path: root/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
authorChristian Breunig <christian@breunig.cc>2024-09-25 20:24:47 +0200
committerGitHub <noreply@github.com>2024-09-25 20:24:47 +0200
commiteff99f5eda19d5ddf324eb01abcc68577d942e62 (patch)
tree0a4256d787fcdda0bea8308f6a76c65ef1e7ad1b /data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
parentfa50a5073b6d3f3bf1f213603c43373f5a980801 (diff)
parentd235b31a095f9b8fdb2d5c231935c8b4b4c3da6c (diff)
downloadvyos-build-eff99f5eda19d5ddf324eb01abcc68577d942e62.tar.gz
vyos-build-eff99f5eda19d5ddf324eb01abcc68577d942e62.zip
Merge pull request #772 from c-po/kernel-ephemeral-keys
T861: sign all Kernel modules with an ephemeral key
Diffstat (limited to 'data/live-build-config/hooks/live/93-sb-sign-kernel.chroot')
-rwxr-xr-xdata/live-build-config/hooks/live/93-sb-sign-kernel.chroot22
1 files changed, 22 insertions, 0 deletions
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
new file mode 100755
index 00000000..1dc03186
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -0,0 +1,22 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
+MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+ modinfo ${MODULE} | grep -q "signer:"
+ if [ $? != 0 ]; then
+ echo "E: Module ${MODULE} is not signed!"
+ read -n 1 -s -r -p "Press any key to continue"
+ fi
+done
+
+if [ ! -f ${MOK_KEY} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+ sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbverify --list /boot/${VMLINUZ}
+fi
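Review bot: The `read -n 1 -s -r -p` at L37 does not pause for a key: it runs inside the `find | while read MODULE` loop, so its stdin is the find pipe and it silently consumes the next module path, which is then never checked — and `-n`/`-s` are not POSIX `read` options under `#!/bin/sh`, so dash will likely error out instead. As written, an unsigned module only produces a message and the hook still exits 0, so the build completes with a module that a Secure Boot lockdown kernel will refuse to load; a live-build chroot hook has no operator at a terminal anyway. I would make an unsigned module a hard failure of the hook and quote the expansions (`${MODULE}`, `${MOK_KEY}`, `${MOK_CERT}`, `${VMLINUZ}`), and likewise check the `sbsign`/`sbverify` exit status at L45–L46 so a failed kernel signature does not pass unnoticed, e.g. `sbverify --list "/boot/${VMLINUZ}" || exit 1`.
```sh
# All Linux Kernel modules need to be cryptographically signed
find /lib/modules -type f -name '*.ko' | while IFS= read -r MODULE; do
  if ! modinfo "${MODULE}" | grep -q "signer:"; then
    echo "E: Module ${MODULE} is not signed!" >&2
    exit 1   # leaves the loop's subshell with status 1
  fi
done || exit 1   # propagate the loop's status so the hook fails the build
# … unchanged: MOK_KEY check and sbsign/sbverify of the kernel image …
```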