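#!/bin/bash
# setup.sh - installer for vmwsmr.
#
# Installs build dependencies, generates a Machine Owner Key (MOK) pair for
# module signing if none exists, queues the certificate for enrollment with
# mokutil, and installs the vmwsmr configuration file, rebuild script and
# systemd unit. Must be run as root.
#
# Usage: sudo ./setup.sh
# vmwsmr.conf, vmwsmr.sh and vmwsmr.service must sit next to this script.
set -euo pipefail

# Configuration
CONFIG_DIR="/etc/vmwsmr"
BIN_DIR="/usr/local/bin"
SERVICE_DIR="/etc/systemd/system"

# Install payload files from the directory holding this installer, not from
# the caller's working directory: this runs as root and copies an executable
# and a unit file into system paths, so the source location must not depend
# on where the command happened to be invoked.
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"

# Check for root
if [ "$EUID" -ne 0 ]; then
  echo "Please run as root" >&2
  exit 1
fi

# Fail before touching the system if any payload file is missing.
for payload in vmwsmr.conf vmwsmr.sh vmwsmr.service; do
  if [ ! -f "$SCRIPT_DIR/$payload" ]; then
    echo "Missing $payload in $SCRIPT_DIR" >&2
    exit 1
  fi
done

echo "=== vmwsmr Setup ==="

# 1. Install Dependencies
echo "[+] Installing build dependencies..."
# 'linux-headers-generic' ensures we always get headers for the latest kernel update
apt-get update
apt-get install -y build-essential linux-headers-generic mokutil openssl

# 2. Create Directory Structure
echo "[+] Creating configuration directory at $CONFIG_DIR..."
mkdir -p "$CONFIG_DIR"

# 3. Handle MOK Keys
PRIV_KEY="$CONFIG_DIR/MOK.priv"
DER_KEY="$CONFIG_DIR/MOK.der"

if [ -f "$PRIV_KEY" ] && [ -f "$DER_KEY" ]; then
  echo "[*] Existing MOK keys found in $CONFIG_DIR. Skipping generation."
else
  echo "[+] Generating new MOK keys..."
  # specific configuration for module signing key
  # (quoted delimiter: the template is written literally, nothing is expanded)
  cat <<'EOF' > "$CONFIG_DIR/openssl.cnf"
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = vmwsmr Rebuild Service
CN = vmwsmr Rebuild MOK
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

  # Generate under a restrictive umask so the private key is never readable
  # by other users, not even in the window before the chmod below.
  # NOTE: -nodes leaves the private key unencrypted on disk, so these file
  # permissions are the only protection for the signing key. -days 36500
  # makes the certificate valid for roughly 100 years.
  (
    umask 077
    openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 \
      -batch -config "$CONFIG_DIR/openssl.cnf" \
      -outform DER -out "$DER_KEY" \
      -keyout "$PRIV_KEY"
  )
  # Also covers a pre-existing key file that kept looser permissions.
  chmod 600 "$PRIV_KEY"
  # The DER file is the public certificate; keep it world-readable.
  chmod 644 "$DER_KEY"
  rm -f -- "$CONFIG_DIR/openssl.cnf"

  echo "[!] IMPORTANT: You must import this key into your BIOS/Shim."
  echo "[!] The system will ask for a password. Remember it for the reboot."
  echo " Running: mokutil --import $DER_KEY"
  # If the import fails (for example a mistyped password), the key pair is
  # already on disk and a re-run of this script skips this branch, so tell
  # the operator how to retry the enrollment request by hand.
  if ! mokutil --import "$DER_KEY"; then
    echo "[!] mokutil import failed. Retry manually with: mokutil --import $DER_KEY" >&2
    exit 1
  fi
fi

# 4. Install Configuration File
echo "[+] Installing configuration file..."
# We don't overwrite if it exists to preserve user settings
if [ ! -f "$CONFIG_DIR/vmwsmr.conf" ]; then
  install -m 0644 -o root -g root -- "$SCRIPT_DIR/vmwsmr.conf" "$CONFIG_DIR/vmwsmr.conf"
else
  echo "[*] Config file exists. Skipping copy."
fi

# 5. Install Main Script
echo "[+] Installing rebuild script to $BIN_DIR..."
# install(1) sets owner and mode explicitly, so the installed script is not
# writable by group/others regardless of the source file's permissions.
install -m 0755 -o root -g root -- "$SCRIPT_DIR/vmwsmr.sh" "$BIN_DIR/vmwsmr.sh"

# 6. Install Service
echo "[+] Installing Systemd service..."
install -m 0644 -o root -g root -- "$SCRIPT_DIR/vmwsmr.service" "$SERVICE_DIR/vmwsmr.service"
systemctl daemon-reload
systemctl enable vmwsmr.service

echo "=== Setup Complete ==="
echo "1. If you just generated a new key, REBOOT NOW."
echo "2. On boot, select 'Enroll MOK', 'Continue', 'Yes', and enter your password."
echo "3. If keys were already set up, you can test the service with:"
echo " systemctl start vmwsmr.service"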