-
Notifications
You must be signed in to change notification settings - Fork 68
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
contrib: add key/cert options and signature check for sbsign #695
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,9 +17,9 @@ | |
# | ||
# SecureBoot: | ||
# SignBackup: true | ||
# DeleteUnsigned: false | ||
# SignMethod: sbctl | ||
# KeyDir: /etc/sbkeys | ||
# KeyFileName: /etc/sbkeys/DB.key | ||
# CrtFileName: /etc/sbkeys/DB.crt | ||
# | ||
# The configuration keys should be self-explanatory. | ||
|
||
|
@@ -47,18 +47,18 @@ | |
my $ESP = $Global->{BootMountPoint}; | ||
|
||
my $SecureBoot = $config->{SecureBoot} or die "No config found, please edit /etc/zfsbootmenu/config.yaml"; | ||
my $KeyDir = $SecureBoot->{KeyDir}; | ||
my $DeleteUnsigned = $SecureBoot->{DeleteUnsigned}; | ||
my $KeyFileName = $SecureBoot->{KeyFileName}; | ||
my $CrtFileName = $SecureBoot->{CrtFileName}; | ||
my $SignBackups = $SecureBoot->{SignBackup}; | ||
$SignMethod = $SecureBoot->{SignMethod}; | ||
|
||
opendir my $ZBM_dir, $ZBM | ||
or die "Cannot open ZBM dir: $ZBM"; | ||
|
||
if ($SignBackups) { | ||
@EFIBins = grep { !/signed\.efi$/i and /\.efi/i } readdir $ZBM_dir; | ||
@EFIBins = sort grep { !/signed\.efi$/i and /\.efi/i } readdir $ZBM_dir; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why sort? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Glad you asked. The Do you see an issue with using sort? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, this is not the place to hack around rEFInd sorting specifics. There is no need to sort unless this script depends on the order of the array, which it does not. |
||
} else { | ||
@EFIBins = grep { !/signed\.efi$/i and !/backup/i and /\.efi/i } readdir $ZBM_dir; | ||
@EFIBins = sort grep { !/signed\.efi$/i and !/backup/i and /\.efi/i } readdir $ZBM_dir; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As above, why sort? |
||
} | ||
|
||
say "Found: @EFIBins"; | ||
|
@@ -72,17 +72,14 @@ | |
if ( $SignMethod eq "sbctl" ) { | ||
system "sbctl sign $ZBM/$_"; | ||
} elsif ( $SignMethod eq "sbsign" ) { | ||
$Unsigned = substr( $_, 0, -4 ); | ||
system "sbsign --key $KeyDir/DB.key --cert $KeyDir/DB.crt $ZBM/$_ --output $ZBM/$Unsigned-signed.efi"; | ||
my $verify_output = "sbverify --cert $CrtFileName $ZBM/$_ 2>&1"; | ||
if ( $verify_output =~ /Signature verification OK/ ) { | ||
say "File $_ is already signed."; | ||
next; | ||
} | ||
system "sbsign --key $KeyFileName --cert $CrtFileName $ZBM/$_ --output $ZBM/$_"; | ||
} else { | ||
die "Sign method $SignMethod not valid."; | ||
} | ||
|
||
if ( $DeleteUnsigned && $SignMethod eq "sbctl" ) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why was this whole block removed? It seems like it will fundamentally change the behavior of this script. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Really? It does only 1 of the 2 things (when
Maybe I should remove the option What am I missing? I see this block of code as no longer needed. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Are you sure that sbsign won't corrupt its input if you try to overwrite it with output? Is that the case for several prior versions of sbsign? If it's safe, the better approach would be to replace There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Then I propose
Or you can think of a better boolean var name? Do you still want to offer the option, that is available for the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I proposed, and still prefer, |
||
say "sbctl signs in place, not deleting $_"; | ||
} elsif ( $DeleteUnsigned && $SignMethod ne "sbctl" ) { | ||
say "Deleting unsigned $_"; | ||
system "rm $ZBM/$_"; | ||
} | ||
} | ||
print "---------- FINISHED ----------\n"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
Name
part seems superfluous, andCertFile
would be a bit more readable thanCrtFile
.