diff --git a/.gitignore b/.gitignore
index 1d60f85..a94f205 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 output/*
 /*.tar.gz
+OVMF_VARS_4M.fd
diff --git a/Dockerfile b/Dockerfile
index b005037..ac2cc8b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,34 +14,82 @@ RUN cargo install --locked --root /usr/local --git https://github.com/weareseba/ --branch feature/rust-1.69 -FROM builder -RUN apt-get install -y --no-install-recommends \ +FROM debian:trixie-slim +ENV SOURCE_DATE_EPOCH=1231006505 +ENV VERITY_SALT=08a0beacc11acabe72fa687107a743ed0680cfa985eac4386b6143ad93a563fc +ENV VERITY_UUID=12345678-1234-1234-1234-123456789abc +RUN apt-get update \ + && apt-get -y dist-upgrade \ + && apt-get install -y --no-install-recommends \ + autoconf \ + automake \ + bash \ build-essential \ coreutils \ - grub-efi-amd64-bin \ + cpio \ + cryptsetup-bin \ + dkms \ + efitools \ + e2tools \ + e2fsprogs \ + faketime \ + gawk \ + gnupg \ + grub-efi-amd64 \ + initramfs-tools \ + libccid \ + libcryptsetup-dev \ + libengine-pkcs11-openssl \ libsystemd-shared \ + libtool \ + locales \ mmdebstrap \ mtools \ + opensc-pkcs11 \ + openssl \ + pkg-config \ python3-dev \ python3-pip \ python3-pytest \ + sbsigntool \ squashfs-tools \ squashfs-tools-ng \ + wget \ xorriso \ - xz-utils - + xz-utils \ + ykcs11 \ + yubico-piv-tool \ + yubikey-manager \ + zstd -RUN mkdir -p staging/live \ - && mkdir -p staging/boot/grub/x86_64-efi \ - && mkdir -p staging/boot/syslinux/ +# Create user +ARG UID +ARG GID +RUN groupadd -g ${GID} satoshi && \ + useradd -m -r -u ${UID} -g ${GID} -G users,lp,disk,adm,dialout -c "Satoshi Nakamoto" -s /bin/bash satoshi +WORKDIR /home/satoshi +# Copy res and useful files COPY resources/skeleton/ resources/skeleton # copy binaries built with cargo to the chroot COPY --from=cargo-install /usr/local/bin/bdk-cli /usr/local/bin/ COPY --from=cargo-install /usr/local/bin/electrum2descriptors /usr/local/bin/ +# Set the locale +RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ + dpkg-reconfigure --frontend=noninteractive locales && \ + update-locale LANG=en_US.UTF-8 +ENV LANG en_US.UTF-8 +ENV LANGUAGE en_US:en +ENV LC_ALL en_US.UTF-8 +# Create staging folders +RUN mkdir -p staging/live && \ + mkdir -p 
staging/boot/grub/x86_64-efi && \ + mkdir -p staging/boot/syslinux/ + +# Create Live OS filesystem RUN mmdebstrap \ --variant=apt \ --dpkgopt='path-exclude=/usr/share/man/*' \ @@ -52,44 +100,65 @@ RUN mmdebstrap \ --dpkgopt='path-include=/usr/share/doc/*/changelog.Debian.*' \ --include='\ busybox,\ + curl,\ + cryptsetup-bin,\ dosfstools,\ + efitools,\ electrum,\ evince,\ fdisk,\ firefox-esr,\ fonts-freefont-ttf,\ fonts-noto-mono,\ - gpa,\ gpg,\ grub-efi-amd64-bin,\ isolinux,\ + jq,\ keepassxc,\ + libgl1,\ + libglib2.0-0,\ + libnss-resolve,\ + libpcsclite1,\ libykpiv2,\ libnss-resolve,\ + lightdm,\ linux-image-amd64,\ live-boot,\ + nodm,\ + mokutil,\ mousepad,\ + mtools,\ + net-tools,\ + network-manager,\ openssh-client,\ p7zip-full,\ pcscd,\ + python3-btchip,\ python3-ecdsa,\ python3-hidapi,\ - python3-libusb1,\ python3-mnemonic,\ python3-pyaes,\ python3-pyqt5,\ python3-semver,\ python3-trezor,\ python3-typing-extensions,\ + python3-usb,\ + python3-usb1,\ rsync,\ scdaemon,\ syslinux-common,\ + systemd-cryptsetup,\ + systemd-repart,\ systemd-resolved,\ systemd-timesyncd,\ + systemd-sysv,\ thunar-archive-plugin,\ + uuid-runtime,\ usbutils,\ vim,\ + wget,\ xarchiver,\ + xclip,\ xfce4,\ xfce4-terminal,\ xinit,\ 
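Review bot: `apt-get -y dist-upgrade` on an unpinned `debian:trixie-slim` base (top of the hunk) lets the toolchain that produces the image — grub-mkimage, veritysetup, mkinitramfs, squashfs-tools — drift between builds, which undercuts the `SOURCE_DATE_EPOCH`/`VERITY_SALT` reproducibility the same hunk sets up; pin the base by digest (`FROM debian:trixie-slim@sha256:<digest>`), drop the dist-upgrade and bump the digest instead, and pin the `apt-get install` versions where practical. `ENV LANG en_US.UTF-8` and the two lines after it use the deprecated space-separated form; collapse them to `ENV LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_ALL=en_US.UTF-8`. `ARG UID`/`ARG GID` have no defaults, so a `docker build` without the Makefile's `--build-arg`s fails at `groupadd -g`; either give defaults (`ARG UID=1000`, `ARG GID=1000`) or add a comment stating they are required. A one-line comment above the `SOURCE_DATE_EPOCH`/`VERITY_*` lines saying they are fixed deliberately for reproducible output (the verity salt is not secret material) would stop the next reader from treating them as leaked secrets.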
@@ -99,29 +168,33 @@ RUN mmdebstrap \ yubikey-personalization,\ yubioath-desktop' \ --customize-hook='chroot "$1" usermod --expiredate 1 --shell /usr/sbin/nologin --password ! root' \ - --customize-hook='chroot "$1" useradd -G users,lp,disk,adm,dialout -c "Satoshi Nakamoto" --home-dir /home/satoshi --create-home -s /bin/bash satoshi' \ + --customize-hook='chroot "$1" useradd -G users,lp,disk,adm,dialout,video,tty -c "Satoshi Nakamoto" --home-dir /home/satoshi --create-home -s /bin/bash satoshi' \ --customize-hook='sync-in resources/skeleton/ /' \ --customize-hook='sync-in /usr/local/bin/ /usr/local/bin/' \ --customize-hook='chroot "$1" chown -R satoshi:satoshi /home/satoshi' \ - --customize-hook='pip3 install --no-cache-dir --no-warn-script-location --no-deps --root "$1" \ - bitbox02 \ + --customize-hook='pip3 install --no-cache-dir --no-warn-script-location --root "$1" \ + bitbox02==6.3.0 \ base58 \ + jade-client==1.0.32 \ noiseprotocol \ protobuf==3.20 \ - btchip-python \ - ckcc-protocol \ + ledger-bitcoin==0.2.2 \ + ledgercomm==1.2.1 \ + ckcc-protocol==0.7.7 \ keepkey' \ --customize-hook='chroot "$1" /usr/bin/busybox --install -s' \ - --customize-hook='chroot "$1" systemctl enable systemd-networkd' \ - --customize-hook="download /vmlinuz staging/live/vmlinuz" \ + --customize-hook='chroot "$1" systemctl enable NetworkManager' \ + --customize-hook='chroot "$1" systemctl set-default graphical.target' \ + --customize-hook="download /vmlinuz staging/live/vmlinuz.unsigned" \ --customize-hook="download /initrd.img staging/live/initrd" \ - --customize-hook='set -e; for f in 20-hw1.rules 51-coinkite.rules 51-hid-digitalbitbox.rules 51-safe-t.rules 51-trezor.rules 51-usb-keepkey.rules 52-hid-digitalbitbox.rules 53-hid-bitbox02.rules 54-hid-bitbox02.rules 55-usb-jade.rules; do \ - wget -q -P "$1/etc/udev/rules.d" "https://raw.githubusercontent.com/spesmilo/electrum/4.4.5/contrib/udev/$f"; done' \ + --customize-hook='set -e; mkdir -p "$1/etc/udev/rules.d"; for f in 
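Review bot: the `--include` list now pulls in both `lightdm` and `nodm`, while this commit also adds `resources/skeleton/home/satoshi/.profile` with `exec startx` on tty1 and `/etc/default/nodm` with `NODM_USER=satoshi` — two display managers competing for the console and a third session-start path on top. Keep one mechanism (the nodm config suggests `nodm`), drop `lightdm` and the `.profile` line, or add a comment explaining why all three are needed. `libnss-resolve` is listed twice in the same `--include` string (the new entry before `libpcsclite1` and the existing one after `libykpiv2`); harmless for apt but one should go. The enclosing `RUN mmdebstrap` command starts and ends outside this hunk.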
20-hw1.rules 51-coinkite.rules 51-hid-digitalbitbox.rules 51-safe-t.rules 51-trezor.rules 51-usb-keepkey.rules 52-hid-digitalbitbox.rules 53-hid-bitbox02.rules 54-hid-bitbox02.rules 55-usb-jade.rules; do \ + wget -q -P "$1/etc/udev/rules.d" "https://raw.githubusercontent.com/spesmilo/electrum/4.5.8/contrib/udev/$f"; done' \ --customize-hook='wget -q -O - https://gethstore.blob.core.windows.net/builds/geth-alltools-linux-amd64-1.13.11-8f7eb9cc.tar.gz | tar -C "$1/usr/local/bin" --strip-components=1 -zx' \ --customize-hook='wget -q -O - https://github.com/wealdtech/ethdo/releases/download/v1.35.2/ethdo-1.35.2-linux-amd64.tar.gz | tar -C "$1/usr/local/bin" -zx' \ --customize-hook='wget -q -O - https://github.com/ethereum/staking-deposit-cli/releases/download/v2.7.0/staking_deposit-cli-fdab65d-linux-amd64.tar.gz | tar -C "$1/usr/local/bin" --strip-components=2 -zx' \ --customize-hook='ln -sf /usr/share/zoneinfo/CET "$1/etc/localtime"' \ - --customize-hook='mkdir -p "$1/media/usb"' \ + --customize-hook='mkdir -p "$1/media/usb-rw"' \ + --customize-hook='mkdir -p "$1/media/usb-ro"' \ --customize-hook='echo CET > "$1/etc/timezone"' \ --customize-hook='sync-out /usr/lib/grub/x86_64-efi/ staging/boot/grub/x86_64-efi/' \ --customize-hook='copy-out /usr/lib/ISOLINUX/isohdpfx.bin staging/boot/syslinux/' \ 
@@ -143,44 +216,47 @@ RUN mmdebstrap \ --customize-hook='find "$1" -name "[a-z]*[.-]old" -delete' \ --customize-hook='find "$1/usr/lib" -name __pycache__ -type d -depth -exec rm -rf {} \;' \ --customize-hook='find "$1/usr/local/lib" -name __pycache__ -type d -depth -exec rm -rf {} \;' \ - bookworm staging/live/filesystem.squashfs - -COPY resources/isolinux.cfg staging/isolinux/isolinux.cfg -COPY resources/grub.cfg staging/boot/grub/grub.cfg -COPY resources/grub-early.cfg . - - -RUN mkdir -p staging/EFI/boot \ - && grub-mkimage \ - --compression="xz" \ - --format="x86_64-efi" \ - --config="grub-early.cfg" \ - --output="staging/EFI/boot/bootx64.efi" \ - --prefix="/boot/grub" \ - all_video disk part_gpt part_msdos linux normal configfile search \ - search_label efi_gop fat iso9660 cat echo ls test true help gzio - -RUN mformat -i staging/efiboot.img -C -f 1440 -N 0 :: \ - && mcopy -i staging/efiboot.img -s staging/EFI :: - -CMD find staging -print0 | xargs -0 touch -md "@${SOURCE_DATE_EPOCH}" \ - && xorrisofs \ - -iso-level 3 \ - -o /output/livedeb.iso \ - -full-iso9660-filenames \ - -joliet \ - -rational-rock \ - -sysid LINUX \ - -volid "$(echo DEB${TAG} | cut -c -32)" \ - -isohybrid-mbr staging/boot/syslinux/isohdpfx.bin \ - -eltorito-boot boot/syslinux/isolinux.bin \ - -eltorito-catalog boot/syslinux/boot.cat \ - -no-emul-boot \ - -boot-load-size 4 \ - -boot-info-table \ - -eltorito-alt-boot \ - -e efiboot.img \ - -no-emul-boot \ - -isohybrid-gpt-basdat \ - staging/ \ - && sha256sum /output/livedeb.iso + trixie staging/live/filesystem.squashfs + +# Copy secureboot and GRUB files +# https://wiki.debian.org/SecureBoot/VirtualMachine +# https://github.com/salrashid123/secure_boot +# https://superuser.com/questions/1660806/how-to-install-a-windows-guest-in-qemu-kvm-with-secure-boot-enabled +RUN mkdir -p secureboot +ADD secureboot/ secureboot/ +COPY resources/grub.cfg staging/boot/grub/grub.cfg +COPY resources/grub-standalone.cfg . 
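Review bot: the `pip3 install` customize-hook drops `--no-deps` but still leaves `base58`, `noiseprotocol` and `keepkey` unpinned, so the live image's wallet tooling now resolves to whatever transitive versions PyPI serves at build time — not reproducible, and an open supply-chain surface for an environment whose purpose is signing. Move the set into a committed `requirements.txt` with pinned versions and hashes and install it with `pip3 install --require-hashes -r requirements.txt`, keeping `--no-deps` or pinning the transitive closure. The `wget -q -O - … | tar` hooks for geth, ethdo and staking-deposit-cli (context lines here) extract release tarballs with no checksum check; downloading to a file and running `sha256sum -c` against a committed checksum before extracting closes the same gap. The enclosing `RUN mmdebstrap` command starts and ends outside this hunk.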
+ +# Create verity partition +RUN veritysetup format \ + --uuid=${VERITY_UUID} \ + --salt=${VERITY_SALT} \ + --root-hash-file=staging/live/filesystem.squashfs.roothash \ + staging/live/filesystem.squashfs staging/live/filesystem.squashfs.verity +RUN veritysetup verify \ + --root-hash-file=staging/live/filesystem.squashfs.roothash \ + staging/live/filesystem.squashfs staging/live/filesystem.squashfs.verity + +# Patch initrd for missing system libraries for dm-verity (dlopen) +# - libcryptsetup.so +# - libuuid.so.1 +# - libjson-c.so.5 +RUN mkdir initrd-patched && \ + unmkinitramfs -v staging/live/initrd initrd-patched +RUN cp /usr/lib/x86_64-linux-gnu/libcryptsetup.so.12 initrd-patched/usr/lib/x86_64-linux-gnu/ && \ + cp /usr/lib/x86_64-linux-gnu/libuuid.so.1 initrd-patched/usr/lib/x86_64-linux-gnu/ && \ + cp /usr/lib/x86_64-linux-gnu/libjson-c.so.5 initrd-patched/usr/lib/x86_64-linux-gnu/ +# NOTE: having different locales set can lead to different final checksums of the ISO (Docker takes locale from host's settings) +RUN cd initrd-patched && \ + find . -print0 | xargs -0 touch -md "@0" && \ + find . | sort -V | cpio -o -H newc --reproducible --device-independent --owner root:root > ../initrd.patched.img && \ + mv ../initrd.patched.img ../staging/live/initrd + +# TODO +# Add M$ keys to DBX (https://github.com/microsoft/secureboot_objects.git) + +# Copy script for creating the image +COPY scripts/mkimage.sh . +RUN chmod +x mkimage.sh + +ENTRYPOINT ["./mkimage.sh"] diff --git a/Makefile b/Makefile index 6a2343c..758c5cd 100644 --- a/Makefile +++ b/Makefile 
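Review bot: the dm-verity root hash written to `staging/live/filesystem.squashfs.roothash` remains an unsigned file on the ISO next to the squashfs and its `.verity` tree, while the kernel, initrd and grub.cfg are signed and the kernel line gets `dm-verity-oncorruption=panic`; unless the initrd already embeds that hash (the `unmkinitramfs`/`cpio` repack step below only adds three libraries), whatever consumes the file at boot trusts an unverified value and the verity check gives no integrity guarantee over the root filesystem. Anchor the hash in a signed artifact: copy `filesystem.squashfs.roothash` into `initrd-patched/` before the `cpio` repack (the hash is computed before that step, so ordering already permits it), or pass it on the signed kernel command line in `resources/grub.cfg`. Separately, `ADD secureboot/ secureboot/` copies a plain local directory and should be `COPY secureboot/ secureboot/` (the preceding `RUN mkdir -p secureboot` is then redundant), `RUN cd initrd-patched && …` should use a subshell or `WORKDIR`, and `COPY scripts/mkimage.sh .` followed by `RUN chmod +x mkimage.sh` collapses to `COPY --chmod=755 scripts/mkimage.sh .`.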
@@ -1,16 +1,51 @@ USB_DISK ?= $(shell realpath /dev/disk/by-path/*usb* | head -n 1) TAG := livedeb +ISO_FILENAME := output/livedeb.iso +ISO_FILENAME_NOSB := output/livedeb-nosb.iso +UID := $(shell id -u) +GID := $(shell id -g) # creating a live system roughly by following https://willhaley.com/blog/custom-debian-live-environment/ -iso: builder - docker run --rm \ - --volume ${PWD}/output:/output \ +iso: ${ISO_FILENAME} +iso-nosb: ${ISO_FILENAME_NOSB} + +# Creates and ISO by signing files for Secureboot +${ISO_FILENAME}: builder + @git --version + docker run \ + --rm \ + --interactive \ + --tty \ + --volume /run/pcscd:/run/pcscd:ro \ + --volume /run/user/${UID}/gnupg/S.gpg-agent:/root/.gnupg/S.gpg-agent:ro \ + --volume ${HOME}/.gnupg:/root/.gnupg:ro \ + --volume ${PWD}/output:/home/satoshi/output \ --env SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct) \ - --env TAG="$(shell git describe --long --always --dirty)" \ + --env TAG="$(shell git log -1 --format=%h)" \ ${TAG} -sign: iso - sha256sum output/livedeb.iso | gpg --clearsign +# Creates and ISO without signing files for Secureboot +${ISO_FILENAME_NOSB}: builder + @git --version + docker run \ + --rm \ + --interactive \ + --tty \ + --volume /run/pcscd:/run/pcscd:ro \ + --volume /run/user/${UID}/gnupg/S.gpg-agent:/root/.gnupg/S.gpg-agent:ro \ + --volume ${HOME}/.gnupg:/root/.gnupg:ro \ + --volume ${PWD}/output:/home/satoshi/output \ + --env SOURCE_DATE_EPOCH=$(shell git log -1 --format=%ct) \ + --env TAG="$(shell git log -1 --format=%h)" \ + ${TAG} --no-secureboot + +sign: + bash -c "if [ ! -f ${ISO_FILENAME} ]; then make ${ISO_FILENAME} ; fi" + sha256sum ${ISO_FILENAME} | gpg --clearsign + +sign-nosb: + bash -c "if [ ! -f ${ISO_FILENAME_NOSB} ]; then make ${ISO_FILENAME_NOSB} ; fi" + sha256sum ${ISO_FILENAME_NOSB} | gpg --clearsign builder: chmod -R go-w resources 
@@ -20,23 +55,50 @@ builder: --build-arg https_proxy="${http_proxy}" \ --build-arg HTTP_PROXY="${http_proxy}" \ --build-arg HTTPS_PROXY="${http_proxy}" \ + --build-arg UID="${UID}" \ + --build-arg GID="${GID}" \ --tag ${TAG} . -run: iso - qemu-system-x86_64 -cdrom output/livedeb.iso -m 2048 -bios /usr/share/ovmf/OVMF.fd +run: + echo "Press `Esc` to enter the Boot menu and enroll the certs from EFI directory" + bash -c "if [ ! -f OVMF_VARS_4M.fd ]; then cp /usr/share/OVMF/OVMF_VARS_4M.fd ./ ; fi" + bash -c "if [ ! -f ${ISO_FILENAME} ]; then make ${ISO_FILENAME} ; fi" + qemu-system-x86_64 \ + -enable-kvm \ + -machine q35,smm=on \ + -m 2048 \ + -device virtio-rng-pci,rng=rng0 \ + -object rng-random,filename=/dev/urandom,id=rng0 \ + -global driver=cfi.pflash01,property=secure,value=on \ + -drive if=pflash,format=raw,unit=1,file="OVMF_VARS_4M.fd" \ + -drive if=pflash,format=raw,unit=0,file="/usr/share/OVMF/OVMF_CODE_4M.secboot.fd",readonly=on \ + -boot menu=on \ + -cdrom ${ISO_FILENAME} + +run-nosb: + bash -c "if [ ! 
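Review bot: both new `docker run` recipes bind-mount the whole `${HOME}/.gnupg` into the container as `/root/.gnupg`, so any on-disk secret keys in that home — not just the card stub used for `--local-user ccc` — become readable to every step inside the image (`:ro` prevents writes, not reads). Point the mount at a dedicated GNUPGHOME holding only the public keyring, trustdb and the YubiKey stub, e.g. `--volume <dedicated-gnupghome>:/root/.gnupg:ro`, and keep the agent-socket mount as it is. `TAG` also changed from `git describe --long --always --dirty` to `git log -1 --format=%h`, so an ISO built from a dirty tree is now labelled exactly like the clean commit; if the shorter volid is the goal, `git describe --always --dirty` keeps that provenance signal. The two recipes differ only in the trailing `--no-secureboot`; a shared variable for the `docker run` prefix would keep the mount lists from diverging.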
-f ${ISO_FILENAME_NOSB} ]; then make ${ISO_FILENAME_NOSB} ; fi" + $(shell lsusb -d 2c97:1015 | sed -E "s/.*Bus ([0-9]*) Device ([0-9]*).*/sudo chown ${USER}:docker \/dev\/bus\/usb\/\1\/\2/") + qemu-system-x86_64 \ + -enable-kvm \ + -machine q35,smm=on \ + -m 2048 \ + -object rng-random,filename=/dev/urandom,id=rng0 \ + -bios /usr/share/ovmf/OVMF.fd \ + -usb -device usb-host,vendorid=0x2c97,productid=0x1015 \ + -cdrom ${ISO_FILENAME_NOSB} -run_yubi: iso +run_yubi: qemu-system-x86_64 -cdrom output/livedeb.iso -m 2048 -bios /usr/share/ovmf/OVMF.fd -M q35 -usb -device usb-host,productid=0x0407,vendorid=0x1050 -usb: iso +usb: test -b ${USB_DISK} @umount ${USB_DISK}* || : - sudo dd bs=4M of=${USB_DISK} if=output/livedeb.iso status=progress + sudo dd bs=4M of=${USB_DISK} if=${ISO_FILENAME} status=progress sync -cd: iso - wodim -eject -tao output/livedeb.iso +cd: + wodim -eject -tao ${ISO_FILENAME} clear_docker: - docker rmi ${TAG} + docker rmi ${TAG} || : docker system prune -f diff --git a/resources/grub-early.cfg b/resources/grub-early.cfg deleted file mode 100644 index 4ac44b5..0000000 --- a/resources/grub-early.cfg +++ /dev/null @@ -1,3 +0,0 @@ -search --set=root --file /live/filesystem.squashfs -set prefix=($root)/boot/grub/ -configfile /boot/grub/grub.cfg diff --git a/resources/grub-standalone.cfg b/resources/grub-standalone.cfg new file mode 100644 index 0000000..774d3b4 --- /dev/null +++ b/resources/grub-standalone.cfg @@ -0,0 +1,3 @@ +search --set=root --no-floppy --file /live/vmlinuz +set prefix=($root)/boot/grub/ +configfile /boot/grub/grub.cfg \ No newline at end of file diff --git a/resources/grub.cfg b/resources/grub.cfg index a518a29..9022870 100644 --- a/resources/grub.cfg +++ b/resources/grub.cfg 
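Review bot: in the new `run` recipe the message `echo "Press `Esc` to enter the Boot menu …"` is double-quoted, so the shell runs `Esc` as a command substitution and prints "Press  to enter…" plus a command-not-found error; use `echo 'Press `Esc` to enter the Boot menu and enroll the certs from EFI directory'`. `run_yubi` lost its `iso` prerequisite but still hard-codes `output/livedeb.iso` instead of `${ISO_FILENAME}`, so it neither builds the image nor follows the new filename variables — give it the same `bash -c "if [ ! -f ${ISO_FILENAME} ]; then make ${ISO_FILENAME} ; fi"` guard the other targets use. `run-nosb` defines `rng-random,id=rng0` without the `-device virtio-rng-pci,rng=rng0` consumer that `run` has, so the guest gets no entropy device there. The `$(shell lsusb -d 2c97:1015 … sudo chown …)` line invokes sudo from inside make expansion; a comment stating that it hands the USB device node for `2c97:1015` to `${USER}:docker` for passthrough would help the next reader.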
@@ -1,9 +1,11 @@ -search --set=root --file /live/filesystem.squashfs +search --set=root --no-floppy --file /live/vmlinuz set superusers="" set default=0 set timeout=0 +set check_signatures=enforce +export check_signatures menuentry "LiveDeb" --unrestricted { - linux ($root)/live/vmlinuz boot=live quiet + linux ($root)/live/vmlinuz boot=live dm-verity-oncorruption=panic quiet initrd ($root)/live/initrd } diff --git a/resources/isolinux.cfg b/resources/isolinux.cfg deleted file mode 100644 index 4e7b0ca..0000000 --- a/resources/isolinux.cfg +++ /dev/null @@ -1,4 +0,0 @@ -DEFAULT linux -LABEL linux - KERNEL /live/vmlinuz - APPEND initrd=/live/initrd boot=live quiet diff --git a/resources/skeleton/etc/default/nodm b/resources/skeleton/etc/default/nodm new file mode 100644 index 0000000..4692e7b --- /dev/null +++ b/resources/skeleton/etc/default/nodm @@ -0,0 +1 @@ +NODM_USER=satoshi diff --git a/resources/skeleton/etc/fstab b/resources/skeleton/etc/fstab index 2ff55ce..4ac7753 100644 --- a/resources/skeleton/etc/fstab +++ b/resources/skeleton/etc/fstab @@ -1 +1,2 @@ -/dev/usbdisk /media/usb vfat noauto,user 0 0 +/dev/usbdisk /media/usb-rw vfat noauto,user,rw 0 0 +/dev/usbdisk /media/usb-ro vfat noauto,user,ro 0 0 diff --git a/resources/skeleton/home/satoshi/.profile b/resources/skeleton/home/satoshi/.profile new file mode 100644 index 0000000..cf88704 --- /dev/null +++ b/resources/skeleton/home/satoshi/.profile @@ -0,0 +1 @@ +[ "$(tty)" = "/dev/tty1" ] && exec startx diff --git a/resources/skeleton/home/satoshi/.xinitrc b/resources/skeleton/home/satoshi/.xinitrc deleted file mode 100644 index 1a6ed56..0000000 --- a/resources/skeleton/home/satoshi/.xinitrc +++ /dev/null @@ -1,2 +0,0 @@ -setxkbmap -option terminate:ctrl_alt_bksp -startxfce4 diff --git a/scripts/mkimage.sh b/scripts/mkimage.sh new file mode 100644 index 0000000..105efff --- /dev/null +++ b/scripts/mkimage.sh 
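Review bot: `set check_signatures=enforce` is now unconditional in `resources/grub.cfg`, but the Dockerfile copies this one file into both ISO variants and the `--no-secureboot` branch of `scripts/mkimage.sh` produces no `.sig` files and embeds no public key, so the nosb image would appear to fail at `linux ($root)/live/vmlinuz` with a signature error; if that variant is meant to boot, generate a separate grub.cfg for it or gate the line on a variable set by the embedded config. A comment above the line noting that GRUB images built with `--pubkey` already default to enforce, so the line guards against the variable being cleared rather than enabling verification, would make the intent clear. `dm-verity-oncorruption=panic` is the only verity-related parameter on the kernel line; where the root hash comes from at boot is not visible here, and a comment naming the initrd hook that consumes it would help.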
@@ -0,0 +1,178 @@ +#!/bin/bash -e +# Transform long options to short ones +for arg in "$@"; do + shift + case "$arg" in + '--no-secureboot') set -- "$@" '-n' ;; + *) set -- "$@" "$arg" ;; + esac +done +# Default behaviour +SECUREBOOT_ON=true; + +# Parse input option +while getopts "n" opt; do + case "$opt" in + 'n') SECUREBOOT_ON=false ;; + '?') + echo "ERROR. Script usage $(basename \$0) -n [--no-secureboot]" >&2; + exit 1 + ;; + esac +done + +# At this stage we have all the unsigned binaries/files we need +# We check if we want secureboot or not and then we move accordingly +STAGING_BASE_PATH="staging" +STAGING_EFI_PATH="$STAGING_BASE_PATH/EFI" +SOURCE_DATE_EPOCH=1231006505 +SECUREBOOT_DATE_EPOCH=1748476800 + +mkdir -p staging/EFI/boot +if $SECUREBOOT_ON; then + # Create bootloader + grub-mkimage \ + --disable-shim-lock \ + --compression="xz" \ + --format="x86_64-efi" \ + --pubkey="secureboot/signers/ccc.pgp" \ + --output="staging/EFI/boot/bootx64.efi.unsigned" \ + --config="grub-standalone.cfg" \ + --prefix="/boot/grub" \ + all_video \ + cat \ + configfile \ + crypto \ + disk \ + echo \ + efi_gop \ + fat \ + gcry_dsa \ + gcry_rsa \ + gcry_sha256 \ + gcry_sha512 \ + gzio \ + help \ + iso9660 \ + linux \ + ls \ + normal \ + part_gpt \ + part_msdos \ + pgp \ + search \ + search_label \ + squash4 \ + test \ + true + + # Sign bootloader and kernel with Yubikey + # NOTE: key with ID=02 is the `Private key for Digital Signature` one + # NOTE2: we make use of `faketime` here for reproducibility 'cause digital signatures are based on timestamps + export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so + SB_TIMESTAMP=$(TZ=UTC date -d @${SECUREBOOT_DATE_EPOCH} +'%Y-%m-%d %H:%M:%S') + + read -p "Insert Signing Yubikey and press enter..." + echo "Signing kernel and bootloader, please wait..." 
+ + # Sign + faketime -f "${SB_TIMESTAMP}" sbsign \ + --engine pkcs11 \ + --key 'pkcs11:id=%02;type=private' \ + --cert secureboot/keys/db.crt \ + --out staging/EFI/boot/bootx64.efi \ + staging/EFI/boot/bootx64.efi.unsigned + faketime -f "${SB_TIMESTAMP}" sbsign \ + --engine pkcs11 \ + --key 'pkcs11:id=%02;type=private' \ + --cert secureboot/keys/db.crt \ + --out staging/live/vmlinuz \ + staging/live/vmlinuz.unsigned + + # Verify + sbverify --list staging/EFI/boot/bootx64.efi + sbverify --list staging/live/vmlinuz + + # Clean unsigned artifacts + rm staging/live/vmlinuz.unsigned + rm staging/EFI/boot/bootx64.efi.unsigned + + # Sign grub.cfg, kernel and intird with PGP + # NOTE: optional, but useful since GRUB can perform PGP verification on boot + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign grub-standalone.cfg + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign staging/live/vmlinuz + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign staging/live/initrd + faketime -f "${SB_TIMESTAMP}" gpg --local-user ccc --detach-sign staging/boot/grub/grub.cfg + + # Set final ISO name + ISO_NAME=livedeb +else + # Create the bootloader + grub-mkimage \ + --compression="xz" \ + --format="x86_64-efi" \ + --output="staging/EFI/boot/bootx64.efi" \ + --config="grub-standalone.cfg" \ + --prefix="/boot/grub" \ + all_video \ + cat \ + configfile \ + crypto \ + disk \ + echo \ + efi_gop \ + fat \ + gzio \ + help \ + iso9660 \ + linux \ + ls \ + normal \ + part_gpt \ + part_msdos \ + search \ + search_label \ + squash4 \ + test \ + true + + # Here we simply rename the files in the expected convention + mv staging/live/vmlinuz.unsigned staging/live/vmlinuz + + # Set final ISO name + ISO_NAME=livedeb-nosb +fi + +# Create EFI image +dd if=/dev/zero of="$STAGING_BASE_PATH"/efiboot.img bs=1M count=4 +mformat -i "$STAGING_BASE_PATH"/efiboot.img -h 64 -t 32 -s 32 -N 0 :: +mmd -i "$STAGING_BASE_PATH"/efiboot.img ::/EFI +mmd -i 
"$STAGING_BASE_PATH"/efiboot.img ::/EFI/boot +mmd -i "$STAGING_BASE_PATH"/efiboot.img ::/EFI/HP +mcopy -i "$STAGING_BASE_PATH"/efiboot.img "$STAGING_EFI_PATH"/boot/bootx64.efi ::/EFI/boot/bootx64.efi +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/PK.cer ::/EFI/PK.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/KEK.cer ::/EFI/KEK.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/db.cer ::/EFI/db.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/DBX.cer ::/EFI/DBX.cer +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/PK.bin ::/EFI/HP/PK.bin +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/KEK.bin ::/EFI/HP/KEK.bin +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/db.bin ::/EFI/HP/db.bin +mcopy -i "$STAGING_BASE_PATH"/efiboot.img secureboot/keys/DBX.bin ::/EFI/HP/DBX.bin + +# Create ISO +find staging -print0 | xargs -0 touch -md "@${SOURCE_DATE_EPOCH}" && \ +xorrisofs \ + -iso-level 3 \ + -o output/${ISO_NAME}.iso \ + -full-iso9660-filenames \ + -joliet \ + -rational-rock \ + -sysid LINUX \ + -volid "$(echo CCCDEB${TAG} | cut -c -32)" \ + -eltorito-alt-boot \ + -e efiboot.img \ + -no-emul-boot \ + -isohybrid-gpt-basdat \ + staging/ && \ +sha256sum output/${ISO_NAME}.iso && \ +chown -R satoshi:satoshi output/ diff --git a/secureboot/keys/DBX.bin b/secureboot/keys/DBX.bin new file mode 100644 index 0000000..c5a234a Binary files /dev/null and b/secureboot/keys/DBX.bin differ diff --git a/secureboot/keys/DBX.cer b/secureboot/keys/DBX.cer new file mode 100644 index 0000000..c7901fe Binary files /dev/null and b/secureboot/keys/DBX.cer differ diff --git a/secureboot/keys/DBX.crt b/secureboot/keys/DBX.crt new file mode 100644 index 0000000..4143133 --- /dev/null +++ b/secureboot/keys/DBX.crt 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFczCCA1ugAwIBAgIUB4TJ9/b6viUGvpGiErVZHRuWS7swDQYJKoZIhvcNAQEL +BQAwSTFHMEUGA1UEAww+QU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChTaWdu +YXR1cmUgQmxhY2tsaXN0IERhdGFiYXNlIEtleSkwHhcNMjUwNTI4MTEyNzI3WhcN +MzUwNTI2MTEyNzI3WjBJMUcwRQYDVQQDDD5BTUlOQSBCYW5rIEFHIC0gU2VjdXJl +IEJvb3QgKFNpZ25hdHVyZSBCbGFja2xpc3QgRGF0YWJhc2UgS2V5KTCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAJY1uQME/PtFW5gnWNio80A/n1UQMXWq +QdUWnZZiLHQf1n0NxIBZzn89/RYuCKnlq91A3Vkm0OpZggl6FF9eICJXjAfZa66/ +BF9UxKaqkTTyNR2hZ+BPodo4Kj7iCsjiufLDPHmDTaQullgx99mYX44NqfjV5SCI +FnKa8omCAKuyFebAUruwA2BX0b1NEweZtIuDcIJy4f3VD/NI3GFBuuzBNSdm9fyn +9czaI5teHU9u8MKuETWkVpshK/S12AyhOqVFiDp79g4p8/ZZeLZCtSyMhVarurCX +3IRs+cjpVOnUMAK+eBAY6ZhXfoDM+GIL4oOJ20xF+eEprNGO1t/H80hkjC8+oMKW +Js2XMfsn1IwonRfyoEfK9PLpkYNbqbt2SIQvv1w57KAcO1R0VjqXD5TwefLlT+N6 +zRrdp0cB4EG4GKY/prFyRZX8PvXRRJa1efRQNzzbHCakJZ4QbIjfhLsdTPq6SOQX +DZdyoLlSq5ltc0eG23KAHXb1w9TrrAlptMk1dmGZLYmqwmpJ8h3tCo+7trlJ7Yf9 +7TVVwwcA/YVr1iunKr0HJFn6QQvBwQgwjeidYjwQCnuVMR07ZH4RO5PTJpFUXwxF +yzG2Lw6PGBup6tuhrx8yd4atIjgPhEBuHVxNmfQrAUDdFhqC9N8VbT7EYS4/fq8C +KP5SBxn4zU8vAgMBAAGjUzBRMB0GA1UdDgQWBBQDHXKC+ilPKtJ47Gk/mAQ5Gro3 +XDAfBgNVHSMEGDAWgBQDHXKC+ilPKtJ47Gk/mAQ5Gro3XDAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBQT4kCTUFivyYDjb6gnfphtyNSKRiMr+hn +bJA3NEHHBcOl+ozIHTI8ayaB4ALsxrgragQMxfAs7FbP2bH84FN/VCkbPf0hsfyt +TXeJ16o1uL+nqhrOs0X+OCBcyIDbS7Lzkl6+mm3PG6K7ciwzrUxMhHn7aohLu1gn +xKLPrPpK6r/AuvbpgsDrLq9g0a3+A3v6m0tyoutRQsrhqTWLUs5YCq2S9q3HjY+X +lxOokMcZ7SLrswriU4a9Ud7zjRGIrxmH0Y7f0mNSZDoBC7UmtLvmcZiZ3by5VVfA +FbUv+VGeAaZuHOhefVh+A7z3JiKM75o/l3hSACxJ8EnSrdljy5wrafnhsRsvwf4N +5Hn5xCr97FZpWd2ePQ7eQy8y8wATJnLqWtUZL2qW57XfvB8k9OspFBKScJaGHVrj +hkk80QNj43gUGItGENwM9jeLfDg6ngvgXDldIePU5+9ohtXebrTCYCT229soYOKR +kxMUZJnBoFHCgAdT+qITqja0yz+j7b0uhcXISLNNo3izFpkAfkt0mL94/3LFUlhG +7Y4KEg2BO7ny82rHPlT03D+nCVeHqfd9e3K3YAj7ogkMwBe+TnRle+sDM33Wzci7 +t0rY9hsGeHXwmaoC4Y8+ZaRAsxuZL9N1Gj6Q79H5cQVBUsGgxlPPDE8k+f+Fo+ux +QfID5zl7ng== +-----END 
CERTIFICATE----- diff --git a/secureboot/keys/DBX.esl b/secureboot/keys/DBX.esl new file mode 100644 index 0000000..79be029 Binary files /dev/null and b/secureboot/keys/DBX.esl differ diff --git a/secureboot/keys/GUID.txt b/secureboot/keys/GUID.txt new file mode 100644 index 0000000..67135ea --- /dev/null +++ b/secureboot/keys/GUID.txt @@ -0,0 +1 @@ +177d66d0-bf4d-4c40-8bfc-1db9f5cd2b41 diff --git a/secureboot/keys/KEK.bin b/secureboot/keys/KEK.bin new file mode 100644 index 0000000..10ff825 Binary files /dev/null and b/secureboot/keys/KEK.bin differ diff --git a/secureboot/keys/KEK.cer b/secureboot/keys/KEK.cer new file mode 100644 index 0000000..b74cb9c Binary files /dev/null and b/secureboot/keys/KEK.cer differ diff --git a/secureboot/keys/KEK.crt b/secureboot/keys/KEK.crt new file mode 100644 index 0000000..d3abbb5 --- /dev/null +++ b/secureboot/keys/KEK.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFUzCCAzugAwIBAgIUIizkvWoJXkZ1dvn+mGJpJqCGYBEwDQYJKoZIhvcNAQEL +BQAwOTE3MDUGA1UEAwwuQU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChLZXkg +RXhjaGFuZ2UgS2V5KTAeFw0yNTA1MjgxMTI3MjZaFw0zNTA1MjYxMTI3MjZaMDkx +NzA1BgNVBAMMLkFNSU5BIEJhbmsgQUcgLSBTZWN1cmUgQm9vdCAoS2V5IEV4Y2hh +bmdlIEtleSkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC3Pw3HTbcq +JhesqI1hk1fLtH7QvWjetVWBcy75FaOu+qXVG8pQqQXyzbccRZt9wXswdWc6dmaB +8iGRHxWqzDhlXsXbwuJ3g8Efu6L9aaBtKfDP/ENSnROsswfOg3oAK7pe8366va3h +JHwBwH/qhcvT/eZf6nw63lF2W4Btxe5JlQnj420lmskjWzdhDwI1VjGd1oTUV08q +HaCmU5CmBcJoPwR87m+y6a42AB6mY4vl/IfIUOy3rB5eoQ+dLoI5+5f0Fg3ybK8c +7zSi9FFIwokf296nZsHimM6WTjFokh8LCNiZGMQ0t4maSnXoMbFNXxWBxyyL2G/N +ClimJQ+SznlEfdx9jgYRz0CI8P2kLjcwtG7LR24M/4lE9UWI89MYVyMghQ0Kf7y0 +tqddTyuOvlAmaT+AtNCIx3bYwtfg3fqanlU5B5D29X/Fh1tvAyQI8iyBtaeEo945 +x7qKkfkqXIqEOI1qi412GoF+UXSdz7kd92l5RVvzp68oRtEMCp7e5Ar5Azc2g0z+ ++/r7pziqNE3J9aGwTgUr9uOCWOeDVla2RV+VvlfYmdXMdlJywFMj14zS2xohNbuk +5+2X7+m0CpgmHrH7rKeZ98UQAsAMMmiChp7GP3SllwnxOiwiZIfQhBM0Imet8OjQ +EX5jTobBBAAzhyXFXFCu+u3pwO+Qa8fNvwIDAQABo1MwUTAdBgNVHQ4EFgQUx5D6 +TZLPnWeVD2mEIVL5lq9mo9YwHwYDVR0jBBgwFoAUx5D6TZLPnWeVD2mEIVL5lq9m +o9YwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAg40HRG7HvVzS +6qCvnFDeJc3Z74Sg0nmbZlNgvp7gT78NKpBW1iL8zuh08+Ou45rb4kgF1BSru1Pn +mFBn+xgjZLiVgE1u+wkXa/E99SrqEn0m21KnCYPvUzjM+EsQs44j54OVUnI+vlTl +bjlhSg9swpFKuJQEbml+XTokTPF7Zr5cGJ+sOsWVJjKznTAxYDYsHQIsP31ueYZU +uj9YM5NF3qiIozs7CmrbMVxYIsjZ2BoRnAtE6En3s7mr4fDaAKioby6Aw1GhTNGY +HQ/w0nBGOxum5ZaN/jeObP/7qL9IFyPdAoqqpxIbYa5YnnDfVVe9PM4RJY45/0jP +IZR+Zt6kgiYXjZRwz4ydJDF5hEn+0ELNkvunnqdj67w/ohVzUG5tGLAWB6Lv8stS +5srZze02B8dl9/JzRJv/G++FFb715HCe8U2uhb2l8plrzCvqXPQ3W5/0+FS/EfwN +8Dz/Gnvspf0TJQVWUdIV4KBO1zroaDD2Ursw+zkG7CdGZqWQB5rOTs2+hkGMhtlg +CZQLd7pLJC64RommV7GUkCK0xnYMvoJUuX7MHHDBGetAkF1dgsQNaK3Z3LpBJinS +6Eh2GsO9dwWAUV/En/SjP8cGFHoVaz2/wmqv40GcMdebrQZ6ktLCNnIaT7T4Do1y +pjPkeTnhfUMHbU9cwqXs4gs20v+bncg= +-----END CERTIFICATE----- 
diff --git a/secureboot/keys/KEK.esl b/secureboot/keys/KEK.esl new file mode 100644 index 0000000..8e188dc Binary files /dev/null and b/secureboot/keys/KEK.esl differ diff --git a/secureboot/keys/PK.bin b/secureboot/keys/PK.bin new file mode 100644 index 0000000..f4fd037 Binary files /dev/null and b/secureboot/keys/PK.bin differ diff --git a/secureboot/keys/PK.cer b/secureboot/keys/PK.cer new file mode 100644 index 0000000..eb21d31 Binary files /dev/null and b/secureboot/keys/PK.cer differ diff --git a/secureboot/keys/PK.crt b/secureboot/keys/PK.crt new file mode 100644 index 0000000..c1f1935 --- /dev/null +++ b/secureboot/keys/PK.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFSzCCAzOgAwIBAgIUay7LwJcCin0yk1t1VSH2/HxF31swDQYJKoZIhvcNAQEL +BQAwNTEzMDEGA1UEAwwqQU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChQbGF0 +Zm9ybSBLZXkpMB4XDTI1MDUyODExMjcyNVoXDTM1MDUyNjExMjcyNVowNTEzMDEG +A1UEAwwqQU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChQbGF0Zm9ybSBLZXkp +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtaiVBPM2PMDJkXyofUkt +oLiEU8QzaM1raHZoZyWBW6H30btC4+zX4NXtzO+dJxa8paJpps6TFhvyU4B8f9r3 +LGAnHl7W32qhM6/uKWOCOICSNi9FSI903TTP72pKllgyMLYUkBSqVgek0D5JvZIx +Mf4OyN9fjMygB+xkdTe5By36J5Pgz7JHFObrKbkIPedQrMxsDYCc0hK5M70zkUfQ +rGMNPbinZZiD5lB5+H5pY++FZEwgobsxziu4desnGH1mV8xi2Upy6Aa01ypL/wFv +B8pFncjX2fJ+k5JKfbu8Lbaa6UOegdb9tdiIlFOe7gOGErxyBMlncqN1CRqpfYTj +dFjnsRl+xS7sZnmYMF+JSIBIjgc2YmhPi46KZ850vTZqkqkiOIxG2FBLzjWc3VSV +oVv/u2zW5lVCFU/7RRFYZG7yYgvIS7kWJPZfYvrlub+5ciahFwvq+WtCtctrCc9m ++NZl2HdycL4Er19lbB/c+1mDvpp6TCHfsLDZ+cgQaD+SdQ0xxfS7TtvCzv7Zx04C +5nPU6tmlI8OSHPPZPfzX5FcBwT2me0ydAg+hZnCIcSacbSp0LNNebnY5AQk+4cv6 +y8D9yPlUD+KRqyVM/d7TlhwNPLO0IZk6vY+y4rm6UsM3rc/Y5PdTwyl9yjhz+0qw +qCTZa9MyxfFtAKGTHIrg3zMCAwEAAaNTMFEwHQYDVR0OBBYEFBetIyBtkdXTNA3v +ohI4lDAErDwRMB8GA1UdIwQYMBaAFBetIyBtkdXTNA3vohI4lDAErDwRMA8GA1Ud +EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFN4RzMCBqWnncNSFTmCj+1d +kS7iFP1b+bwTAnBjW/B7QSNBMSid4pwo+3OrsfafgTR6UiZKwIYHcKz1gZm94BZ0 +9NHlFCW58zXG6MK7bpWoYRbwYOsR/UiuGNbwPLb1wh4niZORQg0baxnUHCf9HX8D +eYdMwE2dHKiitxucpgcWRlMtnGJ5PU0Nj17RgGgZf/0uK+8zoavkf2DLgvFYzPkn +KV7uTik/Ifygguze3YzUSLfpiaG1y0Kzney/f00jjtCNlRZvuKgd6PwPnTJAis+k +8wOygygF4Rt2L9EaNPgHEHCVGLq89lSGsInDJJXPD4uHAAVJ9NArYICQjLW+CV4r ++4rfo4EsUjSA4nqjAdz56/o8/XkoiLg/rA37akfyhGmAYQHxqktrwFF4+ZniEOZm +MYL459zllNipshVvh8UFteIo+PlDrd5uv+EbGjRU+QkmvzSb+1GCGO9juSEVk1m1 +XkRZon4lM/cW/5i0vvd3Mh8Mgb8AHLl4sIfwciNRrbzJn9vuw85PBOldWTN/t7Ei +wRiBvzDhNQCd7UEYEfZc8ttI7KzO5YT13TsIsdU17hWthCIGy6ajZ054jay3FhOk +r2pg7BN1EZqstAAH2CsuJB1ot76KRTPGE1JWB4+JTuqISOcjwNHfa6nevycPBwcd +QNucLC8sID+3HCYtpcMb +-----END CERTIFICATE----- 
diff --git a/secureboot/keys/PK.esl b/secureboot/keys/PK.esl new file mode 100644 index 0000000..d1df6d7 Binary files /dev/null and b/secureboot/keys/PK.esl differ diff --git a/secureboot/keys/db.bin b/secureboot/keys/db.bin new file mode 100644 index 0000000..5928043 Binary files /dev/null and b/secureboot/keys/db.bin differ diff --git a/secureboot/keys/db.cer b/secureboot/keys/db.cer new file mode 100644 index 0000000..dc6f0cd Binary files /dev/null and b/secureboot/keys/db.cer differ diff --git a/secureboot/keys/db.crt b/secureboot/keys/db.crt new file mode 100644 index 0000000..3a67d4b --- /dev/null +++ b/secureboot/keys/db.crt 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFXzCCA0egAwIBAgIUHftXYwI4XPhvlm90qKqzMcw7x74wDQYJKoZIhvcNAQEL +BQAwPzE9MDsGA1UEAww0QU1JTkEgQmFuayBBRyAtIFNlY3VyZSBCb290IChTaWdu +YXR1cmUgRGF0YWJhc2UgS2V5KTAeFw0yNTA1MjgxMTI3MjdaFw0zNTA1MjYxMTI3 +MjdaMD8xPTA7BgNVBAMMNEFNSU5BIEJhbmsgQUcgLSBTZWN1cmUgQm9vdCAoU2ln +bmF0dXJlIERhdGFiYXNlIEtleSkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK +AoICAQC7xBrI3YMk7GNuyyAQvEQbV5zX6Ri9FM5IRiPPbAELabf909JGv9cirxvk +vEhL9J7Eiwcb0mUvvphRkFGIInDIHbeX3N6dZo7sYpT5TGzwoJaaMxEeA3Qq8JCD +GMHI90oxb3+d8YN/huJ2fIvNT521QqQqsoOzYODhdIrSwp7qazpIvguTSVi6AdQX +lqyZPZaqq60EFjWqMhhRY0xtg+PdKOHbDTrWawigPlAbz8GDClYd7ao0WTq+SpTF +n0fl5Ui3tEu0HOPba2pjZXkN2ATZMGQmzB7Idi66aQqKVt192fOsm93+geKM9hLo +KDHYi2oG7VNZYZ34Fb2af1hdlMqfEzavrOWCDTn/Z//hBClcFamFSbma3w4cO0tU +ogvZPyuWFDHr1hlHAyEc24S9vdiQtJpiMmud6uMxEy2YZcq+DBJL3VfHVmfwhVUH +/LR81NZKRUtnuOPSIkkTjrLQtkCQ/YLLnXfvpr43Nm4RiYOj58qCfFcPU9I6THnD +AYk1jIX852nYzt997+63f7814ddAwXykQWq+ExdXj+6FYK5UEdWPzCASjnB6KeDj +5cb/7jxSvq3UsM2/kCPSvs1dQzLby4qbJZOcV6mPrmqwozwwgae6lM/Ei/hBlKli +vBoelKw+lIRMgBX9SYLD48mete145ZSLBTjiCegMigJM/+0f0wIDAQABo1MwUTAd +BgNVHQ4EFgQUS7oTolKuuUed94T1L2H5A3AtS6owHwYDVR0jBBgwFoAUS7oTolKu +uUed94T1L2H5A3AtS6owDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC +AgEALZFsN617/YQvqF5hH+RXfQCIqmAtFVe0YnAhRlaKIleFEYozlSvAxuo3vHOy +UJ5uTYfht/8hRROJBzshlONIIwynMU0miOpvbpJMkLWAdHIkpqO/UVtXJQg49jsh +yoieDjIuQa1JSW7sGxnS34R4F4bWUUPf3YN3/foeNwKJC3bFlZETzUJT0w4iL2NW +/fy0OYHV7vRiMUKUvv5xiliMdG68+rigIdJ2e7MBrjatabGn0ECPyHUO99N4H5zF +ZtJY9tuP3RCR3fswdFo5/JLo6AcS0dGLULzXvegHWZiv5AKIhloqwmGmZejbrB8h +bQ5yyCez1hNBhGZxGAz4Vb7Xt6Jq6aAmg/vnuYh74m2w45QFyjIb1alBM+t40wxe +F1oDMIrbeneSTvyLWPkKKe+/kkGAh9zUBxsLwBytS8zngPYKtUWO2gjT8WZI52mr +aG7ujE2bZt5BVSYVcB3iPiIaRZjAytqHEPRIGcFWyDD3xahHBggua7T/axHxa9MM +pccpP65qKIZV3awjppP83yxhinzscSYQt4Q/CS6cNFyVk0iYh1QwkTwawfDUiD0L +XRH+dolZQDeekoehOaLOp7BC4vp8BoaIHWiM3P19vgMyYHJUq1Q9MQx42u0i2FSz +R/tTsMpeoPG0bzD4ONZA+yDpp4WL5Ldokedikx99qspTzNE= +-----END CERTIFICATE----- 
diff --git a/secureboot/keys/db.esl b/secureboot/keys/db.esl new file mode 100644 index 0000000..55dc856 Binary files /dev/null and b/secureboot/keys/db.esl differ diff --git a/secureboot/signers/ccc.pgp b/secureboot/signers/ccc.pgp new file mode 100644 index 0000000..6b9788d Binary files /dev/null and b/secureboot/signers/ccc.pgp differ