# shellcheck shell=bash
# shellcheck disable=SC2154
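# Determine the "../" prefix needed to cancel the directory DKMS prepends to
# script names.  DKMS composes the script path like
#   run="$dkms_tree/$module/$module_version/$script_type/$2"
# so an absolute path assigned to POST_BUILD must first climb back to "/".
# Walk up from $dkms_tree until realpath reports "/".  If the path cannot be
# resolved (e.g. $dkms_tree does not exist, or realpath is unavailable) warn
# and stop instead of looping forever on an empty realpath result.
root_relative_path=""
while :; do
  if ! _resolved="$(realpath "$dkms_tree/$root_relative_path")"; then
    >&2 echo "chain-sign-hook: cannot resolve '$dkms_tree/$root_relative_path'; POST_BUILD may be wrong."
    break
  fi
  [[ "$_resolved" == '/' ]] && break
  root_relative_path="${root_relative_path}../"
done
unset _resolved
# three more levels for "$module/$module_version/$script_type"
root_relative_path="${root_relative_path}../../../"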
# Remember the module's own POST_BUILD hook (may be empty); the wrapper
# script generated below chains to it before signing.
orig_post_build=$POST_BUILD
# Reproduce the defaults DKMS applies to its per-module arrays
# (BUILT_MODULE_NAME/LOCATION, DEST_MODULE_NAME/LOCATION) so that the
# paths computed below match the ones DKMS itself will use.
array_size=0
for _len in "${#BUILT_MODULE_NAME[@]}" "${#BUILT_MODULE_LOCATION[@]}" \
            "${#DEST_MODULE_NAME[@]}" "${#DEST_MODULE_LOCATION[@]}"; do
  if (( _len > array_size )); then
    array_size=$_len
  fi
done
for ((index = 0; index < array_size; index++)); do
  built_module_name[index]=${BUILT_MODULE_NAME[index]}
  built_module_location[index]=${BUILT_MODULE_LOCATION[index]}
  dest_module_name[index]=${DEST_MODULE_NAME[index]}
  dest_module_location[index]=${DEST_MODULE_LOCATION[index]}
  # a single-destination package may omit BUILT_MODULE_NAME: use $module
  if [[ -z "${built_module_name[index]}" ]] \
     && (( ${#DEST_MODULE_LOCATION[@]} == 1 )); then
    built_module_name[index]=$module
  fi
  # DEST_MODULE_NAME defaults to the built name
  if [[ -z "${dest_module_name[index]}" ]]; then
    dest_module_name[index]=${built_module_name[index]}
  fi
  # a non-empty location gets a trailing "/" so it can simply be prepended
  if [[ -n "${built_module_location[index]}" \
        && "${built_module_location[index]: -1}" != / ]]; then
    built_module_location[index]+=/
  fi
  # left unquoted as in the original: quoting would turn an empty location
  # into an explicit "" argument for the DKMS helper
  # shellcheck disable=SC2086
  dest_module_location[index]=$(override_dest_module_location ${dest_module_location[index]})
done
# Request stripping for every module so that any signature already present
# on the built object is removed before we attach our own.
for ((index = 0; index < array_size; index++)); do
  STRIP[index]=Y
done
# DKMS helper; presumably fills in $module_suffix, $module_compressed_suffix
# and $module_uncompressed_suffix for this kernel (used below).
set_module_suffix "$kernelver"
# directory under which DKMS keeps the built modules for this kernel/arch
base_dir=$dkms_tree/$module/$module_version/$kernelver/$arch
# Create the wrapper script DKMS will run as POST_BUILD.  It first chains to
# the module's original POST_BUILD (when set and executable); the signing
# commands are appended further below.  The wrapper removes itself as its
# first action so nothing lingers in the temp directory.
tmpscript="$(mktemp)"
{
  printf '#!/bin/bash\n'
  printf 'rm -f "%s"\n' "$tmpscript"
  printf 'orig_post_build="%s"\n' "$orig_post_build"
  printf 'run="%s"\n' "$dkms_tree/$module/$module_version/build/$orig_post_build"
  # quoted delimiter: copied verbatim, expanded only when the wrapper runs;
  # $run is deliberately unquoted there so extra words act as arguments
  cat << 'EOF'
if [[ $orig_post_build ]] ; then
if [[ -x ${run%% *} ]]; then
$run
else
>&2 echo "The $orig_post_build script is not executable."
fi
fi
EOF
} > "$tmpscript"
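# Append, for each module, the commands that sign it with the Secure Boot
# key and then copy the signed object over the unsigned copy DKMS has
# already placed under $base_dir/module.  Compressed modules (.gz/.xz) are
# unpacked, signed and re-packed.  All values are expanded now, so the
# wrapper carries literal paths.
# Key material handed to sign-file: private key and DER certificate.
sb_key=/var/lib/secureboot/efi-keys/db.key
sb_cert=/var/lib/secureboot/efi-keys/db.der
sign_file="$kernel_source_dir/scripts/sign-file"
for ((count = 0; count < ${#built_module_name[@]}; count++)); do
  # module object inside the build tree, without its (un)compressed suffix
  mod_path="$dkms_tree/$module/$module_version/build/${built_module_location[$count]}${built_module_name[$count]}"
  mod_dest="$base_dir/module/${dest_module_name[$count]}$module_suffix"
  # A failed signature must not pass silently: "|| exit 1" stops the wrapper
  # before it copies an unsigned module into place and makes the failure
  # visible through the wrapper's exit status (whether DKMS acts on a
  # non-zero POST_BUILD status is up to DKMS).
  case "$module_compressed_suffix" in
    .gz)
      cat >> "$tmpscript" << EOF
gunzip -f "$mod_path$module_suffix"
"$sign_file" sha256 "$sb_key" "$sb_cert" "$mod_path$module_uncompressed_suffix" || exit 1
gzip -9f "$mod_path$module_uncompressed_suffix"
EOF
      ;;
    .xz)
      cat >> "$tmpscript" << EOF
unxz -f "$mod_path$module_suffix"
"$sign_file" sha256 "$sb_key" "$sb_cert" "$mod_path$module_uncompressed_suffix" || exit 1
xz -f "$mod_path$module_uncompressed_suffix"
EOF
      ;;
    *)
      cat >> "$tmpscript" << EOF
"$sign_file" sha256 "$sb_key" "$sb_cert" "$mod_path$module_suffix" || exit 1
EOF
      ;;
  esac
  # Copy module again, with signature
  cat >> "$tmpscript" << EOF
cp -f "$mod_path$module_suffix" "$mod_dest" >/dev/null
EOF
done
unset sb_key sb_cert sign_file mod_path mod_dest
chmod +x -- "$tmpscript"
# Hand the wrapper to DKMS; the "../" prefix cancels the directory DKMS
# prepends to POST_BUILD so the absolute mktemp path is reached.
POST_BUILD="${root_relative_path}${tmpscript}"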
# Suppress DKMS's own signature mechanism on Ubuntu (its sign_build helper),
# since this hook signs the modules itself.
# $tmpfile is a file which is used by DKMS to source this config safely.
if type sign_build >/dev/null 2>&1 ; then
if [[ "$tmpfile" ]] && [[ "${export_envs+x}" ]] && \
[[ $_ != $0 ]] && (( $$ != BASHPID )) ; then
# matched safe_source environment: $tmpfile and $export_envs are set and
# BASHPID differs from $$, i.e. this file is being sourced in a subshell.
# NOTE(review): "$_" expands to the last argument of the preceding command,
# so this test depends on exact statement order — confirm against DKMS's
# safe_source before rearranging anything above.
cat >> "$tmpfile" << EOF
unset sign_build
sign_build () { :; }
EOF
# from here on, standard output goes into $tmpfile
exec >>"$tmpfile"
# Emit every element of every array named in $export_envs as
# name[index]="value"; presumably the parent shell sources $tmpfile to pick
# these up.  Values are wrapped in quotes but not escaped, so a value
# containing '"' or '$' would produce a broken assignment.
for _export_env in "${export_envs[@]}"; do
for _i in $(eval echo \${!$_export_env[@]}); do
eval echo '$_export_env[$_i]=\"${'$_export_env'[$_i]}\"'
done
done
# end the subshell DKMS sourced us in; nothing below this runs in that case
exit 0
else
# safe_source condition doesn't match. probably it's a direct source
unset sign_build
sign_build () { :; }
fi
fi