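#!/bin/zsh
# Jenux ISO secure-boot provisioning.
# On first run generates a Machine Owner Key (MOK) under /etc/secureboot,
# asks mokutil to enrol it, builds one standalone GRUB image per installed
# platform (with an embedded preboot config), and signs the kernels and GRUB
# EFI binaries under /boot with that key.
# Runs as root; expects the ESP mounted at /boot/EFI and GRUB platform
# directories under /lib/grub.

# Tune played by the generated GRUB preboot config once it has found its
# prefix; the heredocs below expand it into the config text.
export GRUB_INIT_TUNE="480 440 1"

# Generate the MOK key pair on first run only. MOK.key is the one real secret
# in this chain: anything signed with it is trusted by the firmware once the
# certificate is enrolled, so it stays root-only. The enrolment password is
# fixed and spelled out in the certificate CN and file name; it is not a
# secret and provides no protection on its own.
if [ ! -e /etc/secureboot ]; then
  mkdir -p /etc/secureboot || exit 1
  # -nodes: unencrypted private key, needed so sbsign below can run unattended
  openssl req -new -x509 -newkey rsa:4096 -days 365000 \
    -keyout /etc/secureboot/MOK.key -out /etc/secureboot/MOK.crt -nodes \
    -subj "/CN=Jenux ISO Secure Boot Enrolement Password is jenux/" || exit 1
  # DER copy of the certificate on the ESP, consumed by mokutil / MokManager
  openssl x509 -in /etc/secureboot/MOK.crt \
    -out "/boot/EFI/Jenux Secure Boot Enrolement Password is jenux.cer" \
    -outform DER || exit 1
  chown -R root:root /etc/secureboot
  # 700 on the directory (it must keep its search bit), 600 on the key
  # material; the original recursive 600 also stripped the directory's x bit.
  chmod 700 /etc/secureboot
  chmod 600 /etc/secureboot/MOK.key /etc/secureboot/MOK.crt
fi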
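# Queue the MOK for enrolment unless the firmware already has it.
# mokutil --test-key prints "<file> is not enrolled" / "<file> is already
# enrolled". The original pattern looked for the misspelt "not enroled",
# which never matches, and it imported on the branch where the key was
# already present while doing nothing when it was missing. The pattern below
# matches either spelling and the import now runs only when the key is absent.
mok_cer="/boot/EFI/Jenux Secure Boot Enrolement Password is jenux.cer"
if command -v mokutil >/dev/null 2>&1; then
  if mokutil --test-key "$mok_cer" | grep -iq 'not enrol'; then
    # mokutil asks for the enrolment password twice (entry + confirmation)
    mokutil --import "$mok_cer" <<EOF
jenux
jenux
EOF
  fi
else
  printf '%s\n' 'MOK management operations, such as requesting key enrolement, are not available on this system. Such operations must be performed manually through MOKManager.'
fi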
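# UUID of the partition labelled "linux", dashes stripped as GRUB's
# cryptomount -u expects it. -s UUID restricts blkid to that tag: a bare
# `-o value` prints every tag the probe finds, so the first line was not
# guaranteed to be the UUID.
export uuid="$(blkid -s UUID -o value /dev/disk/by-partlabel/linux | tr -d -)"

# Scratch directory for the preboot config, memdisk archive and sbat copy.
# Removed explicitly after the images are built and again on any exit path,
# so an early failure does not leave it behind.
tmpdir="$(mktemp -d)" || exit 1
export tmpdir
trap 'rm -rf -- "${tmpdir:?}"' EXIT

# not read by this script; presumably consumed by something it launches — TODO confirm
export sbgen=1

# Master list of modules embedded in every generated GRUB image. The
# per-platform loop below filters it by what /lib/grub/<platform> ships.
export prebootmods="afsplitter all_video archelp bli boot bufio configfile crypto cryptodisk datetime efi_gop efi_uga ext2 extcmd fshelp gcry_crc gcry_rijndael gcry_sha256 gettext gzio ieee1275_fb iso9660 json linux loadenv luks2 lzopio memdisk minicmd net normal part_acorn part_amiga part_apple part_bsd part_dfly part_dvh part_gpt part_msdos part_plan part_sun part_sunpc pbkdf2 play priority_queue procfs reboot search search_fs_file tar terminal test usb_keyboard vbe vga video_bochs video_cirrus"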
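# Write the GRUB preboot config that the generated images carry in their
# memdisk. When / is backed by a device-mapper device the root is assumed to
# be encrypted: the config gets an insmod line per module in $prebootmods,
# unlocks the partition by the UUID computed above and points prefix at the
# unlocked volume, rebooting if no grub.cfg is found there. Otherwise it
# only searches for grub.cfg. The beeps are progress feedback for a boot
# with no display.
# findmnt replaces the earlier `mount | grep -w / | cut` heuristic, which
# relied on word-boundary matching to find the root line.
rootsrc="$(findmnt -n -o SOURCE / | head -n 1)"
if [[ "$rootsrc" == */dev/mapper* ]]; then
  for m in $(printf '%s' "$prebootmods"); do
    printf 'insmod %s\n' "$m" >> "$tmpdir/grub.pre.cfg"
  done
  cat >> "$tmpdir/grub.pre.cfg" <<EOF
set uuid=$uuid
clear
play 250 250 1
play 500 500 1
play 750 750 1
cryptomount -u \$uuid
if test -e (crypto0)/boot/grub/grub.cfg;then
play 600 300 1
play 300 600 1
set prefix=(crypto0)/boot/grub
play $GRUB_INIT_TUNE
else
play 600 600 1
play 300 300 1
reboot
fi
EOF
else
  cat >> "$tmpdir/grub.pre.cfg" <<EOF
clear
play 200 200 1
play 400 400 1
play 600 600 1
search.file /boot/grub/grub.cfg root
set prefix=(\$root)/boot/grub
play 600 300 1
play 300 600 1
play $GRUB_INIT_TUNE
EOF
fi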
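# grubinit.cfg is the config embedded in each image; it only chains to the
# preboot config stored in the memdisk archive built here.
printf 'source (memdisk)/grub.pre.cfg\n' > "$tmpdir/grubinit.cfg"
# -C archives grub.pre.cfg relative to $tmpdir without changing the script's
# own cwd (the original cd'd in and back, which also clobbered $OLDPWD).
tar -C "$tmpdir" -cf "$tmpdir/memdisk.tar" grub.pre.cfg || exit 1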
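# Keep the EFI video modules only if some *-efi platform is installed.
# The original tested "$f", which is not assigned until the platform loop
# below, so this branch always stripped efi_gop/efi_uga. The per-platform
# presence check in that loop still drops them where a platform does not
# ship them (i386-pc).
if ls /lib/grub 2>/dev/null | grep -q -- '-efi'; then
  # append only if the master list does not already carry them
  [[ " $prebootmods " == *" efi_gop efi_uga "* ]] || prebootmods="$prebootmods efi_gop efi_uga"
  export prebootmods
else
  export prebootmods="$(printf '%s' "$prebootmods" | sed 's|efi_gop efi_uga| |g')"
fi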
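# Build one standalone GRUB image per installed platform directory.
# Each platform gets its own module list, filtered from the master
# $prebootmods by the .mod files /lib/grub/<platform> actually ships. The
# master is never rewritten, so one platform cannot strip modules another
# needs: the original edited $prebootmods in place, and because i386-pc sorts
# before x86_64-efi every EFI-only module had been removed by the time the
# EFI image was built. ls is kept instead of a glob so an empty /lib/grub
# simply yields no iterations under zsh's NOMATCH handling.
for f in $(ls /lib/grub); do
  [ -d "/lib/grub/$f" ] || continue

  # per-platform module list: only modules present for this platform
  mods=()
  for g in $(printf '%s' "$prebootmods"); do
    if [ -e "/lib/grub/$f/$g.mod" ]; then
      mods+=("$g")
    fi
  done

  # Output path per platform. BIOS images carry no SBAT section, so $nosbat
  # selects the grub-mkimage form further down. The EFI platforms also run
  # grub-install to populate the ESP.
  # NOTE(review): grub-install's -k is --pubkey, which expects a GPG public
  # key for detached-signature checks; handing it the X.509 MOK certificate
  # is unlikely to embed anything usable — confirm. The image grub-install
  # writes is presumably superseded by the grub-mkimage output below.
  case "$f" in
    arm64-efi)
      export outname=/boot/EFI/EFI/boot/bootaa64.efi
      unset nosbat
      grub-install --target "$f" --no-nvram -k /etc/secureboot/MOK.crt
      ;;
    i386-pc)
      export outname=/boot/grub/i386-pc/core.img
      export nosbat=1
      ;;
    i386-efi)
      export outname=/boot/EFI/EFI/arch/grubia32.efi
      unset nosbat
      grub-install --target "$f" --no-nvram -k /etc/secureboot/MOK.crt
      ;;
    x86_64-efi)
      export outname=/boot/EFI/EFI/arch/grubx64.efi
      unset nosbat
      grub-install --target "$f" --no-nvram -k /etc/secureboot/MOK.crt
      ;;
    *)
      export outname="/boot/EFI/EFI/arch/$f.efi"
      unset nosbat
      ;;
  esac

  if [ "$f" = i386-pc ]; then
    # BIOS: install on the disk that holds the ESP, build core.img with
    # biosdisk added for this platform only, then write the boot-sector glue.
    # grub-install is run from / as in the original; the subshell keeps the
    # script's own cwd unchanged.
    rootdisk="$(grub-probe -t disk /boot/EFI)"
    export rootdisk
    (cd / && grub-install --target i386-pc "$rootdisk")
    mods+=(biosdisk)
    grub-mkimage -O "$f" -o "$outname" -c "$tmpdir/grubinit.cfg" \
      -m "$tmpdir/memdisk.tar" "${mods[@]}"
    grub-bios-setup -d /boot/grub/i386-pc/ "$rootdisk"
    continue
  fi

  if [ -z "$nosbat" ]; then
    # embed the SBAT revocation metadata that shim checks on EFI images
    cp /usr/share/grub/sbat.csv "$tmpdir/sbat.csv"
    grub-mkimage -O "$f" -o "$outname" --sbat "$tmpdir/sbat.csv" \
      -c "$tmpdir/grubinit.cfg" -m "$tmpdir/memdisk.tar" "${mods[@]}"
  else
    grub-mkimage -O "$f" -o "$outname" \
      -c "$tmpdir/grubinit.cfg" -m "$tmpdir/memdisk.tar" "${mods[@]}"
  fi
done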
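# scratch files are no longer needed once the images are built; :? refuses
# to run if $tmpdir is somehow empty rather than expanding to `rm -rf /`
rm -rf -- "${tmpdir:?tmpdir is not set}"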
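#######################################
# Sign a PE boot binary with the MOK unless it already carries a valid
# signature from that certificate. Signs into a temporary file and replaces
# the original only on success: the original code renamed the binary first
# and deleted the backup unconditionally, so a failed sbsign left /boot
# without that kernel or loader.
# Arguments: $1 - path of the binary
# Globals:   reads /etc/secureboot/MOK.key and /etc/secureboot/MOK.crt
# Returns:   0 if the file is (now) signed, 1 if signing failed
#######################################
sign_with_mok() {
  local bin=$1
  if sbverify --cert /etc/secureboot/MOK.crt "$bin" >/dev/null 2>&1; then
    return 0
  fi
  if sbsign --key /etc/secureboot/MOK.key --cert /etc/secureboot/MOK.crt \
      --output "$bin.signed" "$bin"; then
    mv -f -- "$bin.signed" "$bin"
  else
    printf 'warning: could not sign %s; left unchanged\n' "$bin" >&2
    rm -f -- "$bin.signed"
    return 1
  fi
}

# The tool check is hoisted out of the loops (it was repeated per file) and
# the file lists are read line by line instead of word-split, so paths with
# spaces are handled.
if command -v sbverify >/dev/null 2>&1; then
  # kernels anywhere under /boot
  while IFS= read -r f; do
    sign_with_mok "$f"
  done < <(find /boot -type f | grep vmlinuz)

  # GRUB EFI binaries on the ESP. shim, MokManager (mm*), fallback (fb*) and
  # the removable-media path EFI/boot are excluded; presumably they carry the
  # distro-chained signature the firmware trusts directly, which re-signing
  # with the MOK would replace.
  while IFS= read -r f; do
    sign_with_mok "$f"
  done < <(find /boot/EFI -type f | sed '/shim/d;/mm/d;/fb/d;/EFI\/boot/d' | grep -i '\.efi$')
else
  printf '%s\n' 'verifying secure boot signatures, as well as signing binaries with generated secure boot keys are not available on this system, since the sbverify tool, part of the sbsigntools package, is not installed.'
fi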
