On Tue, Apr 9, 2019 at 3:17 PM Gerecke, Jason <killert...@gmail.com> wrote:

> From: Jason Gerecke <jason.gere...@wacom.com>
>
> Previously we would only automatically discover Ubuntu's shim MOK if one
> had been created. We now also try to use the kernel's autogenerated key
> if present, and the key generated by rEFInd (though this may be inside
> a directory that only root can read from).


Does this mean we should prompt users to compile input-wacom under root?

It’s quite a lot of work. Thank you for your effort, Jason!

Acked-by: Ping Cheng <ping.ch...@wacom.com> for the whole set.

Cheers,
Ping


>
> Signed-off-by: Jason Gerecke <jason.gere...@wacom.com>
> ---
>  configure.ac | 52 ++++++++++++++++++++++++++++++++--------------------
>  1 file changed, 32 insertions(+), 20 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index fa88ade..5353705 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -248,6 +248,25 @@ dnl
> =======================================================
>  dnl Module signing
>  AC_DEFUN([WACOM_LINUX_READ_CONFIG], [grep -sh '^$1='
> $WCM_KERNEL_DIR/.config /boot/config-$MODUTS | head -n1 | cut -d= -f2- |
> sed -e 's/^"\(.*\)"$/\1/'])
>
> +AC_DEFUN([WACOM_LINUX_FILE_IF_EXISTS], [test -f "$1" && readlink -e "$1"])
> +
> +AC_DEFUN([WACOM_LINUX_CHECK_KEYCERT],
> +if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
> +       AC_MSG_CHECKING(for $1 key at $2)
> +       KEYFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$2]))
> +       RESULT=$(test -z "$KEYFILE" && echo "no" || echo "yes")
> +       AC_MSG_RESULT([$RESULT])
> +       AC_MSG_CHECKING(for $1 cert at $3)
> +       CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$3]))
> +       RESULT=$(test -z "$CERTFILE" && echo "no" || echo "yes")
> +       AC_MSG_RESULT([$RESULT])
> +       if test -n "$KEYFILE" -a -n "$CERTFILE"; then
> +               MODSIGN_PRIVFILE="$KEYFILE"
> +               MODSIGN_CERTFILE="$CERTFILE";
> +       fi
> +fi)
> +
> +
>  MODSIGN_ENABLE=default
>  MODSIGN_HASHALGO=
>  MODSIGN_PRIVFILE=
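Review bot: WACOM_LINUX_FILE_IF_EXISTS only tests existence (`test -f`), not readability, so for the rEFInd case the commit message warns about (key in a root-only directory) a non-root configure run just reports "no" with no indication that the file is there but unreadable; consider adding a `test -r` case with its own AC_MSG_RESULT text so users know to re-run as root rather than conclude no key exists. Two smaller points in WACOM_LINUX_CHECK_KEYCERT: `readlink -e` is a GNU coreutils extension (not available on BSD readlink), and `MODSIGN_CERTFILE="$CERTFILE";` carries a stray trailing semicolon.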
> @@ -290,20 +309,6 @@ if test "$MODSIGN_ENABLE" = "yes" -o
> "$MODSIGN_ENABLE" = "default"; then
>
>
>
> -       # There is no standard location for storing kernel signing keys
> -       # and certificates. The kernel itself has CONFIG_MODULE_SIG_KEY
> -       # (which contains a key and cert) which likely points to a file
> -       # that doesn't exist unless you built the kernel yourself. Most
> -       # distributions use the "shim" bootloader which allows "machine
> -       # owner keys" (MOK) to be enrolled by the end-user, but only
> -       # Ubuntu provides a tool to automatically generate these keys
> -       # (`update-secureboot-policy --new-key`); other distros rely on
> -       # the user generating the key/cert themselves and keeping it in a
> -       # suitably-safe location.
> -       #
> -       # The kernel should automatically try to sign modules as part of
> -       # the `make modules_install` step, so that covers the first case.
> -       # In the second case the best we can do is try Ubuntu's location.
>         AC_ARG_WITH(signing-key,
>                 AS_HELP_STRING([--with-signing-key=<trusted.priv>],
> [Specify module signing key location]),
>                 [MODSIGN_PRIVFILE="$withval"])
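Review bot: this hunk drops the only comment explaining why specific key locations are probed at all (no standard location, shim MOK enrolment, Ubuntu's `update-secureboot-policy --new-key`), without replacing it. With three candidate locations now tried instead of one, that rationale is more useful rather than less; suggest rewriting the block above the AC_ARG_WITH calls to list the kernel autogenerated key, the shim MOK and the rEFInd MOK, the order in which they are tried (first match wins), and the note that the rEFInd directory may be readable only by root.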
> @@ -311,12 +316,19 @@ if test "$MODSIGN_ENABLE" = "yes" -o
> "$MODSIGN_ENABLE" = "default"; then
>                 AS_HELP_STRING([--with-signing-cert=<trusted.der>],
> [Specify module signing cert location]),
>                 [MODSIGN_CERTFILE="$withval"])
>
> -       if test "$MODSIGN_PRIVFILE" = "yes" -o -z "$MODSIGN_PRIVFILE"; then
> -               MODSIGN_PRIVFILE=$(ls /var/lib/shim-signed/mok/MOK.priv
> 2>/dev/null || echo "$MODSIGN_PRIVFILE")
> -       fi
> -       if test "$MODSIGN_CERTFILE" = "yes" -o -z "$MODSIGN_CERTFILE"; then
> -               MODSIGN_CERTFILE=$(ls /var/lib/shim-signed/mok/MOK.der
> 2>/dev/null || echo "$MODSIGN_CERTFILE")
> -       fi
> +       HASPRIVFILE=$(test "$MODSIGN_PRIVFILE" = "yes" -o -z
> "$MODSIGN_PRIVFILE" && echo 0 || echo 1)
> +       HASCERTFILE=$(test "$MODSIGN_CERTFILE" = "yes" -o -z
> "$MODSIGN_CERTFILE" && echo 0 || echo 1)
> +       if test "$HASPRIVFILE" -ne "$HASCERTFILE"; then
> +               AC_MSG_ERROR([Options '--with-signing-key' and
> '--with-signing-cert' must either both be set or both be unset.])
> +       elif test "$HASPRIVFILE" -eq 1; then
> +               # Try to get absolute path, if possible
> +
>  MODSIGN_PRIVFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_PRIVFILE]) || echo
> "$MODSIGN_PRIVFILE")
> +
>  MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo
> "$MODSIGN_PRIVFILE")
> +       else
> +               WACOM_LINUX_CHECK_KEYCERT([kernel autogenerated],
> $WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY])),
> [$WCM_KERNEL_DIR/certs/signing_key.x509])
> +               WACOM_LINUX_CHECK_KEYCERT([shim MOK],
> [/var/lib/shim-signed/mok/MOK.priv], [/var/lib/shim-signed/mok/MOK.der])
> +               WACOM_LINUX_CHECK_KEYCERT([rEFInd MOK],
> [/etc/refind.d/keys/refind_local.key],
> [/etc/refind.d/keys/refind_local.cer])
> +       fi
>
>         AC_MSG_CHECKING(for module signing key)
>         AC_MSG_RESULT([$MODSIGN_PRIVFILE])
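Review bot: the fallback in the MODSIGN_CERTFILE assignment echoes the wrong variable: `MODSIGN_CERTFILE=$(WACOM_LINUX_FILE_IF_EXISTS([$MODSIGN_CERTFILE]) || echo "$MODSIGN_PRIVFILE")` should end with `echo "$MODSIGN_CERTFILE"`. As written, a user who passes `--with-signing-cert` pointing at a path that does not exist (or cannot be read) silently ends up with the private key path recorded as the certificate, and the later AC_MSG_RESULT lines will print a cert path that is actually the key. A second caveat in the kernel-autogenerated branch: `$WCM_KERNEL_DIR/$(WACOM_LINUX_READ_CONFIG([CONFIG_MODULE_SIG_KEY]))` assumes the config value is relative to the kernel tree (its default `certs/signing_key.pem` is), but CONFIG_MODULE_SIG_KEY may also be an absolute path or a `pkcs11:` URI, in which case the concatenation yields a non-existent path and the check quietly falls through to the shim and rEFInd candidates; worth a comment, or a `case` on a leading `/` before prepending. The both-or-neither check via HASPRIVFILE/HASCERTFILE and the explicit AC_MSG_ERROR are a clear improvement over the previous silent defaulting.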
> --
> 2.21.0
>
>
_______________________________________________
Linuxwacom-devel mailing list
Linuxwacom-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linuxwacom-devel