path: root/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
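#!/bin/sh
# live-build chroot hook: make the image Secure Boot ready.
#
#   1. every kernel module under /lib/modules must already carry a signature;
#   2. the kernel image is signed with the build's MOK key and the signature
#      is verified against the matching certificate before it replaces the
#      original image;
#   3. the private key is deleted and the MOK directory is checked so that no
#      private key material ships in the image.
#
# The hook runs non-interactively, so there is nobody to answer a prompt:
# every failure exits non-zero so the build stops instead of producing an
# image that silently fails Secure Boot. Written for POSIX sh (the previous
# `read -n 1 -s -p` prompt was a bashism that /bin/sh does not provide).
set -eu

readonly MOK_DIR="/var/lib/shim-signed/mok"
readonly KERNEL_KEY="${MOK_DIR}/vyos-dev-2025-linux.key"
readonly KERNEL_CERT="${MOK_DIR}/vyos-dev-2025-linux.pem"

# Print an error on stderr and abort the hook (and with it the build).
die() {
    printf 'E: %s\n' "$*" >&2
    exit 1
}

# All Linux Kernel modules need to be cryptographically signed.
# The counter lives in the same subshell as the loop, so it survives the
# pipe; the subshell's exit status carries the verdict back out.
# NOTE(review): only plain *.ko files are matched - compressed modules
# (*.ko.xz, *.ko.zst) would be skipped; widen the pattern if the kernel
# build starts compressing modules.
[ -d /lib/modules ] || die "/lib/modules does not exist - no kernel modules to check"
find /lib/modules -type f -name '*.ko' | {
    unsigned=0
    while IFS= read -r module; do
        if ! modinfo "${module}" | grep -q "signer:"; then
            printf 'E: Module %s is not signed!\n' "${module}" >&2
            unsigned=$((unsigned + 1))
        fi
    done
    [ "${unsigned}" -eq 0 ]
} || die "unsigned kernel modules found - refusing to build a Secure Boot image"

if [ -f "${KERNEL_KEY}" ] && [ -f "${KERNEL_CERT}" ]; then
    echo "I: Signing Linux Kernel for Secure Boot"
    # /boot/vmlinuz is a symlink to the versioned image; sign its target.
    vmlinuz=$(readlink /boot/vmlinuz) || die "/boot/vmlinuz is not a symlink"
    kernel="/boot/${vmlinuz}"
    [ -f "${kernel}" ] || die "kernel image ${kernel} not found"
    # Sign into a sibling file and move it into place only after the
    # signature verifies, so a failed sbsign never leaves a truncated or
    # unsigned kernel behind at the final path.
    signed="${kernel}.signed"
    trap 'rm -f -- "${signed}"' EXIT
    sbsign --key "${KERNEL_KEY}" --cert "${KERNEL_CERT}" --output "${signed}" "${kernel}"
    # --list only prints the signature table; --cert actually checks it.
    sbverify --cert "${KERNEL_CERT}" "${signed}"
    mv -f -- "${signed}" "${kernel}"
    sbverify --list "${kernel}"
elif [ -f "${KERNEL_KEY}" ] || [ -f "${KERNEL_CERT}" ]; then
    # Exactly one of the pair exists: a misconfiguration, not a deliberate
    # unsigned build, so do not continue silently.
    die "only one of ${KERNEL_KEY} / ${KERNEL_CERT} is present - cannot sign"
else
    echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
fi

# The private key must never ship in the image: delete the one used above and
# refuse to continue if any PEM private key (RSA, EC, PKCS#8, encrypted - all
# end their header with "PRIVATE KEY-----") is still present in the MOK
# directory. DER-encoded keys are not detected by this check.
rm -f -- "${KERNEL_KEY}"
if [ -d "${MOK_DIR}" ] && grep -rq -- "PRIVATE KEY-----" "${MOK_DIR}"; then
    die "Found private key under ${MOK_DIR} - bailing out"
fi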