This repository has been archived by the owner on Feb 21, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathdracut_lsbk_sign.conf
57 lines (50 loc) · 2.17 KB
/
dracut_lsbk_sign.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# shellcheck shell=bash
# shellcheck disable=SC2154
# note: printf is used instead of echo to avoid backslash
# processing and to properly handle values that begin with a '-'.
lsbk_log() { printf '%s\n' "$*"; }
lsbk_error() { lsbk_log "ERROR: $*" >&2; }
lsbk_fatal() { lsbk_error "$@"; exit 1; }
# appends a command to a trap
#
# - 1st arg: code to add
# - remaining args: names of traps to modify
#
lsbk_trap_add() {
trap_add_cmd=$1; shift || lsbk_fatal "${FUNCNAME} usage error"
for trap_add_name in "$@"; do
builtin trap -- "$(
# helper fn to get existing trap command from output
# of trap -p
extract_trap_cmd() { printf '%s\n' "$3"; }
# print existing trap command with newline
eval "extract_trap_cmd $(builtin trap -p "${trap_add_name}")"
# print the new trap command
printf '%s\n' "${trap_add_cmd}"
)" "${trap_add_name}" \
|| lsbk_fatal "unable to add to trap ${trap_add_name}"
done
}
lsbk_sign_ramdrive () {
if [ -r "$outfile" ] ; then
local GPG_SIGN_HOMEDIR="/var/lib/secureboot/gpg-home"
local GPG_SIGN_KEYID="bootsigner@localhost"
local GPG=$(command -v gpg2 2>/dev/null) || \
local GPG=$(command -v gpg 2>/dev/null)
if [[ "${outfile: -4}" = '.tmp' ]] && \
[[ "$(tr '\0' ' ' < /proc/$PPID/cmdline )" =~ 'weak-modules' ]] ; then
# ugly hacks for weak-modules
local realimg="${outfile: 0:-4}.img"
(
tail --pid=$PPID -f /dev/null
"$GPG" --quiet --no-permission-warning --homedir "${GPG_SIGN_HOMEDIR}" --detach-sign --default-key "${GPG_SIGN_KEYID}" < "${realimg}" > "${realimg}.sig" && \
{ >&2 echo "linux-secureboot-kit: successfully signed ramdrive '$realimg'!" ; }
) & disown
else
"$GPG" --quiet --no-permission-warning --homedir "${GPG_SIGN_HOMEDIR}" --detach-sign --default-key "${GPG_SIGN_KEYID}" < "${outfile}" > "${outfile}.sig" && \
{ >&2 echo "linux-secureboot-kit: successfully signed ramdrive '$outfile'!" ; }
fi
fi
}
trap () { lsbk_trap_add "$@" ; }
trap lsbk_sign_ramdrive EXIT