Re-init.

0001-Hibernate-Patch.patch

@@ -0,0 +1,69 @@
+From 71c4fb133b496d62539dd32dc3d377f861f067f2 Mon Sep 17 00:00:00 2001
+From: Captain ALM <captainalm@captainalm.com>
+Date: Sat, 25 May 2024 17:55:24 +0100
+Subject: [PATCH] Hibernate Patch.
+
+---
+ Documentation/admin-guide/kernel-parameters.txt |  5 +++++
+ kernel/power/hibernate.c                        | 11 +++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
+index a1b25a735..71b537ea6 100644
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -2684,6 +2684,11 @@
+ 			to extract confidential information from the kernel
+ 			are also disabled.
+ 
++	lockdown_hibernate	[HIBERNATION]
++			Enable hibernation even if lockdown is enabled. Enable this only if
++			your swap is encrypted and secured properly, as an attacker can
++			modify the kernel offline during hibernation.
++
+ 	locktorture.nreaders_stress= [KNL]
+ 			Set the number of locking read-acquisition kthreads.
+ 			Defaults to being automatically set based on the
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 9abc73d50..25c3a8fa6 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -36,7 +36,7 @@
+ 
+ #include "power.h"
+ 
+-
++static int lockdown_hibernate;
+ static int nocompress;
+ static int noresume;
+ static int nohibernate;
+@@ -83,7 +83,7 @@ void hibernate_release(void)
+ bool hibernation_available(void)
+ {
+ 	return nohibernate == 0 &&
+-		!security_locked_down(LOCKDOWN_HIBERNATION) &&
++		(lockdown_hibernate || !security_locked_down(LOCKDOWN_HIBERNATION)) &&
+ 		!secretmem_active();
+ }
+ 
+@@ -1337,6 +1337,12 @@ static int __init nohibernate_setup(char *str)
+ 	return 1;
+ }
+ 
++static int __init lockdown_hibernate_setup(char *str)
++{
++	lockdown_hibernate = 1;
++	return 1;
++}
++
+ __setup("noresume", noresume_setup);
+ __setup("resume_offset=", resume_offset_setup);
+ __setup("resume=", resume_setup);
+@@ -1344,3 +1350,4 @@ __setup("hibernate=", hibernate_setup);
+ __setup("resumewait", resumewait_setup);
+ __setup("resumedelay=", resumedelay_setup);
+ __setup("nohibernate", nohibernate_setup);
++__setup("lockdown_hibernate", lockdown_hibernate_setup);
+-- 
+2.34.1
+

BMOK-openssl.cnf

@@ -0,0 +1,25 @@
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
+RANDFILE                = $ENV::HOME/.rnd
+[ req ]
+distinguished_name      = req_distinguished_name
+x509_extensions         = v3
+string_mask             = utf8only
+prompt                  = no
+
+[ req_distinguished_name ]
+countryName             = UK
+stateOrProvinceName     = Kent
+localityName            = Herne Bay
+0.organizationName      = Captain ALM
+commonName              = Secure Boot Signing
+emailAddress            = alfred@captainalm.com
+
+[ v3 ]
+subjectKeyIdentifier    = hash
+authorityKeyIdentifier  = keyid:always,issuer
+basicConstraints        = critical,CA:FALSE
+extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
+nsComment               = "OpenSSL Generated Certificate"
+

bash_aliases

@@ -0,0 +1,123 @@
+alias screen-off="xset dpms force off"
+alias boot-sign-verify="sudo sign-boot && sudo verify-boot"
+function kernel-build() {
+  echo "[+] Kernel Build Starting...";
+  cwd=$(pwd);
+  cd ~/kernel;
+  for _dir in *"linux"*; do
+    [ -d "${_dir}" ] && linuxdir="${_dir}" && break;
+  done;
+  echo "[-] Removing Sources...";
+  rm -rf "$linuxdir";
+  sudo rm -rf deb-contents;
+  rm -f *.gz;
+  rm -f *.dsc;
+  echo "[*] Archiving old packages...";
+  mkdir -p old-debs;
+  touch dummy.deb;
+  mv *.deb old-debs/;
+  echo "[+] Obtaining Sources...";
+  apt-get source linux-image-unsigned-$(uname -r);
+  for _dir in *"linux"*; do
+    [ -d "${_dir}" ] && linuxdir="${_dir}" && break;
+  done;
+  cd "$linuxdir";
+  echo "[*] Patching source and configuration...";
+  sed -i "s/.*CONFIG_MODULE_SIG_FORCE.*/CONFIG_MODULE_SIG_FORCE                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>/" debian.master/config/annotations;
+  git apply --verbose ~/Downloads/patches/hibernate/0001-Hibernate-Patch.patch;
+  echo "[*] Cleaning kernel build...";
+  chmod a+x debian/rules;
+  chmod a+x debian/scripts/*;
+  chmod a+x debian/scripts/misc/*;
+  fakeroot debian/rules clean;
+  mkdir -p debian/build/build-generic/certs;
+  sudo cp /cert/mok/signing_key.pem debian/build/build-generic/certs/;
+  sudo chmod u=rw,g=rw,o=rw debian/build/build-generic/certs/signing_key.pem;
+  echo "[*] Building kernel...";
+  fakeroot debian/rules binary;
+  echo "[*] Build Complete!";
+  rm -f debian/build/build-generic/certs/signing_key.pem;
+  echo "[+] Extracting kernel package...";
+  cd ~/kernel;
+  mkdir -p deb-contents;
+  dpkg-deb -R $(ls linux-image-unsigned-* | head -1)  deb-contents;
+  cd "$linuxdir";
+  echo "[*] Making kernel signed...";
+  pkgarch=$(dpkg-architecture -qDEB_HOST_ARCH);
+  pkgver=$(dpkg-parsechangelog --show-field Version);
+  cd ~/kernel/deb-contents;
+  pkgunom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
+  find ./ -type f -exec sed -i -e 's/-unsigned//g' {} \;
+  find ./ -type f -exec sed -i -e 's/ unsigned//g' {} \;
+  pkgnom=$(head -1 DEBIAN/control | sed -e 's/Package: //');
+  sudo mv usr/share/doc/$pkgunom usr/share/doc/$pkgnom;
+  tlinuz=$(ls boot/vmlinuz-* | head -1);
+  sudo sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $tlinuz --output $tlinuz;
+  sed -i "s/.*Conflicts: .*/Conflicts: $pkgunom/" DEBIAN/control;
+  pkgisz=$(du -ks * | grep -v DEBIAN | cut -f1 | xargs | sed -e 's/\ /+/g' | bc);
+  find ./ -path '*/DEBIAN' -prune -o -type f -exec md5sum {} \; | awk '{ print $1 "  " substr($2, 10) }' > DEBIAN/md5sums;
+  sed -i "s/.*Installed-Size: .*/Installed-Size: $pkgisz/" DEBIAN/control;
+  echo "[+] Packing signed kernel...";
+  cd ~/kernel;
+  dpkg-deb -b deb-contents ${pkgnom}_${pkgver}_${pkgarch}.deb;
+  sudo rm -rf deb-contents;
+  echo "[+] Deploying Packages Locally...";
+  sudo cp ${pkgnom}_${pkgver}_${pkgarch}.deb /usr/local/mydebs/;
+  sudo cp linux-headers-* /usr/local/mydebs/;
+  sudo cp linux-libc-dev* /usr/local/mydebs/;
+  sudo cp linux-modules* /usr/local/mydebs/;
+  sudo update-mydebs;
+  cd "$cwd";
+  echo "Kernel Build Finished!";
+}
+function install-tar() {
+  if [ $# -gt 0 ]; then
+    if [ $# -eq 1 ]; then
+      fln=$(basename -- "$1");
+      flp=$1;
+    else
+      fln=$(basename -- "$2");
+      flp=$2;
+    fi
+    fln="${fln%%.*}";
+    echo "Installing: /opt/$fln";
+    sudo mkdir -p "/opt/$fln";
+    sudo tar -xvf "$flp" -C /opt/$fln;
+    if [ $# -gt 1 ]; then
+      sudo chown -R "$1" /opt/$fln;
+    fi
+  else
+    echo "Usage:";
+    echo "install-tar <archive> | <owner> <archive>";
+  fi
+}
+function install-tar-contents() {
+  if [ $# -gt 0 ]; then
+    if [ $# -eq 1 ]; then
+      flp=$1;
+    else
+      flp=$2;
+    fi
+    echo "Installing: /opt";
+    sudo tar -xvf "$flp" -C /opt;
+    if [ $# -gt 1 ]; then
+      sudo chown -R "$1" /opt;
+    fi
+  else
+    echo "Usage:";
+    echo "install-tar-contents <archive> | <owner> <archive>";
+  fi
+}
+function edit-dot-desktop() {
+  sudo nano "/usr/share/applications/$(basename -- "$1").desktop";
+}
+function edit-dot-desktop-local() {
+  nano ~"/.local/share/applications/$(basename -- "$1").desktop";
+}
+function tpm2-contents() {
+  sudo tpm2_selftest
+  sudo tpm2_gettestresult
+  sudo tpm2_getcap -l
+  sudo tmp2_pcrread
+  sudo tpm2_pcrread
+}

boot-verify-sign

@@ -0,0 +1,9 @@
+#!/bin/bash
+/bin/bash /usr/local/sbin/verify-boot;
+if [ $? != 0 ]; then
+  echo "Bad" > /opt/boot-verify-state;
+  /bin/bash /usr/local/sbin/sign-boot;
+  echo "Good" > /opt/boot-verify-state;
+else
+  echo "Good" > /opt/boot-verify-state;
+fi;

grub-update

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "[+] Updating Grub...";
+update-grub;
+/usr/share/ubuntu-system-adjustments/systemd/start;
+sign-boot;
+echo "[*] Grub Update Complete!";

install-grub

@@ -0,0 +1,12 @@
+#!/bin/bash
+echo "[+] Installing Grub...";
+grub-install -v --target=x86_64-efi /dev/sda --efi-directory=/boot/efi --boot-directory=/boot --uefi-secure-boot --pubkey=/root/pubkey --sbat=/root/sbat --disable-shim-lock --modules="acpi afsplitter all_video bitmap bitmap_scale boot btrfs bufio cat chain configfile cpuid crypto cryptodisk datetime disk diskfilter echo efi_gop efinet efi_uga ext2 extcmd fat font fshelp gcry_arcfour gcry_blowfish gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish gcry_whirlpool gettext gfxmenu gfxterm gfxterm_background gzio halt help hfsplus iso9660 jpeg keystatus linux linuxefi loadenv loopback ls luks lvm lzopio mdraid09 mdraid1x mmap mpi net normal ntfs password_pbkdf2 pbkdf2 pgp png probe procfs raid5rec raid6rec regexp relocator search search_fs_file search_fs_uuid search_label sleep smbios squash4 terminal trig video video_bochs video_cirrus video_colors xfs xzio zfs zfscrypt zfsinfo zstd part_gpt tpm";
+#echo "[+] Patching load.cfg";
+#echo >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'trust --skip-sig (hd0,gpt6)/pubkey' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set check_signatures=enforce' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'set superusers="root"' >> /boot/grub/x86_64-efi/load.cfg;
+#echo 'password_pbkdf2 root grub.pbkdf2.sha512.10000.87A1064D2A4493C4235F8BB04C02309873D6ECC872696400690D4C6194A9EE8A0BE005590ACAE2E3C1F416A8E9DBB665EC1F6AE35B4274CE3CD8F4694D17D0DA.18DDB69D7AB16CDC661D9F8D47CFA37A9C6A9FF8E2851C56E0E131A99BC713C348C152D338171809BE7AE2CBDA7DACE06AAD83F6B7ED118430F0C3DD9935B5AF' >> /boot/grub/x86_64-efi/load.cfg;
+#sudo cp /boot/grub/x86_64-efi/load.cfg /boot/efi/EFI/ubuntu/grub.cfg;
+grub-update;
+echo "[*] Grub Install Complete!";

sign-boot

@@ -0,0 +1,36 @@
+#!/bin/bash
+echo "[*] Preparing to sign!";
+#touch /dev/shm/sb-passpwd.txt;
+#chown root:root /dev/shm/sb-passpwd.txt;
+#chmod u=rw,g=,o= /dev/shm/sb-passpwd.txt;
+#echo -n "Password: ";
+#read -s pwd;
+#echo -n "$pwd" > /dev/shm/sb-passpwd.txt;
+echo "[-] BMOK Un-Signing...";
+for i in $(find /boot/grub -iname "*.efi" -type f -print)
+do
+  echo $i;
+  sbattach --remove $i;
+done;
+echo "[+] BMOK Signing...";
+for i in $(find /boot/grub -iname "*.efi" -type f -print)
+do
+  echo $i;
+  sbsign --key /cert/BMOK.priv --cert /cert/BMOK.pem $i --output $i;
+done;
+echo "[-] Un-Signing...";
+#-iname "efi" -prune -o
+for i in $(find /boot -iname "*.sig" -type f -print)
+do
+  rm "$i";
+done;
+echo "[+] Signing...";
+for i in $(find /boot -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+  echo $i;
+  gpg --batch --detach-sign $i;
+  #gpg -v --batch --detach-sign --passphrase-fd 0 $i < \
+  #  /dev/shm/sb-passpwd.txt;
+done;
+#shred /dev/shm/sb-passpwd.txt;
+echo "[*] Signing Complete!";

update-mydebs

@@ -0,0 +1,3 @@
+#! /bin/bash
+cd /usr/local/mydebs
+dpkg-scanpackages . /dev/null | gzip -9c > Packages.gz

verify-boot

@@ -0,0 +1,32 @@
+#!/bin/bash
+echo "[*] Preparing to verify!";
+echo "[-] Missing Signatures:";
+ec=0;
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+  if [ ! -f "$i.sig" ]; then
+    echo "$i";
+    ec=1;
+  fi
+done;
+bad='Good';
+echo "[*] Signed:";
+for i in $(find /boot -iname "efi" -prune -o -iname "*.sig" -prune -o -iname "grubenv" -prune -o -iname "boot-tainted" -prune -o -type f -print)
+do
+  if gpg --verify-files "$i.sig" > /dev/null 2>&1
+  then
+    echo "Good: $i";
+  else
+    echo "Bad: $i";
+    bad='Bad';
+    ec=2;
+  fi
+done;
+echo "[-] Signature State: $bad";
+if [ $ec -ne 0 ]; then
+  touch /boot/boot-tainted;
+elif [ -f /boot/boot-tainted ]; then
+  rm -f /boot/boot-tainted;
+fi
+echo "[*] Finished Verification!";
+exit $ec;