Diffstat (limited to 'signko')
-rwxr-xr-xsignko56
1 files changed, 56 insertions, 0 deletions
diff --git a/signko b/signko
new file mode 100755
index 0000000..4114fa1
--- /dev/null
+++ b/signko
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+export KVER="$(uname -r)"
+
+function hayulp {
+ printf "USAGE: %b [ -k KVER ]\\n" "$(basename "$0")"
+ (
+ printf -- "-h:;This help\\n"
+ printf -- "-k:;Sign drivers supplied for KVER\\n"
+ printf " ;KVER equals the version name supplied by the folders in /lib/modules\\n"
+ )|column -ts\;
+}
+
+while getopts :hk: SHOPT;do
+ case "${SHOPT}" in
+ h) hayulp;exit 0;;
+ k) export KVER="${OPTARG}";;
+ *) printf "Unknown parameter: -%b\\n\\n" "$OPTARG" >&2;hayulp;exit 1;;
+ esac
+done
+
+SIGNER="$(grep ^CN x509.cnf|awk -F= '{print $NF}'|sed 's/^\ \+//;s/\ \+$//')"
+[ "${PIPESTATUS[0]}" -ne 0 ]&&exit 1
+
+if [ ! -r private_key.priv ] || [ ! -r public_key.der ];then
+ printf "No signing key and/or certificate found!\\n" >&2
+ exit 1
+fi
+
+#printf "We will sign following kernel modules: %b.\n" "$(ls -amA /usr/lib/modules/"$(uname -r)"/extra/nvidia/nvidia{,-uvm}.ko)"
+printf "We will sign following kernel modules: %b.\n" "$(ls -amA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz 2>/dev/null)"
+read -rp "Is this OK? [y/N] " PROEMT
+case "$PROEMT" in
+ "y"|"Y"|"j"|"J") ;;
+ *) exit 1 ;;
+esac
+# shellcheck disable=SC2207
+SGDMODS=( $(ls -aA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz) )
+for i in "${SGDMODS[@]}";do
+ MODSIG=0 MODGOODSIG=0
+ sudo xz -vd "$i"||exit 4
+ MMOD="$(printf "%b" "$i"|sed 's/\.xz$//')"
+ if sudo modinfo "$MMOD"|grep '^sig_id:'|grep 'PKCS#7$' >/dev/null; then MODSIG=1; fi
+ if sudo modinfo "$MMOD"|grep '^signer:'|grep "$SIGNER\$" > /dev/null; then MODGOODSIG=1; fi
+ if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ];then
+ printf "Signing %b..." "$i"
+ sudo /usr/src/kernels/"$KVER"/scripts/sign-file sha256 private_key.priv public_key.der "$MMOD"
+ case "$?" in
+ 0) printf " OK.\n";;
+ *) printf "FAILED!\n";exit 3;;
+ esac
+ else
+ printf "%b is already properly signed.\n" "$(basename "$i")"
+ fi
+ sudo xz -v "$MMOD"||exit 5
+done
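Review bot: The `[ "${PIPESTATUS[0]}" -ne 0 ]&&exit 1` test after the `SIGNER=` assignment never sees grep's exit status, because the pipeline runs inside the command substitution and the parent shell only receives the status of the assignment, which is that of the trailing `sed`. If `x509.cnf` is missing or has no `CN` line, `SIGNER` is empty and the later `grep "$SIGNER\$"` becomes `grep '$'`, which matches any `signer:` line, so a module carrying a PKCS#7 signature from a different key is reported as already properly signed and is left as it is. Replace the check with `[ -n "$SIGNER" ] || { printf 'No CN found in x509.cnf\n' >&2; exit 1; }`. Because `$SIGNER` is also interpreted as a regex anchored only at the end, a signer name that merely ends in the expected CN passes too; comparing the whole signer field as a fixed string would make the check exact.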