sbsigntool: rewrite post-install kernel hook #23688

Closed
wants to merge 2 commits into from


sgn
Member

@sgn sgn commented Jul 21, 2020

  • run the hook on target filesystem
  • Use ls | awk to check ownership and permission, instead of relying on
    GNU-stat.
  • libify signing code, in order to support uefi bundle in the future
  • Stop appending signature to the efi signed by current key/cert.

While we're at it,

  • add post-remove script to remove unsigned file if it exists

@ericonr @ahesford I think you may be interested in this.
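
An added example (not the hook code from this pull request) of the `ls | awk` approach to checking a key file's ownership and permissions without GNU `stat`. The function name `check_key_file`, its parameters, and the policy it enforces (regular file, owned by the expected uid, no group/other access) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: portable ownership/permission check for a signing key.
# check_key_file and its arguments are hypothetical names, not the hook's own.

# Usage: check_key_file PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Returns 0 only if PATH is a regular file, owned by EXPECTED_UID,
# with no permission bits set for group or others.
check_key_file() {
	_path=$1
	_uid=${2:-0}

	[ -f "$_path" ] || { echo "$_path: not a regular file" >&2; return 1; }

	# -n: numeric uid/gid, -L: follow symlinks, -d: do not list directory contents.
	# Only field 1 (mode string) and field 3 (uid) are read, so spaces in the
	# file name cannot shift the values being checked.
	LC_ALL=C ls -Lnd -- "$_path" 2>/dev/null | awk -v uid="$_uid" '
		NR == 1 {
			seen = 1
			if (substr($1, 1, 1) != "-")
				bad = "not a regular file"
			else if ($3 != uid)
				bad = "owner uid " $3 ", expected " uid
			# Characters 5-10 are the group and other bits; a trailing
			# "." or "+" (SELinux/ACL marker) sits after them and is ignored.
			else if (substr($1, 5, 6) != "------")
				bad = "mode " $1 " grants group/other access"
		}
		END {
			if (!seen) bad = "cannot read ls output"
			if (bad != "") { print bad > "/dev/stderr"; exit 1 }
		}'
}
```

The function's exit status is that of `awk`, the last command in the pipeline, so a caller can refuse to sign when it returns non-zero.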

Member

@ahesford ahesford left a comment


I don't do secure boot, but this looks fine to me.

@Duncaen
Member

Duncaen commented Jul 21, 2020

Is it possible to change the options to set/unset instead of checking for 1 to make all the hooks more uniform, without breaking compatibility?

Edit: nvm, not possible and this seems to have started with the x1 stuff with the really bad efibootmgr hook, it's bad but doesn't really matter too much.

@sgn
Member Author

sgn commented Jul 21, 2020

Yes, at the time I started sbsigntool, I mostly copied from efibootmgr.
It's too late now.

@sgn sgn force-pushed the sbsigntool-rewrite-hook branch from f00e6fe to 956c3f8 Compare July 21, 2020 23:16
@ericonr
Member

ericonr commented Jul 22, 2020

Could we add support for the UEFI bundles already? Source dracut-uefi-hook and check if they are being built, then try to sign them.

@sgn
Member Author

sgn commented Jul 23, 2020

> Could we add support for the UEFI bundles already? Source dracut-uefi-hook and check if they are being built, then try to sign them.

Sure, will do on the weekend. Have we decided on a stable variable name for that hook yet?

@ericonr
Member

ericonr commented Jul 23, 2020

I don't think so. It's in #22484.

@ericonr
Member

ericonr commented Jul 23, 2020

There weren't complaints about the filename, but there were some comments regarding the variables themselves. I think they are solved, though.

ahesford pushed a commit to ahesford/void-packages that referenced this pull request Aug 6, 2020
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
  GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop appending signature to the efi signed by current key/cert.

While we're at it,
* add post-remove script to remove unsigned file if it exists

Closes void-linux#23688.
- refind-install only supports installing into
{/boot,/boot/efi,/efi}/EFI/{BOOT,refind}/refind.conf, there's no point
trying to fiddle with anything else.

- That configuration file should always exist, simplify all logic behind
  that decision.
ahesford pushed a commit to ahesford/void-packages that referenced this pull request Aug 7, 2020
@ahesford ahesford closed this in dd72186 Aug 7, 2020
MGlolenstine pushed a commit to MGlolenstine/void-packages that referenced this pull request Aug 14, 2020
Closes void-linux#23688.
Closes void-linux#24079.
@sgn sgn deleted the sbsigntool-rewrite-hook branch August 22, 2020 11:14
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 2, 2021