#!/usr/bin/python3
import os
import pathlib
import subprocess
import requests
from shutil import copyfile
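def is_arch_based():
    """Check whether the current system looks Arch-based by probing for pacman.

    Runs ``pacman --version`` and treats a successful exit as the signal.

    Returns:
        True if pacman runs and exits 0; False if it is missing, cannot be
        executed, or exits non-zero.
    """
    try:
        # capture_output keeps pacman's version banner off our own stdout
        subprocess.run(["pacman", "--version"], capture_output=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        # OSError covers FileNotFoundError/PermissionError. The original only
        # caught CalledProcessError, so a machine without pacman crashed with
        # a traceback instead of returning False.
        return False
    return True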
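def grab_iso(url="https://geo.mirror.pkgbuild.com/iso/2024.10.01/archlinux-x86_64.iso", timeout=60):
    """Download the Arch ISO into the current directory.

    The file is named after the last path component of ``url`` (the default
    yields ``archlinux-x86_64.iso``). The body is streamed to disk in chunks
    instead of being held entirely in memory, since the image is large.

    Args:
        url: Where to fetch the ISO from; defaults to the pinned 2024.10.01 release.
        timeout: Seconds to wait for the connection and for each read.

    Raises:
        requests.HTTPError: if the server answers with an error status (the
            original wrote whatever body came back, even an error page).
        requests.RequestException: on connection or timeout failures.

    NOTE(review): nothing here checks the download's integrity. Arch publishes
    sha256sums and a PGP signature alongside each release; verify the file
    against those before it is fed to the signing steps.
    """
    filename = url.split('/')[-1]
    with requests.get(url, allow_redirects=True, stream=True, timeout=timeout) as r:
        r.raise_for_status()
        with open(filename, 'wb') as f:
            for chunk in r.iter_content(chunk_size=1 << 20):
                f.write(chunk)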
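def extract_iso(iso_path="../archlinux-x86_64.iso"):
    """Pull the boot images, GRUB, the UEFI shell and the kernel out of the ISO.

    Runs ``osirrox`` against ``iso_path`` in the current directory, which the
    caller is expected to have made the ``archsec`` work dir, then makes the
    extracted files writable so the signing step can overwrite them in place.
    The El Torito boot image(s) are dropped into the current directory as well;
    ``copy_to_image`` later expects ``eltorito_img2_uefi.img`` among them
    (presumably produced by ``-extract_boot_images`` — confirm on a real run).

    Args:
        iso_path: ISO to extract from, relative to the current directory.

    Returns:
        0 on success. A failed ``chmod`` is printed but not fatal (as in the
        original); a failed ``osirrox`` terminates the script.

    Raises:
        SystemExit: status 1 if osirrox fails or is not installed.
    """
    extract_cmd = [
        "osirrox", "-indev", iso_path,
        "-extract_boot_images", "./",
        "-extract", "/EFI/BOOT/BOOTx64.EFI", "grubx64.efi",
        "-extract", "/shellx64.efi", "shellx64.efi",
        "-extract", "/arch/boot/x86_64/vmlinuz-linux", "vmlinuz-linux",
    ]
    # Argument list instead of shell=True: nothing here needs shell parsing,
    # and a missing binary surfaces as OSError rather than a shell exit 127.
    try:
        ret = subprocess.run(extract_cmd, capture_output=True)
    except OSError as err:
        print(f"Error: {err}")
        raise SystemExit(1)
    if ret.returncode != 0:
        print(f"Error: {ret.stderr.decode('utf-8')}")
        raise SystemExit(1)
    # Equivalent of the original `chmod +w *` without a shell: the shell glob
    # skips dotfiles, so do the same.
    targets = [str(p) for p in pathlib.Path(".").iterdir() if not p.name.startswith(".")]
    ret2 = subprocess.run(["chmod", "+w", *targets], capture_output=True)
    if ret2.returncode != 0:
        print(f"Error: {ret2.stderr.decode('utf-8')}")
    return 0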
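def get_shim_bin(shim_dir="/usr/share/shim-signed", dest_dir="."):
    """Copy the distro-signed shim and MokManager into the work directory.

    ``shimx64.efi`` is stored as ``BOOTx64.EFI`` (the default UEFI fallback
    loader name that ``copy_to_image`` later places under /EFI/BOOT/);
    ``mmx64.efi`` keeps its name.

    Args:
        shim_dir: Directory holding shimx64.efi and mmx64.efi; the shim-signed
            package installs them under /usr/share/shim-signed.
        dest_dir: Where to put the copies; defaults to the current directory.

    Returns:
        0 on success.

    Raises:
        SystemExit: status 1 if either file cannot be copied.
    """
    src = pathlib.Path(shim_dir)
    dst = pathlib.Path(dest_dir)
    # Plain file copies: the original shelled out to `cp`, which adds nothing
    # over shutil.copyfile here and needed no shell.
    for src_name, dst_name in (("shimx64.efi", "BOOTx64.EFI"), ("mmx64.efi", "mmx64.efi")):
        try:
            copyfile(src / src_name, dst / dst_name)
        except OSError as err:
            print(f"Error: {err}")
            raise SystemExit(1)
    return 0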
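def sign_with_sbsigntools(key="MOK.key", cert="MOK.crt"):
    """Sign the extracted and copied boot files in place with the MOK key pair.

    Each file is passed to ``sbsign --output <file> <file>``, so the unsigned
    copy is overwritten with the signed one.

    Args:
        key: Path of the private key (PEM). The original pointed three commands
            at ``MOK.key`` and two at ``../MOK.key``; since main() copies the
            key into the work dir, the local name is used for all of them.
        cert: Path of the matching certificate (PEM).

    Returns:
        0 once every sbsign run has succeeded.

    Raises:
        SystemExit: status 1 on the first sbsign failure, or if sbsign is not
            installed.
    """
    #### NOTE
    #### The signatures on BOOTx64.EFI and mmx64.efi MAY NOT BE REQUIRED as
    #### THEY ARE ALREADY SIGNED (they come from shim-signed). However, absence
    #### of the signature using the created MOK keys made the bootable USB
    #### NOT SHOW UP on my device, so they are signed here as well.
    targets = ["grubx64.efi", "shellx64.efi", "vmlinuz-linux", "BOOTx64.EFI", "mmx64.efi"]
    for target in targets:
        cmd = ["sbsign", "--key", key, "--cert", cert, "--output", target, target]
        try:
            ret = subprocess.run(cmd, capture_output=True)
        except OSError as err:
            print(f"Error: {err}")
            raise SystemExit(1)
        if ret.returncode != 0:
            print(f"Error: {ret.stderr.decode('utf-8')}")
            raise SystemExit(1)
        print(f"[INFO]: {ret.stdout.decode('utf-8')}\n\n")
    return 0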
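def copy_to_image(image="eltorito_img2_uefi.img"):
    """Copy the signed files into the extracted EFI boot image with mcopy.

    Layout written into ``image``:
      - /arch/boot/x86_64/vmlinuz-linux  <- signed kernel
      - /                                <- MOK.cer, shellx64.efi
      - /EFI/BOOT/                       <- BOOTx64.EFI (shim), grubx64.efi, mmx64.efi

    Only the DER certificate (MOK.cer) goes into the image, presumably so it
    can be enrolled from MokManager; MOK.key is never copied in. ``-D oO`` is
    mcopy's name-clash setting (overwrite) — check the mtools docs if in doubt.

    Args:
        image: FAT image to write into; defaults to the El Torito image that
            ``extract_iso`` drops in the work dir.

    Returns:
        0 once all three copies have succeeded.

    Raises:
        SystemExit: status 1 on the first mcopy failure, or if mcopy is not
            installed.
    """
    steps = [
        ["vmlinuz-linux", "::/arch/boot/x86_64/vmlinuz-linux"],
        ["MOK.cer", "shellx64.efi", "::/"],
        ["BOOTx64.EFI", "grubx64.efi", "mmx64.efi", "::/EFI/BOOT/"],
    ]
    for args in steps:
        cmd = ["mcopy", "-D", "oO", "-i", image, *args]
        try:
            ret = subprocess.run(cmd, capture_output=True)
        except OSError as err:
            print(f"Error: {err}")
            raise SystemExit(1)
        if ret.returncode != 0:
            print(f"Error: {ret.stderr.decode('utf-8')}")
            raise SystemExit(1)
        print(f"[INFO]: {ret.stdout.decode('utf-8')}\n\n")
    return 0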
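def repack_iso(iso_path="../archlinux-x86_64.iso", out_iso="archlinux-secure-boot-shim-x86_64.iso"):
    """Build the Secure-Boot ISO from the original image plus the signed files.

    xorriso maps the signed kernel, shell, certificate, shim, GRUB and
    MokManager over the original tree, replays the original boot setup and
    appends the patched EFI boot image as partition 2 (type 0xef).

    Args:
        iso_path: Source ISO, relative to the current directory.
        out_iso: Name of the ISO to write in the current directory.

    Returns:
        0 on success.

    Raises:
        SystemExit: status 1 if xorriso fails or is not installed.
    """
    cmd = [
        "xorriso",
        "-indev", iso_path,
        "-outdev", out_iso,
        "-map", "vmlinuz-linux", "/arch/boot/x86_64/vmlinuz-linux",
        "-map_l", "./", "/", "shellx64.efi", "MOK.cer", "--",
        "-map_l", "./", "/EFI/BOOT/", "BOOTx64.EFI", "grubx64.efi", "mmx64.efi", "--",
        "-boot_image", "any", "replay",
        "-append_partition", "2", "0xef", "eltorito_img2_uefi.img",
    ]
    try:
        ret = subprocess.run(cmd, capture_output=True)
    except OSError as err:
        print(f"Error: {err}")
        raise SystemExit(1)
    if ret.returncode != 0:
        print(f"Error: {ret.stderr.decode('utf-8')}")
        raise SystemExit(1)
    print(f"[INFO]: {ret.stdout.decode('utf-8')}\n\n")
    return 0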
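def create_mok_keys(common_name="Aero", key_file="MOK.key", cert_file="MOK.crt", der_file="MOK.cer"):
    """Generate the Machine Owner Key pair used to sign the boot files.

    Creates a self-signed RSA-2048 certificate with ``openssl req -x509`` and
    converts it to DER (``MOK.cer``), the form that is copied into the image.

    The original only built the two command strings and never executed them,
    so main() went on to copy MOK.* files that did not exist.

    Args:
        common_name: Subject CN for the certificate — replace "Aero" with your
            name! Passed as ``/CN=<common_name>/``; a value containing ``/``
            would add further DN components, so keep it to a plain name.
        key_file: Output path for the private key (PEM).
        cert_file: Output path for the certificate (PEM).
        der_file: Output path for the DER copy of the certificate.

    Raises:
        SystemExit: status 1 if openssl fails or is not installed.

    NOTE(review): ``openssl req -x509`` without ``-days`` defaults to a short
    (30-day) validity, and without ``-noenc``/``-nodes`` it asks for a key
    passphrase on the terminal; both are left as the author had them — confirm
    they are intended. ``key_file`` is the private signing key: keep it out of
    the image and off shared storage.
    """
    cmds = [
        ["openssl", "req", "-x509", "-newkey", "rsa:2048",
         "-keyout", key_file, "-out", cert_file, "-subj", f"/CN={common_name}/"],
        ["openssl", "x509", "-in", cert_file, "-out", der_file, "-outform", "DER"],
    ]
    for cmd in cmds:
        # Output is deliberately not captured: openssl may prompt interactively.
        try:
            ret = subprocess.run(cmd)
        except OSError as err:
            print(f"Error: {err}")
            raise SystemExit(1)
        if ret.returncode != 0:
            print(f"Error: command failed with status {ret.returncode}: {' '.join(cmd)}")
            raise SystemExit(1)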
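if __name__ == '__main__':
    if not is_arch_based():
        print("This is not an Arch based system. Exiting...")
        raise SystemExit(1)
    print("Arch or Arch based system found. Ensure you have the following packages installed:")
    print("shim-signed - AUR")
    print("libisoburn - REPO")
    print("mtools - REPO")
    cwd = os.getcwd()
    work_dir = pathlib.Path(cwd, "archsec")
    # exist_ok: the original os.mkdir() raised FileExistsError on every re-run.
    work_dir.mkdir(exist_ok=True)
    # NOTE(review): the downloaded ISO is not checked against Arch's published
    # sha256sums / PGP signature before it is unpacked and signed.
    if not pathlib.Path(cwd, "archlinux-x86_64.iso").exists():
        grab_iso()
    key_files = [pathlib.Path(cwd, name) for name in ("MOK.key", "MOK.crt", "MOK.cer")]
    present = [p for p in key_files if p.exists()]
    if not present:
        create_mok_keys()
    elif len(present) != len(key_files):
        # The original only generated keys when none of the three files existed,
        # then crashed in copyfile() on a partial set. Do not regenerate
        # silently either: an existing MOK.key may already be enrolled in
        # firmware, and a fresh key would leave the image signed with one the
        # machine does not trust. Let the user resolve it.
        missing = ", ".join(p.name for p in key_files if not p.exists())
        print(f"Error: MOK key material is incomplete (missing: {missing}). "
              "Restore the missing file(s) or remove all three to regenerate.")
        raise SystemExit(1)
    os.chdir(work_dir)
    copyfile("../MOK.cer", './MOK.cer')
    copyfile("../MOK.crt", './MOK.crt')
    # The private key is needed here only for sbsign; copy_to_image/repack_iso
    # put MOK.cer into the image, never MOK.key.
    copyfile("../MOK.key", './MOK.key')
    try:
        extract_iso()
        get_shim_bin()
        sign_with_sbsigntools()
        copy_to_image()
        repack_iso()
        print(f"Done... Check the iso file: archlinux-secure-boot-shim-x86_64.iso at: {cwd}/archsec")
    finally:
        os.chdir(cwd)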