heads/initrd/bin/kexec-sign-config

#!/bin/sh
# Sign a valid directory of kexec params
. /etc/functions

MEDIA="$1"

if [ -z "$MEDIA" ]; then
	die "Usage: $0 /boot "
fi

# setup the USB so we can reach the GPG card
if ! lsmod | grep -q ehci_hcd; then
	insmod /lib/modules/ehci-hcd.ko \
	|| die "ehci_hcd: module load failed"
fi
if ! lsmod | grep -q ehci_pci; then
	insmod /lib/modules/ehci-pci.ko \
	|| die "ehci_pci: module load failed"
fi
if ! lsmod | grep -q xhci_hcd; then
	insmod /lib/modules/xhci-hcd.ko \
	|| die "ehci_hcd: module load failed"
fi
if ! lsmod | grep -q xhci_pci; then
	insmod /lib/modules/xhci-pci.ko \
	|| die "ehci_pci: module load failed"
	sleep 2
fi

gpg --card-status \
|| die "gpg card read failed"

for tries in 1 2 3; do
	if sha256sum `find $MEDIA/kexec*.txt` | gpg \
		--digest-algo SHA256 \
		--detach-sign \
		-a \
		> $MEDIA/kexec.sig \
	; then
		exit 0
	fi
done

warn "$MEDIA: Unable to sign boot hashes"
exit 1