From: Jason Gerecke <jason.gere...@wacom.com>

Previously we would only automatically discover Ubuntu's shim MOK if one
had been created. We now also try to use the kernel's autogenerated key
if present, and the key generated by rEFInd (though this may be inside
a directory that only root can read from).

Signed-off-by: Jason Gerecke <jason.gere...@wacom.com>
---
 configure.ac | 52 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/configure.ac b/configure.ac
index fa88ade..5353705 100644
--- a/configure.ac
+++ b/configure.ac
@@ -248,6 +248,25 @@ dnl =======================================================
 dnl Module signing
 AC_DEFUN([WACOM_LINUX_READ_CONFIG], [grep -sh '^$1='  $WCM_KERNEL_DIR/.config 
/boot/config-$MODUTS | head -n1 | cut -d= -f2- | sed -e 's/^"\(.*\)"$/\1/'])
 
+AC_DEFUN([WACOM_LINUX_FILE_IF_EXISTS], [test -f "$1" && readlink -e "$1"])
+
+AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT],
+if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
+       AC_MSG_CHECKING(for $1 key at $2)
+       KEYFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$2]))
+       RESULT=$(test -z "$KEYFILE" && echo "no" || echo "yes")
+       AC_MSG_RESULT([$RESULT])
+       AC_MSG_CHECKING(for $1 cert at $3)
+       CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$3]))
+       RESULT=$(test -z "$CERTFILE" && echo "no" || echo "yes")
+       AC_MSG_RESULT([$RESULT])
+       if test -n "$KEYFILE" -a -n "$CERTFILE"; then
+               MODSIGN_PRIVFILE="$KEYFILE"
+               MODSIGN_CERTFILE="$CERTFILE";
+       fi
+fi)
+
+
 MODSIGN_ENABLE=default
 MODSIGN_HASHALGO=
 MODSIGN_PRIVFILE=
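Review bot: The body of `WACOM_LINUX_CHECK_KEYCERT` is passed to `AC_DEFUN` unquoted, unlike `WACOM_LINUX_READ_CONFIG` and `WACOM_LINUX_FILE_IF_EXISTS` a few lines above, so the nested `AC_MSG_CHECKING`/`AC_MSG_RESULT` calls are, as far as I can tell, expanded when the macro is defined rather than at each use; it evidently works as written, but wrapping the body in `[ ... ]` matches the convention the rest of the file uses and avoids surprises if the body later gains commas or brackets. The macro also has no comment describing its arguments or the fact that the leading guard makes the first successful probe win, since any later call sees a non-empty `MODSIGN_PRIVFILE`; a header such as `dnl WACOM_LINUX_CHECK_KEYCERT(description, keypath, certpath): if no key has been chosen yet and both files exist, set MODSIGN_PRIVFILE/MODSIGN_CERTFILE to their resolved paths` would make the probe order below self-explanatory. The trailing `;` on `MODSIGN_CERTFILE="$CERTFILE";` is harmless but inconsistent with the line above it.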
@@ -290,20 +309,6 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" = 
"default"; then
 
 
 
-       # There is no standard location for storing kernel signing keys
-       # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY
-       # (which contains a key and cert) which likely points to a file
-       # that doesn't exist unless you built the kernel yourself. Most
-       # distributions use the "shim" bootloader which allows "machine
-       # owner keys" (MOK) to be enrolled by the end-user, but only
-       # Ubuntu provides a tool to automatically generate these keys
-       # (`update-secureboot-policy --new-key`); other distros rely on
-       # the user generating the key/cert themselves and keeping it in a
-       # suitably-safe location.
-       #
-       # The kernel should automatically try to sign modules as part of
-       # the `make modules_install` step, so that covers the first case.
-       # In the second case the best we can do is try Ubuntu's location.
        AC_ARG_WITH(signing-key,
                AS_HELP_STRING([--with-signing-key=<trusted.priv>], [Specify 
module signing key location]),
                [MODSIGN_PRIVFILE="$withval"])
@@ -311,12 +316,19 @@ if test "$MODSIGN_ENABLE" = "yes" -o "$MODSIGN_ENABLE" = 
"default"; then
                AS_HELP_STRING([--with-signing-cert=<trusted.der>], [Specify 
module signing cert location]),
                [MODSIGN_CERTFILE="$withval"])
 
-       if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
-               MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv 
2>/dev/null || echo "$MODSIGN_PRIVFILE")
-       fi
-       if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then
-               MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der 
2>/dev/null || echo "$MODSIGN_CERTFILE")
-       fi
+       HASPRIVFILE=$(test "$MODSIGN_PRIVFILE" = "yes" -o -z 
"$MODSIGN_PRIVFILE" && echo 0 || echo 1)
+       HASCERTFILE=$(test "$MODSIGN_CERTFILE" = "yes" -o -z 
"$MODSIGN_CERTFILE" && echo 0 || echo 1)
+       if test "$HASPRIVFILE" -ne "$HASCERTFILE"; then
+               AC_MSG_ERROR([Options '--with-signing-key' and 
'--with-signing-cert' must either both be set or both be unset.])
+       elif test "$HASPRIVFILE" -eq 1; then
+               # Try to get absolute path, if possible
+               
MODSIGN_PRIVFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_PRIVFILE]) || echo 
"$MODSIGN_PRIVFILE")
+               
MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo 
"$MODSIGN_PRIVFILE")
+       else
+               WACOM_LINUX_CHECK_KEYCERT([kernel autogenerated], 
$WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY])), 
[$WCM_KERNEL_DIR/certs/signing_key.x509])
+               WACOM_LINUX_CHECK_KEYCERT([shim MOK], 
[/var/lib/shim-signed/mok/MOK.priv], [/var/lib/shim-signed/mok/MOK.der])
+               WACOM_LINUX_CHECK_KEYCERT([rEFInd MOK], 
[/etc/refind.d/keys/refind_local.key], [/etc/refind.d/keys/refind_local.cer])
+       fi
 
        AC_MSG_CHECKING(for module signing key)
        AC_MSG_RESULT([$MODSIGN_PRIVFILE])
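Review bot: The fallback in the user-supplied branch copies the wrong variable: when `--with-signing-cert` names a path that does not exist, `MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo "$MODSIGN_PRIVFILE")` silently replaces the certificate path with the private-key path, so the later signing step would be handed the private key where a certificate is expected instead of failing on the missing file; it should read `|| echo "$MODSIGN_CERTFILE"`, and a non-existent user-supplied path probably deserves an `AC_MSG_WARN` rather than a silent pass-through. The kernel-autogenerated probe concatenates `$WCM_KERNEL_DIR/` with whatever `CONFIG_MODULE_SIG_KEY` holds; that value is relative to the kernel build tree by default, but when it is an absolute path or a PKCS#11 URI the concatenation yields a path that cannot exist, which turns the probe into a silent "no" — acceptable, but worth a one-line comment so the limitation is intentional rather than accidental. With the old explanatory comment removed in the previous hunk, a short note above the three probes stating the search order (kernel key, then shim MOK, then rEFInd MOK, first hit wins) would restore the rationale the file used to carry. The enclosing `if test "$MODSIGN_ENABLE"` block starts and ends outside this hunk.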
-- 
2.21.0


