#!/bin/bash
#
# Copyright (c) 2020, Advanced Micro Devices, Inc. All rights reserved.
#
# Use of this software is subject to the terms and conditions of the written
# software license agreement between you and AMD (the "License"),
# including, without limitation, the following (as further elaborated in the
# License): (i) THIS SOFTWARE IS PROVIDED "AS IS", AND AMD DISCLAIMS
# ANY AND ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY,
# BY CONDUCT, OR OTHERWISE; (ii) this software may be used only in connection
# with the integrated circuit product and storage software with which it was
# designed to be used; (iii) this source code is the confidential information
# of AMD and may not be disclosed to any third party; and (iv) you may not
# make any modification or take any action that would cause this software,
# or any other Advanced Micro Devices software, to fall under any GPL license
# or any other open source license.
#
# Script to create local machine signing certificate for use with AMD RAID
# and Secure Boot when rebuilding the rcraid.ko module after initial OS install.
#
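#######################################
# Usage: mk_certs SIGN_TOOL RCMODULE RCCERT KVERS
# Arguments:
#   SIGN_TOOL - fallback path to the kernel's sign-file tool; only used when
#               none of the known kernel-headers locations for KVERS has one
#   RCMODULE  - path to the built rcraid.ko that should be signed
#   RCCERT    - directory holding the signing key and certificate
#               (created with mode 0700 when missing)
#   KVERS     - kernel version; /boot/config-KVERS decides the hash algorithm
# Outputs:   progress and error text on stdout
# Returns:   1 when not run as root, RCCERT is empty or cannot be created;
#            otherwise 0, even when signing fails (reported on stdout only)
#######################################
SIGN_TOOL=$1
RCMODULE=$2
RCCERT=$3
KVERS=$4

# Hash algorithms in order of preference; the first one enabled in the
# kernel config (CONFIG_CRYPTO_<ALGO>=y) is used to sign the module.
sha_arr=(SHA512 SHA256)
config_file="/boot/config-$KVERS"
genkey_file="$RCCERT/x509.genkey"
key_file="$RCCERT/module_signing_key.priv"
cert_file="$RCCERT/module_signing_key.der"

#######################################
# Print each argument on its own line (stdout); used for the "#"-framed
# notices the script emits.
#######################################
say() {
  printf '%s\n' "$@"
}

#######################################
# Locate the kernel's sign-file helper for KVERS.
# Globals:   KVERS (read), SIGN_TOOL (read, used as the fallback)
# Outputs:   the chosen path on stdout (may be empty if SIGN_TOOL is empty)
#######################################
find_sign_tool() {
  local candidate
  for candidate in \
      "/usr/src/linux-headers-$KVERS/scripts/sign-file" \
      "/target/usr/src/linux-headers-$KVERS/scripts/sign-file" \
      "/usr/lib/modules/$KVERS/build/scripts/sign-file"; do
    if [ -x "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  # None of the known locations exist: fall back to the caller-supplied tool.
  printf '%s\n' "$SIGN_TOOL"
}

#######################################
# Write the OpenSSL request config used to generate the key/cert pair.
# Globals:   genkey_file (written)
#######################################
write_genkey_config() {
  cat > "$genkey_file" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ req_distinguished_name ]
O = Local Machine Owner
CN = Build time autogenerated module signing key for rcraid module
emailAddress = root@localhost

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
}

#######################################
# Generate the self-signed signing certificate (DER) and its private key,
# then hand the certificate to mokutil for enrollment at the next boot.
# Globals:   genkey_file, key_file, cert_file (read)
#######################################
generate_signing_key() {
  say "#" \
    "# When prompted for 'Password', please enter a" \
    "# password to be used when installing signing" \
    "# certificate. Do NOT use login password or root" \
    "# password!" \
    "#" \
    "# You may be prompted to enter this password the" \
    "# next time your system reboots in order to enroll" \
    "# the signing certificate in the BIOS key table." \
    "#"
  # -nodes: the private key is stored unencrypted so later module rebuilds
  # can sign without a passphrase; it is protected by file mode only.
  # -outform DER: mokutil --import takes a DER certificate (earlier revisions
  # spelled this "DEV", which is not a documented openssl format name).
  if openssl req -new -x509 -batch -config "$genkey_file" \
      -outform DER -keyout "$key_file" \
      -out "$cert_file" -days 3650 -nodes -sha256; then
    # Owner-only access for the unencrypted private key regardless of umask.
    chmod 0600 "$key_file"
    mokutil --import "$cert_file" || say "Import key Failed"
  else
    say "Key Generation Failed"
    # Remove partial output so the next run regenerates the pair.
    /usr/bin/rm -f -- "$cert_file" "$key_file"
  fi
}

#######################################
# Sign RCMODULE once with the given hash algorithm.
# Arguments: $1 - algorithm name as sign-file expects it (e.g. sha256)
#            $2 - label for the failure banner ("ERROR" or "RETRY ERROR")
# Globals:   RCMODULE, KVERS, key_file, cert_file (read)
# Returns:   0 on success; sign-file's status (or 1 when no tool) on failure
#######################################
sign_module() {
  local algo=$1 label=$2
  local tool rc=0
  tool=$(find_sign_tool)
  if [ -z "$tool" ] || ! command -v "$tool" >/dev/null 2>&1; then
    say "#" "# $label:" "#" \
      "# sign-file tool not found (tried the $KVERS headers and '$tool')." \
      "# Module NOT signed -- installing unsigned module will cause reboot to fail!" \
      "#"
    return 1
  fi
  "$tool" "$algo" "$key_file" "$cert_file" "$RCMODULE" || rc=$?
  if [ "$rc" -ne 0 ]; then
    say "#" "# $label:" "#" \
      "# $tool $algo failed (exit $rc); check that $key_file and $cert_file exist." \
      "# Module NOT signed -- installing unsigned module will cause reboot to fail!" \
      "#"
  fi
  return "$rc"
}

#######################################
# Entry point: validate the environment, create the key/cert pair on first
# use, then sign the module with the kernel's configured hash algorithm.
#######################################
main() {
  if [ "$(id -u)" -ne 0 ]; then
    say "#" "# ERROR:" "#" \
      "# Signing certificates must be created as root." \
      "# Please rerun last command as root." \
      "#"
    exit 1
  fi
  if [ -z "$RCCERT" ]; then
    # Without a cert directory the key files would be written into "/".
    printf 'Usage: %s SIGN_TOOL RCMODULE RCCERT KVERS\n' "${0##*/}" >&2
    exit 1
  fi
  if [ ! -f "$config_file" ]; then
    say "#" \
      "# Config file does not exist for the specified kernel." \
      "# Using config file of running kernel" \
      "#"
    config_file="/boot/config-$(uname -r)"
  fi
  if [ ! -d "$RCCERT" ]; then
    # 0700: the directory will hold an unencrypted private key.
    mkdir -pm 0700 -- "$RCCERT" || { say "# Cannot create $RCCERT"; exit 1; }
  fi
  [ -f "$genkey_file" ] || write_genkey_config
  [ -f "$cert_file" ] || generate_signing_key

  if [ ! -f "$RCMODULE" ]; then
    say "FAILED in Signing Module $RCMODULE Not Present"
    exit 0
  fi

  local algo lower signed=0
  for algo in "${sha_arr[@]}"; do
    if grep -xq "CONFIG_CRYPTO_$algo=y" "$config_file"; then
      lower=$(printf '%s' "$algo" | tr '[:upper:]' '[:lower:]')
      say "Chosen $lower for signing"
      if sign_module "$lower" "ERROR"; then
        say "Signing $RCMODULE Success"
        signed=1
      fi
      # Only the first enabled algorithm is tried here; see the retry below.
      break
    fi
  done
  # Runs when no listed algorithm is enabled in the config or the first
  # attempt failed. A plain for loop is used above so that `signed` is
  # visible here; the former `... | while read` pipeline ran in a subshell
  # and lost the assignment, so the retry fired even after a success.
  if [ "$signed" -eq 0 ]; then
    say "RETRYING WITH sha256"
    if sign_module sha256 "RETRY ERROR"; then
      say "RETRY Signing $RCMODULE Success"
    fi
  fi
  exit 0
}

main "$@"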