[secure boot]Support arm platform by signing with reggex instead hard…

…-coded platform
davidpil2002 · Jan 25, 2023 · f43f742 · f43f742
1 parent 2f2f1f9
commit f43f742
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 57 deletions.
diff --git a/scripts/efi-sign.sh b/scripts/efi-sign.sh
@@ -33,25 +33,25 @@ if [ $OPTIND -eq 1 ]; then echo "no options were pass"; print_usage; exit 1 ;fi
 
 [ -f "$PRIVATE_KEY_PEM" ] || {
     echo "Error: PRIVATE_KEY_PEM file does not exist: $PRIVATE_KEY_PEM"
-    usage
+    print_usage
     exit 1
 }
 
 [ -f "$CERT_PEM" ] || {
     echo "Error: CERT_PEM file does not exist: $CERT_PEM"
-    usage
+    print_usage
     exit 1
 }
 
 [ -f "$EFI_FILE" ] || {
     echo "Error: File for signing does not exist: $EFI_FILE"
-    usage
+    print_usage
     exit 1
 }
 
 if [ -z ${EFI_FILE_SIGNED} ]; then
     echo "ERROR: no arg named <EFI_FILE_SIGNED> supplied"
-    usage
+    print_usage
     exit 1
 fi
 

diff --git a/scripts/signing_secure_boot_dev.sh b/scripts/signing_secure_boot_dev.sh
@@ -8,7 +8,7 @@ print_usage() {
     cat <<EOF
 
 $0: Usage
-$0 -a <CONFIGURED_ARCH> -r <FS_ROOT> -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIV_KEY>
+$0 -r <FS_ROOT> -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIV_KEY>
 
 EOF
 }
@@ -67,61 +67,34 @@ if [ ! -f "${PEM_PRIV_KEY}" ]; then
     exit 1
 fi
 
-ARCH=''
-if [[ $CONFIGURED_ARCH == amd64 ]]; then
-ARCH=x86_64
-EFI_ARCH=x64
-fi
-
 # efi-sign.sh is used to sign: shim, mmx, grub, and kernel (vmlinuz)
 EFI_SIGNING=scripts/efi-sign.sh
 
-######################
-## shim & mmx signing
-######################
-
-# shim dirs
-SHIM_DIR_SRC=$FS_ROOT/usr/lib/shim
-MMX_EFI_SRC=$SHIM_DIR_SRC/mm${EFI_ARCH}.efi
-SHIMX_EFI_SRC=$SHIM_DIR_SRC/shim${EFI_ARCH}.efi
-
-# clean old files
-clean_file ${SHIMX_EFI_SRC}-signed
-clean_file ${MMX_EFI_SRC}-signed
-clean_file $FS_ROOT/boot/shim${EFI_ARCH}.efi
-clean_file $FS_ROOT/boot/mm${EFI_ARCH}.efi
-
-echo "signing shim${EFI_ARCH}.efi & mm${EFI_ARCH}.efi from location: ${SHIM_DIR_SRC} .."
-sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${SHIMX_EFI_SRC} -s ${SHIMX_EFI_SRC}-signed
-sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${MMX_EFI_SRC} -s ${MMX_EFI_SRC}-signed
-
-# cp shim & mmx signed files to boot directory in the fs.
-sudo cp ${SHIMX_EFI_SRC}-signed $FS_ROOT/boot/shim${EFI_ARCH}.efi
-sudo cp ${MMX_EFI_SRC}-signed $FS_ROOT/boot/mm${EFI_ARCH}.efi
-
-# verifying signature of mm & shim efi files.
-sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/shim${EFI_ARCH}.efi  
-sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/mm${EFI_ARCH}.efi
-
-######################
-## grub signing
-######################
-
-GRUB_DIR_SRC=$FS_ROOT/usr/lib/grub/x86_64-efi/monolithic/
-GRUB_EFI_SRC=$GRUB_DIR_SRC/grub${EFI_ARCH}.efi
-
-# clean old files
-clean_file ${GRUB_EFI_SRC}-signed
-clean_file $FS_ROOT/boot/grub${EFI_ARCH}.efi
-
-echo "signing grub${EFI_ARCH}.efi from location: ${GRUB_EFI_SRC} .."
-sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${GRUB_EFI_SRC} -s ${GRUB_EFI_SRC}-signed
-
-# cp signed grub to fs boot dir.
-sudo cp ${GRUB_EFI_SRC}-signed $FS_ROOT/boot/grub${EFI_ARCH}.efi
-
-# verifying signature of grub efi file.
-sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/grub${EFI_ARCH}.efi
+# ######################################
+# Signing EFI files: mm, shim, grub
+# #####################################
+efi_file_list=$(sudo find ${KERNEL_MODULES_DIR} -name "*.efi")
+
+for efi in $efi_file_list
+do
+    # grep filename from full path
+    efi_filename=$(echo $efi | grep -o '[^/]*$')
+
+    if echo $efi_filename | grep -e "shim" -e "grub" -e "mm"; then
+
+        clean_file ${efi}-signed
+
+        echo "signing efi file - full path: ${efi} filename: ${efi_filename}"
+        echo "sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed"
+        sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${efi} -s ${efi}-signed
+
+        # cp shim & mmx signed files to boot directory in the fs.
+        sudo cp ${efi}-signed $FS_ROOT/boot/${efi_filename}
+
+        # verifying signature of mm & shim efi files.
+        sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT/boot/${efi_filename} 
+    fi
+done
 
 ######################
 ## vmlinuz signing