1.8 KiB
Create and sign a unified EFI executable
Description
This script (create-unified-kernel.sh) combines the Linux kernel and initrd images and creates a unified image which is then signed for secure boot. The image is created under /efi/EFI/Linux/linux.efi.
The script makes a number of assumptions about the system. Notably:
- The system is based on Arch Linux
- The system has boot parameters in
/etc/cmdline(minimal example provided in this repo - modify to your needs) - The system has secure boot keys in
/etc/secureboot - The system has the
sbsigntoolsandbinutilspackages installed - The system is using the stock kernel (kernel in
/boot/vmlinuz-linuxand initramfs in/boot/initramfs-linux.img)
Fortunately, the script is minimal - it's easy to understand and modify to your specific scenario. Specifically, the VARIANT variable defined at the top of the script is probably of most interest to you - this can be used to specify custom kernel builds, a la VARIANT="-zen".
You'll also need to actually use efibootmgr or similar to create the EFI boot entry. Something like so:
efibootmgr --create --disk /dev/nvme0n1 --part 1 --label "Arch" --loader '\EFI\Linux\linux.efi' --verbose
A convenience pacman hook is provided. This can be copied over:
mkdir -p /etc/pacman.d/hooks/
cp 999-sign-kernel.hook /etc/pacman.d/hooks/
Use case
I have full disk crypto set up using LUKS2. The entire rootfs is encrypted, including boot. Decryption is handled by systemd, using the sd-encrypt mkinitcpio hook. I leverage secure boot and EFISTUB to combine the entire boot chain into one EFI executable and sign it, thus preventing any tampering of the boot chain before I boot into the root filesystem.