heads/initrd/bin/kexec-sign-config

#!/bin/sh
# Sign a valid directory of kexec params
set -e -o pipefail
. /tmp/config
. /etc/functions

rollback="n"
update="n"
while getopts "p:c:u:r" arg; do
	case $arg in
		p) paramsdir="$OPTARG" ;;
		c) counter="$OPTARG"; rollback="y" ;;
		u) update="y" ;;
		r) rollback="y" ;;
	esac
done

if [ -z "$paramsdir" ]; then
	die "Usage: $0 -p /boot [ -u | -c counter ]"
fi

paramsdir="${paramsdir%%/}"

confirm_gpg_card

# update hashes in /boot before signing
if [ "$update" = "y" ]; then
	(
		cd /boot
		find ./ -type f ! -name '*kexec*' -print0 | xargs -0 sha256sum > /boot/kexec_hashes.txt
		if [ -e /boot/kexec_default_hashes.txt ]; then
			DEFAULT_FILES=$(cat /boot/kexec_default_hashes.txt | cut -f3 -d ' ')
			echo $DEFAULT_FILES | xargs sha256sum > /boot/kexec_default_hashes.txt
		fi
	)

	# Remove any package trigger log files
	# We don't need them after the user decides to sign
	rm -f /boot/kexec_package_trigger*
fi

if [ "$rollback" = "y" ]; then
	rollback_file="$paramsdir/kexec_rollback.txt"

	if [ -n "$counter" ]; then
		# use existing counter
		read_tpm_counter $counter \
		|| die "$paramsdir: Unable to read tpm counter '$counter'"
	else
		# increment counter
		check_tpm_counter $rollback_file \
		|| die "$paramsdir: Unable to find/create tpm counter"
		counter="$TPM_COUNTER"

		increment_tpm_counter $counter \
		|| die "$paramsdir: Unable to increment tpm counter"
	fi

	sha256sum /tmp/counter-$counter > $rollback_file \
	|| die "$paramsdir: Unable to create rollback file"
fi

param_files=`find $paramsdir/kexec*.txt`
if [ -z "$param_files" ]; then
	die "$paramsdir: No kexec parameter files to sign"
fi

for tries in 1 2 3; do
	if sha256sum $param_files | gpg \
		--digest-algo SHA256 \
		--detach-sign \
		-a \
		> $paramsdir/kexec.sig \
	; then
		# successful - update the validated params
		check_config $paramsdir
		exit 0
	fi
done

die "$paramsdir: Unable to sign kexec hashes"