From 62c7e2a4a3fd8c707b0aef9d044b7c3835a201b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakobus=20Sch=C3=BCrz?=
Date: Thu, 28 Feb 2019 10:19:53 +0100
Subject: [PATCH] =?UTF-8?q?angabe=20der=20module=20in=20file=20m=C3=B6glic?= =?UTF-8?q?h,=20kernel=20wird=20automatisch=20entdeckt,=20neuer=20kernel?= =?UTF-8?q?=20kann=20manuell=20angegeben=20werden?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
sign-modules.sh | 85 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100755 sign-modules.sh

diff --git a/sign-modules.sh b/sign-modules.sh
new file mode 100755
index 0000000..1291287
--- /dev/null
+++ b/sign-modules.sh
@@ -0,0 +1,85 @@
+#!/bin/sh
+
+MOK=modules_signing
+#declare -A MODULES
+
+help() {
+ cat << EOF
+
+ Usage create key-pair:
+ $0 -c
+
+ creates a key-pair to sign kernel-modules and registers it in UEFI to allow self signed kernel-modules for secure-boot
+
+ Usage sign modules:
+ $0 [] []...
+ $0 -k [] []...
+ $0 -k -f
+ $0 -f
+
+ -k output of »uname -r«
+ if not given, it takes current kernelversion
+
+ -f plaintext file with newlineseparated list of modules to sign
+
+ signs a list of modules with the created and registered key for secureboot
+EOF
+}
+
+set -- $(getopt "hck:f:" "$@")
+
+while :
+do
+ case $1 in
+ -h)
+ help
+ exit 0
+ ;;
+ -c)
+ shift
+ echo create key-pair for signing the modules
+
+ if [ -e $MOK.priv ] ;then
+ :
+ else
+ openssl req -new -x509 -newkey rsa:2048 -keyout $MOK.priv -outform DER -out $MOK.der -nodes -days 36500 -subj "/CN=Jakobus Schuerz/"
+ fi
+ sudo mokutil --import $MOK.der
+ exit 0
+ ;;
+ -k)
+ shift
+ KVERS=$1
+ shift
+ ;;
+ -f)
+ shift
+ MODULES=($(cat $1))
+ shift
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "wrong option"
+ help
+ exit 1
+ ;;
+ esac
+done
+
+if [ -z ${KVERS+x} ]; then
+ KVERS=$(uname -r)
+fi
+
+if [ -z ${MODULES+x} ]; then
+ MODULES=($@)
+fi
+
+echo "Sign kernel modules »${MODULES[*]}« for kernel-version ${KVERS}"
+for i in ${MODULES[*]}; do
+ echo sign $i
+ echo sudo /usr/src/kernels/${KVERS}/scripts/sign-file sha256 ./$MOK.priv ./$MOK.der $(modinfo -n ${i})
+ sudo /usr/src/kernels/${KVERS}/scripts/sign-file sha256 ./$MOK.priv ./$MOK.der $(modinfo -n ${i})
+done
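Review bot: The `-c` branch creates the MOK signing key with `-nodes`, so `modules_signing.priv` is left unencrypted in whatever directory the script was started from, and once `mokutil --import` has enrolled the certificate anyone who can read that file can sign modules that Secure Boot on this machine will accept. I would drop `-nodes` (sign-file reads the passphrase from `KBUILD_SIGN_PIN`, which then has to be passed through `sudo`), set `umask 077` before `openssl req`, and keep the key at a fixed root-only path instead of `./$MOK.priv`. In the signing loop `modinfo -n ${i}` resolves the path for the running kernel even when `-k` was given, so the wrong file gets signed; use `"$(modinfo -k "$KVERS" -n "$i")"` and skip the module when that returns nothing. The script also relies on arrays (`MODULES=(...)`, `${MODULES[*]}`) under `#!/bin/sh`, which fails where sh is dash, so the shebang should be `#!/bin/bash`.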