diff --git a/misc/module-signing/README.md b/misc/module-signing/README.md
new file mode 100644
index 00000000..3991bade
--- /dev/null
+++ b/misc/module-signing/README.md
@@ -0,0 +1,31 @@
+# Module Sining
+
+In order to make the dkms modules work with secure boot they need to be singed.
+This directory contains scripts that help you with that task.
+
+## Known Issues / Help Wanted
+
+- doctor script does nothing
+- only supports amd64
+- only tested on Debian
+
+## Run Doctor
+
+The doctor script will check your environment and asks you to to install
+additional packages if something is missing.
+
+## Cert Import
+
+If you alread have a certificate with a key under your control imported into
+the bios you can scipt this section.
+
+bla bla
+
+## Signing of VBOX modules
+
+You need to either run the script in the directory that contains your
+`MOK.der` and MOK.priv` or export the path in the `MOK_KEY_DIR` evironment
+variable.
+
+Execute the scipt `MOK_KEY_DIR=/path/to/your/key/dir ./sign-xbox-modules` as
+root or via sudo to sign the modules.
diff --git a/misc/module-signing/create-key b/misc/module-signing/create-key
new file mode 100755
index 00000000..56e650da
--- /dev/null
+++ b/misc/module-signing/create-key
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+MOK_CN_NAME={MOK_CA_NAME:-"$USER@$HOST"}
+
+if [[ -e MOK.priv ]]; then
+ echo key already exists
+ exit 2
+fi
+
+openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=$MOK_CN_NAME (SecureBoot Mok)/" && \
+chmod 600 MOK.priv
diff --git a/misc/module-signing/import-to-bios b/misc/module-signing/import-to-bios
new file mode 100755
index 00000000..ddeacca3
--- /dev/null
+++ b/misc/module-signing/import-to-bios
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+mokutil --import MOK.der
diff --git a/misc/module-signing/sign-xbox-modules b/misc/module-signing/sign-xbox-modules
new file mode 100755
index 00000000..91e0ef07
--- /dev/null
+++ b/misc/module-signing/sign-xbox-modules
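Review bot: `MOK_CN_NAME={MOK_CA_NAME:-"$USER@$HOST"}` on the second line of create-key is missing the `$` before the brace, so the certificate CN becomes the literal text `{MOK_CA_NAME:-<user>@}` instead of a configurable name; the variable read (`MOK_CA_NAME`) also differs from the one assigned (`MOK_CN_NAME`), and `$HOST` is not a bash variable (bash sets `HOSTNAME`), so it expands to nothing. Suggested: `MOK_CN_NAME="${MOK_CN_NAME:-$USER@$HOSTNAME}"`. The private key is only locked down by the trailing `chmod 600`, which never runs if openssl fails partway; putting `umask 077` before the `openssl req` line keeps `MOK.priv` unreadable by other users from the moment it is created.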
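Review bot: `mokutil --import MOK.der` in import-to-bios reads the certificate from the current directory only, whereas sign-xbox-modules in the same commit resolves the key material through `MOK_KEY_DIR`; when a user exports that variable as the README describes, the two scripts can operate on different files. Use `mokutil --import "${MOK_KEY_DIR:-.}/MOK.der"` so enrolment and signing agree on the certificate.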
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+# LICENSE GPL-2.0
+# AUTHOR Jan Christoph Uhde - jan@uhde.io
+set -uo pipefail
+
+MOK_KEY_DIR="${MOK_KEY_DIR:-'.'}"
+
+ferr() { echo "$*"; exit 1; }
+
+hash_algo='sha256'
+key="$MOK_KEY_DIR/MOK.priv"
+x509="MOK_KEY_DIR/MOK.der"
+
+# TODO - maybe this could be done better without exporting the key to the env
+# the key is only for a short time present in the process but it is still
+# not optimal
+test -v KBUILD_SIGN_PIN || read -p "passphrase for ${key}: " KBUILD_SIGN_PIN
+export KBUILD_SIGN_PIN
+echo
+
+# The exact location of `sign-file` might vary depending on your platform.
+# TODO - test with different distributions
+for module_dir in /usr/lib/linux-kbuild*; do
+ echo
+ echo "working on $module_dir"
+ sign_file="$module_dir/scripts/sign-file"
+ test -x $sign_file || ferr "can not execute $sign_file"
+
+ version=${module_dir#/usr/lib/linux-kbuild-}
+ # TODO - other platforms?!
+ module_dir="/lib/modules/$version-amd64/updates/dkms"
+ echo "version: $version"
+ echo "module dir: $module_dir"
+
+ if ! [[ -d $module_dir ]] ; then
+ echo "no such directory: $module_dir"
+ continue
+ fi
+
+ echo
+ for module_path in "$module_dir"/hid-xpadneo* ; do
+ echo -n "module: $module_path ... "
+ if ! [[ -e "$module_path" ]] ; then
+ echo "skipped"
+ continue
+ fi
+
+ case "$module_path" in
+ *xz)
+ unxz --keep "$module_path" || ferr "failed to unpack"
+ $sign_file "${hash_algo}" "${key}" "${x509}" "${module_path%%.xz}" || ferr "failed to sign"
+ rm "$module_path"
+ xz --check=crc32 --lzma2=dict=512KiB "${module_path%%.xz}"
+ ;;
+ *ko)
+ $sign_file "${hash_algo}" "${key}" "${x509}" "${module_path}" || ferr "failed to sign"
+ ;;
+ esac
+ echo "signed"
+ done
+ echo "$module_dir signed"
+ echo
+done
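Review bot: The key paths at the top of sign-xbox-modules are broken: `MOK_KEY_DIR="${MOK_KEY_DIR:-'.'}"` keeps the single quotes as literal characters in the default (the key path becomes `'.'/MOK.priv`), and `x509="MOK_KEY_DIR/MOK.der"` lacks the `$`, so the certificate is looked up at a literal `MOK_KEY_DIR/MOK.der` no matter what the user exports. Change them to `MOK_KEY_DIR="${MOK_KEY_DIR:-.}"` and `x509="$MOK_KEY_DIR/MOK.der"`, and fail early with `[[ -r "$key" && -r "$x509" ]] || ferr "missing MOK.priv/MOK.der in $MOK_KEY_DIR"` before the passphrase prompt. That prompt currently echoes the typed passphrase to the terminal (`read -p`); `read -rsp "passphrase for ${key}: " KBUILD_SIGN_PIN` keeps it off the screen and out of session logs, and the following `echo` already supplies the newline. In the `*xz)` arm the `xz` recompression runs after the original `.xz` has been removed but its status is not checked, so guard it with `|| ferr "failed to repack"` like the `unxz` call, and have `ferr` write to stderr with `>&2` so failures are not mixed into the progress output.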