sbsigntool: rewrite post-install kernel hook #23688
I don't do secure boot, but this looks fine to me.
Is it possible to change the options to set/unset instead of checking for 1 to make all the hooks more uniform, without breaking compatibility? Edit: nvm, not possible and this seems to have started with the x1 stuff with the really bad efibootmgr hook, it's bad but doesn't really matter too much.
Yes, at the time, I started
f00e6fe to 956c3f8
Could we add support for the UEFI bundles already? Source
Sure, will do on the weekend. Have we decided on a stable variable name for that hook yet?
I don't think so. It's in #22484.
There weren't complaints about the filename, but there were some comments regarding the variables themselves. I think they are solved, though.
956c3f8 to 5c3284c
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop appending signature to the efi signed by current key/cert.

While we're at it,
* add post-remove script to remove unsigned file if it exists
5c3284c to 4bd83bc
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop appending signature to the efi signed by current key/cert.

While we're at it,
* add post-remove script to remove unsigned file if it exists

Closes void-linux#23688.
eeeaea4 to 6fac00c
- refind-install only supports installing into {/boot,/boot/efi,/efi}/EFI/{BOOT,refind}/refind.conf, there's no point trying to fiddle with anything else.
- That configuration file should always exist, simplify all logic behind that decision.
6fac00c to 53bdcc8
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop appending signature to the efi signed by current key/cert.

While we're at it,
* add post-remove script to remove unsigned file if it exists

Closes void-linux#23688. Closes void-linux#24079.
@ericonr @ahesford I think you may be interested in this.
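The commit message in this pull request names two techniques: checking key ownership and permissions with `ls | awk` rather than GNU stat, and not re-signing an EFI image that is already signed by the current key/cert. The sketch below is an added example, not the hook from this PR; the function names `check_private_file` and `sign_efi_once`, the numeric-uid comparison and the `.signed` temporary file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the hook from this PR. Function names are hypothetical.

# check_private_file FILE [UID]
# Returns 0 only if FILE is a regular file owned by UID (default 0, root)
# with no permission bits set for group or others. Returns 2 if FILE is missing.
check_private_file() {
	file=$1
	want_uid=${2:-0}

	[ -e "$file" ] || return 2

	# -L follows symlinks, -n prints numeric uid/gid, -d lists a directory
	# itself rather than its contents. All three are POSIX ls options.
	# The pattern is not anchored at the end, so a trailing "." or "+"
	# (SELinux/ACL marker) is ignored; ACL entries are not evaluated here.
	LC_ALL=C ls -Lnd -- "$file" 2>/dev/null |
	awk -v uid="$want_uid" '
		NR == 1 { ok = ($1 ~ /^-...------/ && $3 == uid) }
		END     { exit ok ? 0 : 1 }
	'
}

# sign_efi_once KEY CERT IMAGE
# Signs IMAGE unless it already verifies against CERT, so that repeated
# hook runs do not stack signatures from the same key on one image.
sign_efi_once() {
	key=$1 cert=$2 image=$3

	check_private_file "$key" || {
		echo "refusing to use $key: want a root-owned regular file" \
			"without group/other access" >&2
		return 1
	}

	# sbverify exits 0 when a signature on IMAGE validates against CERT.
	if sbverify --cert "$cert" "$image" >/dev/null 2>&1; then
		return 0
	fi

	# Sign into a temporary file (assumed name) and replace the original
	# only when sbsign succeeded.
	sbsign --key "$key" --cert "$cert" --output "$image.signed" "$image" &&
		mv -f "$image.signed" "$image"
}
```

Comparing the numeric uid from `ls -n` avoids depending on a passwd entry being resolvable inside the target filesystem.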