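#!/bin/sh
# Update the /boot partition signatures
#
# Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs...
#
# Writes the SHA-256 digests of the given Xen, kernel and initrd images,
# plus the current TPM counter file, to /boot/boot.hashes and produces a
# detached, ASCII-armoured GPG signature of that file.  Exits 0 on success
# and non-zero on any failure (missing arguments, unreadable inputs,
# remount failure, incomplete hash file, signing failure).
#
# die, warn, confirm_gpg_card, check_tpm_counter and increment_tpm_counter
# are provided by /etc/functions.  NOTE(review): TPM_COUNTER looks like it
# is set by check_tpm_counter and /tmp/counter-$TPM_COUNTER written by
# increment_tpm_counter -- confirm against /etc/functions.
set -o pipefail

. /etc/functions

XEN="$1"
KERNEL="$2"
INITRD="$3"
BOOT_HASHES="/boot/boot.hashes"

# Put /boot back to read-only; used on every exit path so a failure never
# leaves the partition writable.  Only warns, so the caller's exit status
# is preserved.
remount_boot_ro() {
	mount -o ro,remount /boot \
		|| warn "Could not remount /boot read-only"
}

# Chained single tests instead of `-o`, which is ambiguous for unusual
# argument values.
if [ -z "$XEN" ] || [ -z "$KERNEL" ] || [ -z "$INITRD" ]; then
	die "Usage: $0 /boot/xen... /boot/vmlinuz... /boot/initramfs..."
fi

# Refuse early if an input cannot be read: otherwise the TPM counter would
# be incremented and a hash file with a missing entry would get signed.
for input in "$XEN" "$KERNEL" "$INITRD"; do
	[ -r "$input" ] || die "$input: not readable"
done

confirm_gpg_card

check_tpm_counter "$BOOT_HASHES"

mount -o rw,remount /boot \
	|| die "Could not remount /boot"

increment_tpm_counter "$TPM_COUNTER"

# With pipefail a failure in either stage is reported; never sign a hash
# file that was not written completely.
sha256sum \
	"$XEN" \
	"$KERNEL" \
	"$INITRD" \
	"/tmp/counter-$TPM_COUNTER" \
| tee "$BOOT_HASHES" \
|| {
	remount_boot_ro
	die "$BOOT_HASHES: Unable to write boot hashes"
}

# Signing may need a PIN retry on the card; allow three attempts.
for tries in 1 2 3; do
	if gpg \
		--digest-algo SHA256 \
		--detach-sign \
		-a \
		"$BOOT_HASHES" \
	; then
		remount_boot_ro
		exit 0
	fi
done

warn "$BOOT_HASHES: Unable to sign boot hashes"
remount_boot_ro
exit 1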