Github messages for voidlinux
From: ahesford <ahesford@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] Improve consistency of relative paths in kernel hooks
Date: Fri, 07 Aug 2020 04:43:44 +0200	[thread overview]
Message-ID: <20200807024344.zuvTe6WgPkdYxymGdXzk9_xFUJU2CzENUeOedjM5WaM@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-24079@inbox.vuxu.org>

[-- Attachment #1: Type: text/plain, Size: 1417 bytes --]

There is an updated pull request by ahesford against master on the void-packages repository

https://github.com/ahesford/void-packages hooks
https://github.com/void-linux/void-packages/pull/24079

Improve consistency of relative paths in kernel hooks
Motivated by a breakage in the `dracut` removal hook as called from `vkpurge`, I cleaned up several packages that install kernel hooks to try to make their behavior more consistent. The XBPS trigger runs hooks from the target root directory with `ROOTDIR` set, so hooks should accommodate this if possible. `vkpurge` now changes to `/` and sets `ROOTDIR` to make sure any hooks it calls work as expected. It would be good to verify correct operation of all hooks after these changes, but `dkms` and `dracut` seem to be the most critical.

- [x] base-files
- [x] dkms
- [x] dracut
- [ ] gummiboot
- [ ] mkinitcpio
- [ ] refind
- [x] sbsigntool

**Note 1**: `dracut` now uses `--sysroot .` to (hopefully) operate properly in a relative environment.

**Note 2**: `dkms` makes a lot of assumptions about running in the system root that are trickier to override, and the hook already made a lot of absolute path references, so I went all-in on absolute paths in the `dkms` hooks.

Affected maintainers: @Gottox @q66 @thypon @sgn
General interest: @ericonr @duncaen

A patch file from https://github.com/void-linux/void-packages/pull/24079.patch is attached
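As an added illustration of the convention described above (not code from this PR or from void-packages), here is a minimal `/bin/sh` hook skeleton written for it: the hook is started with the target root as its current directory and `ROOTDIR` set, so a user-supplied path is normalized to a relative one before use, and the hook is run the way the updated `vkpurge` does. The `normalize_relpath`, `remove_initramfs`, `run_in_root` and `demo` names, and the `BOOT_DIR` variable, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the PR or of void-packages: a minimal kernel hook
# written for the convention described above, where the hook is executed with
# the target root as its current directory and ROOTDIR set, so every path it
# touches must be relative to that directory.

# Strip every leading slash so a user-configured path such as
# /boot/efi/EFI/void is used as boot/efi/EFI/void inside the target root.
normalize_relpath() {
	_p="$1"
	while [ "${_p#/}" != "$_p" ]; do
		_p="${_p#/}"
	done
	printf '%s\n' "$_p"
}

# Hypothetical post-remove hook body: delete the initramfs of the given
# kernel version from the target root. rm -f already succeeds when the file
# is absent, so no [ -f ] guard is needed and the hook exits 0 either way.
remove_initramfs() {
	_version="$1"
	_bootdir=$(normalize_relpath "${BOOT_DIR:-/boot}")
	rm -f "$_bootdir/initramfs-$_version.img"
}

# Run a hook the way vkpurge does after this PR: chdir to the target root and
# set ROOTDIR, in a subshell so the caller's directory is untouched. Unlike
# the vkpurge loop, the hook's exit status is handed back to the caller.
run_in_root() {
	_root="$1"
	shift
	(cd "$_root" && ROOTDIR=. "$@")
}

# Self-check on a constructed scratch root (not a real system): the hook must
# remove the file that lives under the scratch root, not under the host's /boot.
demo() {
	_root=$(mktemp -d) || return 1
	mkdir -p "$_root/boot"
	: > "$_root/boot/initramfs-5.8.0_1.img"
	BOOT_DIR=/boot
	run_in_root "$_root" remove_initramfs 5.8.0_1
	_rc=$?
	if [ -e "$_root/boot/initramfs-5.8.0_1.img" ]; then
		_rc=1
	fi
	rm -rf "$_root"
	return $_rc
}
```

Running `demo` builds a throwaway root, invokes the hook from inside it with `ROOTDIR=.`, and succeeds only if the file under the scratch root was removed; the point of `run_in_root` returning the hook's status is that a failed hook can be reported rather than silently skipped.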

[-- Attachment #2: github-pr-hooks-24079.patch --]
[-- Type: text/x-diff, Size: 20790 bytes --]

From 5600f36562ab91513b2e7b44093e297c6a1fad66 Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 5 Aug 2020 12:13:08 -0400
Subject: [PATCH 1/7] base-files: improve consistency of relative paths in
 kernel hooks

---
 srcpkgs/base-files/files/vkpurge | 4 +++-
 srcpkgs/base-files/template      | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/base-files/files/vkpurge b/srcpkgs/base-files/files/vkpurge
index 92098ec736e..5519147b905 100644
--- a/srcpkgs/base-files/files/vkpurge
+++ b/srcpkgs/base-files/files/vkpurge
@@ -39,10 +39,12 @@ list_kernels() {
 run_hooks() {
 	dir="$1"
 	kver="$2"
+
 	for d in /etc/kernel.d/"${dir}"/*; do
 		[ -x "$d" ] || continue
 		printf "Running %s kernel hook: %s...\n" "$dir" "${d##*/}"
-		"$d" kernel "$kver"
+		# Hooks assume they run from the root
+		(cd / && ROOTDIR=. "$d" kernel "$kver")
 	done
 }
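Review bot: the hook's exit status is discarded here: the subshell `(cd / && ROOTDIR=. "$d" kernel "$kver")` can fail (the hook itself, or the `cd`) and the loop moves on with no indication, so a failed initramfs removal or loader-entry cleanup goes unnoticed. Suggest reporting it, e.g. `(cd / && ROOTDIR=. "$d" kernel "$kver") || printf "kernel hook %s failed\n" "${d##*/}" >&2`, and consider having run_hooks return non-zero when any hook failed so callers can see it.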
 
diff --git a/srcpkgs/base-files/template b/srcpkgs/base-files/template
index d608bc81f57..6b503690606 100644
--- a/srcpkgs/base-files/template
+++ b/srcpkgs/base-files/template
@@ -1,7 +1,7 @@
 # Template file for 'base-files'
 pkgname=base-files
 version=0.141
-revision=1
+revision=2
 bootstrap=yes
 depends="xbps-triggers"
 short_desc="Void Linux base system files"

From 95c237bb582abdf30378d96ebfd17b87fc343f95 Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 5 Aug 2020 12:13:08 -0400
Subject: [PATCH 2/7] dkms: improve consistency of relative paths in kernel
 hooks

---
 srcpkgs/dkms/files/kernel.d/dkms.postinst | 34 ++++++++++++-----------
 srcpkgs/dkms/files/kernel.d/dkms.prerm    |  6 ++--
 srcpkgs/dkms/template                     |  2 +-
 3 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/srcpkgs/dkms/files/kernel.d/dkms.postinst b/srcpkgs/dkms/files/kernel.d/dkms.postinst
index 5cfc630de1c..ef2a10bac28 100644
--- a/srcpkgs/dkms/files/kernel.d/dkms.postinst
+++ b/srcpkgs/dkms/files/kernel.d/dkms.postinst
@@ -8,7 +8,7 @@ PKGNAME="$1"
 VERSION="$2"
 ARCH=$(uname -m)
 
-if [ ! -x /usr/sbin/dkms ]; then
+if [ ! -x /usr/bin/dkms ]; then
 	exit 0
 fi
 
@@ -59,16 +59,16 @@ while [ $# -gt 1 ]; do
 	# If adding a module, depmod is necessary unless dkms runs it
 	do_depmod="yes"
 
-	status=$(dkms status -m ${module} -v ${modulever} -k ${VERSION})
+	status=$(/usr/bin/dkms status -m ${module} -v ${modulever} -k ${VERSION})
 	if [ $(echo "$status"|grep -c ": built") -eq 0 ]; then
 		# Check if the module is still there.
-		if [ ! -f usr/src/${module}-${modulever}/dkms.conf ]; then
+		if [ ! -f /usr/src/${module}-${modulever}/dkms.conf ]; then
 			echo "Skipping nonexistent DKMS module: ${module}-${modulever}."
 			continue
 		fi
 		# Build the module
 		echo -n "Building DKMS module: ${module}-${modulever}... "
-		dkms build -q -m ${module} -v ${modulever} -k ${VERSION} -a ${ARCH}
+		/usr/bin/dkms build -q -m ${module} -v ${modulever} -k ${VERSION} -a ${ARCH}
 		rval=$?
 		# If the module was skipped or failed, go to the next module.
 		if [ $rval -eq 0 ]; then
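Review bot: `/usr/bin/dkms` and `/usr/src/${module}-${modulever}/dkms.conf` are now absolute, so when the trigger runs this hook against a target root other than `/` (the case the rest of the series is fixing) the checks look at the host's files rather than the target's; Note 2 in the PR description accepts this, but a comment at the top of the hook stating that it only supports a root of `/` would stop the next reader from assuming it is relative-safe like the dracut hook. Separately, `${module}`, `${modulever}` and `${VERSION}` are unquoted in every dkms invocation; quoting them would match the quoting pass done on the gummiboot hooks in this series.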
@@ -80,14 +80,14 @@ while [ $# -gt 1 ]; do
 			echo "FAILED!"
 			continue
 		fi
-		status=$(dkms status -m ${module} -v ${modulever} -k ${VERSION})
+		status=$(/usr/bin/dkms status -m ${module} -v ${modulever} -k ${VERSION})
 	fi
 
 	# If the module is built (either pre-built or just now), install it
 	if [ $(echo "$status"|grep -c ": built") -eq 1 ] &&
 	   [ $(echo "$status"|grep -c ": installed") -eq 0 ]; then
 		echo -n "Installing DKMS module: ${module}-${modulever}... "
-		dkms install -q -m ${module} -v ${modulever} -k ${VERSION} -a ${ARCH}
+		/usr/bin/dkms install -q -m ${module} -v ${modulever} -k ${VERSION} -a ${ARCH}
 		rval=$?
 		# If the module failed installation, go to the next module.
 		if [ $rval -eq 0 ]; then
@@ -101,16 +101,18 @@ while [ $# -gt 1 ]; do
 	fi
 done
 
-if [ -n "$do_depmod" ]; then
-	echo -n "Generating kernel module dependency lists... "
-	depmod -a ${VERSION}
-	rval=$?
-	if [ $rval -eq 0 ]; then
-		echo "done."
-	else
-		echo "FAILED!"
-		exit $rval
-	fi
+if [ -z "$do_depmod" ] || [ ! -x /usr/bin/depmod ]; then
+	exit 0
+fi
+
+echo -n "Generating kernel module dependency lists... "
+/usr/bin/depmod -a ${VERSION}
+rval=$?
+if [ $rval -eq 0 ]; then
+	echo "done."
+else
+	echo "FAILED!"
+	exit $rval
 fi
 
 exit 0
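Review bot: the new early exit conflates "depmod not needed" with "depmod not installed": when `do_depmod` is set but `/usr/bin/depmod` is missing, the hook now exits 0 silently even though modules were just built, and modprobe will not find them until the dependency lists are regenerated. Suggest keeping that case separate and saying so, e.g. `if [ -n "$do_depmod" ] && [ ! -x /usr/bin/depmod ]; then echo "depmod not found, dependency lists not updated"; exit 0; fi`. `${VERSION}` is also unquoted in the depmod call.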
diff --git a/srcpkgs/dkms/files/kernel.d/dkms.prerm b/srcpkgs/dkms/files/kernel.d/dkms.prerm
index 0307e895311..155e9734aee 100644
--- a/srcpkgs/dkms/files/kernel.d/dkms.prerm
+++ b/srcpkgs/dkms/files/kernel.d/dkms.prerm
@@ -4,14 +4,14 @@
 PKGNAME="$1"
 VERSION="$2"
 
-if [ -x /usr/sbin/dkms ]; then
+if [ -x /usr/bin/dkms ]; then
 while read line; do
    name=`echo "$line" | awk '{print $1}' | sed 's/,$//'`
    vers=`echo "$line" | awk '{print $2}' | sed 's/,$//'`
    arch=`echo "$line" | awk '{print $4}' | sed 's/:$//'`
    echo "dkms: removing: $name $vers (${PKGNAME}-${VERSION}) ($arch)" >&2
-   dkms remove -q -m $name -v $vers -k ${VERSION} -a $arch
-done < <(dkms status -k ${VERSION} 2>/dev/null | grep ": installed")
+   /usr/bin/dkms remove -q -m $name -v $vers -k ${VERSION} -a $arch
+done < <(/usr/bin/dkms status -k ${VERSION} 2>/dev/null | grep ": installed")
 fi
 
 rmdir \
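Review bot: `read line` without `-r` and the unquoted `$name`, `$vers` and `$arch` in the `dkms remove` call survive this change; `read -r line` and quoting the three variables would make the loop robust to backslashes or unexpected whitespace in `dkms status` output. The `done < <(...)` process substitution is bash-only, which is fine given the package depends on bash, but worth keeping in mind since other hooks in this series (the new sbsigntool post-remove, for one) are `/bin/sh` scripts.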
diff --git a/srcpkgs/dkms/template b/srcpkgs/dkms/template
index 4365bc5a7d7..f6b5035e8a0 100644
--- a/srcpkgs/dkms/template
+++ b/srcpkgs/dkms/template
@@ -1,7 +1,7 @@
 # Template file for 'dkms'
 pkgname=dkms
 version=2.8.3
-revision=1
+revision=2
 conf_files="/etc/dkms/framework.conf"
 depends="bash kmod gcc make coreutils linux-headers"
 short_desc="Dynamic Kernel Modules System"

From 490fd3d0ff0709134e758b9af4afdf7b5e9434af Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 5 Aug 2020 12:13:08 -0400
Subject: [PATCH 3/7] dracut: improve consistency of relative paths in kernel
 hooks

---
 srcpkgs/dracut/files/kernel-hook-postinst      | 4 ++--
 srcpkgs/dracut/files/kernel-hook-postrm        | 4 +---
 srcpkgs/dracut/files/kernel-uefi-hook-postinst | 5 +++--
 srcpkgs/dracut/files/kernel-uefi-hook-postrm   | 4 +---
 srcpkgs/dracut/template                        | 2 +-
 5 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/srcpkgs/dracut/files/kernel-hook-postinst b/srcpkgs/dracut/files/kernel-hook-postinst
index a9d265b6ed6..537af549796 100644
--- a/srcpkgs/dracut/files/kernel-hook-postinst
+++ b/srcpkgs/dracut/files/kernel-hook-postinst
@@ -7,9 +7,9 @@
 PKGNAME="$1"
 VERSION="$2"
 
-if [ ! -x bin/dracut ]; then
+if [ ! -x usr/bin/dracut ]; then
 	exit 0
 fi
 
-dracut -q --force boot/initramfs-${VERSION}.img ${VERSION}
+usr/bin/dracut -q --force --sysroot . boot/initramfs-${VERSION}.img ${VERSION}
 exit $?
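Review bot: `--sysroot .` is the right direction, but the "hopefully" in the PR description suggests it has not been exercised outside a root of `/`; it would be good to record a run of this hook with the trigger pointed at a non-`/` target root before merging, since dracut collects files from the sysroot and a relative sysroot only works if dracut does not change directory internally. Minor: `${VERSION}` is unquoted, and the trailing `exit $?` is redundant because the script's status is already that of its last command.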
diff --git a/srcpkgs/dracut/files/kernel-hook-postrm b/srcpkgs/dracut/files/kernel-hook-postrm
index f99458a4bfa..c338cf617a7 100644
--- a/srcpkgs/dracut/files/kernel-hook-postrm
+++ b/srcpkgs/dracut/files/kernel-hook-postrm
@@ -7,7 +7,5 @@
 PKGNAME="$1"
 VERSION="$2"
 
-if [ -f boot/initramfs-${VERSION}.img ]; then
-	rm -f boot/initramfs-${VERSION}.img
-fi
+rm -f boot/initramfs-${VERSION}.img
 exit $?
diff --git a/srcpkgs/dracut/files/kernel-uefi-hook-postinst b/srcpkgs/dracut/files/kernel-uefi-hook-postinst
index d623c3f86df..f1098a48a81 100644
--- a/srcpkgs/dracut/files/kernel-uefi-hook-postinst
+++ b/srcpkgs/dracut/files/kernel-uefi-hook-postinst
@@ -12,12 +12,13 @@ if [ -z "${CREATE_UEFI_BUNDLES}" ]; then
 	exit 0
 fi
 
-if [ ! -x bin/dracut ]; then
+if [ ! -x usr/bin/dracut ]; then
 	exit 0
 fi
 
 mkdir -p ${UEFI_BUNDLE_DIR:=boot/efi/EFI/void}
 
-dracut -q --force ${KERNEL_CMDLINE:+--kernel-cmdline="${KERNEL_CMDLINE}"} ${DRACUT_OPTIONS} \
+usr/bin/dracut -q --force --sysroot . ${DRACUT_OPTIONS} \
+	${KERNEL_CMDLINE:+--kernel-cmdline="${KERNEL_CMDLINE}"} \
 	--uefi ${UEFI_BUNDLE_DIR}/linux-${VERSION}.efi ${VERSION}
 exit $?
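Review bot: `UEFI_BUNDLE_DIR` is user-configurable and still unquoted in both the `mkdir -p` and the `--uefi` argument, and nothing strips a leading `/`; a user who set it to the natural-looking `/boot/efi/EFI/void` would now have the bundle written outside the target root when the hook runs with a relative root. Suggest normalizing it the way PATCH 6/7 does for `REFIND_CONF` (`UEFI_BUNDLE_DIR="${UEFI_BUNDLE_DIR#/}"`) and quoting it, in both this hook and the post-remove counterpart.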
diff --git a/srcpkgs/dracut/files/kernel-uefi-hook-postrm b/srcpkgs/dracut/files/kernel-uefi-hook-postrm
index 8183bb26f08..63b25498789 100644
--- a/srcpkgs/dracut/files/kernel-uefi-hook-postrm
+++ b/srcpkgs/dracut/files/kernel-uefi-hook-postrm
@@ -11,7 +11,5 @@ VERSION="$2"
 
 : "${UEFI_BUNDLE_DIR:=boot/efi/EFI/void}"
 
-if [ -f "${UEFI_BUNDLE_DIR}/linux-${VERSION}.efi" ]; then
-	rm -fv "${UEFI_BUNDLE_DIR}/linux-${VERSION}.efi"
-fi
+rm -fv "${UEFI_BUNDLE_DIR}/linux-${VERSION}.efi"
 exit $?
diff --git a/srcpkgs/dracut/template b/srcpkgs/dracut/template
index 8fb41d17a72..232f70a0d4a 100644
--- a/srcpkgs/dracut/template
+++ b/srcpkgs/dracut/template
@@ -1,7 +1,7 @@
 # Template file for 'dracut'
 pkgname=dracut
 version=050
-revision=5
+revision=6
 build_style=configure
 configure_args="--prefix=/usr --sysconfdir=/etc"
 conf_files="/etc/dracut.conf"

From fa368c1ad2cfd2ae84a90247535d918f759b368d Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 5 Aug 2020 12:13:08 -0400
Subject: [PATCH 4/7] gummiboot: improve consistency of relative paths in
 kernel hooks

---
 .../files/kernel.d/gummiboot.post-install     | 28 +++++++++----------
 .../files/kernel.d/gummiboot.post-remove      | 16 +++++------
 srcpkgs/gummiboot/template                    |  2 +-
 3 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-install b/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-install
index 7f4d27e985d..2517421e3e5 100644
--- a/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-install
+++ b/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-install
@@ -13,33 +13,33 @@ if [ "$GUMMIBOOT_DISABLE" ]; then
 	exit 0
 fi
 
-boot=$ROOTDIR/boot
-entries=$boot/loader/entries
-name=void-$VERSION
-entry=$entries/$name.conf
-options=$boot/loader/void-options.conf
-loader=$boot/loader/loader.conf
+boot="$ROOTDIR/boot"
+entries="$boot/loader/entries"
+name="void-$VERSION"
+entry="$entries/$name.conf"
+options="$boot/loader/void-options.conf"
+loader="$boot/loader/loader.conf"
 
-[ -d $boot ] || exit 0
+[ -d "$boot" ] || exit 0
 
-mkdir -p $entries
+mkdir -p "$entries"
 
-cat <<-EOF > $entry
+cat <<-EOF > "$entry"
 	title Void Linux
 	version $VERSION
 	linux /vmlinuz-$VERSION
 	initrd /initramfs-$VERSION.img
 EOF
 
-if [ -r $options ]; then
+if [ -r "$options" ]; then
 	# Add user provided options from /boot/loader/void-options.conf:
-	printf 'options %s\n' "$(cat $options | sed '/^#/d;/^$/d')" >> $entry
+	printf 'options %s\n' "$(cat "$options" | sed '/^#/d;/^$/d')" >> "$entry"
 fi
 
-if grep -q ^default $loader 2>/dev/null; then
+if grep -q ^default "$loader" 2>/dev/null; then
 	# Replace existing default entry with this entry:
-	sed -i "s/default.*/default $name/" $loader
+	sed -i "s/default.*/default $name/" "$loader"
 else
 	# Add this entry as the default:
-	printf 'default %s\n' $name >>$loader
+	printf 'default %s\n' $name >>"$loader"
 fi
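Review bot: the quoting pass missed `$name` in the last line, `printf 'default %s\n' $name >>"$loader"`; harmless for `void-$VERSION` today, but it is the one unquoted expansion left in a hunk whose purpose is quoting. Also `$(cat "$options" | sed '/^#/d;/^$/d')` can simply be `$(sed '/^#/d;/^$/d' "$options")`.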
diff --git a/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-remove b/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-remove
index b946d62456a..a207b2d362c 100644
--- a/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-remove
+++ b/srcpkgs/gummiboot/files/kernel.d/gummiboot.post-remove
@@ -7,15 +7,15 @@
 PKGNAME="$1"
 VERSION="$2"
 
-boot=$ROOTDIR/boot
-entries=$boot/loader/entries
-name=void-$VERSION
-entry=$entries/$name.conf
-loader=$boot/loader/loader.conf
+boot="$ROOTDIR/boot"
+entries="$boot/loader/entries"
+name="void-$VERSION"
+entry="$entries/$name.conf"
+loader="$boot/loader/loader.conf"
 
-[ -d $boot ] || exit 0
+[ -d "$boot" ] || exit 0
 
-rm -f $entry
+rm -f "$entry"
 
 # No default entry if the removed entry was the default:
-sed -i "/^default $name\$/d" $loader
+[ -e "$loader" ] && sed -i "/^default $name\$/d" "$loader"
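Review bot: `[ -e "$loader" ] && sed -i ...` as the final line makes the hook exit with status 1 whenever `loader.conf` does not exist, because the script's exit status is that of the failed `&&` list, and a hook that finds nothing to clean up should succeed. Write it as an `if` block (`if [ -e "$loader" ]; then sed -i "/^default $name\$/d" "$loader"; fi`) or end the script with an explicit `exit 0`.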
diff --git a/srcpkgs/gummiboot/template b/srcpkgs/gummiboot/template
index a824e27c021..052776fe7ff 100644
--- a/srcpkgs/gummiboot/template
+++ b/srcpkgs/gummiboot/template
@@ -1,7 +1,7 @@
 # Template file for 'gummiboot'
 pkgname=gummiboot
 version=48.1
-revision=5
+revision=6
 archs="i686* x86_64* aarch64*"
 build_style=gnu-configure
 conf_files="/etc/default/gummiboot"

From ff37dc33abae07b7bf4bcfcec8dddf7ee81da0a9 Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 5 Aug 2020 12:13:09 -0400
Subject: [PATCH 5/7] mkinitcpio: improve consistency of relative paths in
 kernel hooks

---
 srcpkgs/mkinitcpio/files/kernel-hook-postinst | 4 ++--
 srcpkgs/mkinitcpio/files/kernel-hook-postrm   | 4 +---
 srcpkgs/mkinitcpio/template                   | 2 +-
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/srcpkgs/mkinitcpio/files/kernel-hook-postinst b/srcpkgs/mkinitcpio/files/kernel-hook-postinst
index 31fe5705812..c6f2ab81264 100644
--- a/srcpkgs/mkinitcpio/files/kernel-hook-postinst
+++ b/srcpkgs/mkinitcpio/files/kernel-hook-postinst
@@ -7,9 +7,9 @@
 PKGNAME="$1"
 VERSION="$2"
 
-if [ ! -x bin/mkinitcpio ]; then
+if [ ! -x usr/bin/mkinitcpio ]; then
 	exit 0
 fi
 
-mkinitcpio -g boot/initramfs-${VERSION}.img -k ${VERSION}
+usr/bin/mkinitcpio -g boot/initramfs-${VERSION}.img -k ${VERSION}
 exit $?
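Review bot: unlike the dracut hook in PATCH 3/7, this one gets the relative binary path but still lets mkinitcpio read its configuration and module tree from the host, since nothing tells it where the target root is; mkinitcpio's `-r <dir>` option sets the root used for the module tree (the config path is separate, via `-c`), so `-r .` would be the partial analogue of `--sysroot .`. Otherwise a comment noting that this hook assumes a root of `/` (as Note 2 does for dkms) would make the limitation explicit. Minor: `${VERSION}` is unquoted and `exit $?` is redundant.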
diff --git a/srcpkgs/mkinitcpio/files/kernel-hook-postrm b/srcpkgs/mkinitcpio/files/kernel-hook-postrm
index f099aba66ca..028fd097b87 100644
--- a/srcpkgs/mkinitcpio/files/kernel-hook-postrm
+++ b/srcpkgs/mkinitcpio/files/kernel-hook-postrm
@@ -7,7 +7,5 @@
 PKGNAME="$1"
 VERSION="$2"
 
-if [ -f /boot/initramfs-${VERSION}.img ]; then
-	rm -f /boot/initramfs-${VERSION}.img
-fi
+rm -f boot/initramfs-${VERSION}.img
 exit $?
diff --git a/srcpkgs/mkinitcpio/template b/srcpkgs/mkinitcpio/template
index 303905d0f1f..a0f44360db4 100644
--- a/srcpkgs/mkinitcpio/template
+++ b/srcpkgs/mkinitcpio/template
@@ -1,7 +1,7 @@
 # Template file for 'mkinitcpio'
 pkgname=mkinitcpio
 version=27
-revision=1
+revision=2
 archs=noarch
 build_style=gnu-makefile
 depends="busybox-static bsdtar bash"

From 16c2057a4bf699602153bfd25aa27511e632256e Mon Sep 17 00:00:00 2001
From: "Andrew J. Hesford" <ajh@sideband.org>
Date: Wed, 5 Aug 2020 12:13:09 -0400
Subject: [PATCH 6/7] refind: improve consistency of relative paths in kernel
 hooks

---
 srcpkgs/refind/files/kernel.post-install | 10 +++-------
 srcpkgs/refind/files/kernel.post-remove  |  4 +++-
 srcpkgs/refind/template                  |  2 +-
 3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/srcpkgs/refind/files/kernel.post-install b/srcpkgs/refind/files/kernel.post-install
index 88b261aaacd..fd18f9c45ff 100755
--- a/srcpkgs/refind/files/kernel.post-install
+++ b/srcpkgs/refind/files/kernel.post-install
@@ -12,22 +12,18 @@ if [ "z$UPDATE_REFIND_CONF" != "z1" ]; then
 	exit 0;
 fi
 
-# Default refind.conf
-: "${REFIND_CONF:=/boot/EFI/refind/refind.conf}"
+: ${REFIND_CONF:=boot/EFI/refind/refind.conf}
+REFIND_CONF="${REFIND_CONF#/}"
 
-zrefind_dir="${REFIND_CONF%/*}"
-mkdir -p "$zrefind_dir"
+mkdir -p "${REFIND_CONF%/*}"
 touch "$REFIND_CONF"
 
 tmpfile=$(mktemp /tmp/refind.XXXXXXX)
 
-zefi_mountpoint=$(df -P "$REFIND_CONF" | awk 'NR==2{print $6}')
-zicon="${zrefind_dir#$zefi_mountpoint}/icons/os_void.png"
 zversion=$(echo "$VERSION" | sed 's/[.]/[.]/g')
 
 zentry=$(cat <<EOF
 menuentry "Void Linux $VERSION" {
-	icon     $zicon
 	volume   "Void Linux"
 	loader   /vmlinuz-$VERSION
 	initrd   /initramfs-$VERSION.img
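Review bot: removing the `icon` line (and the `df`-based mountpoint lookup that computed it) changes the generated menu entry, which the commit subject "improve consistency of relative paths" does not mention; either say in the commit message that entries no longer carry `os_void.png`, or keep the icon by deriving its path without `df` (the old code used the rEFInd directory relative to the ESP mountpoint). Also `: ${REFIND_CONF:=...}` is unquoted here but quoted in the post-remove hook, and that hook's `# Make sure paths are relative` comment is missing above the `${REFIND_CONF#/}` line here.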
diff --git a/srcpkgs/refind/files/kernel.post-remove b/srcpkgs/refind/files/kernel.post-remove
index efb3786396c..58881766e4d 100755
--- a/srcpkgs/refind/files/kernel.post-remove
+++ b/srcpkgs/refind/files/kernel.post-remove
@@ -13,7 +13,9 @@ if [ "z$UPDATE_REFIND_CONF" != "z1" ]; then
 fi
 
 # Default refind.conf
-: "${REFIND_CONF:=/boot/EFI/refind/refind.conf}"
+: "${REFIND_CONF:=boot/EFI/refind/refind.conf}"
+# Make sure paths are relative
+REFIND_CONF="${REFIND_CONF#/}"
 
 [ -f "$REFIND_CONF" ] || exit 0
 
diff --git a/srcpkgs/refind/template b/srcpkgs/refind/template
index 5e9865b9667..d7f8f2fba1c 100644
--- a/srcpkgs/refind/template
+++ b/srcpkgs/refind/template
@@ -1,7 +1,7 @@
 # Template file for 'refind'
 pkgname=refind
 version=0.12.0
-revision=1
+revision=2
 archs="x86_64* i686* aarch64*"
 makedepends="gnu-efi-libs"
 depends="bash dosfstools efibootmgr"

From 307578870b871b9d3deef5923dd34755beb1202d Mon Sep 17 00:00:00 2001
From: Đoàn Trần Công Danh <congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH 7/7] sbsigntool: rewrite post-install kernel hook

* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
  GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop appending a signature to an EFI file already signed by the current key/cert.

While we're at it,
* add post-remove script to remove the unsigned file if it exists

Closes #23688.
---
 .../files/kernel.d/sbsigntool.post-install    | 66 +++++++++++--------
 .../files/kernel.d/sbsigntool.post-remove     | 13 ++++
 srcpkgs/sbsigntool/template                   |  4 +-
 3 files changed, 53 insertions(+), 30 deletions(-)
 create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove

diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..70918527711 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
 VERSION="$2"
 
 msg() {
-	echo "EFI sbsign hook: $1"
+	echo "sbsigntool: $1"
+}
+
+do_sign() {
+	_kernel="$1"
+	if [ ! -f "$_kernel" ]; then
+		msg "$_kernel not found"
+		return 1
+	fi
+	# Ignore efi file signed with this key
+	if usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
+		return 0
+	fi
+	if ! usr/bin/sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+		-k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+		"$_kernel"
+	then
+		msg "failed to sign $_kernel"
+		return 1
+	fi
+	if ! usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+		msg "failed to verify the signature"
+		return 1
+	fi
+
+	if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+		mv -f "$_kernel" "$_kernel.unsigned"
+	fi
+	mv -f "$_kernel.signed" "$_kernel"
 }
 
 . "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
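Review bot: on verification failure, `do_sign` returns 1 but leaves `$_kernel.signed` in place next to the kernel; removing it in that branch (`rm -f "$_kernel.signed"`) avoids leaving a rejected artifact on the boot partition. The idempotence check (`sbverify -c cert "$_kernel"` succeeding means skip) is a good addition, but its output is suppressed while the second `sbverify` prints to stdout; consider redirecting both the same way so hook output stays uniform.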
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
 	exit 0
 fi
 
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
 	msg "key and/or certificate is not available"
 	exit 1
 fi
 
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
-	msg "Please  chown root:root '${EFI_KEY_FILE}'"
-	msg "and     chmod go-rwx '${EFI_KEY_FILE}'"
-	exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
-	options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
-	"/boot/vmlinuz-${VERSION}"; then
-	msg "failed to sign kernel"
-	exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
-	msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+	awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+	msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+	msg "and not readable by other users."
 	exit 1
 fi
 
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
-	mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
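Review bot: the `ls -Ll | awk` ownership check rejects valid files whose mode column carries an ACL or security-context marker (GNU `ls` appends `+` or `.`, making `$1` eleven characters and failing `/^-...------$/`), and it now requires the certificate, which is public data, to be unreadable by others, a stricter rule than the old key-only check. Suggest matching only the first ten characters (e.g. `substr($1,1,10) !~ /^-...------$/`) and applying the permission part to the key alone, or using `ls -Lln` and testing `$3 != 0` so the check does not depend on the owner being named `root`. Minor: `comformance` in the comment should read `conformant`.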
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+	rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
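Review bot: the `if [ -f ... ]` guard around `rm -f` is the pattern PATCH 3/7 and 5/7 remove from the dracut and mkinitcpio post-remove hooks as redundant (`rm -f` already succeeds on a missing file), so a bare `rm -f "boot/vmlinuz-${VERSION}.unsigned"` would be consistent with the rest of the series; while here, a stale `boot/vmlinuz-${VERSION}.signed` left behind by a failed verification in the post-install hook could be removed as well.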
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
 # Template file for 'sbsigntool'
 pkgname=sbsigntool
 version=0.9.4
-revision=2
+revision=3
 archs="x86_64* i686* aarch64* arm*"
 wrksrc=sbsigntools-$version
 build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
 	# and I'm not sure about their interaction
 	vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
 		etc/kernel.d/post-install 40-sbsigntool
+	vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+		etc/kernel.d/post-remove 40-sbsigntool
 }
