From 69f1bdba2b4eb0383d3cbbafe1a4d90a352f3f19 Mon Sep 17 00:00:00 2001
From: Harald Pfeiffer
Date: Thu, 28 Jan 2021 07:26:08 +0100
Subject: initial commit
---
signko | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100755 signko
(limited to 'signko')
diff --git a/signko b/signko
new file mode 100755
index 0000000..4114fa1
--- /dev/null
+++ b/signko
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+export KVER="$(uname -r)"
+
+function hayulp {
+ printf "USAGE: %b [ -k KVER ]\\n" "$(basename "$0")"
+ (
+ printf -- "-h:;This help\\n"
+ printf -- "-k:;Sign drivers supplied for KVER\\n"
+ printf " ;KVER equals the version name supplied by the folders in /lib/modules\\n"
+ )|column -ts\;
+}
+
+while getopts :hk: SHOPT;do
+ case "${SHOPT}" in
+ h) hayulp;exit 0;;
+ k) export KVER="${OPTARG}";;
+ *) printf "Unknown parameter: -%b\\n\\n" "$OPTARG" >&2;hayulp;exit 1;;
+ esac
+done
+
+SIGNER="$(grep ^CN x509.cnf|awk -F= '{print $NF}'|sed 's/^\ \+//;s/\ \+$//')"
+[ "${PIPESTATUS[0]}" -ne 0 ]&&exit 1
+
+if [ ! -r private_key.priv ] || [ ! -r public_key.der ];then
+ printf "No signing key and/or certificate found!\\n" >&2
+ exit 1
+fi
+
+#printf "We will sign following kernel modules: %b.\n" "$(ls -amA /usr/lib/modules/"$(uname -r)"/extra/nvidia/nvidia{,-uvm}.ko)"
+printf "We will sign following kernel modules: %b.\n" "$(ls -amA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz 2>/dev/null)"
+read -rp "Is this OK? [y/N] " PROEMT
+case "$PROEMT" in
+ "y"|"Y"|"j"|"J") ;;
+ *) exit 1 ;;
+esac
+# shellcheck disable=SC2207
+SGDMODS=( $(ls -aA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz) )
+for i in "${SGDMODS[@]}";do
+ MODSIG=0 MODGOODSIG=0
+ sudo xz -vd "$i"||exit 4
+ MMOD="$(printf "%b" "$i"|sed 's/\.xz$//')"
+ if sudo modinfo "$MMOD"|grep '^sig_id:'|grep 'PKCS#7$' >/dev/null; then MODSIG=1; fi
+ if sudo modinfo "$MMOD"|grep '^signer:'|grep "$SIGNER\$" > /dev/null; then MODGOODSIG=1; fi
+ if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ];then
+ printf "Signing %b..." "$i"
+ sudo /usr/src/kernels/"$KVER"/scripts/sign-file sha256 private_key.priv public_key.der "$MMOD"
+ case "$?" in
+ 0) printf " OK.\n";;
+ *) printf "FAILED!\n";exit 3;;
+ esac
+ else
+ printf "%b is already properly signed.\n" "$(basename "$i")"
+ fi
+ sudo xz -v "$MMOD"||exit 5
+done
-- cgit v1.2.3
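Review bot: The signer check fails open when the CN cannot be read: after `SIGNER="$(grep … | awk … | sed …)"` the parent shell's `PIPESTATUS[0]` holds the status of the whole substitution (that of the final `sed`, since `pipefail` is not set), so a missing `x509.cnf` or an absent `CN` line leaves `SIGNER` empty and the script carries on. In the loop, `grep "$SIGNER\$"` then matches any `signer:` line, so a module carrying a PKCS#7 signature from a different key is reported as already properly signed and skipped. Replace the status test with an emptiness test, `[ -n "$SIGNER" ] || { printf 'No CN found in x509.cnf\n' >&2; exit 1; }`, and compare the signer field exactly rather than as a regex suffix, for example `[ "$(sudo modinfo -F signer "$MMOD")" = "$SIGNER" ]`. Separately, the confirmation prompt lists `nvidia*.ko` files while the loop iterates only over `nvidia*.ko.xz`, so uncompressed modules are shown to the user but never signed.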