commit 00aa97560d621a65af33bc9678a1a2babadf5fe5 parent c5ee3b867364cd7a2fc0178209f0ca865cef5bb8 Author: mrgrouse <bdmfegys@duck.com> Date: Mon, 13 May 2024 00:18:40 -0400 create arch-secure-boot.sh Diffstat:
| A | arch-secure-boot.sh | | | 35 | +++++++++++++++++++++++++++++++++++ |
1 file changed, 35 insertions(+), 0 deletions(-)
diff --git a/arch-secure-boot.sh b/arch-secure-boot.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+### PRE RUN INSTRUCTIONS ###
+# clear secure boot keys in uefi/enter setup mode
+
+systemctl reboot --firmware-setup
+# disable secure boot
+
+# boot into installation
+
+# reinstalls grub, replace esp with your boot directory
+grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=Artix --modules="tpm" --disable-shim-lock
+
+
+# remove existing files with Rcns
+# TODO: get which aur helper exists on system
+pacman -Rcns sbctl || paru -Rcns sbctl-git
+pacman -S sbctl || paru -S sbctl-git
+
+# generate keys
+sbctl create-keys
+
+# enroll keys to hardware
+sbctl enroll-keys -m
+
+# outputs files to sign from database
+sbctl list files
+
+# sign those files
+# TODO: auto sign files
+sbctl sign -s # <- vmlinuz and files from the above command
+
+# checks if all are signed
+sbctl verify # its okay if it doesnt work it wont break anything if ESP drive not found
+
+echo "Reboot to UEFI and enable secure boot!"
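Review bot: `systemctl reboot --firmware-setup` sits among the pre-run instructions as a live command, so running the script reboots into firmware setup at once and nothing below it executes; it should be a comment like the steps around it, e.g. `# systemctl reboot --firmware-setup`. The rest runs with no error checks: `sbctl enroll-keys -m` still runs if `sbctl create-keys` failed, `sbctl sign -s` has no file argument (its own trailing comment says so), and the closing echo tells the user to enable Secure Boot whatever `sbctl verify` reported. I would stop on failure of the key steps, e.g. `sbctl create-keys || exit 1`, and print the final message only after verify shows every listed file signed (confirm how sbctl reports that in its exit status before gating on it). `--efi-directory=esp` is also a literal placeholder and should be a variable or argument that the script checks is a mounted ESP before calling grub-install.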