From: sgn <sgn@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
Date: Wed, 22 Jul 2020 01:16:21 +0200 [thread overview]
Message-ID: <20200721231621.MDnNhiieNY9YkiYr8S28HmnyKK2ds6rZxam9f16o9uk@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-23688@inbox.vuxu.org>
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 4702 bytes --]
From f00e6fee1245833be7de14002bbdab50b76e3fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..ef379afecb7 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel"; then
+ return 0
+ fi
+ if ! sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign boot/vmlinuz-$VERSION"
+ return 1
+ fi
+ if ! sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
next prev parent reply other threads:[~2020-07-21 23:16 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-21 14:21 [PR PATCH] " sgn
2020-07-21 17:56 ` Duncaen
2020-07-21 17:59 ` Duncaen
2020-07-21 23:12 ` sgn
2020-07-21 23:16 ` sgn [this message]
2020-07-22 0:13 ` ericonr
2020-07-23 13:57 ` sgn
2020-07-23 13:59 ` ericonr
2020-07-23 13:59 ` ericonr
2020-08-06 2:03 ` [PR PATCH] [Updated] " sgn
2020-08-06 2:06 ` sgn
2020-08-06 12:09 ` sgn
2020-08-06 12:13 ` sgn
2020-08-06 12:40 ` sgn
2020-08-07 13:05 ` [PR PATCH] [Closed]: " ahesford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200721231621.MDnNhiieNY9YkiYr8S28HmnyKK2ds6rZxam9f16o9uk@z \
--to=sgn@users.noreply.github.com \
--cc=ml@inbox.vuxu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).