#!/usr/bin/env bash
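# Kernel release whose modules are processed. Defaults to the running kernel;
# the -k option can replace it.
# Assignment and export are split so that a failing uname is not masked.
KVER="$(uname -r)" || exit 1
export KVER
# Scratch directory with an unpredictable name, created by mktemp.
SKMDIR="$(mktemp -p /tmp -d skmod.XXXXXX)" || exit 1
export SKMDIR
# Remove the scratch directory on every exit path so repeated runs do not
# leave skmod.* directories behind in /tmp. ${SKMDIR:?} makes the rm abort
# instead of expanding to an empty path.
trap 'rm -rf -- "${SKMDIR:?}"' EXIT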
# Print the usage line and an aligned table of the supported options.
# Globals:   none
# Arguments: none (the program name is derived from $0)
# Outputs:   help text on stdout
hayulp() {
  local self
  self="$(basename "$0")"
  printf "USAGE: %b [ -k KVER ]\\n" "$self"
  # Each row uses ';' as field separator; column(1) turns the rows into an
  # aligned two-column table.
  {
    printf -- "-h:;This help\\n"
    printf -- "-k:;Sign drivers supplied for KVER\\n"
    printf " ;KVER equals the version name supplied by the folders in /lib/modules\\n"
  } | column -t -s ';'
}
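# Parse command-line options.
#   -h       print usage and exit 0
#   -k KVER  operate on the modules of kernel release KVER
# KVER is interpolated further down into /usr/lib/modules/... and into the
# path of the sign-file helper that is started through sudo, so it has to be a
# single path component: empty values, values containing '/', and '.' or '..'
# are rejected here.
while getopts :hk: SHOPT; do
  case "${SHOPT}" in
    h)
      hayulp
      exit 0
      ;;
    k)
      case "${OPTARG}" in
        '' | */* | . | ..)
          printf "Invalid kernel version: %s\\n\\n" "${OPTARG}" >&2
          hayulp
          exit 1
          ;;
      esac
      export KVER="${OPTARG}"
      ;;
    :)
      # With a leading ':' in the optstring getopts reports a missing option
      # argument as ':' and stores the option letter in OPTARG.
      printf "Option -%s requires an argument\\n\\n" "$OPTARG" >&2
      hayulp
      exit 1
      ;;
    *)
      printf "Unknown parameter: -%b\\n\\n" "$OPTARG" >&2
      hayulp
      exit 1
      ;;
  esac
done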
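# Determine the Common Name of the signing certificate from the CN line of
# x509.cnf in the current directory, and make sure the key pair is readable.
#
# The exit status of an assignment from a command substitution is that of the
# last pipeline stage (sed), so PIPESTATUS cannot show that grep found nothing.
# The result itself is checked instead: an empty SIGNER must never reach the
# signer comparison in the signing loop.
if [ ! -r x509.cnf ]; then
  printf "Cannot read x509.cnf!\\n" >&2
  exit 1
fi
SIGNER="$(grep ^CN x509.cnf | awk -F= '{print $NF}' | sed 's/^\ \+//;s/\ \+$//')"
if [ -z "$SIGNER" ]; then
  printf "No CN entry found in x509.cnf!\\n" >&2
  exit 1
fi
# Both halves of the signing key pair are read from the current directory.
if [ ! -r private_key.priv ] || [ ! -r public_key.der ]; then
  printf "No signing key and/or certificate found!\\n" >&2
  exit 1
fi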
#printf "We will sign following kernel modules: %b.\n" "$(ls -amA /usr/lib/modules/"$(uname -r)"/extra/nvidia/nvidia{,-uvm}.ko)"
# Show the candidate modules (plain and xz-compressed) for the selected kernel
# as a comma-separated list and ask for confirmation before anything is
# modified. ls errors for unmatched patterns are discarded.
printf "We will sign following kernel modules:\\n%b.\n" \
  "$(ls -amA \
    /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko \
    /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz \
    2>/dev/null)"
read -rp "Is this OK? [y/N] " PROEMT
# Only a lone y, Y, j or J continues; any other answer, including an empty
# one, aborts with status 1.
if [[ "$PROEMT" != [yYjJ] ]]; then
  exit 1
fi
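# Build the list of module files to process. The shell expands the patterns
# itself, so paths are never word-split the way parsed ls output would be.
# Plain .ko files are listed ahead of .ko.xz files, which keeps a module's
# uncompressed file in front of its compressed counterpart.
SGDMODS=()
for i in /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko \
  /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz; do
  # A pattern without a match stays literal; keep only names that exist
  # (dangling symlinks included, as ls would have listed them too).
  if [ -e "$i" ] || [ -L "$i" ]; then
    SGDMODS+=("$i")
  fi
done
# Counters reported in the summary: modules signed / modules skipped.
MSGND=0
MSKIP=0
# Base name of the module being processed; placeholder until the loop sets it.
IBAS="/dev/null"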
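# Sign every collected module. A .ko.xz file is unpacked first, the unpacked
# .ko is signed, and the result is compressed again.
# Exit codes: 23 no root via sudo, 4 extraction failed, 3 signing failed,
#             5 recompression failed, 117 removing the unpacked copy failed.
for i in "${SGDMODS[@]}"; do
  # Check on every iteration that sudo really yields uid 0.
  if ! sudo id -u 2>/dev/null | grep -P '^0$' >/dev/null; then
    printf "Can't elevate to root.\\n" >&2
    exit 23
  fi
  MODSIG=0 MODGOODSIG=0
  IBAS="$(basename "$i")"
  # Path of the uncompressed module: $i without a trailing .xz. Parameter
  # expansion keeps the path literal (no printf %b escape processing).
  MMOD="${i%.xz}"
  COMPR=0
  if [[ "$i" == *.ko.xz ]]; then
    COMPR=1
    printf "[....] Extracting module %b\\033[s..." "$IBAS"
    # Remove a stale unpacked copy, then unpack while keeping the .xz (-k).
    if sudo rm -f "$MMOD" >/dev/null 2>&1 && sudo xz -kd "$i" >/dev/null 2>&1; then
      printf "\\033[666D[ \\033[32mOK\\033[0m ]\\033[u\\033[K.\\n"
    else
      printf "\\033[666D[\\033[31mFAIL\\033[0m]\\033[u\\033[K.\\n"
      exit 4
    fi
  fi
  printf "[....] Signing module %b\\033[s..." "$IBAS"
  # MODSIG: modinfo reports a PKCS#7 signature on the module.
  if sudo modinfo "$MMOD" | grep '^sig_id:' | grep 'PKCS#7$' >/dev/null; then
    MODSIG=1
  fi
  # MODGOODSIG: the signer field equals our certificate's CN. The value is
  # compared as a whole fixed string (-F -x): regex metacharacters in the CN
  # stay literal, a CN that is only a suffix of another signer's name does not
  # match, and an empty SIGNER matches nothing.
  if [ -n "$SIGNER" ] &&
    sudo modinfo "$MMOD" | grep '^signer:' | sed 's/^signer:[[:space:]]*//' |
    grep -Fxq -- "$SIGNER"; then
    MODGOODSIG=1
  fi
  if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ]; then
    # Not signed, or signed by someone else: sign with the key pair from the
    # current directory using the selected kernel's sign-file helper.
    if sudo /usr/src/kernels/"$KVER"/scripts/sign-file sha256 private_key.priv public_key.der "$MMOD"; then
      MSGND="$((MSGND + 1))"
      printf "\\033[666D[ \\033[32mOK\\033[0m ]\\033[u\\033[K.\\n"
    else
      printf "\\033[666D[\\033[31mFAIL\\033[0m]\\033[u\\033[K.\\n"
      exit 3
    fi
  else
    MSKIP="$((MSKIP + 1))"
    printf "\\033[666D[\\033[1;30mSKIP\\033[0m]\\033[u\\033[K (already signed)\\n"
  fi
  if [ "$COMPR" -eq 1 ]; then
    if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ]; then
      # The module was signed just now: replace the old archive with a fresh
      # one made from the signed .ko.
      printf "[....] Compressing module %b\\033[s..." "$IBAS"
      if sudo rm -f "$i" >/dev/null 2>&1 && sudo xz "$MMOD" >/dev/null 2>&1; then
        printf "\\033[666D[ \\033[32mOK\\033[0m ]\\033[u\\033[K.\\n"
      else
        printf "\\033[666D[\\033[31mFAIL\\033[0m]\\033[u\\033[K.\\n"
        exit 5
      fi
    else
      # Nothing changed: discard the unpacked copy, the .xz stays as it was.
      sudo rm -f "$MMOD" || exit 117
    fi
  fi
done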
# Final report: number of modules signed and number skipped, aligned into two
# columns by column(1) with ';' as the field separator.
printf "Summary:\\n"
{
  printf "Signed:;%b\\n" "$MSGND"
  printf "Skipped:;%b\\n" "$MSKIP"
} | column -t -s ';'