From 4ec37e7bbb99afb0695c1a52a893d88f19f7635c Mon Sep 17 00:00:00 2001
From: Thierry Laurion
Date: Mon, 9 Dec 2024 13:42:58 -0500
Subject: [PATCH] initrd/bin/kexec-sign-config: safeguard ops between remounting /boot rw/ro

Signed-off-by: Thierry Laurion
---
 initrd/bin/kexec-sign-config | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config
index c34060d0..d0d66c69 100755
--- a/initrd/bin/kexec-sign-config
+++ b/initrd/bin/kexec-sign-config
@@ -27,6 +27,9 @@ assert_signable
 
 confirm_gpg_card
 
+# remount /boot as rw
+mount -o remount,rw /boot
+
 # update hashes in /boot before signing
 if [ "$update" = "y" ]; then
 (
@@ -81,8 +84,15 @@ for tries in 1 2 3; do
 ; then
 # successful - update the validated params
 check_config $paramsdir
+
+ # remount /boot as ro
+ mount -o remount,ro /boot
+
 exit 0
 fi
 done
 
+# remount /boot as ro
+mount -o remount,ro /boot
+
 die "$paramsdir: Unable to sign kexec hashes"
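Review bot: The `mount -o remount,rw /boot` added after `confirm_gpg_card` is only undone on the two paths patched in the second hunk (before `exit 0` and before the final `die`). Any other exit in between, such as a failure inside the `if [ "$update" = "y" ]` block that continues outside this hunk, would leave /boot writable after the script ends. Registering the cleanup once with `trap 'mount -o remount,ro /boot' EXIT` directly after the rw remount covers every exit path and would make the explicit ro remounts redundant. The remount result is also unchecked here; `mount -o remount,rw /boot || die "Unable to remount /boot read-write"` reports the real cause instead of a later failure while the hashes or signature are written.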
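Review bot: Both added `mount -o remount,ro /boot` calls force /boot read-only without knowing how it was mounted when the script started, so a caller that had already remounted it rw and keeps writing afterwards would be affected. The callers are not visible in this diff, so this needs checking; if it can happen, record the mount state before the rw remount and restore only what this script changed. On the failure path, if the script runs with errexit (not visible here), a failing ro remount would abort before `die` prints its message; `mount -o remount,ro /boot || echo "WARNING: /boot is still read-write" >&2` keeps the signing error visible. The `for tries` loop starts outside the hunk.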