44# # Enable debug output for script & exit code when failing occurs
55set -x -e
66
7- usage () {
7+ print_usage () {
88 cat << EOF
99
1010$0 : Usage
11- $0 <CONFIGURED_ARCH> <FS_ROOT> <LINUX_KERNEL_VERSION> <PEM_CERT> <PEM_PRIV_KEY>
12- Usage example: efi-sign.sh priv-key.pem pub-key.pem shimx64.efi shimx64-signed.efi
11+ $0 -a <CONFIGURED_ARCH> -r <FS_ROOT> -l <LINUX_KERNEL_VERSION> -c <PEM_CERT> -p <PEM_PRIV_KEY>
1312
1413EOF
1514}
1615
1716clean_file () {
1817 if [ -f $1 ]; then
1918 echo " clean old file named: $1 "
20- echo " sudo rm $1 "
21- sudo rm $1
22- echo " $? "
23- exit 1
19+ echo " sudo rm -f $1 "
20+ sudo sudo rm -f $1
2421 fi
2522}
2623
24+ while getopts ' a:r:l:c:p:hv' flag; do
25+ case " ${flag} " in
26+ a) CONFIGURED_ARCH=" ${OPTARG} " ;;
27+ r) FS_ROOT=" ${OPTARG} " ;;
28+ l) LINUX_KERNEL_VERSION=" ${OPTARG} " ;;
29+ c) PEM_CERT=" ${OPTARG} " ;;
30+ p) PEM_PRIV_KEY=" ${OPTARG} " ;;
31+ v) VERBOSE=' true' ;;
32+ h) print_usage
33+ exit 1 ;;
34+ esac
35+ done
36+ if [ $OPTIND -eq 1 ]; then echo " no options were pass" ; print_usage; exit 1 ; fi
37+
2738echo " $0 signing & verifying EFI files and Kernel Modules start ..."
28- CONFIGURED_ARCH=" $1 "
29- FS_ROOT=" $2 "
30- LINUX_KERNEL_VERSION=" $3 "
31- PEM_CERT=" $4 "
32- PEM_PRIV_KEY=" $5 "
3339
3440if [ -z ${CONFIGURED_ARCH} ]; then
3541 echo " ERROR: CONFIGURED_ARCH=${CONFIGURED_ARCH} is empty"
@@ -85,13 +91,9 @@ clean_file ${MMX_EFI_SRC}-signed
8591clean_file $FS_ROOT /boot/shim${EFI_ARCH} .efi
8692clean_file $FS_ROOT /boot/mm${EFI_ARCH} .efi
8793
88- # clean old shim & mmx files in the env
89- sudo rm -f ${SHIMX_EFI_SRC} -signed ${MMX_EFI_SRC} -signed \
90- $FS_ROOT /boot/shim${EFI_ARCH} .efi $FS_ROOT /boot/mm${EFI_ARCH} .efi
91-
9294echo " signing shim${EFI_ARCH} .efi & mm${EFI_ARCH} .efi from location: ${SHIM_DIR_SRC} .."
93- sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${SHIMX_EFI_SRC} ${SHIMX_EFI_SRC} -signed
94- sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${MMX_EFI_SRC} ${MMX_EFI_SRC} -signed
95+ sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${SHIMX_EFI_SRC} -s ${SHIMX_EFI_SRC} -signed
96+ sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${MMX_EFI_SRC} -s ${MMX_EFI_SRC} -signed
9597
9698# cp shim & mmx signed files to boot directory in the fs.
9799sudo cp ${SHIMX_EFI_SRC} -signed $FS_ROOT /boot/shim${EFI_ARCH} .efi
@@ -105,18 +107,15 @@ sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e $FS_ROOT
105107# # grub signing
106108# #####################
107109
108- # clean old files
109- clean_file ${GRUB_EFI_SRC} -signed
110- clean_file $FS_ROOT /boot/grub${EFI_ARCH} .efi
111-
112110GRUB_DIR_SRC=$FS_ROOT /usr/lib/grub/x86_64-efi/monolithic/
113111GRUB_EFI_SRC=$GRUB_DIR_SRC /grub${EFI_ARCH} .efi
114112
115- # clean old grub files in the env
116- sudo rm -f ${GRUB_EFI_SRC} -signed $FS_ROOT /boot/grub${EFI_ARCH} .efi
113+ # clean old files
114+ clean_file ${GRUB_EFI_SRC} -signed
115+ clean_file $FS_ROOT /boot/grub${EFI_ARCH} .efi
117116
118117echo " signing grub${EFI_ARCH} .efi from location: ${GRUB_EFI_SRC} .."
119- sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${GRUB_EFI_SRC} ${GRUB_EFI_SRC} -signed
118+ sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${GRUB_EFI_SRC} -s ${GRUB_EFI_SRC} -signed
120119
121120# cp signed grub to fs boot dir.
122121sudo cp ${GRUB_EFI_SRC} -signed $FS_ROOT /boot/grub${EFI_ARCH} .efi
@@ -133,20 +132,17 @@ CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
133132# clean old files
134133clean_file ${CURR_VMLINUZ} -signed
135134
136- # clean old grub files in the env
137- sudo rm -f ${CURR_VMLINUZ} -signed
138-
139135echo " signing ${CURR_VMLINUZ} .."
140- sudo ${EFI_SIGNING} $PEM_PRIV_KEY $PEM_CERT ${CURR_VMLINUZ} ${CURR_VMLINUZ} -signed
136+ sudo ${EFI_SIGNING} -p $PEM_PRIV_KEY -c $PEM_CERT -e ${CURR_VMLINUZ} -s ${CURR_VMLINUZ} -signed
141137
142138# rename signed vmlinuz with the name vmlinuz without signed suffix
143- sudo cp ${CURR_VMLINUZ} -signed ${CURR_VMLINUZ}
139+ sudo mv ${CURR_VMLINUZ} -signed ${CURR_VMLINUZ}
144140
145141sudo bash scripts/secure_boot_signature_verification.sh -c $PEM_CERT -e ${CURR_VMLINUZ}
146142
147143# ########################
148144# Kernel Modules signing
149145# ########################
150- sudo bash scripts/signing_kernel_modules.sh $LINUX_KERNEL_VERSION ${PEM_CERT} ${PEM_PRIV_KEY}
146+ sudo bash scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT }
151147
152148echo " $0 signing & verifying EFI files and Kernel Modules DONE"
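Review bot: In `clean_file` (first hunk) the new removal line runs as root on an unquoted argument and doubles the `sudo`: `sudo sudo rm -f $1`. `FS_ROOT` now comes from the `-r` option and is concatenated into the paths handed to `clean_file`, so a value containing whitespace or glob characters would be word-split and expanded before `rm -f` runs with root privileges; the `[ -f $1 ]` test has the same weakness. I would write the body as `if [ -f "$1" ]; then` and `sudo rm -f -- "$1"`, and quote the arguments at the call sites as well, for example `clean_file "${GRUB_EFI_SRC}-signed"`. The `getopts` loop also has no `*)` arm, so the script carries on after an unrecognised option instead of ending in `print_usage; exit 1`.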