
|
||||
# A graphical directory tree analyzer
|
||||
baobab
|
||||
# Take pictures and videos
|
||||
snapshot
|
||||
# Video player
|
||||
totem
|
||||
|
||||
flatpak
|
||||
|
||||
KernelCommandLine=
|
||||
# Output fewer messages during boot. Errors will not be suppressed.
|
||||
quiet
|
||||
# prevents access to a shell if boot fails
|
||||
rd.shell=0
|
||||
# prevents access to a shell if the root is corrupt
|
||||
rd.emergency=reboot
|
||||
# reboots system 30 seconds after a kernel panic
|
||||
panic=30
|
||||
# enable apparmor
|
||||
lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256
|
||||
|
||||
RemoveFiles=
|
||||
/usr/share/xsessions/
|
||||
/usr/share/glib-2.0/schemas/org.gnome.shell.extensions.apps-menu.gschema.xml
|
||||
/usr/share/gnome-shell/extensions/apps-menu@gnome-shell-extensions.gcampax.github.com/
|
|
@ -0,0 +1,2 @@
|
|||
[connection]
|
||||
ipv6.ip6-privacy=2
|
|
@ -0,0 +1,2 @@
|
|||
[connection]
|
||||
ipv6.dhcp-duid=stable-uuid
|
|
@ -0,0 +1,7 @@
|
|||
[connection]
|
||||
# Enable mDNS resolving (1) on all interfaces by default, but do not enable
|
||||
# mDNS responding, i.e. do not register an mDNS hostname for this connection (2)
|
||||
#
|
||||
# We use systemd-resolved only for resolution because responding is handled by
|
||||
# Avahi for proper discovery.
|
||||
connection.mdns=1
|
|
@ -0,0 +1,3 @@
|
|||
[Resolve]
|
||||
# Resolve mDNS hostnames via resolved, but leave the rest to Avahi
|
||||
MulticastDNS=resolve
|
|
@ -0,0 +1,3 @@
|
|||
[Resolve]
|
||||
# Enable and enforce DNSSEC
|
||||
DNSSEC=allow-downgrade
|
|
@ -0,0 +1,3 @@
|
|||
disable systemd-networkd.service
|
||||
enable NetworkManager.service
|
||||
enable gdm.service
|
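Review bot: In the `[Resolve]` drop-in that sets `DNSSEC=allow-downgrade`, the comment `# Enable and enforce DNSSEC` overstates the setting: `allow-downgrade` validates only while the upstream resolver demonstrates DNSSEC support and silently falls back to unvalidated answers otherwise, so nothing is enforced. Either correct the comment to `# Validate DNSSEC opportunistically; falls back to unsigned answers when the upstream lacks support` or, if enforcement is the goal, use `DNSSEC=yes` and accept that name resolution fails behind resolvers without DNSSEC. The file name of this hunk is not shown on the page.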
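--- a/mkosi.images/workstation/mkosi.postinst.chroot
+++ b/mkosi.images/workstation/mkosi.postinst.chroot
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+echo "VARIANT_ID=workstation" >> /etc/os-release
+
+# Reconfigure wireless drivers to respect the regulatory domain of Germany
+# See: https://wiki.archlinux.org/title/Network_configuration/Wireless#Respecting_the_regulatory_domain
+sed -i 's/^#\(WIRELESS_REGDOM="DE"\)/\1/' /etc/conf.d/wireless-regdom
+
+plymouth-set-default-theme bgrt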
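Review bot: The script runs without `set -eu`, so a failure of the `sed` on `/etc/conf.d/wireless-regdom` (file missing, unwritable) is masked by the exit status of the later `plymouth-set-default-theme` and the image ships silently misconfigured; add `set -eu` directly after the shebang. Note too that `sed` exits 0 when the pattern simply does not match, so the edit is only confirmed by a check such as `grep -q '^WIRELESS_REGDOM="DE"' /etc/conf.d/wireless-regdom` afterwards; the command also assumes the stock file contains exactly `#WIRELESS_REGDOM="DE"`, which a comment should say. mkosi.images/server/mkosi.postinst.chroot has the same missing `set -eu`.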
28
mkosi.key
28
mkosi.key
|
@ -1,28 +0,0 @@
|
|||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgr3uWd5gDNBh1
|
||||
dSWCfCJ+zluKdMcflHzaQIcmvldBa23qBWCWSuPsS/dIYhZH20uWL0EPvdiWQ3WG
|
||||
BCiThJ9CGl4nneVJXzMrP+2L2cyTHFxlUeE7sfyA6D6e8a5lKn0H0KpicpMlfl6Q
|
||||
mPZ3htn0uPGlruyXNmbYprULxuuQPRSt28gQBWzTaq59XbaThSi7mMw00pWtLexf
|
||||
jDcwmmzn9Z+nyCaVXn/9sStE9PZf9LL/PWvlkjinWblIPe5LwgY18yrbnyM402ll
|
||||
kJfCKOhZjBlPA5fRslnzMIAn3ocJsrCddvBuEfm+Kwb1VE+tJV12byRiERgtax/v
|
||||
zJ/blziHAgMBAAECggEAOWkpb4PQWMiquoC+A6aFjqf9NfVuVb6wcyxd/X5BX7rZ
|
||||
/SSps1kToVAtDHwbONZF5eWBSfYLJfj5SwY+VyKp4izYmjAEhZgRiLDhFzgcqy0V
|
||||
aA/+uNzpekdAZHq2VCf/nySzU9Ra9aj2cZRtbxxL0G+pywg6OPazfVHm2svaS2Cu
|
||||
iyNX15uNhzE3PW1Z40r30ucG7+KpNKp/h2uP0vLLQEJnHNCHNr5BPb0lzD4supN1
|
||||
FWXTYXf+LBzq1w9yZu7M33dBf4VJxVQSePyRESZcvmy8hQdUdHslX61BLN6BDuE1
|
||||
pnlBVddB86Rl7a0ckwNm163wipUZEycefl5mFd2RXQKBgQDNTjBh2pl10Yc/4/Yh
|
||||
NkFlZPepCD+nwFThhiMaEXwYHYVUDO7zlmqpieCcy1DJpyhhLey0E5lsRlj1jmIB
|
||||
4mGG9/dkhd8tmTZjMi/gcngC6PnQSOEvx3Jac0EaH3ZSH4oNwNEMXu14CekTzYm7
|
||||
RlwnlOsDR3B4rwPR0tob8eU3VQKBgQDIXMSgkFBUlclRyLBEgLdfPOfocueHA/Jm
|
||||
MHaKzPNlOlR9I7z0I7hj2+W6TnTfqfGWlPYIJYzOiuAIKTJnQsPc82iYlqwCV7nC
|
||||
FRqldf7LZlrVg8Fh3tb2JghC/GljZE82cvBFCH6O2LtELE/IpKUOjeXjn1igwl2w
|
||||
IePjNPS4awKBgQCMjaH77A8xpN+mMue3NxCwXN5cf4Qs0TSLLSzs1NmTHOrBbxVL
|
||||
+EdPiFAYp+zIEUNIvIsXgW+Au+x9OBwK1DQWlb5tuGThL8oXQS2byGI3A8669JoN
|
||||
/spf+BWyz6VOdb8qyT2U7Yw/qPFDmGxZpMLEamQ2W3s5c//2bxbZGNLm/QKBgCB2
|
||||
Nz00ZG9v3TAs7bILkKoTehdFFpHfZ9R6oZoXXo/WBX5I3gJID0XOiMfIklLye7vD
|
||||
4qCrRMbp5SYtVoc4X/daUGX4c2HlyKjTNn/8QA3ARZM2R4yNyBIVU11W+9QomlTe
|
||||
BmOI3shSAPUooLyHQF69SrO4S2mwU/GHbB6Ro9yFAoGAYL0gbjGDsDIDkS4GEfFf
|
||||
+2LiWgFEj9rJ61q1HqlyCexmvq4cFVqiU0qqQYepT6LsI2u7U9tyJm6x7neFkCJV
|
||||
Whq+L+w88PKg99U3nCK4q0ZlYzUolapz3qAqs65nMKTmtQx5doUUijwRdwQxmfF3
|
||||
JGsX7imrsv154qC2E244mdU=
|
||||
-----END PRIVATE KEY-----
|
|
@ -1,6 +1,6 @@
|
|||
[Partition]
|
||||
Type=usr
|
||||
Label=%M_%A
|
||||
Label=%M-%W_%A
|
||||
SizeMinBytes=3G
|
||||
SizeMaxBytes=3G
|
||||
Minimize=best
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
[Partition]
|
||||
Type=usr-verity
|
||||
Label=%M_%A
|
||||
Label=%M-%W_%A
|
||||
SizeMinBytes=256M
|
||||
SizeMaxBytes=256M
|
||||
Minimize=best
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
[Partition]
|
||||
Type=usr-verity-sig
|
||||
Label=%M_%A
|
||||
Label=%M-%W_%A
|
||||
Verity=signature
|
||||
VerityMatchKey=usr
|
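--- a/signing-keys/genkeys.sh
+++ b/signing-keys/genkeys.sh
@@ -0,0 +1,78 @@
+#!/bin/sh
+# Automates the generation of keys in the context of Secure Boot.
+# The script utilizes the elliptic curve algorithm with the NIST
+# P-384 curve (prime384v1) for key generation.
+#
+# UEFI Specification: https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html#firmware-os-crypto-algorithm-exchange
+
+set -eu
+
+IMAGE_ID="rafeOS"
+
+generate_key_pair() {
+# Parameters
+FILENAME_PREFIX="$1"
+SUBJECT="$2"
+
+# Check if parameters are provided
+if [ -z "$FILENAME_PREFIX" ] || [ -z "$SUBJECT" ]; then
+echo "Usage: generate_key_pair <filename_prefix> <subject>"
+exit 2
+fi
+
+# Default filenames
+PRIVATE_KEY_FILE="${IMAGE_ID}_${FILENAME_PREFIX}.key"
+CERTIFICATE_FILE="${IMAGE_ID}_${FILENAME_PREFIX}.crt"
+
+# Period of validity (in days) for the created certificate.
+# Defaults to 3650, i.e. 10 years.
+CERT_VALIDITY_DAYS=3650
+
+# Check if both private key and certificate files exist
+if [ -e "$PRIVATE_KEY_FILE" ] && [ -e "$CERTIFICATE_FILE" ]; then
+echo "$FILENAME_PREFIX: Both private key and certificate files exist."
+elif [ -e "$PRIVATE_KEY_FILE" ]; then
+# Only private key exists, generate certificate
+openssl req -new -key "$PRIVATE_KEY_FILE" -out "$CERTIFICATE_FILE" \
+-subj "$SUBJECT" -sha256 -days "$CERT_VALIDITY_DAYS"
+echo "$FILENAME_PREFIX: Certificate generated for $PRIVATE_KEY_FILE."
+
+# Set permissions for the new files
+chmod 0400 "$PRIVATE_KEY_FILE" "$CERTIFICATE_FILE"
+else
+# Neither private key nor certificate exists, generate both
+openssl req -newkey ec \
+-pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve \
+-noenc -keyout "$PRIVATE_KEY_FILE" \
+-new -x509 -sha256 \
+-days "$CERT_VALIDITY_DAYS" \
+-subj "$SUBJECT" \
+-out "$CERTIFICATE_FILE"
+echo "$FILENAME_PREFIX: Private key and certificate generated with filenames: $PRIVATE_KEY_FILE, $CERTIFICATE_FILE."
+
+# Set permissions for the new files
+chmod 0400 "$PRIVATE_KEY_FILE" "$CERTIFICATE_FILE"
+fi
+}
+
+generate_mok_keys() {
+generate_key_pair "mok" "/CN=$IMAGE_ID MOK"
+}
+
+if [ "$#" -ne 1 ]; then
+echo "Usage: $0 <mok|all>"
+exit 1
+fi
+
+case "$1" in
+"mok")
+generate_mok_keys
+;;
+"all")
+generate_mok_keys
+;;
+*)
+echo "Error: Invalid value for <mok|all>."
+exit 1
+;;
+esac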
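Review bot: The key-only branch (`elif [ -e "$PRIVATE_KEY_FILE" ]`) produces a certificate request, not a certificate: `openssl req -new -key … -out …` without `-x509` writes a PKCS#10 CSR, so `$CERTIFICATE_FILE` would begin with `BEGIN CERTIFICATE REQUEST` and mkosi's `SecureBootCertificate=`/`VerityCertificate=` would not accept it; change that line to `openssl req -new -x509 -key "$PRIVATE_KEY_FILE" -out "$CERTIFICATE_FILE" \`. The header comment names the curve `prime384v1`, which is not an OpenSSL curve identifier — P-384 is `secp384r1`, and the `ec_paramgen_curve:P-384` alias used below is what actually selects it. The private key is created under the caller's umask and only tightened by the later `chmod 0400`; a `umask 077` next to `set -eu` closes that window, and the `-noenc` flag needs OpenSSL 3.0 or newer (earlier releases spell it `-nodes`), which the header could state. Finally, if a stale `.crt` exists without its `.key`, the `else` branch silently overwrites it with a certificate for a brand-new key, so a warning in that branch would help operators notice a rotated identity.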