From 94a539680962cecde6f0f9ab75d9c473877ab252 Mon Sep 17 00:00:00 2001
From: dkwo
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: update to 0.11, patch, add kernel hooks
---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd | 3 +++
 srcpkgs/sbctl/patches/keyusage.patch | 17 +++++++++++++++++
 srcpkgs/sbctl/template | 9 ++++++---
 5 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch
diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
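Review bot: In kernel-hook-postinst the opt-in test `[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0` enables signing for any non-empty value, so `SBCTL_SIGN_KERNEL=no` still signs, although kernel-hook.confd documents `yes` as the switch. The two `[ -e … ] && usr/bin/sbctl sign -s …` lines also discard a signing failure and leave the hook's exit status at 1 whenever `boot/vmlinux-${VERSION}` does not exist; with Secure Boot enforced, a kernel that failed to sign would then only be noticed at the next boot. I would compare against `yes`, quote the image path, and report a failed `sbctl sign` on stderr and through the exit status, as sketched below. kernel-hook-postrm repeats the same opt-in test and the same `[ -e … ] &&` pattern.

```shell
# … unchanged: sbctl presence check, PKGNAME/VERSION, sourcing of sbctl-kernel-hook …
[ "${SBCTL_SIGN_KERNEL}" = yes ] || exit 0

rc=0
for img in "boot/vmlinuz-${VERSION}" "boot/vmlinux-${VERSION}"; do
	[ -e "${img}" ] || continue
	if ! usr/bin/sbctl sign -s "${img}"; then
		echo "sbctl: failed to sign ${img}" >&2
		rc=1
	fi
done
exit "${rc}"
```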
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ SignatureAlgorithm: x509.SHA256WithRSA,
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(5, 0, 0),
+- KeyUsage: x509.KeyUsageDigitalSignature,
+ Subject: pkix.Name{
+ Country: []string{name},
+ CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..ce09dbede1835 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
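Review bot: In kernel-hook-postrm the `[ -e "boot/vmlinuz-${VERSION}" ]` and `[ -e "boot/vmlinux-${VERSION}" ]` guards let `sbctl rm` run only while the image is still on disk. If post-remove hooks run after the kernel files have been deleted, as the directory name suggests, neither line fires and the entries saved by `sign -s` in the post-install hook are left behind. Dropping the existence test and tolerating a missing entry would avoid that, for example `usr/bin/sbctl rm "boot/vmlinuz-${VERSION}" 2>/dev/null || :`. It is also worth confirming that `rm` is a subcommand sbctl 0.11 accepts, since nothing on this page shows it.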
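Review bot: keyusage.patch removes `KeyUsage: x509.KeyUsageDigitalSignature` from the certificate template for every install, not only for the ThinkPad firmware its header names, so all certificates created by this package are issued without a keyUsage extension and are no longer restricted to digital signatures. The patch header should record that trade-off and whether the change was accepted upstream under the linked issue 102, so the patch can be dropped or revisited at the next version bump. Certificates generated before the upgrade presumably keep the old extension, so the header could also say that affected users have to create and enroll new keys to benefit. The enclosing function in keys.go starts and ends outside the hunk.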
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira "
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 do_build() {
 make
@@ -23,4 +23,7 @@ do_install() {
 post_install() {
 vlicense LICENSE
+ vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+ vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+ vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }
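Review bot: The new `vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook` line in post_install installs a file the user must edit to enable signing, but no `conf_files` entry is visible in the template hunks. A package update may therefore replace the edited file and silently turn kernel signing off again, which under enforced Secure Boot would leave the next kernel unsigned. If the template does not already declare it outside these hunks, add `conf_files="/etc/default/sbctl-kernel-hook"` next to the other variables.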