@sharethewisdom
Last active September 20, 2019 12:23
mkinitcpio patch
[Trigger]
Type = File
Operation = Install
Operation = Upgrade
Target = usr/bin/mkinitcpio
[Action]
Description = Patching /usr/bin/mkinitcpio
When = PostTransaction
Exec = /usr/bin/patch /usr/bin/mkinitcpio /root/mkinitcpio.patch

mkinitcpio.patch

Patch for the mkinitcpio script to sign kernels and initramfs images after compression.

To apply the patch, use the included pacman hook: put the patch in /root, put the hook in /etc/pacman.d/hooks/ (pacman only reads files there that end in .hook) and reinstall the mkinitcpio package. Also add NoUpgrade = etc/mkinitcpio.conf (no leading slash) to /etc/pacman.conf, so that you never build an image from a config the package default has silently overwritten.

Obviously, this only works once you have generated a GPG keypair with --homedir /root/keys and stored its passphrase in /root/keys/passphrase, which is where the patch reads it from. Keep that directory root-only (mode 700): whoever can read it can sign boot images.

  • follow the instructions from Fedja Beader's guide GRUB secure boot with GPG:

    The security of this setup depends on a good GRUB password as GPG signature checking can be disabled through the interactive console:

    set check_signatures=no
    
  • double-check that /boot/boot.key is trusted (that GRUB does not itself require a signature for it)

  • prepare for the day you cannot boot because of mismatched signatures: keep your (strong) GRUB passphrase somewhere you can reach it without this machine, so you can get to the GRUB command line and run set check_signatures=no when the signatures don't match.

  • if the patch applied, run mkinitcpio by hand (mkinitcpio -P rebuilds all presets) and check the result with gpg --homedir /root/keys --verify /boot/vmlinuz-linux.sig and gpg --homedir /root/keys --verify /boot/initramfs-linux.img.sig; an unsigned or stale image must make the verify fail.
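The procedure above (a keypair under /root/keys with its passphrase next to it, signing an image only when no valid .sig exists, checking with gpg --verify) can be rehearsed end to end on throwaway files before touching /boot. The script below is an added example, not part of the gist or of the patch; it assumes GnuPG 2.1 or newer, uses a temporary directory in place of /root/keys and /boot, and signs constructed stand-in files instead of real kernel images (the passphrase and key identity are constructed too). It also goes a step beyond the text: it shows that the .sig of a rebuilt image stops verifying (which is what makes the patch re-sign it) and that a verifier without the public key rejects a perfectly valid signature.

```shell
#!/bin/sh
# Added example, not code from the gist: it exercises the "sign only when the
# .sig is missing or no longer verifies" logic of the patch against throwaway
# files, so the flow can be tried without touching /boot or /root/keys.
# Assumes GnuPG 2.1+ (for --quick-generate-key and ed25519); every path below
# is a temp-dir stand-in for the real one, and the passphrase is constructed.
set -eu

setup() {
    WORK=$(mktemp -d)
    KEYS="$WORK/keys"      # stands in for /root/keys
    BOOT="$WORK/boot"      # stands in for /boot
    trap teardown EXIT
    mkdir -p "$KEYS" "$BOOT"
    chmod 700 "$KEYS"      # private key and passphrase must be root-only
    printf '%s\n' 'correct horse battery staple' > "$KEYS/passphrase"
    chmod 600 "$KEYS/passphrase"
    echo allow-loopback-pinentry > "$KEYS/gpg-agent.conf"
    # Unattended signing-only key, protected by the passphrase file exactly as
    # the patch expects (constructed test identity, never expires).
    gpg --homedir "$KEYS" --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$KEYS/passphrase" \
        --quick-generate-key 'boot signing (test) <boot@example.invalid>' \
        ed25519 sign 0 >/dev/null
}

teardown() {
    GNUPGHOME="$KEYS" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

# Detached-sign $1 unless a signature that still matches the file exists.
# Prints "signed" or "up-to-date"; returns 1 when gpg fails to sign.
sign_if_needed() {
    f=$1
    if [ -f "$f.sig" ] && gpg --homedir "$KEYS" --verify "$f.sig" "$f" >/dev/null 2>&1; then
        echo up-to-date
        return 0
    fi
    gpg --homedir "$KEYS" --yes --batch --pinentry-mode loopback \
        --passphrase-file "$KEYS/passphrase" --detach-sign "$f" || return 1
    echo signed
}

# The check GRUB performs with check_signatures=enforce: file $1 against
# $1.sig, using the keyring in $2 (defaults to the signing keyring).
verify_image() {
    gpg --homedir "${2:-$KEYS}" --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Walk through the lifecycle of a kernel/initramfs pair: first signing, a
# no-op re-run, a rebuilt image that invalidates its old signature, and a
# verifier without the public key. Prints "ok" and returns 0 when all behave.
run_demo() {
    setup || return 1
    kern="$BOOT/vmlinuz-linux"
    initrd="$BOOT/initramfs-linux.img"
    printf 'constructed kernel image\n' > "$kern"
    printf 'constructed initramfs\n' > "$initrd"

    [ "$(sign_if_needed "$kern")" = signed ] || return 1
    [ "$(sign_if_needed "$initrd")" = signed ] || return 1
    verify_image "$kern" || return 1
    verify_image "$initrd" || return 1

    # Unchanged files keep their signatures; nothing is re-signed.
    [ "$(sign_if_needed "$kern")" = up-to-date ] || return 1

    # A rebuilt (or tampered) kernel no longer matches its old .sig ...
    printf 'rebuilt kernel image\n' > "$kern"
    if verify_image "$kern"; then return 1; fi
    # ... so the next run re-signs it and verification passes again.
    [ "$(sign_if_needed "$kern")" = signed ] || return 1
    verify_image "$kern" || return 1

    # A keyring without the public key rejects a good signature, which is
    # why the public key has to be embedded in (and trusted by) GRUB.
    EMPTY="$WORK/empty"
    mkdir -p "$EMPTY" && chmod 700 "$EMPTY"
    if verify_image "$kern" "$EMPTY"; then return 1; fi

    teardown
    trap - EXIT
    echo ok
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo 'gpg not installed, nothing to demonstrate' >&2
fi
```

Nothing outside the temporary directory is touched, so it can be run as an unprivileged user. On the real system the same pieces map onto: key generation once, sign_if_needed after every mkinitcpio run (what the patch does for $out and the matching vmlinuz), and verify_image for the check in the last bullet.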

--- /usr/bin/mkinitcpio 2019-09-14 21:10:15.000000000 +0200
+++ mkinitcpio 2019-09-14 21:10:15.000000000 +0200
@@ -241,6 +241,26 @@
error "Image generation FAILED: %s" "$errmsg"
elif (( _builderrors == 0 )); then
msg "Image generation successful"
+ sleep .1
+ if [ ! -f $out.sig ] || \
+ ! `gpg --homedir /root/keys --verify "$out.sig" 1>/dev/null 2>&1`; then
+ msg "Signing updated $out ..."
+ /usr/bin/gpg --yes --no-options --disable-dirmngr \
+ --detach-sign --pinentry loopback --batch \
+ --passphrase-file /root/keys/passphrase --homedir /root/keys "$out"
+ [ $? -gt 0 ] && error "$out is not signed!"
+ fi
+ kernelimg=/boot/vmlinuz-${out#*-}
+ kernelimg=${kernelimg%.img}
+ kernelimg=${kernelimg%-fallback}
+ if [ ! -f ${kernelimg}.sig ] || \
+ ! `gpg --homedir /root/keys --verify ${kernelimg}.sig 1>/dev/null 2>&1`; then
+ msg "Signing updated kernel $kernelimg ..."
+ /usr/bin/gpg --yes --no-options --disable-dirmngr \
+ --detach-sign --pinentry loopback --batch \
+ --passphrase-file /root/keys/passphrase --homedir /root/keys $kernelimg
+ [ $? -gt 0 ] && error "$kernelimg is not signed!"
+ fi
fi
}
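Review bot: the stale-signature tests at `! \`gpg --homedir /root/keys --verify "$out.sig" 1>/dev/null 2>&1\`` and the twin for `${kernelimg}.sig` should not wrap gpg in backticks: with all output redirected the substitution expands to an empty command, and the branch only works because bash then falls back to the exit status of the last command substitution; write it as `! gpg --homedir /root/keys --verify "$out.sig" >/dev/null 2>&1`. Three smaller points in the same hunk: `$out.sig` and `$kernelimg` are unquoted in the `[ ! -f ... ]` tests and in the second `--detach-sign` while `"$out"` is quoted in the first; `--pinentry loopback` only works through gpg's prefix matching of long options, the documented spelling is `--pinentry-mode loopback`; and the `sleep .1` has no comment saying what it waits for. The kernel path is also derived from the initramfs file name (`/boot/vmlinuz-${out#*-}` with `.img` and `-fallback` stripped) rather than from the kernel that was actually packed, so an image written with `-g` to a non-standard path, or a preset that does not follow the `initramfs-<name>.img` convention, signs or fails on the wrong file; at least state that assumption. Finally, `--passphrase-file /root/keys/passphrase` next to the private key makes the passphrase protection nominal: anyone who can read that directory can sign boot images, so it needs to be root-only.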