author: Christian Breunig <christian@breunig.cc> 2024-09-04 21:37:11 +0200
committer: Christian Breunig <christian@breunig.cc> 2024-09-14 23:05:23 +0200
commit: fd737172f1068870fe1ededbe9b2ed4a86663acd (patch)
tree: 57ed7c8ab104316b7530f79f67db5e9c885ad8a2 /data/live-build-config/hooks/live
parent: beb3df0733d8cf682291e19b0df0871da20ab5d4 (diff)
download: vyos-build-fd737172f1068870fe1ededbe9b2ed4a86663acd.tar.gz
download: vyos-build-fd737172f1068870fe1ededbe9b2ed4a86663acd.zip
T861: add UEFI Secure Boot support
This adds support for UEFI Secure Boot. It adds the missing pieces to the Linux Kernel and enforces module signing. This results in an additional security layer where untrusted (unsigned) Kernel modules can no longer be loaded into the live system.

NOTE: This commit will not work unless signing keys are present. Arbitrary keys can be generated using instructions found in: data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
Diffstat (limited to 'data/live-build-config/hooks/live')
-rwxr-xr-x  data/live-build-config/hooks/live/92-strip-symbols.chroot (renamed from data/live-build-config/hooks/live/99-strip-symbols.chroot)   0
-rwxr-xr-x  data/live-build-config/hooks/live/93-sign-kernel.chroot   18
2 files changed, 18 insertions, 0 deletions
diff --git a/data/live-build-config/hooks/live/99-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..704f9cb3 100755
--- a/data/live-build-config/hooks/live/99-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
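Review bot: The rename from 99-strip-symbols.chroot to 92-strip-symbols.chroot is not explained in the commit message; add a sentence stating that it exists to make symbol stripping run before the new 93-sign-kernel.chroot hook (live-build executes chroot hooks in lexical filename order). The ordering matters for security, not just tidiness: the signature is appended to the kernel and module bytes, so stripping after signing rewrites the signed file and invalidates the signature that Secure Boot and the module loader verify.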
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
new file mode 100755
index 00000000..031db10d
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sign-kernel.chroot
@@ -0,0 +1,18 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
+MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
+kernel_elf=$(readlink /boot/vmlinuz)
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+
+ sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
+ sbverify --list /boot/${kernel_elf}
+
+ find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
+ $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
+ done
+fi
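Review bot: The module loop at the end signs compressed modules as-is, which does not produce a signature the kernel can verify: sign-file appends the signature to whatever bytes it is given, so for a `.ko.xz` it lands after the xz stream rather than inside the ELF the kernel checks after decompression; decompress with `xz -d`, run `$SIGN_FILE sha512 "$MOK_KEY" "$MOK_CERT" "$module"` on the `.ko`, then recompress. The find expression also needs grouping: `find /lib/modules -type f -name \*.ko -o -name \*.ko.xz` parses as `(-type f -a -name '*.ko') -o -name '*.ko.xz'`, so it should read `find /lib/modules -type f \( -name '*.ko' -o -name '*.ko.xz' \)`. Finally, the script has no `set -e` and never checks the exit status of `sbsign`, `sbverify` or `sign-file`, so a signing failure leaves an unsigned kernel or module in the image while the build still reports success; add `set -e` near the top, quote `${MOK_KEY}`, `$MOK_CERT` and `$module`, and use `read -r` in the loop.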