mirror of
https://github.com/linuxboot/heads.git
synced 2024-12-19 04:57:55 +00:00
a221321b6a
EC signatures requires that the digest has the corresponding length. Removing the hardcoded sha2-256 hash function and adding support of sha2-384 and sha2-512 should allow using EC crypto.
81 lines
1.8 KiB
Bash
Executable File
81 lines
1.8 KiB
Bash
Executable File
#!/bin/sh
|
|
# Sign a valid directory of kexec params
|
|
set -e -o pipefail
|
|
. /tmp/config
|
|
. /etc/functions
|
|
|
|
rollback="n"
|
|
update="n"
|
|
while getopts "p:c:ur" arg; do
|
|
case $arg in
|
|
p) paramsdir="$OPTARG" ;;
|
|
c) counter="$OPTARG"; rollback="y" ;;
|
|
u) update="y" ;;
|
|
r) rollback="y" ;;
|
|
esac
|
|
done
|
|
|
|
if [ -z "$paramsdir" ]; then
|
|
die "Usage: $0 -p /boot [ -u | -c counter ]"
|
|
fi
|
|
|
|
paramsdir="${paramsdir%%/}"
|
|
|
|
confirm_gpg_card
|
|
|
|
# update hashes in /boot before signing
|
|
if [ "$update" = "y" ]; then
|
|
(
|
|
cd /boot
|
|
find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
|
|
if [ -e /boot/kexec_default_hashes.txt ]; then
|
|
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
|
|
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
|
|
fi
|
|
)
|
|
|
|
# Remove any package trigger log files
|
|
# We don't need them after the user decides to sign
|
|
rm -f /boot/kexec_package_trigger*
|
|
fi
|
|
|
|
if [ "$rollback" = "y" ]; then
|
|
rollback_file="$paramsdir/kexec_rollback.txt"
|
|
|
|
if [ -n "$counter" ]; then
|
|
# use existing counter
|
|
read_tpm_counter $counter \
|
|
|| die "$paramsdir: Unable to read tpm counter '$counter'"
|
|
else
|
|
# increment counter
|
|
check_tpm_counter $rollback_file \
|
|
|| die "$paramsdir: Unable to find/create tpm counter"
|
|
counter="$TPM_COUNTER"
|
|
|
|
increment_tpm_counter $counter \
|
|
|| die "$paramsdir: Unable to increment tpm counter"
|
|
fi
|
|
|
|
sha256sum /tmp/counter-$counter > $rollback_file \
|
|
|| die "$paramsdir: Unable to create rollback file"
|
|
fi
|
|
|
|
param_files=`find $paramsdir/kexec*.txt`
|
|
if [ -z "$param_files" ]; then
|
|
die "$paramsdir: No kexec parameter files to sign"
|
|
fi
|
|
|
|
for tries in 1 2 3; do
|
|
if sha256sum $param_files | gpg \
|
|
--detach-sign \
|
|
-a \
|
|
> $paramsdir/kexec.sig \
|
|
; then
|
|
# successful - update the validated params
|
|
check_config $paramsdir
|
|
exit 0
|
|
fi
|
|
done
|
|
|
|
die "$paramsdir: Unable to sign kexec hashes"
|