heads/initrd/bin/key-init

#!/bin/ash
set -e -o pipefail
. /etc/functions

TRACE "Under /bin/key-init"

# Post processing of keys

# Import user's keys
gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || true

# Import trusted distro keys allowed for ISO signing
gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true
#Set distro keys trust level to ultimate (trust anything that was signed with these keys)
gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true
gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true

# Add user's keys to the list of trusted keys for ISO signing
gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true
Read and measure an EFI file into initrd during init 2018-04-30 02:58:44 +00:00			`#!/bin/ash`
			`set -e -o pipefail`
			`. /etc/functions`

Add TRACE function tracing function to output on console when enabled - Add TRACE function tracing output under etc/functions, depending on CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT enabled in board configs - Replace current DEBUG to TRACE calls in code, reserving DEBUG calls for more verbose debugging later on (output of variables etc) - add 'export CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y' in qemu-coreboot(fb)whiptail-tpm1(-hotp) boards to see it in action 2023-02-20 16:01:17 +00:00			`TRACE "Under /bin/key-init"`
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config -qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now 2023-02-18 17:58:43 +00:00
Read and measure an EFI file into initrd during init 2018-04-30 02:58:44 +00:00			`# Post processing of keys`
Separate trusted ISO signers from trusted config signers 2018-05-18 02:52:11 +00:00
			`# Import user's keys`
properly deal with trusting keys to supress UX confusion about trusted keys key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability. flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump. 2019-02-08 17:38:38 +00:00			`gpg --import /.gnupg/keys/.key /.gnupg/keys/.asc 2>/dev/null \|\| true`
Read and measure an EFI file into initrd during init 2018-04-30 02:58:44 +00:00
Separate trusted ISO signers from trusted config signers 2018-05-18 02:52:11 +00:00			`# Import trusted distro keys allowed for ISO signing`
			`gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null \|\| true`
properly deal with trusting keys to supress UX confusion about trusted keys key-init makes sure trustdb is updated at run time and user and distro keys are ultimately trusted. Each time a file is signed, the related public key is showed without error on it's trustability. flash-gui deals with gpg1 to gpg2 migration. If pubring.kbx is found, pubring.gpg is deleted from running rom dump. 2019-02-08 17:38:38 +00:00			`#Set distro keys trust level to ultimate (trust anything that was signed with these keys)`
			`gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons\|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' \|gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null \|\| true`
			`gpg --homedir=/etc/distro/ --update-trust 2>/dev/null \|\| true`

Separate trusted ISO signers from trusted config signers 2018-05-18 02:52:11 +00:00			`# Add user's keys to the list of trusted keys for ISO signing`
			`gpg --export \| gpg --homedir=/etc/distro/ --import 2>/dev/null \|\| true`