author | Christian Breunig <christian@breunig.cc> | 2024-09-25 20:24:47 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-09-25 20:24:47 +0200 |
commit | eff99f5eda19d5ddf324eb01abcc68577d942e62 (patch) | |
tree | 0a4256d787fcdda0bea8308f6a76c65ef1e7ad1b /data/live-build-config/hooks/live/93-sb-sign-kernel.chroot | |
parent | fa50a5073b6d3f3bf1f213603c43373f5a980801 (diff) | |
parent | d235b31a095f9b8fdb2d5c231935c8b4b4c3da6c (diff) | |
Merge pull request #772 from c-po/kernel-ephemeral-keys
T861: sign all Kernel modules with an ephemeral key
Diffstat (limited to 'data/live-build-config/hooks/live/93-sb-sign-kernel.chroot')
-rwxr-xr-x | data/live-build-config/hooks/live/93-sb-sign-kernel.chroot | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
new file mode 100755
index 00000000..1dc03186
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -0,0 +1,22 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
+MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+ modinfo ${MODULE} | grep -q "signer:"
+ if [ $? != 0 ]; then
+ echo "E: Module ${MODULE} is not signed!"
+ read -n 1 -s -r -p "Press any key to continue"
+ fi
+done
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+ sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbverify --list /boot/${VMLINUZ}
+fi
|
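Review bot: An unsigned module does not fail this hook: the loop prints `E: Module … is not signed!` and then calls `read -n 1 -s -r -p`, which is a bash extension under `#!/bin/sh` and, inside `find … | while read MODULE`, takes its input from the same pipe that carries the module list rather than from a terminal. On an unattended build the image can therefore still be produced with unsigned modules in it. I would collect the unsigned paths and `exit 1` once the scan is done, as in the fence below (this assumes live-build aborts on a non-zero hook exit). Separately, `sbverify --list` only prints the signatures present, whereas `sbverify --cert ${MOK_CERT} /boot/${VMLINUZ}` would check the result against the MOK certificate; `SIGN_FILE` is assigned but never used in this file.

```shell
# All Linux Kernel modules need to be cryptographically signed
UNSIGNED=$(find /lib/modules -type f -name '*.ko' -exec sh -c '
    for MODULE in "$@"; do
        modinfo "$MODULE" | grep -q "signer:" || echo "$MODULE"
    done' sh {} +)
if [ -n "${UNSIGNED}" ]; then
    echo "E: The following modules are not signed:"
    echo "${UNSIGNED}"
    exit 1
fi
# … unchanged: MOK key check and sbsign/sbverify of the kernel image …
```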