path: root/signko
#!/usr/bin/env bash

# Default target kernel: the running one. May be overridden later with -k.
KVER="$(uname -r)"
export KVER

# Print the usage summary to stdout.
# Arguments: none (reads $0 for the script name)
# Outputs:   one USAGE line, then the option table aligned by column(1)
hayulp() {
	local self
	self="$(basename "$0")"
	printf "USAGE: %b [ -k KVER ]\\n" "$self"
	# Each row is "option;description"; column splits on ';' and aligns the cells.
	printf '%s\n' \
		"-h:;This help" \
		"-k:;Sign drivers supplied for KVER" \
		" ;KVER equals the version name supplied by the folders in /lib/modules" \
		| column -t -s ';'
}

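# Parse command-line options: -h prints help, -k KVER selects the kernel version.
while getopts :hk: SHOPT;do
	case "${SHOPT}" in
		h)
			hayulp
			exit 0
			;;
		k)
			# KVER is spliced into /usr/lib/modules/... and into the path of the
			# sign-file helper that is later run through sudo, so accept only a
			# plain directory name: no empty value, no "." / "..", no slashes.
			case "${OPTARG}" in
				''|.|..|*/*)
					printf "Invalid kernel version: %s\\n\\n" "${OPTARG}" >&2
					hayulp
					exit 1
					;;
			esac
			export KVER="${OPTARG}"
			;;
		:)
			# With the leading ':' in the optstring, a missing argument is
			# reported as ':' and OPTARG holds the option letter.
			printf "Option -%s requires an argument\\n\\n" "$OPTARG" >&2
			hayulp
			exit 1
			;;
		*)
			printf "Unknown parameter: -%s\\n\\n" "$OPTARG" >&2
			hayulp
			exit 1
			;;
	esac
done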

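# Read the certificate's common name (CN) from x509.cnf in the current
# directory; it is compared against the "signer" field of each module later.
if [ ! -r x509.cnf ];then
	printf "Cannot read x509.cnf!\\n" >&2
	exit 1
fi
# Take the text after the last '=' on every line starting with "CN" and strip
# the surrounding spaces.
SIGNER="$(awk -F= '/^CN/ { v = $NF; sub(/^ +/, "", v); sub(/ +$/, "", v); print v }' x509.cnf)"
# PIPESTATUS in the parent shell does not reflect a pipeline that ran inside
# $(...), so a missing CN has to be detected by checking the result itself.
# An empty SIGNER must not reach the signer comparison.
if [ -z "$SIGNER" ];then
	printf "No CN entry found in x509.cnf!\\n" >&2
	exit 1
fi

# Both key files are taken from the current working directory and are later
# handed to sign-file under sudo.
# NOTE(review): keep private_key.priv readable by its owner only and run this
# script from a directory other users cannot write to.
if [ ! -r private_key.priv ] || [ ! -r public_key.der ];then
	printf "No signing key and/or certificate found!\\n" >&2
	exit 1
fi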

# Show the candidate modules for $KVER and ask for confirmation before touching
# anything. Anything other than y/Y/j/J aborts with status 1.
# NOTE(review): the listing covers nvidia*.ko and nvidia*.ko.xz, while the
# signing loop further down only picks up nvidia*.ko.xz.
MODLIST="$(ls -amA /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz 2>/dev/null)"
printf "We will sign following kernel modules: %b.\n" "$MODLIST"
read -rp "Is this OK? [y/N] " PROEMT
if [[ "$PROEMT" != "y" && "$PROEMT" != "Y" && "$PROEMT" != "j" && "$PROEMT" != "J" ]];then
	exit 1
fi
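# Decompress, check and (re-)sign every compressed NVIDIA module for $KVER,
# then compress it again.
# Exit codes: 3 = signing failed, 4 = decompression failed, 5 = recompression failed.
# NOTE(review): only nvidia*.ko.xz is processed here, although the confirmation
# prompt earlier in this script also lists uncompressed nvidia*.ko files.
# Globbing straight into the array keeps each path intact; parsing ls output
# would split on whitespace.
SGDMODS=( /usr/lib/modules/"$KVER"/extra/nvidia/nvidia*.ko.xz )
if [ ! -e "${SGDMODS[0]}" ];then
	# An unmatched glob stays literal: report it and leave nothing to iterate over.
	printf "No compressed modules found in /usr/lib/modules/%s/extra/nvidia\n" "$KVER" >&2
	SGDMODS=()
fi
for i in "${SGDMODS[@]}";do
	MODSIG=0 MODGOODSIG=0
	sudo xz -vd "$i"||exit 4
	MMOD="${i%.xz}"
	# modinfo only reports the fields of the appended signature; it does not
	# verify the signature. This check decides whether to re-sign, nothing more.
	# The signer is compared as an exact string, so a CN that merely ends with
	# ours (or contains regex metacharacters) is not taken for a match.
	if [ "$(sudo modinfo -F sig_id "$MMOD")" = "PKCS#7" ]; then MODSIG=1; fi
	if [ "$(sudo modinfo -F signer "$MMOD")" = "$SIGNER" ]; then MODGOODSIG=1; fi
	if [ "$MODSIG" -ne 1 ] || [ "$MODGOODSIG" -ne 1 ];then
		printf "Signing %s..." "$i"
		if sudo /usr/src/kernels/"$KVER"/scripts/sign-file sha256 private_key.priv public_key.der "$MMOD"; then
			printf " OK.\n"
		else
			printf "FAILED!\n"
			# Put the module back under its .xz name so a failed run does not
			# leave it decompressed on disk.
			sudo xz -v "$MMOD" || printf "Could not recompress %s\n" "$MMOD" >&2
			exit 3
		fi
	else
		printf "%s is already properly signed.\n" "$(basename "$i")"
	fi
	sudo xz -v "$MMOD"||exit 5
done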