heads/initrd/bin/kexec-sign-config
Thierry Laurion 5bc2bc88e4
All scripts and functions: Add DEBUG calling trace on console when CONFIG_DEBUG_OUTPUT is exported in board config
-qemu-coreboot-*whiptail-tpm1(-hotp) boards have 'export CONFIG_DEBUG_OUTPUT=y' by default now
2023-02-18 21:52:44 -05:00

89 lines
2.1 KiB
Bash
Executable File

#!/bin/sh
# Sign a valid directory of kexec params
set -e -o pipefail
. /tmp/config
. /etc/functions
DEBUG "Under /bin/kexec-sign-config"
rollback="n"
update="n"
while getopts "p:c:ur" arg; do
case $arg in
p) paramsdir="$OPTARG" ;;
c) counter="$OPTARG"; rollback="y" ;;
u) update="y" ;;
r) rollback="y" ;;
esac
done
if [ -z "$paramsdir" ]; then
die "Usage: $0 -p /boot [ -u | -c counter ]"
fi
paramsdir="${paramsdir%%/}"
assert_signable
confirm_gpg_card
# update hashes in /boot before signing
if [ "$update" = "y" ]; then
(
cd /boot
find ./ -type f ! -path './kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
if [ -e /boot/kexec_default_hashes.txt ]; then
DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
fi
#also save the file & directory structure to detect added files
print_tree > /boot/kexec_tree.txt
)
[ $? -eq 0 ] || die "$paramsdir: Failed to update hashes."
# Remove any package trigger log files
# We don't need them after the user decides to sign
rm -f /boot/kexec_package_trigger*
fi
if [ "$rollback" = "y" ]; then
rollback_file="$paramsdir/kexec_rollback.txt"
if [ -n "$counter" ]; then
# use existing counter
read_tpm_counter $counter \
|| die "$paramsdir: Unable to read tpm counter '$counter'"
else
# increment counter
check_tpm_counter $rollback_file \
|| die "$paramsdir: Unable to find/create tpm counter"
counter="$TPM_COUNTER"
increment_tpm_counter $counter \
|| die "$paramsdir: Unable to increment tpm counter"
fi
sha256sum /tmp/counter-$counter > $rollback_file \
|| die "$paramsdir: Unable to create rollback file"
fi
param_files=`find $paramsdir/kexec*.txt`
if [ -z "$param_files" ]; then
die "$paramsdir: No kexec parameter files to sign"
fi
for tries in 1 2 3; do
if sha256sum $param_files | gpg \
--detach-sign \
-a \
> $paramsdir/kexec.sig \
; then
# successful - update the validated params
check_config $paramsdir
exit 0
fi
done
die "$paramsdir: Unable to sign kexec hashes"