From fd1e5c6c549c8a783ad984f4b0ba560c6f4757d1 Mon Sep 17 00:00:00 2001
From: Juerg Haefliger
Date: Fri, 29 Jul 2022 10:49:20 +0200
Subject: [PATCH] UBUNTU: [Packaging] Introduce debian/scripts/sign-module

Move the logic that determines if a module needs to be signed to a script and extend it to also check the signature-inclusion list of derivatives.

Signed-off-by: Juerg Haefliger
Signed-off-by: Andrea Righi
---
 debian/scripts/sign-module | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100755 debian/scripts/sign-module

diff --git a/debian/scripts/sign-module b/debian/scripts/sign-module
new file mode 100755
index 000000000000..03ce543de7f8
--- /dev/null
+++ b/debian/scripts/sign-module
@@ -0,0 +1,40 @@
+#!/bin/bash -eu
+#
+# Staging drivers must not be signed if they are not listed in a
+# signature-inclusion file to prevent loading of 'unsafe' drivers in a
+# Secure Boot environment.
+#
+# Exit with status 0 if the provided module needs to be signed, 1 otherwise
+#
+
+mod=${1}
+
+# Sign the module if not a staging driver
+if [ "${mod/\/drivers\/staging\//}" = "${mod}" ] ; then
+ exit 0
+fi
+
+root=$(dirname "$(realpath -e "${0}")")/../..
+. "${root}"/debian/debian.env
+
+# Collect the signature-inclusion files
+sig_incls=()
+for d in debian "${DEBIAN}" ; do
+ if [ -f "${root}"/"${d}"/signature-inclusion ] ; then
+ sig_incls+=("${root}"/"${d}"/signature-inclusion)
+ fi
+done
+
+# Sign the module if no signature-inclusion files
+if [ ${#sig_incls[@]} -eq 0 ] ; then
+ exit 0
+fi
+
+# Sign the module if listed in signature-inclusion files
+if grep -qFx "${mod##*/}" "${sig_incls[@]}" ; then
+ exit 0
+fi
+
+# Don't sign the module
+echo "UBUNTU: Not signing ${1}"
+exit 1
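Review bot: The fail-closed behaviour of this script rests entirely on the `-eu` in the shebang, which is silently dropped if a caller ever runs it as `bash debian/scripts/sign-module <mod>` instead of executing it directly; without `-e`, a failing `realpath -e` or an unreadable `debian.env` can leave `sig_incls` empty and the script falls through to `exit 0`, i.e. an unlisted staging driver gets signed. Putting the options in the body, `set -eu` on the line after the shebang, keeps "abort means do not sign" regardless of how the caller invokes it (the caller is outside this patch, so this is precautionary). The header comment should also state the contract the caller must honour: `# Exit with status 0 if the provided module needs to be signed, non-zero otherwise (including on any error)`. Minor: `grep -qFx -- "${mod##*/}" "${sig_incls[@]}"` prevents a basename that happens to start with a dash from being parsed as a grep option.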