heads/initrd/bin/kexec-sign-config


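#!/bin/sh
# Sign a valid directory of kexec params
#
# Usage: kexec-sign-config /boot
#
# Hashes every kexec*.txt file directly under the given directory with
# sha256sum and writes an ASCII-armored detached GPG signature of that
# hash listing to <dir>/kexec.sig. The signing key is expected to be on
# a GPG card, which is why the USB host controller modules are loaded
# first.
#
# Exits 0 once a signature has been written, 1 if all three attempts
# fail. die and warn come from /etc/functions.
. /etc/functions

MEDIA="$1"
if [ -z "$MEDIA" ]; then
	die "Usage: $0 /boot "
fi

# setup the USB so we can reach the GPG card
if ! lsmod | grep -q ehci_hcd; then
	insmod /lib/modules/ehci-hcd.ko \
		|| die "ehci_hcd: module load failed"
fi
if ! lsmod | grep -q ehci_pci; then
	insmod /lib/modules/ehci-pci.ko \
		|| die "ehci_pci: module load failed"
fi
# The xhci failure messages used to name the ehci modules (copy/paste),
# which pointed at the wrong driver when an xhci load failed.
if ! lsmod | grep -q xhci_hcd; then
	insmod /lib/modules/xhci-hcd.ko \
		|| die "xhci_hcd: module load failed"
fi
if ! lsmod | grep -q xhci_pci; then
	insmod /lib/modules/xhci-pci.ko \
		|| die "xhci_pci: module load failed"
	# Only runs when xhci_pci was just loaded; presumably gives the
	# USB bus time to enumerate the card reader -- TODO confirm.
	sleep 2
fi

gpg --card-status \
	|| die "gpg card read failed"

# Expand the parameter files with a quoted glob instead of an unquoted
# `find` substitution: a path containing whitespace is no longer split
# into several arguments, and an empty match is caught here rather than
# leaving sha256sum with no operands (it would then read stdin).
# The paths and their order are the same ones the shell handed to find
# before, so the hash listing is unchanged for regular files.
# NOTE(review): whatever verifies kexec.sig must hash the same listing.
set -- "$MEDIA"/kexec*.txt
[ -f "$1" ] \
	|| die "$MEDIA: no kexec*.txt files to sign"

# Hash before signing and check the result. In a plain sh pipeline only
# gpg's exit status is seen, so a sha256sum failure would otherwise let
# a partial or empty listing be signed and reported as success.
hashes=$(sha256sum "$@") \
	|| die "$MEDIA: unable to hash kexec params"

# Up to three signing attempts (e.g. a mistyped card PIN).
# The redirect truncates kexec.sig before gpg runs, so a failed attempt
# leaves an empty or partial signature file behind.
for tries in 1 2 3; do
	if printf '%s\n' "$hashes" | gpg \
		--digest-algo SHA256 \
		--detach-sign \
		-a \
		> "$MEDIA/kexec.sig" \
	; then
		exit 0
	fi
done

warn "$MEDIA: Unable to sign boot hashes"
exit 1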