Nightshift

.gitignore

@@ -6,11 +6,11 @@ mkosi.output/*
 mkosi.builddir/*
 
 # Build version of the image
-/mkosi.version
+*.version
 
 # Root password for the image
-/mkosi.rootpw
+*.rootpw
 
 # SecureBoot keys for the image
-/mkosi.key
-/mkosi.crt
+*.key
+*.crt

mkosi.conf

@@ -3,74 +3,13 @@ Distribution=arch
 Architecture=x86-64
 CacheOnly=true
 
-[Output]
-Format=disk
-SplitArtifacts=true
-ManifestFormat=json,changelog
-ImageId=rafeOS
-SectorSize=4096
-#CompressOutput=xz
-# For Reproducible Builds
-Seed=834dd70f55be43cc9934b20fc0b7f7be
-
-[Content]
-Bootable=yes
-SourceDateEpoch=0
-Packages=
-	# Minimal package set to define a basic Arch Linux installation
-	base
-	# system and service manager
-	systemd
-	# systemd: show QR codes
-	qrencode
-	# systemd: unlocking LUKS2 volumes with FIDO2 token
-	libfido2
-	# systemd: unlocking LUKS2 volumes with TPM2
-	tpm2-tss
-	# The Linux kernel and modules
-	linux
-	# linux: firmware images needed for some devices
-	linux-firmware
-	# linux: to set the correct wireless channels of your country
-	wireless-regdb
-	# Microcode update image for AMD CPUs
-	amd-ucode
-	# Microcode update image for Intel CPUs
-	intel-ucode
-	# Userspace utilities for linux-erofs file system
-	#erofs-utils
-	# Btrfs filesystem utilities
-	btrfs-progs
-	# Ext2/3/4 filesystem utilities
-	e2fsprogs
-
-RemoveFiles=
-    /usr/include
-    /usr/local
-    /usr/src
-    /usr/lib/cmake
-    /usr/lib/pkgconfig
-
-KernelCommandLine=
-	# prevents access to a shell if boot fails
-	rd.shell=0
-	# prevents access to a shell if the root is corrupt
-	rd.emergency=reboot
-	# reboots system 30 seconds after a kernel panic
-	panic=30
-#	loglevel=8
-
 [Validation]
 SecureBoot=true
-SecureBootKey=mkosi.key
-SecureBootCertificate=mkosi.crt
-#SecureBootKey=/usr/share/secureboot/keys/db/db.key
-#SecureBootCertificate=/usr/share/secureboot/keys/db/db.pem
+SecureBootKey=signing-keys/rafeOS_mok.key
+SecureBootCertificate=signing-keys/rafeOS_mok.crt
 SignExpectedPcr=true
-VerityKey=mkosi.key
-VerityCertificate=mkosi.crt
-#VerityKey=/usr/share/secureboot/keys/db/db.key
-#VerityCertificate=/usr/share/secureboot/keys/db/db.pem
+VerityKey=signing-keys/rafeOS_mok.key
+VerityCertificate=signing-keys/rafeOS_mok.crt
 Checksum=true
 
 [Host]

mkosi.conf.d/90-remove-files.conf

@@ -0,0 +1,7 @@
+[Content]
+RemoveFiles=
+    /usr/include
+    /usr/local
+    /usr/src
+    /usr/lib/cmake
+    /usr/lib/pkgconfig

mkosi.crt

@@ -1,17 +0,0 @@
------BEGIN CERTIFICATE-----
-MIICuzCCAaMCFEjGk1dAn3d720+09bprtDG+mRgWMA0GCSqGSIb3DQEBCwUAMBox
-GDAWBgNVBAMMD21rb3NpIG9mIHRvYmlhczAeFw0yMzEyMDkyMjQ4NDVaFw0yNTEy
-MDgyMjQ4NDVaMBoxGDAWBgNVBAMMD21rb3NpIG9mIHRvYmlhczCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAKCve5Z3mAM0GHV1JYJ8In7OW4p0xx+UfNpA
-hya+V0FrbeoFYJZK4+xL90hiFkfbS5YvQQ+92JZDdYYEKJOEn0IaXied5UlfMys/
-7YvZzJMcXGVR4Tux/IDoPp7xrmUqfQfQqmJykyV+XpCY9neG2fS48aWu7Jc2Ztim
-tQvG65A9FK3byBAFbNNqrn1dtpOFKLuYzDTSla0t7F+MNzCabOf1n6fIJpVef/2x
-K0T09l/0sv89a+WSOKdZuUg97kvCBjXzKtufIzjTaWWQl8Io6FmMGU8Dl9GyWfMw
-gCfehwmysJ128G4R+b4rBvVUT60lXXZvJGIRGC1rH+/Mn9uXOIcCAwEAATANBgkq
-hkiG9w0BAQsFAAOCAQEAjPJIAQ90/MbDC9REWUaAf5eowBELKx5PHg/DFxflskyi
-E9+6w+P3wdUBVGgsJF3dsdIat2oEadgzLRne5YBTfRJcbP2ObeV8uynG1Ay1m53b
-TgjN1vGyTJoVa2+wFx9lsnF5jGFAEHVp1X3DWEcirq3HHUDxJLvNi6Ub0RvSVY9M
-Fw0RyZqmLfjvePVtXYFSbFZbgE0xH+kmXc+cZMiza9LxFNXLdRJikXslJEfl14ni
-XsbDQ77ePyViIpU8oB8WUjtnxNAg10618W0CLgSR62gtnhoz2sniDeRJ6ipxTpJq
-u3ItsPcBD8jFpTlUQrAmTehleZ1vD5dmY3txHFVzcQ==
------END CERTIFICATE-----

mkosi.images/base/mkosi.conf

@@ -0,0 +1,53 @@
+[Output]
+Format=directory
+
+[Content]
+Bootable=no
+CleanPackageMetadata=no
+
+Packages=
+	# Minimal package set to define a basic Arch Linux installation
+	base
+	# Modular initramfs image creation utility
+	mkinitcpio
+	# system and service manager
+	systemd
+	# systemd: show QR codes
+	qrencode
+	# systemd: unlocking LUKS2 volumes with FIDO2 token
+	libfido2
+	# systemd: unlocking LUKS2 volumes with TPM2
+	tpm2-tss
+	# The Linux kernel and modules
+	linux
+	# linux: firmware images needed for some devices
+	linux-firmware
+	# linux: to set the correct wireless channels of your country
+	wireless-regdb
+	# Microcode update image for AMD CPUs
+	amd-ucode
+	# Microcode update image for Intel CPUs
+	intel-ucode
+	# Firmware updates
+	# gnome-control-center: device security panel
+	fwupd
+	# Userspace utilities for linux-erofs file system
+	erofs-utils
+	# Btrfs filesystem utilities
+	btrfs-progs
+	# Ext2/3/4 filesystem utilities
+	e2fsprogs
+	# Userspace components of the audit framework
+	audit
+	# Mandatory Access Control (MAC) using Linux Security Module (LSM)
+	apparmor
+	# Give certain users the ability to run some commands as root
+	sudo
+	# command line tool and library for transferring data with URLs
+	curl
+	# the fast distributed version control system
+	git
+	# Programmable completion for the bash shell
+	bash-completion
+	# Fork of Vim aiming to improve user experience, plugins, and GUIs
+	neovim

mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/50-rafeos-base.preset

@@ -0,0 +1 @@
+enable apparmor.service

mkosi.images/base/mkosi.extra/usr/lib/systemd/system-preset/sysctl.d/40-ipv6-privacy.conf

@@ -0,0 +1,3 @@
+# Enable IPv6 Privacy Extensions
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2

mkosi.images/server/mkosi.conf

@@ -0,0 +1,35 @@
+[Config]
+Dependencies=base
+
+[Output]
+Format=disk
+Output=rafeOS-server
+ManifestFormat=json,changelog
+ImageId=rafeOS
+SectorSize=4096
+CompressOutput=xz
+# For Reproducible Builds
+Seed=834dd70f55be43cc9934b20fc0b7f7be
+
+[Content]
+Bootable=yes
+SourceDateEpoch=0
+Autologin=yes
+BaseTrees=../../mkosi.output/base/
+Packages=
+  	# Control and monitor S.M.A.R.T. enabled ATA and SCSI Hard Drives
+  	smartmontools
+	# Pack, ship and run any application as a lightweight container
+	docker
+
+KernelCommandLine=
+	# Output fewer messages during boot. Errors will not be suppressed.
+	quiet
+	# prevents access to a shell if boot fails
+	rd.shell=0
+	# prevents access to a shell if the root is corrupt
+	rd.emergency=reboot
+	# reboots system 30 seconds after a kernel panic
+	panic=30
+	# enable apparmor
+	lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256

mkosi.images/server/mkosi.extra/usr/lib/systemd/network/50-ipv6-privacy-extensions.conf

@@ -0,0 +1,2 @@
+[Network]
+IPv6PrivacyExtensions=yes

mkosi.images/server/mkosi.extra/usr/lib/systemd/network/90-wired.network

@@ -0,0 +1,5 @@
+[Match]
+Name=en*
+
+[Network]
+DHCP=yes

mkosi.images/server/mkosi.extra/usr/lib/systemd/system-preset/60-rafeos-server.preset

@@ -0,0 +1 @@
+enable docker.service

mkosi.images/server/mkosi.postinst.chroot

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+echo "VARIANT_ID=server" >> /etc/os-release
+
+# Use systemd-resolved as dns backend for NetworkManager (auto-detected)
+ln -sl /run/systemd/resolve/stub-resolve.conf /etc/resolv.conf

mkosi.images/workstation/mkosi.conf

@@ -0,0 +1,206 @@
+[Config]
+Dependencies=base
+
+[Output]
+Format=disk
+Output=rafeOS-workstation
+ManifestFormat=json,changelog
+ImageId=rafeOS
+SectorSize=4096
+CompressOutput=xz
+# For Reproducible Builds
+Seed=834dd70f55be43cc9934b20fc0b7f7be
+
+[Content]
+Bootable=yes
+SourceDateEpoch=0
+Autologin=yes
+BaseTrees=../../mkosi.output/base/
+Packages=
+	# A utility for reading man pages
+	man-db
+	# Linux man pages
+	man-pages
+	# Splash screena at boot
+	plymouth
+
+	# Additional File systems
+	dosfstools
+    ntfs-3g
+    exfatprogs
+	sshfs
+
+	# OpenPrinting CUPS - daemon package
+	cups
+	# cups: to browse the network for remote CUPS queues and IPP network printers
+	cups-browsed
+	# Library that provides generic access to USB devices
+	# cups: for usb printer backend
+	libusb
+	# Scanner Access Now Easy
+    sane
+	# sane: SANE backend for AirScan (eSCL) and WSD document scanners
+	sane-airscan
+	# cups, sane-airscan: allows to send HTTP requests via a USB connection on devices without Ethernet or WiFi connections
+	ipp-usb
+	
+	# Daemons for the bluetooth protocol stack
+    bluez
+
+	# Low-latency audio/video router and processor
+	pipewire
+	# PulseAudio replacement
+    pipewire-pulse
+	# JACK replacement
+	pipewire-jack
+	# gnome-shell: Screen recording
+	gst-plugin-pipewire
+
+    # Manage user directories like ~/Desktop and ~/Music
+    xdg-user-dirs
+	# Creates user dirs and asks to relocalize them
+	xdg-user-dirs-gtk
+	# Command line tools that assist applications with a variety of desktop integration tasks
+    xdg-utils
+	# Desktop integration portals for sandboxed apps
+    xdg-desktop-portal
+	# A backend implementation for xdg-desktop-portal for the GNOME desktop environment
+    xdg-desktop-portal-gnome
+
+    # Spell checker and morphological analyzer library and program
+    hunspell
+    hunspell-de
+    hunspell-en_gb
+    hunspell-en_us
+
+	# Command-line copy/paste utilities for Wayland
+    wl-clipboard
+	# wl-clipboard: for type inference in wl-paste
+	mailcap
+
+    # Fallback font with huge coverage and colored emojis
+    noto-fonts
+    noto-fonts-extra # additional variants (condensed, semi-bold, extra-light)
+    noto-fonts-cjk   # CJK characters
+    noto-fonts-emoji # Emoji characters
+	
+	# Font family which aims at metric compatibility with Arial, Times New Roman, and Courier New
+    ttf-liberation
+
+	## GNOME
+	# Display manager and login screen
+    gdm
+	# D-Bus service to access fingerprint readers
+	# gdm: fingerprint authentication
+	fprintd
+	# Next generation desktop shell
+	gnome-shell
+	# Extensions for GNOME shell
+    gnome-shell-extensions
+	# AppIndicator/KStatusNotifierItem support for GNOME Shell
+    gnome-shell-extension-appindicator
+	# gnome-shell-extension-appindicator: support GTK+3 applications
+	libappindicator-gtk3
+	# Extension for GNOME Shell to disable screensaver and auto suspend
+	gnome-shell-extension-caffeine 
+	# Helps you to set up your OS when you boot for the first time
+	gnome-initial-setup
+	# Stores passwords and encryption keys
+    gnome-keyring
+	# Credential manager
+    seahorse
+	# GNOME's main interface to configure various aspects of the desktop
+    gnome-control-center
+	# View current processes and monitor system state
+    gnome-system-monitor
+	# gnome-control-center: screen sharing
+	gnome-remote-desktop
+	# gnome-control-center: network settings
+	networkmanager
+	# networkmanager: firewall support
+    firewalld
+    # DNS-SD, mostly for printers, i.e. CUPS. Service discovery is
+	# handled by Avahi, name resolution by systemd-resolved.
+    avahi
+	# gnome-control-center: remote login
+	openssh
+	# gnome-control-center: power profiles
+	power-profiles-daemon
+	# gnome-control-center: printer settings
+	system-config-printer
+	# Software framework for implementing USB device authorization policies
+	# gnome-settings-daemon: USB protection support
+	usbguard
+	# Default file manager for GNOME
+    nautilus
+	# gnome-online-accounts (e.g. NextCloud) support
+    gvfs-goa
+	# gphoto2 (PTP camera/MTP media player) support
+    gvfs-gphoto2
+	# MTP device support
+    gvfs-mtp
+	# NFS support
+    gvfs-nfs
+	# SMB/CIFS (Windows client) support
+    gvfs-smb
+	# Filesystem indexer and metadata extractor
+	# nautilus: Full text search and metadata-based renaming
+	tracker3-miners
+	# Create and modify archives
+    file-roller
+	# file-roller: lrzip archive support
+	lrzip
+	# file-roller: 7z, arj, exe and encrypted zip files support
+	p7zip
+	# Basic applications
+    gnome-backgrounds
+    gnome-themes-extra # For adwaita-dark
+    gnome-characters
+    gnome-screenshot
+    gnome-maps
+    gnome-clocks
+    gnome-weather
+    gnome-calendar
+    gnome-contacts
+    gnome-console
+	gnome-disk-utility
+    gnome-calculator
+	gnome-text-editor
+    gnome-firmware
+	gnome-logs
+	gnome-software # for flatpak management
+    gnome-tweaks
+	# Help viewer, i.e. Mallard, DocBook, man, info, and HTML documents
+	yelp
+	# Document viewer
+	# xdg-desktop-portal-gnome: Print previews
+    evince
+	# Image viewer
+    loupe
+	# Simple scanning utility
+    simple-scan
+	# A graphical directory tree analyzer
+    baobab
+	# Take pictures and videos
+	snapshot
+	# Video player
+	totem
+
+	flatpak
+
+KernelCommandLine=
+	# Output fewer messages during boot. Errors will not be suppressed.
+	quiet
+	# prevents access to a shell if boot fails
+	rd.shell=0
+	# prevents access to a shell if the root is corrupt
+	rd.emergency=reboot
+	# reboots system 30 seconds after a kernel panic
+	panic=30
+	# enable apparmor
+	lsm=landlock,lockdown,yama,integrity,apparmor,bpf audit=1 audit_backlog_limit=256
+
+RemoveFiles=
+	/usr/share/xsessions/
+	/usr/share/glib-2.0/schemas/org.gnome.shell.extensions.apps-menu.gschema.xml
+	/usr/share/gnome-shell/extensions/apps-menu@gnome-shell-extensions.gcampax.github.com/

mkosi.images/workstation/mkosi.extra/usr/lib/systemd/NetworkManager/conf.d/50-ip6-privacy.conf

@@ -0,0 +1,2 @@
+[connection]
+ipv6.ip6-privacy=2

mkosi.images/workstation/mkosi.extra/usr/lib/systemd/NetworkManager/conf.d/50-ipv6-dhcp-duid.conf

@@ -0,0 +1,2 @@
+[connection]
+ipv6.dhcp-duid=stable-uuid

mkosi.images/workstation/mkosi.extra/usr/lib/systemd/NetworkManager/conf.d/50-mdns.conf

@@ -0,0 +1,7 @@
+[connection]
+# Enable mDNS resolving (1) on all interfaces by default, but do not enable
+# mDNS responding, i.e. do not register an mDNS hostname for this connection (2)
+#
+# We use systemd-resolved only for resolution because responding is handled by
+# Avahi for proper discovery.
+connection.mdns=1

mkosi.images/workstation/mkosi.extra/usr/lib/systemd/resolved.conf.d/50-avahi.conf

@@ -0,0 +1,3 @@
+[Resolve]
+# Resolve mDNS hostnames via resolved, but leave the rest to Avahi
+MulticastDNS=resolve

mkosi.images/workstation/mkosi.extra/usr/lib/systemd/resolved.conf.d/50-dnssec.conf

@@ -0,0 +1,3 @@
+[Resolve]
+# Enable and enforce DNSSEC
+DNSSEC=allow-downgrade

mkosi.images/workstation/mkosi.extra/usr/lib/systemd/system-preset/60-rafeos-workstation.preset

@@ -0,0 +1,3 @@
+disable systemd-networkd.service
+enable NetworkManager.service
+enable gdm.service

mkosi.images/workstation/mkosi.postinst.chroot

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+echo "VARIANT_ID=workstation" >> /etc/os-release
+
+# Reconfigure wireless drivers to respect the regulatory domain of Germany
+# See: https://wiki.archlinux.org/title/Network_configuration/Wireless#Respecting_the_regulatory_domain
+sed -i 's/^#\(WIRELESS_REGDOM="DE"\)/\1/' /etc/conf.d/wireless-regdom
+
+plymouth-set-default-theme bgrt

mkosi.key

@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCgr3uWd5gDNBh1
-dSWCfCJ+zluKdMcflHzaQIcmvldBa23qBWCWSuPsS/dIYhZH20uWL0EPvdiWQ3WG
-BCiThJ9CGl4nneVJXzMrP+2L2cyTHFxlUeE7sfyA6D6e8a5lKn0H0KpicpMlfl6Q
-mPZ3htn0uPGlruyXNmbYprULxuuQPRSt28gQBWzTaq59XbaThSi7mMw00pWtLexf
-jDcwmmzn9Z+nyCaVXn/9sStE9PZf9LL/PWvlkjinWblIPe5LwgY18yrbnyM402ll
-kJfCKOhZjBlPA5fRslnzMIAn3ocJsrCddvBuEfm+Kwb1VE+tJV12byRiERgtax/v
-zJ/blziHAgMBAAECggEAOWkpb4PQWMiquoC+A6aFjqf9NfVuVb6wcyxd/X5BX7rZ
-/SSps1kToVAtDHwbONZF5eWBSfYLJfj5SwY+VyKp4izYmjAEhZgRiLDhFzgcqy0V
-aA/+uNzpekdAZHq2VCf/nySzU9Ra9aj2cZRtbxxL0G+pywg6OPazfVHm2svaS2Cu
-iyNX15uNhzE3PW1Z40r30ucG7+KpNKp/h2uP0vLLQEJnHNCHNr5BPb0lzD4supN1
-FWXTYXf+LBzq1w9yZu7M33dBf4VJxVQSePyRESZcvmy8hQdUdHslX61BLN6BDuE1
-pnlBVddB86Rl7a0ckwNm163wipUZEycefl5mFd2RXQKBgQDNTjBh2pl10Yc/4/Yh
-NkFlZPepCD+nwFThhiMaEXwYHYVUDO7zlmqpieCcy1DJpyhhLey0E5lsRlj1jmIB
-4mGG9/dkhd8tmTZjMi/gcngC6PnQSOEvx3Jac0EaH3ZSH4oNwNEMXu14CekTzYm7
-RlwnlOsDR3B4rwPR0tob8eU3VQKBgQDIXMSgkFBUlclRyLBEgLdfPOfocueHA/Jm
-MHaKzPNlOlR9I7z0I7hj2+W6TnTfqfGWlPYIJYzOiuAIKTJnQsPc82iYlqwCV7nC
-FRqldf7LZlrVg8Fh3tb2JghC/GljZE82cvBFCH6O2LtELE/IpKUOjeXjn1igwl2w
-IePjNPS4awKBgQCMjaH77A8xpN+mMue3NxCwXN5cf4Qs0TSLLSzs1NmTHOrBbxVL
-+EdPiFAYp+zIEUNIvIsXgW+Au+x9OBwK1DQWlb5tuGThL8oXQS2byGI3A8669JoN
-/spf+BWyz6VOdb8qyT2U7Yw/qPFDmGxZpMLEamQ2W3s5c//2bxbZGNLm/QKBgCB2
-Nz00ZG9v3TAs7bILkKoTehdFFpHfZ9R6oZoXXo/WBX5I3gJID0XOiMfIklLye7vD
-4qCrRMbp5SYtVoc4X/daUGX4c2HlyKjTNn/8QA3ARZM2R4yNyBIVU11W+9QomlTe
-BmOI3shSAPUooLyHQF69SrO4S2mwU/GHbB6Ro9yFAoGAYL0gbjGDsDIDkS4GEfFf
-+2LiWgFEj9rJ61q1HqlyCexmvq4cFVqiU0qqQYepT6LsI2u7U9tyJm6x7neFkCJV
-Whq+L+w88PKg99U3nCK4q0ZlYzUolapz3qAqs65nMKTmtQx5doUUijwRdwQxmfF3
-JGsX7imrsv154qC2E244mdU=
------END PRIVATE KEY-----

mkosi.repart/10-usr.conf

@@ -1,6 +1,6 @@
 [Partition]
 Type=usr
-Label=%M_%A
+Label=%M-%W_%A
 SizeMinBytes=3G
 SizeMaxBytes=3G
 Minimize=best

mkosi.repart/11-usr-verity.conf

@@ -1,6 +1,6 @@
 [Partition]
 Type=usr-verity
-Label=%M_%A
+Label=%M-%W_%A
 SizeMinBytes=256M
 SizeMaxBytes=256M
 Minimize=best

mkosi.repart/12-usr-verity-sig.conf

@@ -1,5 +1,5 @@
 [Partition]
 Type=usr-verity-sig
-Label=%M_%A
+Label=%M-%W_%A
 Verity=signature
 VerityMatchKey=usr

signing-keys/genkeys.sh

@@ -0,0 +1,78 @@
+#!/bin/sh
+# Automates the generation of keys in the context of Secure Boot.
+# The script utilizes the elliptic curve algorithm with the NIST
+# P-384 curve (prime384v1) for key generation.
+# 
+# UEFI Specification: https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html#firmware-os-crypto-algorithm-exchange
+
+set -eu
+
+IMAGE_ID="rafeOS"
+
+generate_key_pair() {
+    # Parameters
+    FILENAME_PREFIX="$1"
+    SUBJECT="$2"
+
+    # Check if parameters are provided
+    if [ -z "$FILENAME_PREFIX" ] || [ -z "$SUBJECT" ]; then
+        echo "Usage: generate_key_pair <filename_prefix> <subject>"
+        exit 2
+    fi
+
+    # Default filenames
+    PRIVATE_KEY_FILE="${IMAGE_ID}_${FILENAME_PREFIX}.key"
+    CERTIFICATE_FILE="${IMAGE_ID}_${FILENAME_PREFIX}.crt"
+
+    # Period of validity (in days) for  the created certificate.
+    # Defaults to 3650, i.e. 10 years.
+    CERT_VALIDITY_DAYS=3650
+
+    # Check if both private key and certificate files exist
+    if [ -e "$PRIVATE_KEY_FILE" ] && [ -e "$CERTIFICATE_FILE" ]; then
+        echo "$FILENAME_PREFIX: Both private key and certificate files exist."
+    elif [ -e "$PRIVATE_KEY_FILE" ]; then
+        # Only private key exists, generate certificate
+        openssl req -new -key "$PRIVATE_KEY_FILE" -out "$CERTIFICATE_FILE" \
+            -subj "$SUBJECT" -sha256 -days "$CERT_VALIDITY_DAYS"
+        echo "$FILENAME_PREFIX: Certificate generated for $PRIVATE_KEY_FILE."
+
+        # Set permissions for the new files
+        chmod 0400 "$PRIVATE_KEY_FILE" "$CERTIFICATE_FILE"
+    else
+        # Neither private key nor certificate exists, generate both
+        openssl req -newkey ec \
+            -pkeyopt ec_paramgen_curve:P-384 -pkeyopt ec_param_enc:named_curve \
+            -noenc -keyout "$PRIVATE_KEY_FILE" \
+            -new -x509 -sha256 \
+            -days "$CERT_VALIDITY_DAYS" \
+            -subj "$SUBJECT" \
+            -out "$CERTIFICATE_FILE"
+        echo "$FILENAME_PREFIX: Private key and certificate generated with filenames: $PRIVATE_KEY_FILE, $CERTIFICATE_FILE."
+
+        # Set permissions for the new files
+        chmod 0400 "$PRIVATE_KEY_FILE" "$CERTIFICATE_FILE"
+    fi
+}
+
+generate_mok_keys() {
+    generate_key_pair "mok" "/CN=$IMAGE_ID MOK"
+}
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <mok|all>"
+    exit 1
+fi
+
+case "$1" in
+    "mok")
+        generate_mok_keys
+        ;;
+    "all")
+        generate_mok_keys
+        ;;
+    *)
+        echo "Error: Invalid value for <mok|all>."
+        exit 1
+        ;;
+esac