
init secure boot try

Noah Vogt 1 year ago
parent
commit
b05926c2e1
2 changed files with 59 additions and 12 deletions
  1. 20 6
      arch.sh
  2. 39 6
      chroot.sh

+ 20 - 6
arch.sh

@@ -1,6 +1,11 @@
 #!/bin/bash
 
-pacman -Sy --noconfirm dialog ||  { printf "Error at script start:\n\nAre you sure you're running this as the root user?\n\t(Tip: run 'whoami' to check)\n\nAre you sure you have an internet connection?\n\t(Tip: run 'ip a' to check)\n"; exit; }
+error_exit() {
+    echo "$1"
+    exit 1
+}
+
+pacman -Sy --noconfirm dialog || error_exit "Error at script start:\n\nAre you sure you're running this as the root user?\n\t(Tip: run 'whoami' to check)\n\nAre you sure you have an internet connection?\n\t(Tip: run 'ip a' to check)\n"
 
 clear
 lsblk -d | sed 's/0 disk/0 disk\\n/;s/POINT/POINT\\n/'
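Review bot: `echo "$1"` in the new error_exit prints the `\n` and `\t` sequences in the message literally, because bash's builtin echo does not interpret backslash escapes by default, whereas the printf it replaces did; the message also goes to stdout rather than stderr. A one-line body fixes both without turning the message into a format string: `printf '%b\n' "$1" >&2`. The copy of error_exit added in chroot.sh's first hunk has the same issue, plus a stray blank line before its closing brace.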
@@ -8,11 +13,20 @@ read -rp "Press any key to continue"
 
 dialog --no-cancel --inputbox "Enter the drive you want do install Arch Linux for the VIDEOPC on." 10 60 2>drive
 
+test -d /sys/firmware/efi/efivars || error_exit "Error: Please boot in UEFI mode. No efi vars detected."
+
 DRIVE=$(cat drive)
 PVALUE=$(echo "${DRIVE}" | grep "^nvme" | sed 's/.*[0-9]/p/')
 
 cat <<EOF | fdisk -W always /dev/"${DRIVE}"
-o
+g
+n
+p
+
+
++1024M
+t
+1
 n
 p
 
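Review bot: The value read back from the dialog into DRIVE is passed straight to fdisk and, in the next hunk, to mkfs and mount without any check that it names an existing block device, so a typo or an empty answer turns into a malformed `/dev/` path or a write to the wrong device. A guard right after `DRIVE=$(cat drive)` would catch it: `[[ -n "$DRIVE" && -b /dev/$DRIVE ]] || error_exit "Error: /dev/$DRIVE is not a block device."`. The UEFI check at the top of the hunk could also move ahead of the dialog prompt so the user is not asked for a drive on a system the script will refuse anyway. The `p` lines following each `n` in the fdisk script look like leftovers from the MBR (`o`) version; with a GPT label `n` asks for a partition number, not a type, so they presumably only work because fdisk rejects the input and re-prompts — worth confirming and removing.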
@@ -23,16 +37,16 @@ w
 EOF
 partprobe
 
-yes | mkfs.ext4 /dev/"${DRIVE}${PVALUE}"1
-mount /dev/"${DRIVE}${PVALUE}"1 /mnt
+mkfs.vfat -F32 /dev/"${DRIVE}${PVALUE}"1
+yes | mkfs.ext4 /dev/"${DRIVE}${PVALUE}"2
+mount /dev/"${DRIVE}${PVALUE}"2 /mnt
 
 pacman -Sy --noconfirm archlinux-keyring
 
-pacstrap /mnt base linux linux-firmware networkmanager rsync grub
+pacstrap /mnt base linux networkmanager sbctl amd-ucode efibootmgr
 
 genfstab -U /mnt >> /mnt/etc/fstab
 mv drive /mnt
-echo "Europe/Zurich" > /mnt/tzfinal.tmp
 echo "videopc" > /mnt/etc/hostname
 
 cp chroot.sh /mnt
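Review bot: Neither `mkfs.vfat -F32` nor the `mkfs.ext4`/`mount` lines that follow are error-checked, and no `set -e` is visible in the file, so a failed format still proceeds to pacstrap onto whatever is under /mnt; appending `|| error_exit "Error: formatting failed."` to each (or `set -e` after the shebang) would stop the run. The new EFI partition is also never mounted under /mnt before `genfstab -U`, so the generated fstab appears to carry no entry for it — chroot.sh later mounts it by hand at /efi, and after reboot nothing would mount it for future `sbctl generate-bundles` runs; mounting it at `/mnt/efi` before genfstab would fix that. Dropping `linux-firmware` from the pacstrap list looks intentional but is worth a comment, since amd-ucode is added on the same line and suggests bare-metal hardware.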

+ 39 - 6
chroot.sh

@@ -1,12 +1,17 @@
 #!/bin/bash
 
+error_exit() {
+    echo "$1"
+    exit 1
+
+}
 while true; do
     passwd && break
 done
 
 DRIVE=$(cat drive)
 
-ln -sf /usr/share/zoneinfo/"$(cat tzfinal.tmp)" /etc/localtime
+ln -sf /usr/share/zoneinfo/Europe/Zurich /etc/localtime
 
 hwclock --systohc
 
@@ -16,10 +21,38 @@ locale-gen
 
 systemctl enable NetworkManager
 
-sed -i 's/^\s*GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/' /etc/default/grub
-sed -i 's/^\s*GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"/GRUB_CMDLINE_LINUX_DEFAULT="loglevel=0 quiet udev.log_level=3"/' /etc/default/grub
+mount /dev/"$DRIVE"1 /efi
+test -d /efi/EFI || error_exit "Error: EFI partition could not be mounted correctly."
+
+echo "loglevel=0 quiet udev.log_level=3" > /etc/kernel/cmdline
+chmod /etc/kernel/cmdline
+
+sb_status="$(sbctl status)"
+echo "$sb_status" | grep "^Setup Mode:" | grep -q "Enabled" || error_exit "Error: Secure Boot not in Setup Mode. Please chane UEFI settings."
+echo "$sb_status" | grep "^Secure Boot:" | grep -q "Disabled" || error_exit "Error: Secure Boot enabled. Please chane UEFI settings."
+echo "$sb_status" | grep "^Vendor Keys:" | grep -q "none" || error_exit "Error: Vendor Keys present. Please change UEFI settings."
+
+sbctl bundle -s \
+    -a /boot/amd-ucode.img \
+    -k /boot/vmlinuz-linux \
+    -f /boot/initramfs-linux.img \
+    -c /etc/kernel/cmdline \
+    /efi/EFI/Linux/ArchBundle.efi
+
+sbctl create-keys
+sbctl generate-bundles --sign
+sbctl enroll-keys
+
+efibootmgr --create \
+    --disk /dev/"$DRIVE" \
+    --part 1 \
+    --label "videopc signed efi bundle" \
+    --loader /EFI/Linux/ArchBundle.efi
+
+# sed -i 's/^\s*GRUB_TIMEOUT=5/GRUB_TIMEOUT=0/' /etc/default/grub
+# sed -i 's/^\s*GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"/GRUB_CMDLINE_LINUX_DEFAULT="loglevel=0 quiet udev.log_level=3"/' /etc/default/grub
 
-grub-install /dev/"$DRIVE"
-grub-mkconfig -o /boot/grub/grub.cfg
+# grub-install /dev/"$DRIVE"
+# grub-mkconfig -o /boot/grub/grub.cfg
 
-rm drive tzfinal.tmp
+rm drive
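Review bot: `chmod /etc/kernel/cmdline` has no mode argument and will fail with a usage error, and `test -d /efi/EFI` will fail even after a successful mount because the partition was just created with mkfs.vfat and contains no EFI directory yet. The mount line also builds the device as `/dev/"$DRIVE"1`, dropping the `p` separator that arch.sh computes as PVALUE for NVMe devices, so on `/dev/nvme0n1` it would point at a non-existent node. `sbctl bundle -s` runs before `sbctl create-keys`, so there are presumably no keys to sign with at that point; creating the keys first and leaving `generate-bundles --sign` and `enroll-keys` after the bundle keeps the rest of the flow intact. The two error messages at the Setup Mode and Secure Boot checks say "chane" for "change".
```shell
# … unchanged: systemctl enable NetworkManager …
part_sep=""
[[ "$DRIVE" == nvme* ]] && part_sep="p"
mkdir -p /efi
mount /dev/"${DRIVE}${part_sep}1" /efi || error_exit "Error: EFI partition could not be mounted."
mountpoint -q /efi || error_exit "Error: EFI partition could not be mounted correctly."
mkdir -p /efi/EFI/Linux

echo "loglevel=0 quiet udev.log_level=3" > /etc/kernel/cmdline
chmod 644 /etc/kernel/cmdline   # mode is a constructed example; pick the intended one

# … unchanged: sbctl status checks …

sbctl create-keys
sbctl bundle -s \
    -a /boot/amd-ucode.img \
    -k /boot/vmlinuz-linux \
    -f /boot/initramfs-linux.img \
    -c /etc/kernel/cmdline \
    /efi/EFI/Linux/ArchBundle.efi
sbctl generate-bundles --sign
sbctl enroll-keys
# … unchanged: efibootmgr entry, commented grub lines, rm drive …
```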