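#!/bin/sh
# Sign a valid directory of kexec params
#
# Usage: kexec-sign-config -p DIR [ -u | -c counter ] [ -r ]
#   -p DIR      directory holding the kexec*.txt parameter files (required)
#   -u          regenerate the /boot hash and tree files before signing
#   -c COUNTER  use an existing TPM counter for the rollback file (implies -r)
#   -r          create a rollback file from a new or incremented TPM counter
#
# The result is a detached, ASCII-armoured GPG signature (DIR/kexec.sig) over
# the sha256sums of every DIR/kexec*.txt file.
#
# die, TRACE, assert_signable, confirm_gpg_card, print_tree, the *_tpm_counter
# helpers and check_config are not defined here; they are presumably provided
# by /etc/functions, and /tmp/config supplies the runtime configuration.
set -e -o pipefail
. /tmp/config
. /etc/functions

TRACE "Under /bin/kexec-sign-config"

rollback="n"
update="n"
while getopts "p:c:ur" arg; do
  case $arg in
    p) paramsdir="$OPTARG" ;;
    c) counter="$OPTARG"; rollback="y" ;;
    u) update="y" ;;
    r) rollback="y" ;;
  esac
done

if [ -z "$paramsdir" ]; then
  die "Usage: $0 -p /boot [ -u | -c counter ]"
fi

# drop a trailing slash so the paths built below are not doubled
paramsdir="${paramsdir%%/}"

assert_signable
confirm_gpg_card

# update hashes in /boot before signing
if [ "$update" = "y" ]; then
  # Because the subshell's status is tested with "||", errexit is suppressed
  # inside it, so every step checks its own status explicitly; that way a
  # failure is reported through die instead of silently ending the script.
  (
    cd /boot || exit 1
    # kexec* files are skipped: they are what kexec.sig itself covers
    find ./ -type f ! -path './kexec*' -print0 \
      | xargs -0 sha256sum > /boot/kexec_hashes.txt || exit 1
    if [ -e /boot/kexec_default_hashes.txt ]; then
      # re-hash the file list already recorded in the default hashes (field 3
      # of each "hash  file" line); the list is read before the file is
      # truncated by the redirect that rewrites it
      DEFAULT_FILES=$(cut -f3 -d ' ' /boot/kexec_default_hashes.txt) || exit 1
      # shellcheck disable=SC2086 -- intentional word-splitting of the list
      printf '%s\n' $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt || exit 1
    fi
    #also save the file & directory structure to detect added files
    print_tree > /boot/kexec_tree.txt || exit 1
  ) || die "$paramsdir: Failed to update hashes."

  # Remove any package trigger log files
  # We don't need them after the user decides to sign
  rm -f /boot/kexec_package_trigger*
fi

if [ "$rollback" = "y" ]; then
  # kexec_rollback.txt matches the kexec*.txt glob, so it is covered by the
  # signature produced below
  rollback_file="$paramsdir/kexec_rollback.txt"

  if [ -n "$counter" ]; then
    # use existing counter
    read_tpm_counter "$counter" \
      || die "$paramsdir: Unable to read tpm counter '$counter'"
  else
    # increment counter
    check_tpm_counter "$rollback_file" \
      || die "$paramsdir: Unable to find/create tpm counter"
    # TPM_COUNTER is presumably exported by check_tpm_counter; verify in
    # /etc/functions
    counter="$TPM_COUNTER"

    increment_tpm_counter "$counter" \
      || die "$paramsdir: Unable to increment tpm counter"
  fi

  # /tmp/counter-$counter is presumably written by the *_tpm_counter helpers
  sha256sum "/tmp/counter-$counter" > "$rollback_file" \
    || die "$paramsdir: Unable to create rollback file"
fi

# The glob is deliberately unquoted. When nothing matches, find receives the
# literal pattern and fails; that case is reported as "no files" below rather
# than as an unexplained exit under set -e.
param_files=$(find "$paramsdir"/kexec*.txt 2>/dev/null) || param_files=""
if [ -z "$param_files" ]; then
  die "$paramsdir: No kexec parameter files to sign"
fi

# Several attempts are allowed (presumably so a failed card PIN entry can be
# retried without restarting); any success exits the script.
for tries in 1 2 3; do
  # shellcheck disable=SC2086 -- param_files is a newline-separated list
  if sha256sum $param_files | gpg \
    --detach-sign \
    -a \
    > "$paramsdir/kexec.sig" \
  ; then
    # successful - update the validated params
    check_config "$paramsdir"
    exit 0
  fi
done

die "$paramsdir: Unable to sign kexec hashes"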