From 4d32b4adf841fff539da5cc8977af0937b565aec Mon Sep 17 00:00:00 2001
From: Matt DeVillier <matt.devillier@puri.sm>
Date: Wed, 13 Nov 2019 17:28:12 -0600
Subject: [PATCH] functions: fix handling of checksum update fail

If kexec-sign-config fails due to GPG key not present,
the double die() results in a kernel panic (and if it didn't,
/boot would be left mounted RW). Fix this by removing call to
die() and ensuring /boot remounted RO regardless checksum
update success or failure.

Signed-off-by: Matt DeVillier <matt.devillier@puri.sm>
---
 initrd/etc/functions | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/initrd/etc/functions b/initrd/etc/functions
index 056c3e82..dc3b6765 100755
--- a/initrd/etc/functions
+++ b/initrd/etc/functions
@@ -287,8 +287,10 @@ update_checksums()
 	if [ "$CONFIG_TPM" = "y" ]; then
 	extparam=-u
 	fi
-	kexec-sign-config -p /boot $extparam \
-	|| die "Failed to sign default config"
+	if ! kexec-sign-config -p /boot $extparam ; then
+	  echo "Failed to sign default config; press Enter to continue."
+	  read
+	fi
 
 	# switch back to ro mode
 	mount -o ro,remount /boot