Core
/
melawy-dracut-ukify
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update

This commit is contained in:
Valeria Fadeeva 2023-10-14 18:18:04 +05:00
parent 8e4dddc54e
commit caa2f9fa42
1 changed files with 66 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

116
dracut-ukify
View File

@ -1,4 +1,4 @@
#!/bin/bash -e #!/bin/bash
function usage { function usage {
echo "$(basename "$0") [OPTIONS]" echo "$(basename "$0") [OPTIONS]"
@ -39,6 +39,68 @@ else
fi fi
ukify_conf="/etc/kernel/uki.conf"
keys_count=0
function check_uki_conf_and_keys_and_gen_keys {
if [ ! -f "${ukify_conf}" ]; then
echo "Create ${ukify_conf}"
cat >"${ukify_conf}" <<EOF
[UKI]
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
SignKernel=yes
PCRBanks=sha384,sha512
SBAT="sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html"
[PCRSignature:initrd]
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
Phases=enter-initrd
[PCRSignature:system]
PCRPrivateKey=/etc/kernel/pcr-system.key.pem
PCRPublicKey=/etc/kernel/pcr-system.pub.pem
Phases=enter-initrd:leave-initrd
enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
EOF
fi
echo "Check Secure Boot keys"
declare -a keys=("/etc/kernel/secure-boot.key.pem" "/etc/kernel/secure-boot.cert.pem" "/etc/kernel/pcr-initrd.key.pem" "/etc/kernel/pcr-initrd.pub.pem" "/etc/kernel/pcr-system.key.pem" "/etc/kernel/pcr-system.pub.pem")
for i in ${keys[@]}
do
if [ -f "${i}" ]
then
echo "${i} exist"
keys_count=$(expr $keys_count + 1)
fi
done
if [[ $keys_count < 6 ]]
then
for i in ${keys[@]}
do
if [ -f "${i}" ]
then
echo "${i} remove"
rm "${i}"
keys_count=$(expr $keys_count - 1)
fi
done
fi
echo "Keys = $keys_count"
if [ -f "${ukify_conf}" ] && [[ $keys_count == 0 ]]
then
echo "Generate keys"
/usr/lib/systemd/ukify genkey --config "${ukify_conf}"
fi
}
declare -A kernels declare -A kernels
update_all=0 update_all=0
@ -102,7 +164,7 @@ while getopts ":hag:xyz" arg; do
kernels["${kernel_name}"]="${BASH_REMATCH[1]}" kernels["${kernel_name}"]="${BASH_REMATCH[1]}"
else else
update_all=1 update_all=1
break break
fi fi
done done
;; ;;
@ -131,57 +193,11 @@ if (( update_all )); then
fi fi
ukify_conf="/etc/kernel/uki.conf"
if [ ! -f "${ukify_conf}" ]; then
cat >"${ukify_conf}" <<EOF
[UKI]
SecureBootPrivateKey=/etc/kernel/secure-boot.key.pem
SecureBootCertificate=/etc/kernel/secure-boot.cert.pem
SignKernel=yes
PCRBanks=sha384,sha512
SBAT=sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
uki.author.myimage,1,UKI for System,uki.author.myimage,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.html
[PCRSignature:initrd]
PCRPrivateKey=/etc/kernel/pcr-initrd.key.pem
PCRPublicKey=/etc/kernel/pcr-initrd.pub.pem
Phases=enter-initrd
[PCRSignature:system]
PCRPrivateKey=/etc/kernel/pcr-system.key.pem
PCRPublicKey=/etc/kernel/pcr-system.pub.pem
Phases=enter-initrd:leave-initrd
enter-initrd:leave-initrd:sysinit
enter-initrd:leave-initrd:sysinit:ready
EOF
fi
declare -a keys=("/etc/kernel/secure-boot.key.pem" "/etc/kernel/secure-boot.cert.pem" "/etc/kernel/pcr-initrd.key.pem" "/etc/kernel/pcr-initrd.pub.pem" "/etc/kernel/pcr-system.key.pem" "/etc/kernel/pcr-system.pub.pem")
keys_count=0
for i in ${keys[@]}
do
if [ -f "${i}" ]; then
keys_count=$(expr $keys_count + 1)
fi
done
if [[ $keys_count < 6 ]]; then
for i in ${keys[@]}
do
if [ -f "${i}" ]; then
rm "${i}"
keys_count=$(expr $keys_count - 1)
fi
done
fi
if [ -f "${ukify_conf}" ] && [ $keys_count == 0 ]; then
/usr/lib/systemd/ukify genkey --config "${ukify_conf}"
fi
function gen_image() { function gen_image() {
check_root check_root
check_uki_conf_and_keys_and_gen_keys
kernel_name="$1" kernel_name="$1"
kernel_version="$2" kernel_version="$2"