re-enable secureboot after sbctl fix

build.sh

@@ -33,7 +33,7 @@ PACKAGES=(
     polkit
     reflector
     systemd-ukify
-    # sbctl
+    sbctl
     zsh
 )
 SERVICES=(
@@ -42,7 +42,7 @@ SERVICES=(
     cloud-config
     cloud-final
     pacman-init
-    # secure-boot-init
+    secure-boot-init
     sshd
     systemd-boot-update
     systemd-networkd
@@ -58,75 +58,72 @@ cleanup() {
     if findmnt --mountpoint "$MOUNT" >/dev/null; then
         umount --recursive "$MOUNT"
     fi
-    if [[ -n $LOOPDEV ]]; then
+    if [[ -n "$LOOPDEV" ]]; then
         losetup --detach "$LOOPDEV"
     fi
     rm -rf "$MOUNT"
 }
-trap cleanup ERR
+trap cleanup EXIT
 
 # Image setup
-rm -f $IMG_FILE
-truncate --size $IMG_SIZE $IMG_FILE
+rm -f "$IMG_FILE"
+truncate --size "$IMG_SIZE" "$IMG_FILE"
 
 # Image format
 sfdisk --label gpt $IMG_FILE <<EOF
 type=$ESP_GPT_TYPE,name="$ESP_LABEL",size=$ESP_SIZE
 type=$ROOT_GPT_TYPE,name="$ROOT_LABEL",attrs=59
 EOF
-LOOPDEV=$(losetup --find --partscan --show $IMG_FILE)
+LOOPDEV=$(losetup --find --partscan --show "$IMG_FILE")
 sleep 1
 
-mkfs.vfat -F 32 -n "${ESP_LABEL}" "${LOOPDEV}p1"
-mkfs.btrfs -L "${ROOT_LABEL}" "${LOOPDEV}p2"
+mkfs.vfat -F 32 -n "$ESP_LABEL" "$LOOPDEV"p1
+mkfs.btrfs -L "$ROOT_LABEL" "$LOOPDEV"p2
 
 # Image mount
-mount "${LOOPDEV}p2" "${MOUNT}"
-btrfs subvolume create "${MOUNT}/${ROOT_SUBVOL}"
-btrfs subvolume set-default "${MOUNT}/${ROOT_SUBVOL}"
-umount "${MOUNT}"
-mount -o "${ROOT_FLAGS}" "${LOOPDEV}p2" "${MOUNT}"
-mkdir "${MOUNT}/${ESP_DIR}"
-mount "${LOOPDEV}p1" "${MOUNT}/${ESP_DIR}"
+mount "$LOOPDEV"p2 "$MOUNT"
+btrfs subvolume create "$MOUNT/$ROOT_SUBVOL"
+btrfs subvolume set-default "$MOUNT/$ROOT_SUBVOL"
+umount "$MOUNT"
+mount -o "$ROOT_FLAGS" "$LOOPDEV"p2 "$MOUNT"
+mount --mkdir=700 "$LOOPDEV"p1 "$MOUNT/$ESP_DIR"
 
 # Install
-pacstrap -cGM "${MOUNT}" "${PACKAGES[@]}"
+pacstrap -cGM "$MOUNT" "${PACKAGES[@]}"
 
 # Setting fstab is unnecessary for the following reasons:
 #   root partition is automatically mounted with its GPT partition type
 #   root partition grows thanks to GPT flag 59 set with sfdisk earlier https://github.com/systemd/systemd/pull/30030
 #   subvol is implicit from `btrfs subvolume set-default` and set with cmdline anyway
 #   compress & noatime are set by cmdline
-# Removing `rw` breaks boot
-CMDLINE="rootflags=${ROOT_FLAGS} rw"
-
-# /etc/kernel/cmdline is only necessary when using UKI instead of type 1 drop-in bootloader entry
-arch-chroot "${MOUNT}" systemd-firstboot \
+# Removing `rw` from cmdline breaks boot
+CMDLINE="rootflags=$ROOT_FLAGS rw"
+arch-chroot "$MOUNT" systemd-firstboot \
     --force \
     --keymap=us \
     --locale=C.UTF-8 \
     --timezone=UTC \
     --root-shell=/usr/bin/zsh \
-    --kernel-command-line="${CMDLINE}" \
+    --kernel-command-line="$CMDLINE" \
     ;
 
 # Bootloader
-arch-chroot "${MOUNT}" bootctl install --no-variables
+arch-chroot "$MOUNT" bootctl install --no-variables
 
-rm -f "${MOUNT}"/boot/initramfs-linux{,-fallback}.img
-mv "${MOUNT}/etc/mkinitcpio.d/linux."{preset,original}
-cat <<EOF >"${MOUNT}/etc/mkinitcpio.conf.d/custom.conf"
+rm -f "$MOUNT"/boot/initramfs-linux{,-fallback}.img
+mv "$MOUNT/etc/mkinitcpio.d/linux."{preset,original}
+cat <<EOF >"$MOUNT/etc/mkinitcpio.conf.d/custom.conf"
 MODULES=(btrfs)
 HOOKS=(systemd autodetect microcode modconf keyboard block)
 EOF
-cat <<EOF >"${MOUNT}/etc/mkinitcpio.d/linux.preset"
+cat <<EOF >"$MOUNT/etc/mkinitcpio.d/linux.preset"
 PRESETS=('default')
 default_kver="/boot/vmlinuz-linux"
-default_uki="/efi/EFI/Linux/arch.efi"
+default_uki="/$ESP_DIR/EFI/Linux/arch.efi"
 default_options="--splash /usr/share/systemd/bootctl/splash-arch.bmp -S autodetect"
 EOF
-arch-chroot "${MOUNT}" mkinitcpio --allpresets
-sed -i "s/ -S autodetect//" "${MOUNT}/etc/mkinitcpio.d/linux.preset"
+arch-chroot "$MOUNT" mkinitcpio --allpresets
+sed -i "s/ -S autodetect//" "$MOUNT/etc/mkinitcpio.d/linux.preset"
 
 # https://systemd.io/BUILDING_IMAGES/
 rm -f "$MOUNT/etc/machine-id"
@@ -135,13 +132,13 @@ rm -f "$MOUNT/$ESP_DIR/loader/random-seed"
 
 # Use systemd-repart to grow the root partition
 mkdir "$MOUNT/etc/repart.d"
-cat <<EOF >"${MOUNT}/etc/repart.d/root.conf"
+cat <<EOF >"$MOUNT/etc/repart.d/root.conf"
 [Partition]
 Type=root
 EOF
 
 # Basic Network DHCP Setup
-cat <<EOF >"${MOUNT}/etc/systemd/network/99-ethernet.network"
+cat <<EOF >"$MOUNT/etc/systemd/network/99-ethernet.network"
 [Match]
 Name=en*
 Type=ether
@@ -151,7 +148,7 @@ DHCP=yes
 EOF
 
 # Pacman Keyring Initialization
-cat <<EOF >"${MOUNT}/etc/systemd/system/pacman-init.service"
+cat <<EOF >"$MOUNT/etc/systemd/system/pacman-init.service"
 [Unit]
 Description=Pacman Keyring Initialization
 After=systemd-growfs-root.service
@@ -169,28 +166,28 @@ WantedBy=multi-user.target
 EOF
 
 # # Secure Boot Initialization
-# cat <<EOF >"${MOUNT}/etc/systemd/system/secure-boot-init.service"
-# [Unit]
-# Description=Secure Boot Initialization
-# After=systemd-growfs-root.service
-# ConditionFirstBoot=yes
-
-# [Service]
-# Type=oneshot
-# RemainAfterExit=yes
-# ExecStart=/usr/bin/sbctl create-keys
-# ExecStart=/usr/bin/sbctl sign -s /boot/vmlinuz-linux
-# ExecStart=/usr/bin/sbctl sign -s /boot/EFI/BOOT/BOOTX64.EFI
-# ExecStart=/usr/bin/sbctl sign -s /boot/EFI/systemd/systemd-bootx64.efi
-# ExecStart=/usr/bin/sbctl sign -s /usr/lib/systemd/boot/efi/systemd-bootx64.efi
-# ExecStart=/usr/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
-
-# [Install]
-# WantedBy=multi-user.target
-# EOF
+cat <<EOF >"$MOUNT/etc/systemd/system/secure-boot-init.service"
+[Unit]
+Description=Secure Boot Initialization
+After=systemd-growfs-root.service
+ConditionFirstBoot=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/sbctl create-keys
+ExecStart=/usr/bin/sbctl sign -s "/$ESP_DIR/EFI/Linux/arch.efi"
+ExecStart=/usr/bin/sbctl sign -s "/$ESP_DIR/EFI/BOOT/BOOTX64.EFI"
+ExecStart=/usr/bin/sbctl sign -s "/$ESP_DIR/EFI/systemd/systemd-bootx64.efi"
+ExecStart=/usr/bin/sbctl sign -s /usr/lib/systemd/boot/efi/systemd-bootx64.efi
+ExecStart=/usr/bin/sbctl enroll-keys --yes-this-might-brick-my-machine
+
+[Install]
+WantedBy=multi-user.target
+EOF
 
 # Cloud Init Settings
-cat <<EOF >"${MOUNT}/etc/cloud/cloud.cfg.d/custom.cfg"
+cat <<EOF >"$MOUNT/etc/cloud/cloud.cfg.d/custom.cfg"
 system_info:
   default_user:
     shell: /usr/bin/zsh
@@ -205,32 +202,31 @@ disable_root_opts: "#"
 EOF
 
 # Neovim Symlinks
-ln -sf /usr/bin/nvim "${MOUNT}/usr/local/bin/vim"
-ln -sf /usr/bin/nvim "${MOUNT}/usr/local/bin/vi"
+ln -sf /usr/bin/nvim "$MOUNT/usr/local/bin/vim"
+ln -sf /usr/bin/nvim "$MOUNT/usr/local/bin/vi"
 
 # Services
-arch-chroot "${MOUNT}" /usr/bin/systemctl enable "${SERVICES[@]}"
-arch-chroot "${MOUNT}" /usr/bin/systemctl mask systemd-nsresourced.socket systemd-userdbd.socket
-ln -sf /run/systemd/resolve/stub-resolv.conf "${MOUNT}/etc/resolv.conf"
+arch-chroot "$MOUNT" /usr/bin/systemctl enable "${SERVICES[@]}"
+arch-chroot "$MOUNT" /usr/bin/systemctl mask systemd-nsresourced.socket systemd-userdbd.socket
+ln -sf /run/systemd/resolve/stub-resolv.conf "$MOUNT/etc/resolv.conf"
 
 # Pacman config
-sed -i 's/^#Color/Color/' "${MOUNT}/etc/pacman.conf"
-sed -i 's/^#ParallelDownloads/ParallelDownloads/' "${MOUNT}/etc/pacman.conf"
+sed -i 's/^#Color/Color/' "$MOUNT/etc/pacman.conf"
+sed -i 's/^#ParallelDownloads/ParallelDownloads/' "$MOUNT/etc/pacman.conf"
 
 # Mirror list
-cat <<EOF >"${MOUNT}/etc/pacman.d/mirrorlist"
+cat <<EOF >"$MOUNT/etc/pacman.d/mirrorlist"
 Server = https://geo.mirror.pkgbuild.com/\$repo/os/\$arch
 EOF
 
 # Disable SSH password and root login
-cat <<EOF >"${MOUNT}/etc/ssh/sshd_config.d/custom.conf"
+cat <<EOF >"$MOUNT/etc/ssh/sshd_config.d/custom.conf"
 PermitRootLogin no
 PasswordAuthentication no
 EOF
 
 # Image cleanup
 sync -f "$MOUNT/etc/os-release"
-fstrim --verbose "${MOUNT}/${ESP_DIR}"
-fstrim --verbose "${MOUNT}"
-cleanup
-qemu-img convert -f raw -O qcow2 "${IMG_FILE}" "${QCOW_FILE}"
+fstrim --verbose "$MOUNT/$ESP_DIR"
+fstrim --verbose "$MOUNT"
+qemu-img convert -f raw -O qcow2 "$IMG_FILE" "$QCOW_FILE"