commit 61e008a0f892ea5a764dfae7b00f9d32eada70e7
parent 407dbda2f9bd499f0c33372bdcf02c122ea5a634
Author: mrgrouse <bdmfegys@duck.com>
Date: Mon, 13 May 2024 00:38:21 -0400
arch-secure-boot.sh: add echo with descriptions for each step for user's view; add comments for future plans
Diffstat:
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/arch-secure-boot.sh b/arch-secure-boot.sh
@@ -2,34 +2,45 @@
### PRE RUN INSTRUCTIONS ###
# clear secure boot keys in uefi/enter setup mode
+# TODO: add if statement to check if secure boot keys are cleared; probably use
+echo "In UEFI, clear the secure boot keys and disable secure boot. Then boot into this OS."
+echo "Rebooting..."
systemctl reboot --firmware-setup
-# disable secure boot
-
-# boot into installation
# reinstalls grub, replace esp with your boot directory
+echo "Reinstalling grub..."
grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=Artix --modules="tpm" --disable-shim-lock
# remove existing files with Rcns
# TODO: get which aur helper exists on system
+echo "Cleaning existing secure boot files..."
pacman -Rcns sbctl || paru -Rcns sbctl-git
pacman -S sbctl || paru -S sbctl-git
# generate keys
+echo "Creating secure boot keys with:"
+echo "\t sbctl create-keys"
sbctl create-keys
# enroll keys to hardware
+echo "Enrolling Microsoft secure boot keys with:"
+echo "\t sbctl enroll-keys -m"
sbctl enroll-keys -m
# outputs files to sign from database
+echo "Files to be signed:"
sbctl list files
# sign those files
# TODO: auto sign files
+echo "Signing EFI files with:"
+echo "\t sbctl sign -s"
sbctl sign -s # <- vmlinuz and files from the above command
# checks if all are signed
+echo "Verifying signed EFI files with:"
+echo "\t sbctl verify"
sbctl verify # its okay if it doesnt work it wont break anything if ESP drive not found
echo "Reboot to UEFI and enable secure boot!"
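Review bot: Nothing ends the run after `systemctl reboot --firmware-setup`, so the grub-install and sbctl steps that the new messages announce are started in the same invocation while the reboot is pending, and a second run after firmware setup would reboot again; the TODO added just above it is also cut off at "probably use". Gate that block on a setup-mode check and stop there, for example `systemctl reboot --firmware-setup; exit 0` inside the branch taken when the firmware is not yet in setup mode. No exit status is checked before the closing "Reboot to UEFI and enable secure boot!", so a failed `sbctl enroll-keys -m` or `sbctl sign -s` (which has no file argument in this hunk) still ends with that instruction; `sbctl enroll-keys -m || exit 1`, and the same on the sign step, would keep the user from enabling Secure Boot with keys not enrolled or boot files unsigned. The four `echo "\t …"` lines print a literal `\t` under bash, assuming the interpreter line outside the hunk selects bash; `printf '\t sbctl create-keys\n'` gives the tab.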