From 87dfd9755f4e07db5528b776e2df2f3be340be10 Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 13:44:08 -0300
Subject: [PATCH 01/13] feat: enable secureboot
---
CONTRIBUTORS.txt | 9 +-
README.md | 570 ++++++++++++++++++++++++++++++-----------------
2 files changed, 367 insertions(+), 212 deletions(-)
diff --git a/CONTRIBUTORS.txt b/CONTRIBUTORS.txt
index aab9d462..13ab9075 100644
--- a/CONTRIBUTORS.txt
+++ b/CONTRIBUTORS.txt
@@ -1,4 +1,7 @@
-Marcos Vallim
-Ken Gilmer
+Marcos Vallim - mvallim
+Ken Gilmer - kgilmer
+Anduin Xue - Anduin2017
+Andreas Blaesius - andi34
+Andre Julius <> - NotNorom
+sostela <>
monkey-jsun <>
-Andreas Blaesius
diff --git a/README.md b/README.md
index 67976230..b760af2c 100644
--- a/README.md
+++ b/README.md
@@ -40,7 +40,9 @@ sudo apt-get install \
xorriso \
grub-pc-bin \
grub-efi-amd64-bin \
- mtools
+ mtools \
+ openssl \
+ sbsigntool
```
```shell
@@ -78,7 +80,7 @@ mkdir $HOME/live-ubuntu-from-scratch
*A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot system call or the chroot wrapper program. The modified environment is called a chroot jail.*
-> Reference: https://en.wikipedia.org/wiki/Chroot
+> Reference:
From this point we will be configuring the `live system`.
@@ -167,24 +169,27 @@ From this point we will be configuring the `live system`.
```shell
apt-get install -y \
- sudo \
- ubuntu-standard \
- casper \
- lupin-casper \
- discover \
- laptop-detect \
- os-prober \
- network-manager \
- resolvconf \
- net-tools \
- wireless-tools \
- wpagui \
- locales \
- grub-common \
- grub-gfxpayload-lists \
- grub-pc \
- grub-pc-bin \
- grub2-common
+ sudo \
+ ubuntu-standard \
+ casper \
+ lupin-casper \
+ discover \
+ laptop-detect \
+ os-prober \
+ network-manager \
+ resolvconf \
+ net-tools \
+ wireless-tools \
+ wpagui \
+ locales \
+ grub-common \
+ grub-gfxpayload-lists \
+ grub-pc \
+ grub-pc-bin \
+ grub2-common \
+ grub-efi-amd64-signed \
+ shim-signed \
+ binutils
```
```shell
@@ -244,43 +249,43 @@ From this point we will be configuring the `live system`.
13. **Install Visual Studio Code (optional)**
- 1. Download and install the key
+ 1. Download and install the key
- ```shell
- curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
+ ```shell
+ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
- install -o root -g root -m 644 microsoft.gpg /etc/apt/trusted.gpg.d/
+ install -o root -g root -m 644 microsoft.gpg /etc/apt/trusted.gpg.d/
- echo "deb [arch=amd64] https://packages.microsoft.com/repos/vscode stable main" > /etc/apt/sources.list.d/vscode.list
+ echo "deb [arch=amd64] https://packages.microsoft.com/repos/vscode stable main" > /etc/apt/sources.list.d/vscode.list
- rm microsoft.gpg
- ```
+ rm microsoft.gpg
+ ```
- 2. Then update the package cache and install the package using
+ 2. Then update the package cache and install the package using
- ```shell
- apt-get update
+ ```shell
+ apt-get update
- apt-get install -y code
- ```
+ apt-get install -y code
+ ```
14. **Install Google Chrome (optional)**
- 1. Download and install the key
+ 1. Download and install the key
- ```shell
- wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
+ ```shell
+ wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | sudo apt-key add -
- echo "deb http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
- ```
+ echo "deb http://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
+ ```
- 2. Then update the package cache and install the package using
+ 2. Then update the package cache and install the package using
- ```shell
- apt-get update
+ ```shell
+ apt-get update
- apt-get install google-chrome-stable
- ```
+ apt-get install google-chrome-stable
+ ```
15. **Install Java JDK 8 (optional)**
@@ -311,134 +316,86 @@ From this point we will be configuring the `live system`.
18. **Reconfigure packages**
- 1. Generate locales
+ 1. Generate locales
- ```shell
- dpkg-reconfigure locales
- ```
+ ```shell
+ dpkg-reconfigure locales
+ ```
- 1. *Select locales*
-
-
-
+ 1. *Select locales*
+
+
+
- 2. *Select default locale*
-
-
-
+ 2. *Select default locale*
+
+
+
- 2. Reconfigure resolvconf
+ 2. Reconfigure resolvconf
- ```shell
- dpkg-reconfigure resolvconf
- ```
+ ```shell
+ dpkg-reconfigure resolvconf
+ ```
- 1. *Confirm changes*
-
-
-
+ 1. *Confirm changes*
+
+
+
-
-
-
+
+
+
-
-
-
+
+
+
- 3. Configure network-manager
+ 3. Configure network-manager
- ```shell
- cat < /etc/NetworkManager/NetworkManager.conf
- [main]
- rc-manager=resolvconf
- plugins=ifupdown,keyfile
- dns=dnsmasq
+ ```shell
+ cat < /etc/NetworkManager/NetworkManager.conf
+ [main]
+ rc-manager=resolvconf
+ plugins=ifupdown,keyfile
+ dns=dnsmasq
- [ifupdown]
- managed=false
- EOF
- ```
+ [ifupdown]
+ managed=false
+ EOF
+ ```
- 4. Reconfigure network-manager
+ 4. Reconfigure network-manager
- ```shell
- dpkg-reconfigure network-manager
- ```
-
-19. **Cleanup the chroot environment**
-
- 1. If you installed software, be sure to run
-
- ```shell
- truncate -s 0 /etc/machine-id
- ```
-
- 2. Remove the diversion
-
- ```shell
- rm /sbin/initctl
-
- dpkg-divert --rename --remove /sbin/initctl
- ```
-
- 3. Clean up
-
- ```shell
- apt-get clean
-
- rm -rf /tmp/* ~/.bash_history
-
- umount /proc
-
- umount /sys
-
- umount /dev/pts
-
- export HISTSIZE=0
-
- exit
- ```
-
-## Unbind mount points
-
-```shell
-sudo umount $HOME/live-ubuntu-from-scratch/chroot/dev
-
-sudo umount $HOME/live-ubuntu-from-scratch/chroot/run
-```
+ ```shell
+ dpkg-reconfigure network-manager
+ ```
## Create the CD image directory and populate it
We are now back in our `build environment` after setting up our `live system` and will continue creating files necessary to generate the ISO.
-1. Access build directory
+1. Create directories
```shell
- cd $HOME/live-ubuntu-from-scratch
+ mkdir -p /image/{casper,isolinux,install}
```
-2. Create directories
+2. Copy kernel images
```shell
- mkdir -p image/{casper,isolinux,install}
+ cp /boot/vmlinuz-**-**-generic image/casper/vmlinuz
+
+ cp /boot/initrd.img-**-**-generic image/casper/initrd
```
-3. Copy kernel images
+3. Copy memtest86+ binary (BIOS)
```shell
- sudo cp chroot/boot/vmlinuz-**-**-generic image/casper/vmlinuz
-
- sudo cp chroot/boot/initrd.img-**-**-generic image/casper/initrd
+ cp /boot/memtest86+.bin image/install/memtest86+
```
-4. Copy memtest86+ binary (BIOS)
-
- ```shell
- sudo cp chroot/boot/memtest86+.bin image/install/memtest86+
- ```
-
-5. Download and extract memtest86 binary (UEFI)
+4. Download and extract memtest86 binary (UEFI)
```shell
wget --progress=dot https://www.memtest86.com/downloads/memtest86-usb.zip -O image/install/memtest86-usb.zip
@@ -450,19 +407,13 @@ We are now back in our `build environment` after setting up our `live system` an
## GRUB menu configuration
- 1. Access build directory
-
- ```shell
- cd $HOME/live-ubuntu-from-scratch
- ```
-
- 2. Create base point access file for grub
+ 1. Create base point access file for grub
```shell
touch image/ubuntu
```
- 3. Create image/isolinux/grub.cfg
+ 2. Create image/isolinux/grub.cfg
```shell
cat < image/isolinux/grub.cfg
@@ -508,69 +459,32 @@ We are now back in our `build environment` after setting up our `live system` an
Next we create a file `filesystem.manifest` to specify each package and it's version that is installed on the `live system`. We create another file `filesystem.manifest-desktop` which specifies which files will be installed on the `target system`. Once the Ubiquity installer completes, it will
remove packages specified in `filesystem.manifest` that are *not* listed in `filesystem.manifest-desktop`.
-1. Access build directory
+1. Generate manifest
```shell
- cd $HOME/live-ubuntu-from-scratch
- ```
+ dpkg-query -W --showformat='${Package} ${Version}\n' | sudo tee /image/casper/filesystem.manifest
-2. Generate manifest
+ cp -v /image/casper/filesystem.manifest image/casper/filesystem.manifest-desktop
- ```shell
- sudo chroot chroot dpkg-query -W --showformat='${Package} ${Version}\n' | sudo tee image/casper/filesystem.manifest
+ sed -i '/ubiquity/d' /image/casper/filesystem.manifest-desktop
- sudo cp -v image/casper/filesystem.manifest image/casper/filesystem.manifest-desktop
+ sed -i '/casper/d' /image/casper/filesystem.manifest-desktop
- sudo sed -i '/ubiquity/d' image/casper/filesystem.manifest-desktop
+ sed -i '/discover/d' /image/casper/filesystem.manifest-desktop
- sudo sed -i '/casper/d' image/casper/filesystem.manifest-desktop
+ sed -i '/laptop-detect/d' /image/casper/filesystem.manifest-desktop
- sudo sed -i '/discover/d' image/casper/filesystem.manifest-desktop
-
- sudo sed -i '/laptop-detect/d' image/casper/filesystem.manifest-desktop
-
- sudo sed -i '/os-prober/d' image/casper/filesystem.manifest-desktop
- ```
-
-## Compress the chroot
-
-After everything has been installed and preconfigured in the **chrooted** environment, we need to generate an image of everything that was done by following the next steps in the `build environment`.
-
-1. Access build directory
-
- ```shell
- cd $HOME/live-ubuntu-from-scratch
- ```
-
-2. Create squashfs
-
- ```shell
- sudo mksquashfs chroot image/casper/filesystem.squashfs
- ```
-
- > **Squashfs** is a highly compressed read-only filesystem for Linux. It uses zlib compression to compress both files, inodes and directories. Inodes in the system are very small and all blocks are packed to minimize data overhead. Block sizes greater than 4K are supported up to a maximum of 64K.
- > **Squashfs** is intended for general read-only filesystem use, for archival use (i.e. in cases where a .tar.gz file may be used), and in constrained block device/memory systems (e.g. **embedded systems**) where low overhead is needed.
-
-3. Write the filesystem.size
-
- ```shell
- printf $(sudo du -sx --block-size=1 chroot | cut -f1) > image/casper/filesystem.size
+ sed -i '/os-prober/d' /image/casper/filesystem.manifest-desktop
```
## Create diskdefines
**README** file often found on Linux LiveCD installer discs, such as an Ubuntu Linux installation CD; typically named “**README.diskdefines**” and may be referenced during installation.
-1. Access build directory
+1. Create file /image/README.diskdefines
```shell
- cd $HOME/live-ubuntu-from-scratch
- ```
-
-2. Create file image/README.diskdefines
-
- ```shell
- cat < image/README.diskdefines
+ cat < /image/README.diskdefines
#define DISKNAME Ubuntu from scratch
#define TYPE binary
#define TYPEbinary 1
@@ -583,38 +497,196 @@ After everything has been installed and preconfigured in the **chrooted** enviro
EOF
```
-## Create ISO Image for a LiveCD (BIOS + UEFI)
+### Creating the certificates to Secure Boot
+
+ 1. Create the certificate template
+
+ ```shell
+ mkdir /certificates
+ ```
+
+ ```shell
+ cd /certificates
+ ```
+
+ ```shell
+ cat < config.conf
+ [ req ]
+ default_bits = 2048
+ default_md = sha256
+ distinguished_name = dn
+ prompt = no
+
+ [ dn ]
+ C = BR
+ ST = SP
+ L = Campinas
+ O = Scratch, Labs
+ OU = Labs
+ CN = \${ENV::CN}
+
+ [ root ]
+ basicConstraints = critical,CA:TRUE
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign,cRLSign
+
+ [ ca ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer:always
+ keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign,cRLSign
+
+ [ db ]
+ subjectKeyIdentifier = hash
+ basicConstraints = critical,CA:FALSE
+ keyUsage = critical,keyEncipherment,dataEncipherment
+ authorityKeyIdentifier = keyid,issuer:always
+ EOF
+ ```
+
+ 2. Create the Root CA certificate
+
+ ```shell
+ CN="Root, CA" \
+ openssl req -x509 -newkey rsa:2048 -nodes \
+ -keyout root.key \
+ -days 3650 \
+ -config config.conf \
+ -extensions root \
+ -out root.pem
+ ```
+
+ 3. Create the intermediate CA certificate
+
+ ```shell
+ CN="Ubuntu live from scratch, CA" \
+ openssl req -newkey rsa:2048 -nodes \
+ -keyout ca.key \
+ -config config.conf \
+ -out ca.pem
+ ```
+
+ 4. Create Database (DB) request certificate
+
+ ```shell
+ CN="Ubuntu live from scratch, Database" \
+ openssl req -newkey rsa:2048 -nodes \
+ -keyout db.key \
+ -config config.conf \
+ -out db.pem
+ ```
+
+ 5. Sign the intermediate CA certificate with the Root CA certificate
+
+ ```shell
+ CN="Ubuntu live from scratch, CA" \
+ openssl x509 -req \
+ -extfile config.conf \
+ -extensions ca \
+ -in ca.pem \
+ -CA root.pem \
+ -CAkey root.key \
+ -CAcreateserial \
+ -out ca.pem \
+ -days 3650 -sha256
+ ```
+
+ 6. Sign Database (DB) certificate using your own CA
+
+ ```shell
+ CN="Ubuntu live from scratch, Database" \
+ openssl x509 -req \
+ -extfile config.conf \
+ -extensions db \
+ -in db.pem \
+ -CA ca.pem \
+ -CAkey ca.key \
+ -CAcreateserial \
+ -out db.pem \
+ -days 3650 -sha256
+ ```
+
+ 7. Create the intermediate CA certificate chain
+
+ ```shell
+ cat ca.pem root.pem > ca-chain.pem
+ ```
+
+ 8. Verify the signatures
+
+ ```shell
+ openssl verify -CAfile ca-chain.pem db.pem
+ ```
+
+ 9. Create DER version of our public key (CA)
+
+ ```shell
+ openssl x509 -outform DER -in ca.pem -out ca.cer
+ ```
+
+### Creating image
1. Access image directory
```shell
- cd $HOME/live-ubuntu-from-scratch/image
+ cd /image
```
-2. Create a grub UEFI image
+2. Create [SBAT](https://github.com/rhboot/shim/blob/main/SBAT.md) file
+
+ ```shell
+ cat < isolinux/sbat.csv
+ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+ grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
+ EOF
+ ```
+
+3. Create a grub UEFI image
```shell
grub-mkstandalone \
--format=x86_64-efi \
- --output=isolinux/bootx64.efi \
+ --output=isolinux/grubx64.efi \
--locales="" \
--fonts="" \
"boot/grub/grub.cfg=isolinux/grub.cfg"
```
-3. Create a FAT16 UEFI boot disk image containing the EFI bootloader
+ * Fix Secure Boot Grub
+
+ ```shell
+ sed -i 's/SecureBoot/SecureB00t/' isolinux/grubx64.efi
+ ```
+
+4. Add .sbat sections
+
+ ```shell
+ objcopy --set-section-alignment '.sbat=512' --add-section .sbat=isolinux/sbat.csv isolinux/grubx64.efi --adjust-section-vma .sbat+10000000
+ ```
+
+5. UEFI secure boot signing
+
+ ```shell
+ sbsign --key /certificates/db.key --cert /certificates/db.pem --output isolinux/grubx64.efi isolinux/grubx64.efi
+ ```
+
+6. Create a FAT16 UEFI boot disk image containing the EFI bootloader
```shell
(
cd isolinux && \
dd if=/dev/zero of=efiboot.img bs=1M count=10 && \
- sudo mkfs.vfat efiboot.img && \
- LC_CTYPE=C mmd -i efiboot.img efi efi/boot && \
- LC_CTYPE=C mcopy -i efiboot.img ./bootx64.efi ::efi/boot/
+ mkfs.vfat -F 16 efiboot.img && \
+ LC_CTYPE=C mmd -i efiboot.img certificates efi efi/boot && \
+ LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/shimx64.efi.signed.previous ::efi/boot/bootx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/mmx64.efi ::efi/boot/mmx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img /image/isolinux/grubx64.efi ::efi/boot/grubx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img /certificates/ca.cer ::certificates/
)
```
-4. Create a grub BIOS image
+7. Create a grub BIOS image
```shell
grub-mkstandalone \
@@ -627,19 +699,99 @@ After everything has been installed and preconfigured in the **chrooted** enviro
"boot/grub/grub.cfg=isolinux/grub.cfg"
```
-5. Combine a bootable Grub cdboot.img
+8. Combine a bootable Grub cdboot.img
```shell
cat /usr/lib/grub/i386-pc/cdboot.img isolinux/core.img > isolinux/bios.img
```
-6. Generate md5sum.txt
+9. Generate md5sum.txt
```shell
- sudo /bin/bash -c "(find . -type f -print0 | xargs -0 md5sum | grep -v -e 'md5sum.txt' -e 'bios.img' -e 'efiboot.img' > md5sum.txt)"
+ /bin/bash -c "(find . -type f -print0 | xargs -0 md5sum | grep -v -e 'md5sum.txt' -e 'bios.img' -e 'efiboot.img' > md5sum.txt)"
```
-7. Create iso from the image directory using the command-line
+## Cleanup the chroot environment
+
+ 1. If you installed software, be sure to run
+
+ ```shell
+ truncate -s 0 /etc/machine-id
+ ```
+
+ 2. Remove the diversion
+
+ ```shell
+ rm /sbin/initctl
+
+ dpkg-divert --rename --remove /sbin/initctl
+ ```
+
+ 3. Clean up
+
+ ```shell
+ apt-get clean
+
+ rm -rf /tmp/* ~/.bash_history
+
+ umount /proc
+
+ umount /sys
+
+ umount /dev/pts
+
+ export HISTSIZE=0
+
+ exit
+ ```
+
+## Unbind mount points
+
+```shell
+sudo umount $HOME/live-ubuntu-from-scratch/chroot/dev
+
+sudo umount $HOME/live-ubuntu-from-scratch/chroot/run
+```
+
+## Compress the chroot
+
+After everything has been installed and preconfigured in the **chrooted** environment, we need to generate an image of everything that was done by following the next steps in the `build environment`.
+
+1. Access build directory
+
+ ```shell
+ cd $HOME/live-ubuntu-from-scratch
+ ```
+
+2. Move image artifacts
+
+ ```shell
+ sudo mv chroot/{image,certificates} .
+ ```
+
+3. Create squashfs
+
+ ```shell
+ sudo mksquashfs chroot image/casper/filesystem.squashfs
+ ```
+
+ > **Squashfs** is a highly compressed read-only filesystem for Linux. It uses zlib compression to compress both files, inodes and directories. Inodes in the system are very small and all blocks are packed to minimize data overhead. Block sizes greater than 4K are supported up to a maximum of 64K.
+ > **Squashfs** is intended for general read-only filesystem use, for archival use (i.e. in cases where a .tar.gz file may be used), and in constrained block device/memory systems (e.g. **embedded systems**) where low overhead is needed.
+
+4. Write the filesystem.size
+
+ ```shell
+ printf $(sudo du -sx --block-size=1 chroot | cut -f1) | sudo tee image/casper/filesystem.size
+ ```
+
+## Create ISO Image for a LiveCD (BIOS + UEFI + Secure Boot)
+
+1. Access build directory
+
+ ```shell
+ cd $HOME/live-ubuntu-from-scratch/image
+
+2. Create iso from the image directory using the command-line
```shell
sudo xorriso \
@@ -654,7 +806,7 @@ After everything has been installed and preconfigured in the **chrooted** enviro
-boot-info-table \
--eltorito-catalog boot/grub/boot.cat \
--grub2-boot-info \
- --grub2-mbr /usr/lib/grub/i386-pc/boot_hybrid.img \
+ --grub2-mbr ../chroot/usr/lib/grub/i386-pc/boot_hybrid.img \
-eltorito-alt-boot \
-e EFI/efiboot.img \
-no-emul-boot \
From 1e15c105ab5d1ba41ef6e9936238b53ba31b628e Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 15:43:10 -0300
Subject: [PATCH 02/13] feat: enable secureboot
---
README.md | 19 +--
scripts/build.sh | 113 ++--------------
scripts/chroot_build.sh | 284 ++++++++++++++++++++++++++++++++++++----
3 files changed, 276 insertions(+), 140 deletions(-)
diff --git a/README.md b/README.md
index b760af2c..6d8998a5 100644
--- a/README.md
+++ b/README.md
@@ -37,12 +37,7 @@ sudo apt-get install \
binutils \
debootstrap \
squashfs-tools \
- xorriso \
- grub-pc-bin \
- grub-efi-amd64-bin \
- mtools \
- openssl \
- sbsigntool
+ xorriso
```
```shell
@@ -211,13 +206,13 @@ From this point we will be configuring the `live system`.
1. Configure keyboard
-
-
-
+
+
+
-
-
-
+
+
+
2. Console setup
diff --git a/scripts/build.sh b/scripts/build.sh
index 84ea0c7d..46178a25 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -99,13 +99,13 @@ function check_config() {
function setup_host() {
echo "=====> running setup_host ..."
sudo apt update
- sudo apt install -y binutils debootstrap squashfs-tools xorriso grub-pc-bin grub-efi-amd64-bin mtools dosfstools unzip
+ sudo apt install -y binutils debootstrap squashfs-tools xorriso dosfstools unzip
sudo mkdir -p chroot
}
function debootstrap() {
echo "=====> running debootstrap ... will take a couple of minutes ..."
- sudo debootstrap --arch=amd64 --variant=minbase $TARGET_UBUNTU_VERSION chroot $TARGET_UBUNTU_MIRROR
+ sudo debootstrap --arch=amd64 --variant=minbase $TARGET_UBUNTU_VERSION chroot $TARGET_UBUNTU_MIRROR
}
function run_chroot() {
@@ -136,120 +136,23 @@ function run_chroot() {
function build_iso() {
echo "=====> running build_iso ..."
- rm -rf image
- mkdir -p image/{casper,isolinux,install}
-
- # copy kernel files
- sudo cp chroot/boot/vmlinuz-**-**-generic image/casper/vmlinuz
- sudo cp chroot/boot/initrd.img-**-**-generic image/casper/initrd
-
- # memtest86
- sudo cp chroot/boot/memtest86+.bin image/install/memtest86+
-
- wget --progress=dot https://www.memtest86.com/downloads/memtest86-usb.zip -O image/install/memtest86-usb.zip
- unzip -p image/install/memtest86-usb.zip memtest86-usb.img > image/install/memtest86
- rm -f image/install/memtest86-usb.zip
-
- # grub
- touch image/ubuntu
- cat < image/isolinux/grub.cfg
-
-search --set=root --file /ubuntu
-
-insmod all_video
-
-set default="0"
-set timeout=30
-
-menuentry "${GRUB_LIVEBOOT_LABEL}" {
- linux /casper/vmlinuz boot=casper nopersistent toram quiet splash ---
- initrd /casper/initrd
-}
-
-menuentry "${GRUB_INSTALL_LABEL}" {
- linux /casper/vmlinuz boot=casper only-ubiquity quiet splash ---
- initrd /casper/initrd
-}
-
-menuentry "Check disc for defects" {
- linux /casper/vmlinuz boot=casper integrity-check quiet splash ---
- initrd /casper/initrd
-}
-
-menuentry "Test memory Memtest86+ (BIOS)" {
- linux16 /install/memtest86+
-}
-
-menuentry "Test memory Memtest86 (UEFI, long load time)" {
- insmod part_gpt
- insmod search_fs_uuid
- insmod chain
- loopback loop /install/memtest86
- chainloader (loop,gpt1)/efi/boot/BOOTX64.efi
-}
-EOF
-
- # generate manifest
- sudo chroot chroot dpkg-query -W --showformat='${Package} ${Version}\n' | sudo tee image/casper/filesystem.manifest
- sudo cp -v image/casper/filesystem.manifest image/casper/filesystem.manifest-desktop
- for pkg in $TARGET_PACKAGE_REMOVE; do
- sudo sed -i "/$pkg/d" image/casper/filesystem.manifest-desktop
- done
+ # move image artifacts
+ sudo mv chroot/{image,certificates} .
# compress rootfs
sudo mksquashfs chroot image/casper/filesystem.squashfs \
-noappend -no-duplicates -no-recovery \
-wildcards \
+ -comp xz -b 1M -Xdict-size 100% \
-e "var/cache/apt/archives/*" \
-e "root/*" \
-e "root/.*" \
-e "tmp/*" \
-e "tmp/.*" \
-e "swapfile"
- printf $(sudo du -sx --block-size=1 chroot | cut -f1) > image/casper/filesystem.size
- # create diskdefines
- cat < image/README.diskdefines
-#define DISKNAME ${GRUB_LIVEBOOT_LABEL}
-#define TYPE binary
-#define TYPEbinary 1
-#define ARCH amd64
-#define ARCHamd64 1
-#define DISKNUM 1
-#define DISKNUM1 1
-#define TOTALNUM 0
-#define TOTALNUM0 1
-EOF
-
- # create iso image
- pushd $SCRIPT_DIR/image
- grub-mkstandalone \
- --format=x86_64-efi \
- --output=isolinux/bootx64.efi \
- --locales="" \
- --fonts="" \
- "boot/grub/grub.cfg=isolinux/grub.cfg"
-
- (
- cd isolinux && \
- dd if=/dev/zero of=efiboot.img bs=1M count=10 && \
- sudo mkfs.vfat efiboot.img && \
- LC_CTYPE=C mmd -i efiboot.img efi efi/boot && \
- LC_CTYPE=C mcopy -i efiboot.img ./bootx64.efi ::efi/boot/
- )
-
- grub-mkstandalone \
- --format=i386-pc \
- --output=isolinux/core.img \
- --install-modules="linux16 linux normal iso9660 biosdisk memdisk search tar ls" \
- --modules="linux16 linux normal iso9660 biosdisk search" \
- --locales="" \
- --fonts="" \
- "boot/grub/grub.cfg=isolinux/grub.cfg"
-
- cat /usr/lib/grub/i386-pc/cdboot.img isolinux/core.img > isolinux/bios.img
-
- sudo /bin/bash -c "(find . -type f -print0 | xargs -0 md5sum | grep -v -e 'md5sum.txt' -e 'bios.img' -e 'efiboot.img' > md5sum.txt)"
+ # write the filesystem.size
+ printf $(sudo du -sx --block-size=1 chroot | cut -f1) | sudo tee image/casper/filesystem.size
sudo xorriso \
-as mkisofs \
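Review bot: The `rm -rf image` that opened the removed block has no replacement, so `sudo mv chroot/{image,certificates} .` only works on a clean tree; on a rerun `./image` and `./certificates` already exist and the move fails (or leaves the previous run's artifacts in place), so add `sudo rm -rf image certificates` before the `mv`. The ordering also matters for a second reason: `certificates` holds the unencrypted root, intermediate and signing private keys that chroot_build.sh generates, and moving the directory out before `mksquashfs chroot ...` is the only thing keeping them out of `filesystem.squashfs`; a comment such as `# must run before mksquashfs: the private keys must not end up in the rootfs` would stop a later reorder from shipping them. build_iso continues outside the hunk.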
@@ -262,7 +165,7 @@ EOF
-boot-info-table \
--eltorito-catalog boot/grub/boot.cat \
--grub2-boot-info \
- --grub2-mbr /usr/lib/grub/i386-pc/boot_hybrid.img \
+ --grub2-mbr ../chroot/usr/lib/grub/i386-pc/boot_hybrid.img \
-eltorito-alt-boot \
-e EFI/efiboot.img \
-no-emul-boot \
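Review bot: `--grub2-mbr ../chroot/usr/lib/grub/i386-pc/boot_hybrid.img` is a path relative to `image/`, but the `pushd $SCRIPT_DIR/image` that used to place xorriso there is removed in the hunk above and nothing visible re-enters `image/`; the commands immediately before (`mksquashfs chroot image/...`, `tee image/casper/filesystem.size`) run from the build root. If build_iso now stays in the build root this should be `--grub2-mbr chroot/usr/lib/grub/i386-pc/boot_hybrid.img` and the other relative xorriso inputs (`-e EFI/efiboot.img`) need the same check; if a `cd` happens in lines not shown, a comment naming the expected working directory would make that explicit. The xorriso command starts and ends outside this hunk.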
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index b9a9c983..12b05b92 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -7,7 +7,7 @@ set -u # treat unset variable as error
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
-CMD=(setup_host install_pkg finish_up)
+CMD=(setup_host install_pkg build_image finish_up)
function help() {
# if $1 is set, use $1 as headline message in help()
@@ -100,23 +100,26 @@ function install_pkg() {
# install live packages
apt-get install -y \
- sudo \
- ubuntu-standard \
- casper \
- discover \
- laptop-detect \
- os-prober \
- network-manager \
- resolvconf \
- net-tools \
- wireless-tools \
- wpagui \
- grub-common \
- grub-gfxpayload-lists \
- grub-pc \
- grub-pc-bin \
- grub2-common \
- locales
+ sudo \
+ ubuntu-standard \
+ casper \
+ discover \
+ laptop-detect \
+ os-prober \
+ network-manager \
+ resolvconf \
+ net-tools \
+ wireless-tools \
+ wpagui \
+ locales \
+ grub-common \
+ grub-gfxpayload-lists \
+ grub-pc \
+ grub-pc-bin \
+ grub2-common \
+ grub-efi-amd64-signed \
+ shim-signed \
+ binutils
case $TARGET_UBUNTU_VERSION in
"focal" | "bionic")
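Review bot: build_image, added later in this commit, runs `sbsign`, `mkfs.vfat`, `mmd`/`mcopy`, `unzip`, `wget` and `openssl` inside the chroot, but this list only gains `grub-efi-amd64-signed`, `shim-signed` and `binutils`, so on a minbase debootstrap those tools are missing; patch 03 later adds `mtools`, but `sbsigntool`, `dosfstools` and `unzip` (and `openssl`/`wget`, unless ubuntu-standard pulls them in transitively) are still absent. Add `sbsigntool \`, `dosfstools \` and `unzip \` here, and drop `dosfstools unzip` from the host install in build.sh setup_host, which no longer uses them. install_pkg continues outside the hunk.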
@@ -132,11 +135,11 @@ function install_pkg() {
# graphic installer - ubiquity
apt-get install -y \
- ubiquity \
- ubiquity-casper \
- ubiquity-frontend-gtk \
- ubiquity-slideshow-ubuntu \
- ubiquity-ubuntu-artwork
+ ubiquity \
+ ubiquity-casper \
+ ubiquity-frontend-gtk \
+ ubiquity-slideshow-ubuntu \
+ ubiquity-ubuntu-artwork
# Call into config function
customize_image
@@ -164,6 +167,241 @@ EOF
apt-get clean -y
}
+function build_image() {
+ echo "=====> running build_image ..."
+
+ rm -rf /image
+
+ mkdir -p /image/{casper,isolinux,install}
+
+ pushd /image
+
+ # copy kernel files
+ cp /boot/vmlinuz-**-**-generic casper/vmlinuz
+ cp /boot/initrd.img-**-**-generic casper/initrd
+
+ # memtest86
+ cp /boot/memtest86+.bin install/memtest86+
+
+ # memtest86++
+ wget --progress=dot https://www.memtest86.com/downloads/memtest86-usb.zip -O install/memtest86-usb.zip
+ unzip -p install/memtest86-usb.zip memtest86-usb.img > install/memtest86
+ rm -f install/memtest86-usb.zip
+
+ # grub
+ touch ubuntu
+ cat < isolinux/grub.cfg
+
+search --set=root --file /ubuntu
+
+insmod all_video
+
+set default="0"
+set timeout=30
+
+menuentry "Try Ubuntu FS without installing" {
+ linux /casper/vmlinuz boot=casper nopersistent toram quiet splash ---
+ initrd /casper/initrd
+}
+
+menuentry "Install Ubuntu FS" {
+ linux /casper/vmlinuz boot=casper only-ubiquity quiet splash ---
+ initrd /casper/initrd
+}
+
+menuentry "Check disc for defects" {
+ linux /casper/vmlinuz boot=casper integrity-check quiet splash ---
+ initrd /casper/initrd
+}
+
+menuentry "Test memory Memtest86+ (BIOS)" {
+ linux16 /install/memtest86+
+}
+
+menuentry "Test memory Memtest86 (UEFI, long load time)" {
+ insmod part_gpt
+ insmod search_fs_uuid
+ insmod chain
+ loopback loop /install/memtest86
+ chainloader (loop,gpt1)/efi/boot/BOOTX64.efi
+}
+EOF
+
+ # generate manifest
+ dpkg-query -W --showformat='${Package} ${Version}\n' | sudo tee casper/filesystem.manifest
+
+ cp -v casper/filesystem.manifest casper/filesystem.manifest-desktop
+
+ for pkg in $TARGET_PACKAGE_REMOVE; do
+ sudo sed -i "/$pkg/d" casper/filesystem.manifest-desktop
+ done
+
+ # create diskdefines
+ cat < README.diskdefines
+#define DISKNAME ${GRUB_LIVEBOOT_LABEL}
+#define TYPE binary
+#define TYPEbinary 1
+#define ARCH amd64
+#define ARCHamd64 1
+#define DISKNUM 1
+#define DISKNUM1 1
+#define TOTALNUM 0
+#define TOTALNUM0 1
+EOF
+
+ # create certificates
+ rm -rf /certificates
+ mkdir /certificates
+
+ pushd /certificates
+
+ # create the certificate template
+ cat < config.conf
+[ req ]
+default_bits = 2048
+default_md = sha256
+distinguished_name = dn
+prompt = no
+
+[ dn ]
+C = BR
+ST = SP
+L = Campinas
+O = Scratch, Labs
+OU = Labs
+CN = \${ENV::CN}
+
+[ root ]
+basicConstraints = critical,CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign,cRLSign
+
+[ ca ]
+basicConstraints = critical,CA:TRUE,pathlen:0
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = critical,digitalSignature,keyEncipherment,keyCertSign,cRLSign
+
+[ db ]
+subjectKeyIdentifier = hash
+basicConstraints = critical,CA:FALSE
+keyUsage = critical,keyEncipherment,dataEncipherment
+authorityKeyIdentifier = keyid,issuer:always
+EOF
+
+ # create the Root CA certificate
+ CN="Root, CA" \
+ openssl req -x509 -newkey rsa:2048 -nodes \
+ -keyout root.key \
+ -days 3650 \
+ -config config.conf \
+ -extensions root \
+ -out root.pem
+
+ # create the intermediate CA certificate
+ CN="Ubuntu live from scratch, CA" \
+ openssl req -newkey rsa:2048 -nodes \
+ -keyout ca.key \
+ -config config.conf \
+ -out ca.pem
+
+ # create Database (DB) request certificate
+ CN="Ubuntu live from scratch, Database" \
+ openssl req -newkey rsa:2048 -nodes \
+ -keyout db.key \
+ -config config.conf \
+ -out db.pem
+
+ # sign the intermediate CA certificate with the Root CA certificate
+ CN="Ubuntu live from scratch, CA" \
+ openssl x509 -req \
+ -extfile config.conf \
+ -extensions ca \
+ -in ca.pem \
+ -CA root.pem \
+ -CAkey root.key \
+ -CAcreateserial \
+ -out ca.pem \
+ -days 3650 -sha256
+
+ # sign Database (DB) certificate using your own CA
+ CN="Ubuntu live from scratch, Database" \
+ openssl x509 -req \
+ -extfile config.conf \
+ -extensions db \
+ -in db.pem \
+ -CA ca.pem \
+ -CAkey ca.key \
+ -CAcreateserial \
+ -out db.pem \
+ -days 3650 -sha256
+
+ # create the intermediate CA certificate chain
+ cat ca.pem root.pem > ca-chain.pem
+
+ # verify the signatures
+ openssl verify -CAfile ca-chain.pem db.pem
+
+ # create DER version of our public key (CA)
+ openssl x509 -outform DER -in ca.pem -out ca.cer
+
+ popd # return to image directory
+
+ # create SBAT file
+ cat < isolinux/sbat.csv
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
+EOF
+
+ # create a grub UEFI image
+ grub-mkstandalone \
+ --format=x86_64-efi \
+ --output=isolinux/grubx64.efi \
+ --locales="" \
+ --fonts="" \
+ "boot/grub/grub.cfg=isolinux/grub.cfg"
+
+ # fix secure boot grub
+ sed -i 's/SecureBoot/SecureB00t/' isolinux/grubx64.efi
+
+ # add .sbat sections
+ objcopy --set-section-alignment '.sbat=512' --add-section .sbat=isolinux/sbat.csv isolinux/grubx64.efi --adjust-section-vma .sbat+10000000
+
+ # UEFI secure boot signing
+ sbsign --key /certificates/db.key --cert /certificates/db.pem --output isolinux/grubx64.efi isolinux/grubx64.efi
+
+ # create a FAT16 UEFI boot disk image containing the EFI bootloader
+ (
+ cd isolinux && \
+ dd if=/dev/zero of=efiboot.img bs=1M count=10 && \
+ mkfs.vfat -F 16 efiboot.img && \
+ LC_CTYPE=C mmd -i efiboot.img certificates efi efi/boot && \
+ LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/shimx64.efi.signed.previous ::efi/boot/bootx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/mmx64.efi ::efi/boot/mmx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img isolinux/grubx64.efi ::efi/boot/grubx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img /certificates/ca.cer ::certificates/
+ )
+
+ # create a grub BIOS image
+ grub-mkstandalone \
+ --format=i386-pc \
+ --output=isolinux/core.img \
+ --install-modules="linux16 linux normal iso9660 biosdisk memdisk search tar ls" \
+ --modules="linux16 linux normal iso9660 biosdisk search" \
+ --locales="" \
+ --fonts="" \
+ "boot/grub/grub.cfg=isolinux/grub.cfg"
+
+ # combine a bootable Grub cdboot.img
+ cat /usr/lib/grub/i386-pc/cdboot.img isolinux/core.img > isolinux/bios.img
+
+ # generate md5sum.txt
+ /bin/bash -c "(find . -type f -print0 | xargs -0 md5sum | grep -v -e 'md5sum.txt' -e 'bios.img' -e 'efiboot.img' > md5sum.txt)"
+
+ popd # return initial directory
+}
+
function finish_up() {
echo "=====> finish_up"
From b0da1a0d50c11776454b0cd0c75a7cefc20194cc Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 15:57:53 -0300
Subject: [PATCH 03/13] feat: enable secureboot
---
scripts/chroot_build.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index 12b05b92..d4c83bd4 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -119,6 +119,7 @@ function install_pkg() {
grub2-common \
grub-efi-amd64-signed \
shim-signed \
+ mtools \
binutils
case $TARGET_UBUNTU_VERSION in
From 0ff048131d4d1e5aa1dcf5fe4a95fa511808cfe7 Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 16:07:47 -0300
Subject: [PATCH 04/13] feat: enable secureboot
---
scripts/chroot_build.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index d4c83bd4..c8b17e0c 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -380,7 +380,7 @@ EOF
LC_CTYPE=C mmd -i efiboot.img certificates efi efi/boot && \
LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/shimx64.efi.signed.previous ::efi/boot/bootx64.efi && \
LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/mmx64.efi ::efi/boot/mmx64.efi && \
- LC_CTYPE=C mcopy -i efiboot.img isolinux/grubx64.efi ::efi/boot/grubx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img ./isolinux/grubx64.efi ::efi/boot/grubx64.efi && \
LC_CTYPE=C mcopy -i efiboot.img /certificates/ca.cer ::certificates/
)
From e253205f1ab7b15f8002997a54dc7556722ea0b4 Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 16:08:23 -0300
Subject: [PATCH 05/13] feat: enable secureboot
---
scripts/chroot_build.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index c8b17e0c..6789f84d 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -380,7 +380,7 @@ EOF
LC_CTYPE=C mmd -i efiboot.img certificates efi efi/boot && \
LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/shimx64.efi.signed.previous ::efi/boot/bootx64.efi && \
LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/mmx64.efi ::efi/boot/mmx64.efi && \
- LC_CTYPE=C mcopy -i efiboot.img ./isolinux/grubx64.efi ::efi/boot/grubx64.efi && \
+ LC_CTYPE=C mcopy -i efiboot.img ./grubx64.efi ::efi/boot/grubx64.efi && \
LC_CTYPE=C mcopy -i efiboot.img /certificates/ca.cer ::certificates/
)
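Review bot: The path fix lands between two unchanged copies of `/usr/lib/shim/shimx64.efi.signed.previous` into `efi/boot/bootx64.efi`, i.e. by its own name the previous signed shim rather than the current one, so any shim security fixes and the newer SbatLevel a current shim carries are absent from the ISO, and a firmware whose SBAT revocation list has already moved on may refuse to load it at all. Unless there is a known reason to prefer the older shim, copy the current `shimx64.efi.signed` if the shim-signed package provides it alongside (`LC_CTYPE=C mcopy -i efiboot.img /usr/lib/shim/shimx64.efi.signed ::efi/boot/bootx64.efi`), and if the older one really is required, record why in a comment on that line, e.g. `# .previous on purpose: current shim fails on <platform>`. The `dd`/`mkfs.vfat` start of this subshell lies outside the hunk.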
From d78d4b2e261fcd0d43d5cca8dd3d5390636b220b Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 16:24:58 -0300
Subject: [PATCH 06/13] feat: enable secureboot
---
scripts/build.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/build.sh b/scripts/build.sh
index 46178a25..9d23cac9 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -154,6 +154,8 @@ function build_iso() {
# write the filesystem.size
printf $(sudo du -sx --block-size=1 chroot | cut -f1) | sudo tee image/casper/filesystem.size
+ pushd $SCRIPT_DIR/image
+
sudo xorriso \
-as mkisofs \
-iso-level 3 \
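Review bot: The new `pushd $SCRIPT_DIR/image` is unquoted, so a checkout path containing whitespace word-splits and, under the script's `set -e`, aborts the build (or pushes into the wrong directory if the first fragment happens to exist). Write `pushd "$SCRIPT_DIR/image" >/dev/null`; the redirect also keeps pushd's directory-stack echo out of the build log, and every other `$SCRIPT_DIR` use in the file should get the same quoting. The xorriso call that follows and the matching `popd` are outside this hunk, so I can't confirm the directory is restored on every exit path.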
From ff619402eb92a03cd45b4dba49a9bae2e5cb318d Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 19:04:32 -0300
Subject: [PATCH 07/13] feat: enable secureboot
---
.github/workflows/build-bionic.yml | 2 +-
.github/workflows/build-focal.yml | 2 +-
.github/workflows/build-jammy.yml | 2 +-
.gitignore | 1 +
README.md | 7 ++++++-
scripts/chroot_build.sh | 7 ++++++-
6 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-bionic.yml b/.github/workflows/build-bionic.yml
index 4e557662..592f98c1 100644
--- a/.github/workflows/build-bionic.yml
+++ b/.github/workflows/build-bionic.yml
@@ -9,7 +9,7 @@ on:
jobs:
build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
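Review bot: Replacing the pinned `ubuntu-20.04` runner with `ubuntu-latest` makes this job a moving target: the host toolchain (debootstrap, xorriso, grub tools) changes whenever GitHub rolls the image, which is exactly the host this build bootstraps an older release (bionic) on, so a green run today says little about next month. Pin an explicit image that is known to work (e.g. `runs-on: ubuntu-22.04`) and bump it deliberately. The `actions/checkout@v2` step just below is referenced by a mutable tag of an old major; pin actions to a full commit SHA with a version comment (`uses: actions/checkout@<sha> # v4`) so the workflow's supply chain cannot change underneath the build. The same applies to the focal and jammy workflows changed in this commit.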
diff --git a/.github/workflows/build-focal.yml b/.github/workflows/build-focal.yml
index 6de719be..ea3a38e7 100644
--- a/.github/workflows/build-focal.yml
+++ b/.github/workflows/build-focal.yml
@@ -9,7 +9,7 @@ on:
jobs:
build:
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
diff --git a/.github/workflows/build-jammy.yml b/.github/workflows/build-jammy.yml
index 12467880..d451b2d0 100644
--- a/.github/workflows/build-jammy.yml
+++ b/.github/workflows/build-jammy.yml
@@ -9,7 +9,7 @@ on:
jobs:
build:
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
diff --git a/.gitignore b/.gitignore
index f0d19b18..f13c26b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
scripts/chroot
scripts/image
+scripts/certificates
*.iso
diff --git a/README.md b/README.md
index 152842e0..30c421a7 100644
--- a/README.md
+++ b/README.md
@@ -631,9 +631,14 @@ remove packages specified in `filesystem.manifest` that are *not* listed in `fil
2. Create [SBAT](https://github.com/rhboot/shim/blob/main/SBAT.md) file
```shell
+ GRUB_VERSION=`grub-mkstandalone -V | tr -s ' ' | cut -d' ' -f3 | cut -d'-' -f1`
+ GRUB_RELEASE=`grub-mkstandalone -V | tr -s ' ' | cut -d' ' -f3`
+
+ # create SBAT file
cat < isolinux/sbat.csv
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
- grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
+ grub,1,Free Software Foundation,grub,$GRUB_VERSION,https://www.gnu.org/software/grub/
+ grub.ubuntu,1,Ubuntu,grub2,$GRUB_RELEASE,https://www.ubuntu.com/
EOF
```
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index 6789f84d..7104a9a5 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -349,10 +349,15 @@ EOF
popd # return to image directory
+ # grub version/release
+ GRUB_VERSION=`grub-mkstandalone -V | tr -s ' ' | cut -d' ' -f3 | cut -d'-' -f1`
+ GRUB_RELEASE=`grub-mkstandalone -V | tr -s ' ' | cut -d' ' -f3`
+
# create SBAT file
cat < isolinux/sbat.csv
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
-grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
+grub,1,Free Software Foundation,grub,$GRUB_VERSION,https://www.gnu.org/software/grub/
+grub.ubuntu,1,Ubuntu,grub2,$GRUB_RELEASE,https://www.ubuntu.com/
EOF
# create a grub UEFI image
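Review bot: The SBAT generation numbers written to sbat.csv (`grub,1` and `grub.ubuntu,1`) stay hard-coded while only the version strings are now computed, yet the generation is the field shim compares against its SbatLevel revocation list, so a stale `1` will be refused once that generation is revoked (which, as far as I know, has already happened for the upstream `grub` component) and in any case misstates the fix level of the binary being signed. Derive the entries from the distro-signed GRUB that `grub-efi-amd64-signed` installs rather than typing them, e.g. `objcopy -O binary --only-section=.sbat <distro grubx64.efi.signed> isolinux/sbat.csv`, and add at most one `grub.<yourvendor>` line for this build; that way the numbers follow the package. Cosmetically, the two new assignments use backticks where the rest of the script uses `$(…)`. The enclosing function starts and ends outside this hunk.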
From e8c6ecab256db2c7bb240e70cec5d729721b4010 Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 19:06:45 -0300
Subject: [PATCH 08/13] feat: enable secureboot
---
.github/workflows/build-noble.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/build-noble.yml
diff --git a/.github/workflows/build-noble.yml b/.github/workflows/build-noble.yml
new file mode 100644
index 00000000..e3725d08
--- /dev/null
+++ b/.github/workflows/build-noble.yml
@@ -0,0 +1,29 @@
+name: build-jammy
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Build
+ run: |
+ cd scripts
+ sed -i -E 's/TARGET_UBUNTU_VERSION=(.*)/TARGET_UBUNTU_VERSION="noble"/g' default_config.sh
+ ./build.sh -
+ cd ..
+ - name: Archive artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: ubuntu-from-scratch
+ path: |
+ scripts/ubuntu-from-scratch.iso
+ scripts/image/md5sum.txt
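Review bot: The Build step rewrites `default_config.sh` in place with sed, while that file's own header (shown in a later hunk of this series) says to copy it to `config.sh` and keep `default_config.sh` untouched; the workflow should use the supported override so CI exercises the same path as users, e.g. `printf 'export TARGET_UBUNTU_VERSION="noble"\n' > config.sh` in place of the sed line. Both actions are pulled by mutable major tags (`actions/checkout@v2`, `actions/upload-artifact@v3`), which are old majors the publisher can move; pin each to a full commit SHA with a version comment so the artifact-producing workflow has a fixed supply chain. The `ubuntu-latest` runner has the same reproducibility caveat as the other workflows in this series.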
From 13fac000e0c938c75bb0aa589041a765b2b3ff3a Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Fri, 6 Sep 2024 19:07:57 -0300
Subject: [PATCH 09/13] feat: enable secureboot
---
.github/workflows/build-noble.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-noble.yml b/.github/workflows/build-noble.yml
index e3725d08..21ca9ab5 100644
--- a/.github/workflows/build-noble.yml
+++ b/.github/workflows/build-noble.yml
@@ -1,4 +1,4 @@
-name: build-jammy
+name: build-noble
on:
push:
From c9709f63c63d3ebbac67c1c927b3afc5ab85dca7 Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Sat, 7 Sep 2024 17:02:59 -0300
Subject: [PATCH 10/13] feat: enable secureboot
---
README.md | 2 +-
scripts/chroot_build.sh | 2 +-
scripts/default_config.sh | 6 +++---
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 30c421a7..596912f0 100644
--- a/README.md
+++ b/README.md
@@ -662,7 +662,7 @@ remove packages specified in `filesystem.manifest` that are *not* listed in `fil
4. Add .sbat sections
```shell
- objcopy --set-section-alignment '.sbat=512' --add-section .sbat=isolinux/sbat.csv isolinux/grubx64.efi --adjust-section-vma .sbat+10000000
+ objcopy --add-section .sbat=isolinux/sbat.csv isolinux/grubx64.efi --change-section-address .sbat=10000000
```
5. UEFI secure boot signing
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index 7104a9a5..206f00ad 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -372,7 +372,7 @@ EOF
sed -i 's/SecureBoot/SecureB00t/' isolinux/grubx64.efi
# add .sbat sections
- objcopy --set-section-alignment '.sbat=512' --add-section .sbat=isolinux/sbat.csv isolinux/grubx64.efi --adjust-section-vma .sbat+10000000
+ objcopy --add-section .sbat=isolinux/sbat.csv isolinux/grubx64.efi --change-section-address .sbat=10000000
# UEFI secure boot signing
sbsign --key /certificates/db.key --cert /certificates/db.pem --output isolinux/grubx64.efi isolinux/grubx64.efi
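Review bot: The `sed -i 's/SecureBoot/SecureB00t/'` two lines above the changed objcopy rewrites what appears to be the name of the UEFI variable GRUB reads to tell whether Secure Boot is on, and the result is then signed with the db key on the last line; if that reading is right, this GRUB treats every boot as non-Secure-Boot and loads unsigned kernels and initrds while firmware and shim still report Secure Boot enabled, so whoever enrolls the shipped `ca.cer` gets a signed bypass rather than a verified chain. That is a policy decision and should read as one: replace `# fix secure boot grub` with something like `# WARNING: disables GRUB's own Secure Boot enforcement - kernel/initrd are NOT verified; sign only with a key trusted by nothing but this ISO` and put the sed behind a config flag so a verifying build remains possible. The new objcopy line also drops the `--set-section-alignment '.sbat=512'` that shim's SBAT.md recipe uses; if that was done for older binutils, say so in a comment. Separately, `/certificates/db.key` is read from inside the chroot, so make sure that directory is excluded when the squashfs is built (not visible here) or the signing key ships inside the ISO. The enclosing function starts and ends outside this hunk.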
diff --git a/scripts/default_config.sh b/scripts/default_config.sh
index 02fa6909..06167564 100644
--- a/scripts/default_config.sh
+++ b/scripts/default_config.sh
@@ -5,9 +5,9 @@
# Usage: Copy this file to config.sh and make changes there. Keep this file (default_config.sh) as-is
# so that subsequent changes can be easily merged from upstream. Keep all customiations in config.sh
-# The version of Ubuntu to generate. Successfully tested: bionic, cosmic, disco, eoan, focal, groovy, jammy
+# The version of Ubuntu to generate. Successfully tested LTS: bionic, focal, jammy, noble
# See https://wiki.ubuntu.com/DevelopmentCodeNames for details
-export TARGET_UBUNTU_VERSION="jammy"
+export TARGET_UBUNTU_VERSION="noble"
# The Ubuntu Mirror URL. It's better to change for faster download.
# More mirrors see: https://launchpad.net/ubuntu/+archivemirrors
@@ -41,7 +41,7 @@ export TARGET_PACKAGE_REMOVE="
function customize_image() {
# install graphics and desktop
apt-get install -y \
- plymouth-theme-ubuntu-logo \
+ plymouth-themes \
ubuntu-gnome-desktop \
ubuntu-gnome-wallpapers
From 61ca760f7939abf135c6baf0de2b12dd5a8c077b Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Sat, 7 Sep 2024 21:44:09 -0300
Subject: [PATCH 11/13] feat: enable secureboot
---
README.md | 50 ++++++++++++++++++++++++-----------------
scripts/build.sh | 18 +++++++--------
scripts/chroot_build.sh | 7 ++----
3 files changed, 40 insertions(+), 35 deletions(-)
diff --git a/README.md b/README.md
index 596912f0..e34ae8c0 100644
--- a/README.md
+++ b/README.md
@@ -34,10 +34,9 @@ Install packages we need in the `build system` required by our scripts.
```shell
sudo apt-get install \
- binutils \
- debootstrap \
- squashfs-tools \
- xorriso
+ debootstrap \
+ squashfs-tools \
+ xorriso
```
```shell
@@ -799,6 +798,7 @@ After everything has been installed and preconfigured in the **chrooted** enviro
```shell
cd $HOME/live-ubuntu-from-scratch/image
+ ```
2. Create iso from the image directory using the command-line
@@ -807,25 +807,26 @@ After everything has been installed and preconfigured in the **chrooted** enviro
-as mkisofs \
-iso-level 3 \
-full-iso9660-filenames \
+ -J -J -joliet-long \
-volid "Ubuntu from scratch" \
-output "../ubuntu-from-scratch.iso" \
- -eltorito-boot boot/grub/bios.img \
- -no-emul-boot \
- -boot-load-size 4 \
- -boot-info-table \
- --eltorito-catalog boot/grub/boot.cat \
- --grub2-boot-info \
- --grub2-mbr ../chroot/usr/lib/grub/i386-pc/boot_hybrid.img \
- -eltorito-alt-boot \
- -e EFI/efiboot.img \
- -no-emul-boot \
+ -eltorito-boot boot/grub/bios.img \
+ -no-emul-boot \
+ -boot-load-size 4 \
+ -boot-info-table \
+ --eltorito-catalog boot/grub/boot.cat \
+ --grub2-boot-info \
+ --grub2-mbr ../chroot/usr/lib/grub/i386-pc/boot_hybrid.img \
+ -eltorito-alt-boot \
+ -e EFI/efiboot.img \
+ -no-emul-boot \
-append_partition 2 0xef isolinux/efiboot.img \
-m "isolinux/efiboot.img" \
-m "isolinux/bios.img" \
- -graft-points \
- "/EFI/efiboot.img=isolinux/efiboot.img" \
- "/boot/grub/bios.img=isolinux/bios.img" \
- "."
+ -graft-points \
+ "/EFI/efiboot.img=isolinux/efiboot.img" \
+ "/boot/grub/bios.img=isolinux/bios.img" \
+ "."
```
## Alternative way, if previous one fails, create an Hybrid ISO
@@ -868,17 +869,24 @@ After everything has been installed and preconfigured in the **chrooted** enviro
```shell
apt install -y syslinux-common && \
- cp /usr/lib/ISOLINUX/isolinux.bin isolinux/ && \
- cp /usr/lib/syslinux/modules/bios/* isolinux/
+ cp /usr/lib/ISOLINUX/isolinux.bin image/isolinux/ && \
+ cp /usr/lib/syslinux/modules/bios/* image/isolinux/
```
-3. Create iso from the image directory
+3. Access build directory
+
+ ```shell
+ cd $HOME/live-ubuntu-from-scratch/image
+ ```
+
+4. Create iso from the image directory
```shell
sudo xorriso \
-as mkisofs \
-iso-level 3 \
-full-iso9660-filenames \
+ -J -J -joliet-long \
-volid "Ubuntu from scratch" \
-output "../ubuntu-from-scratch.iso" \
-isohybrid-mbr /usr/lib/ISOLINUX/isohdpfx.bin \
diff --git a/scripts/build.sh b/scripts/build.sh
index 9d23cac9..5ee1ee50 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -3,7 +3,6 @@
set -e # exit on error
set -o pipefail # exit on pipeline error
set -u # treat unset variable as error
-#set -x
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
@@ -99,7 +98,7 @@ function check_config() {
function setup_host() {
echo "=====> running setup_host ..."
sudo apt update
- sudo apt install -y binutils debootstrap squashfs-tools xorriso dosfstools unzip
+ sudo apt install -y debootstrap squashfs-tools xorriso
sudo mkdir -p chroot
}
@@ -160,25 +159,26 @@ function build_iso() {
-as mkisofs \
-iso-level 3 \
-full-iso9660-filenames \
+ -J -J -joliet-long \
-volid "$TARGET_NAME" \
- -eltorito-boot boot/grub/bios.img \
+ -output "$SCRIPT_DIR/$TARGET_NAME.iso" \
+ -eltorito-boot boot/grub/bios.img \
-no-emul-boot \
-boot-load-size 4 \
-boot-info-table \
--eltorito-catalog boot/grub/boot.cat \
--grub2-boot-info \
--grub2-mbr ../chroot/usr/lib/grub/i386-pc/boot_hybrid.img \
- -eltorito-alt-boot \
+ -eltorito-alt-boot \
-e EFI/efiboot.img \
-no-emul-boot \
-append_partition 2 0xef isolinux/efiboot.img \
- -output "$SCRIPT_DIR/$TARGET_NAME.iso" \
-m "isolinux/efiboot.img" \
-m "isolinux/bios.img" \
- -graft-points \
- "/EFI/efiboot.img=isolinux/efiboot.img" \
- "/boot/grub/bios.img=isolinux/bios.img" \
- "."
+ -graft-points \
+ "/EFI/efiboot.img=isolinux/efiboot.img" \
+ "/boot/grub/bios.img=isolinux/bios.img" \
+ "."
popd
}
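Review bot: The new `-J -J -joliet-long \` line passes `-J` twice; a single `-J -joliet-long` enables Joliet with long names and the duplicate reads like a paste error. A one-line comment above it saying why Joliet was added would spare the next person who trims flags, e.g. `# Joliet names so the ISO is readable on Windows`, hedged to whatever the actual reason was. The rest of the hunk only reorders arguments. `build_iso` starts outside this hunk.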
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index 206f00ad..90fdafe8 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -3,7 +3,6 @@
set -e # exit on error
set -o pipefail # exit on pipeline error
set -u # treat unset variable as error
-#set -x
SCRIPT_DIR="$(dirname "$(readlink -f "$0")")"
@@ -107,7 +106,6 @@ function install_pkg() {
laptop-detect \
os-prober \
network-manager \
- resolvconf \
net-tools \
wireless-tools \
wpagui \
@@ -150,14 +148,13 @@ function install_pkg() {
# final touch
dpkg-reconfigure locales
- dpkg-reconfigure resolvconf
# network manager
cat < /etc/NetworkManager/NetworkManager.conf
[main]
-rc-manager=resolvconf
+rc-manager=none
plugins=ifupdown,keyfile
-dns=dnsmasq
+dns=systemd-resolved
[ifupdown]
managed=false
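Review bot: `dns=systemd-resolved` together with `rc-manager=none` delegates name resolution to resolved, but nothing in this hunk installs or enables it, and `rc-manager=none` means NetworkManager will no longer write /etc/resolv.conf either; on noble the resolver ships as a separate `systemd-resolved` package as far as I recall, so if it is not pulled in by `ubuntu-standard` the live system boots with no working DNS. Add `systemd-resolved` to the install list (or confirm the dependency) and state the assumption above the heredoc, e.g. `# network manager: DNS delegated to systemd-resolved; /etc/resolv.conf must point at its stub`. `install_pkg` starts outside this hunk.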
From b0748bf30b3af711cc4fa2869f53758a8530bf17 Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Sat, 7 Sep 2024 22:06:28 -0300
Subject: [PATCH 12/13] feat: enable secureboot
---
README.md | 2 ++
scripts/chroot_build.sh | 10 +++++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e34ae8c0..5437e222 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,8 @@ See also the list of [contributors](CONTRIBUTORS.txt) who participated in this p
[](https://github.com/mvallim/live-custom-ubuntu-from-scratch/actions/workflows/build-bionic.yml)
[](https://github.com/mvallim/live-custom-ubuntu-from-scratch/actions/workflows/build-focal.yml)
+[](https://github.com/mvallim/live-custom-ubuntu-from-scratch/actions/workflows/build-jammy.yml)
+[](https://github.com/mvallim/live-custom-ubuntu-from-scratch/actions/workflows/build-noble.yml)
## Terms
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index 90fdafe8..42e5a053 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -117,6 +117,7 @@ function install_pkg() {
grub2-common \
grub-efi-amd64-signed \
shim-signed \
+ memtest86+ \
mtools \
binutils
@@ -179,7 +180,14 @@ function build_image() {
cp /boot/initrd.img-**-**-generic casper/initrd
# memtest86
- cp /boot/memtest86+.bin install/memtest86+
+ case $TARGET_UBUNTU_VERSION in
+ "noble")
+ cp /boot/memtest86+x64.bin install/memtest86+
+ ;;
+ *)
+ cp /boot/memtest86+.bin install/memtest86+
+ ;;
+ esac
# memtest86++
wget --progress=dot https://www.memtest86.com/downloads/memtest86-usb.zip -O install/memtest86-usb.zip
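Review bot: The `cp /boot/initrd.img-**-**-generic casper/initrd` above the new `case` relies on a glob; `**` is just `*` without `globstar`, and if more than one -generic kernel is installed in the chroot, cp receives several sources with a file target and the script dies under `set -e`. Select the newest explicitly, `initrd=$(printf '%s\n' /boot/initrd.img-*-generic | sort -V | tail -n1)` then `cp "$initrd" casper/initrd`; the vmlinuz copy, presumably just above and outside the hunk, needs the same treatment. `build_image` starts and ends outside this hunk.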
From 5bd8fb395c470bafd39c5d130d9ac3ea8390bcce Mon Sep 17 00:00:00 2001
From: Marcos Tischer Vallim
Date: Sat, 7 Sep 2024 22:44:46 -0300
Subject: [PATCH 13/13] feat: enable secureboot
---
README.md | 40 ++++++++++------------------------------
scripts/chroot_build.sh | 13 +++++--------
2 files changed, 15 insertions(+), 38 deletions(-)
diff --git a/README.md b/README.md
index 5437e222..1292206d 100644
--- a/README.md
+++ b/README.md
@@ -55,7 +55,7 @@ mkdir $HOME/live-ubuntu-from-scratch
sudo debootstrap \
--arch=amd64 \
--variant=minbase \
- focal \
+ noble \
$HOME/live-ubuntu-from-scratch/chroot \
http://us.archive.ubuntu.com/ubuntu/
```
@@ -168,12 +168,10 @@ From this point we will be configuring the `live system`.
sudo \
ubuntu-standard \
casper \
- lupin-casper \
discover \
laptop-detect \
os-prober \
network-manager \
- resolvconf \
net-tools \
wireless-tools \
wpagui \
@@ -185,6 +183,8 @@ From this point we will be configuring the `live system`.
grub2-common \
grub-efi-amd64-signed \
shim-signed \
+ memtest86+ \
+ mtools \
binutils
```
@@ -217,9 +217,9 @@ From this point we will be configuring the `live system`.
2. Console setup
-
-
-
+
+
+
11. **Install window manager**
@@ -328,40 +328,20 @@ From this point we will be configuring the `live system`.
- 2. Reconfigure resolvconf
-
- ```shell
- dpkg-reconfigure resolvconf
- ```
-
- 1. *Confirm changes*
-
-
-
-
-
-
-
-
-
-
-
-
- 3. Configure network-manager
+ 2. Configure network-manager
```shell
cat < /etc/NetworkManager/NetworkManager.conf
[main]
- rc-manager=resolvconf
+ rc-manager=none
plugins=ifupdown,keyfile
- dns=dnsmasq
+ dns=systemd-resolved
[ifupdown]
managed=false
- EOF
```
- 4. Reconfigure network-manager
+ 3. Reconfigure network-manager
```shell
dpkg-reconfigure network-manager
diff --git a/scripts/chroot_build.sh b/scripts/chroot_build.sh
index 42e5a053..57b321a2 100755
--- a/scripts/chroot_build.sh
+++ b/scripts/chroot_build.sh
@@ -180,14 +180,11 @@ function build_image() {
cp /boot/initrd.img-**-**-generic casper/initrd
# memtest86
- case $TARGET_UBUNTU_VERSION in
- "noble")
- cp /boot/memtest86+x64.bin install/memtest86+
- ;;
- *)
- cp /boot/memtest86+.bin install/memtest86+
- ;;
- esac
+ if [ -f "/boot/memtest86+x64.bin" ]; then
+ cp /boot/memtest86+x64.bin install/memtest86+
+ else
+ cp /boot/memtest86+.bin install/memtest86+
+ fi
# memtest86++
wget --progress=dot https://www.memtest86.com/downloads/memtest86-usb.zip -O install/memtest86-usb.zip